CN111541675B - Network security protection method, device and equipment based on white list - Google Patents


Info

Publication number
CN111541675B
Authority
CN
China
Prior art keywords
domain name
target
address
white list
target application
Prior art date
Legal status
Active
Application number
CN202010305704.5A
Other languages
Chinese (zh)
Other versions
CN111541675A (en)
Inventor
赵煜
潘泉波
李盛葆
向媛媛
张泰�
李睿
尹川铭
Current Assignee
Shandong Branch Center National Computer Network And Information Security Management Center
Original Assignee
Shandong Branch Center National Computer Network And Information Security Management Center
Priority date
Filing date
Publication date
    • Application filed by Shandong Branch Center National Computer Network And Information Security Management Center
    • Priority to CN202010305704.5A
    • Publication of CN111541675A
    • Application granted
    • Publication of CN111541675B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a network security protection method based on a white list. It uses sandbox technology to extend analysis from the network behaviour of malicious applications alone to the network assets of normal applications: applications are deployed on a platform, the platform analyses their traffic, a consensus algorithm then determines the correspondence between each application and its network assets to obtain a white list, and network security protection is finally carried out on the basis of that white list, so that the reliability and scenario adaptability of network security protection are improved. In addition, the application also provides a white list-based network security protection apparatus, device and readable storage medium, whose technical effects correspond to those of the method.

Description

Network security protection method, device and equipment based on white list
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for network security protection based on a white list.
Background
When network security protection or traffic analysis is performed, a large number of unknown IP addresses or domain names are encountered; whether they are malicious cannot be determined, and misjudgement easily results. At present, a sandbox is often used to analyse malicious samples, the IP addresses and domain names the samples communicate with are labelled, and a threat intelligence library is then constructed by combining this with threat intelligence. The IP addresses and domain names in the threat intelligence library are used to configure blocking on the firewall, so as to guarantee network security. However, a blacklist-based policy is often of poor reliability, and security protection policies based on a blacklist are generally not adopted for critical systems during critical security assurance periods.
Therefore, how to improve the reliability of network security protection schemes is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application aims to provide a network security protection method, a device, equipment and a readable storage medium based on a white list, which are used for solving the problem that the reliability of the current network security protection scheme is low. The specific scheme is as follows:
in a first aspect, the present application provides a network security protection method based on a white list, including:
deploying a target application to be analyzed into a target platform, wherein the target platform is a platform which is based on a sandbox technology and can independently run the target application;
performing traffic analysis on the target application by using the target platform, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result;
determining, by using a consensus algorithm, the correspondence between the IP address and domain name and the target application according to the traffic analysis result, to obtain a white list;
and according to the white list, utilizing a firewall technology to perform network security protection.
Preferably, the deploying the target application to be analyzed into the target platform includes:
deploying a target application to be analyzed into a target platform, wherein the target platform is any one of the following: a sandbox, a virtual machine, Docker, or a physical host.
Preferably, the performing, by using the target platform, traffic analysis on the target application, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result includes:
performing traffic analysis on the target application by using the target platform, determining an IP address and a domain name of external communication of the target application, and generating an IP table and a domain name table as the traffic analysis result, wherein the IP table comprises any one or more of the following dimensions: platform number, application name, destination IP, destination port, last communication time, communication frequency, communication protocol, plaintext or ciphertext; and the domain name table comprises any one or more of the following dimensions: platform number, application name, requested domain name, returned IP, last communication time, communication frequency, requested DNS server.
Preferably, the determining, by using a consensus algorithm, a correspondence between the IP address and the domain name and the target application according to the traffic analysis result to obtain a white list includes:
judging, by using a consensus algorithm, whether the current IP address and domain name meet a marking condition, wherein the marking condition is: the number of target platforms on which the target application is deployed is larger than a preset threshold, and the traffic analysis results of more than a preset proportion of those target platforms include the current IP address and domain name;
and if the marking condition is met, determining that the corresponding relation exists between the current IP address and domain name and the target application, and adding the current IP address and domain name to a white list.
Preferably, the adding the current IP address and domain name to the white list includes:
constructing a network asset database as a white list;
and adding the current IP address and the domain name in the network asset database, and setting a label of the target application for the current IP address and the domain name.
Preferably, after the adding the current IP address and domain name and setting the label of the target application for the current IP address and domain name, the method further includes:
judging whether an IP address and domain name in the network asset database have not communicated with the target application for longer than a preset time threshold;
and if so, deleting the label of the target application preset for the IP address and the domain name.
In a second aspect, the present application provides a white list-based network security protection apparatus, including:
a deployment module: configured to deploy a target application to be analyzed into a target platform, wherein the target platform is a platform which is based on sandbox technology and can independently run the target application;
a traffic analysis module: configured to perform traffic analysis on the target application by using the target platform, and to determine an IP address and a domain name of external communication of the target application as a traffic analysis result;
a correspondence determination module: configured to determine, by using a consensus algorithm, the correspondence between the IP address and domain name and the target application according to the traffic analysis result, to obtain a white list;
a security protection module: configured to perform network security protection by using a firewall technology according to the white list.
In a third aspect, the present application provides a network security protection device based on a white list, including:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the steps of the white list-based network security protection method as described above.
In a fourth aspect, the present application provides a readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the white list-based network security protection method described above.
The application provides a network security protection method based on a white list, which comprises the following steps: deploying a target application to be analyzed into a target platform, wherein the target platform is a platform which is based on a sandbox technology and can independently run the target application; performing traffic analysis on the target application by using the target platform, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result; determining, by using a consensus algorithm, the correspondence between the IP address and domain name and the target application according to the traffic analysis result, to obtain a white list; and according to the white list, performing network security protection by using a firewall technology. The method thus uses sandbox technology to extend analysis from the network behaviour of malicious applications alone to the network assets of normal applications: it deploys the application on the platform, performs traffic analysis on the application by using the platform, determines the correspondence between the application and the network assets by using the consensus algorithm to obtain the white list, and finally performs network security protection based on the white list, so that the reliability and scenario adaptability of network security protection are improved.
In addition, the application also provides a network security protection device, equipment and a readable storage medium based on the white list, and the technical effect of the network security protection device, the equipment and the readable storage medium correspond to the technical effect of the method, and the details are not repeated here.
Drawings
In order to clearly illustrate the embodiments or technical solutions of the present application, the drawings used in the embodiments or technical solutions of the present application will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart illustrating a first embodiment of a white list-based network security protection method according to the present application;
Fig. 2 is a flowchart illustrating a second embodiment of a white list-based network security protection method according to the present application;
Fig. 3 is a block diagram illustrating an embodiment of a white list-based network security protection apparatus according to the present application;
Fig. 4 is a schematic structural diagram of an embodiment of a white list-based network security protection device according to the present application.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
The core of the application is to provide a network security protection method, apparatus, device and readable storage medium based on a white list, extending network security protection from analyzing only malicious code to analyzing normal applications. It should be noted that, unlike normal applications, malware often has a single fixed control IP address and domain name, whereas the network assets associated with normal applications, especially large applications, are numerous and varied and need to be consolidated by various technical means. According to the method and apparatus of the application, the correspondence between an application and its network assets is determined through technical means such as sandbox analysis, traffic collection, traffic statistics and a consensus algorithm, a white list is obtained, and network security protection is finally carried out on the basis of the white list, so that the reliability and scenario adaptability of network security protection are improved.
Referring to fig. 1, a first embodiment of a network security protection method based on a white list provided in the present application is described below, where the first embodiment includes:
s101, deploying a target application to be analyzed to a target platform, wherein the target platform is a platform which is based on a sandbox technology and can independently run the target application;
s102, carrying out traffic analysis on the target application by using the target platform, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result;
S103, determining, by using a consensus algorithm, the correspondence between the IP address and domain name and the target application according to the traffic analysis result, to obtain a white list;
and S104, performing network security protection by using a firewall technology according to the white list.
In order to increase the security of network data interaction, a firewall is usually disposed between the internal network and the external network. The white list-based network security protection refers to performing corresponding configuration on a firewall according to a white list so as to ensure network security, and the key point of the white list-based network security protection lies in how to generate the white list.
Generating a blacklist by analyzing malware is relatively simple, because the control-side IP addresses and domain names of malware tend to be single and fixed. Normal applications, especially large applications, on the other hand often involve a large number of network assets (IP addresses, domain names, etc.), so deriving a white list from them requires more complex analysis. In this embodiment, sandbox technology is used to collect the traffic of various normal software (operating systems, applications, APPs and other programs), to analyze the network assets involved in the communication process, and to determine the correspondence between IP addresses and domain names and the application, thereby obtaining a white list.
First, the target application to be analyzed is deployed to a target platform, which is a platform based on sandbox technology and capable of independently running the target application. It can be understood that in this embodiment the sandbox technology is not limited to a sandbox and may also be a virtual machine, Docker, a physical host, and the like, as long as the target application to be analyzed can run independently. A so-called sandbox is a virtual system program that allows a browser or other program to run in a sandboxed environment, so that the changes made by the run can subsequently be deleted. In network security, sandboxing refers to tools used to test the behaviour of untrusted files or applications in an isolated environment.
In practical application, the target application refers to an application to be analyzed, and can be selected from various large software application stores and common office software. The target platform has a flow recording function, each target platform only deploys one application, and one application can be deployed to a plurality of target platforms.
Then, the target platform is used to perform traffic analysis on the target application, that is, network asset information related to the running process of the target application, such as an IP address and a domain name of external communication, is collected, and of course, information such as a port number, communication time, communication frequency, and the like can be collected as a traffic analysis result.
After the traffic analysis result is obtained, the correspondence between the IP address and domain name and the target application is determined by using a consensus algorithm. Specifically, for the current target application, if the number of target platforms on which it is deployed exceeds a preset threshold, and the traffic analysis results of more than a preset proportion of those target platforms all include a certain IP address and domain name, it is determined that a correspondence exists between that IP address and domain name and the current target application. Given that the target application is known to be a normal application, the corresponding IP address and domain name can then be considered reliable, and IP addresses and domain names meeting the above condition are added to the white list. The preset threshold and the preset proportion may be adjusted according to actual conditions, which this embodiment does not limit.
Finally, network security protection can be realized by utilizing a firewall technology according to the white list.
The white list-based network security protection method provided by this embodiment deploys the target application to be analyzed to a target platform; performs traffic analysis on the target application by using the target platform, determining an IP address and a domain name of external communication of the target application as a traffic analysis result; determines, by using a consensus algorithm, the correspondence between the IP address and domain name and the target application according to the traffic analysis result, to obtain a white list; and performs network security protection according to the white list by using a firewall technology. As can be seen, this embodiment uses sandbox technology to extend analysis from the network behaviour of malicious applications alone to the network assets of normal applications: the application is deployed on a platform, the platform performs traffic analysis on it, a consensus algorithm determines the correspondence between the application and its network assets to obtain a white list, and network security protection is performed based on that white list, improving the reliability and scenario adaptability of network security protection.
The second embodiment of the network security protection method based on the white list provided by the present application is described in detail below, and the second embodiment is implemented based on the first embodiment and is expanded to a certain extent on the basis of the first embodiment.
Specifically, the present embodiment deploys the target application to be analyzed into a sandbox. Referring to fig. 2, the second embodiment specifically includes:
s201, deploying a target application to be analyzed into a sandbox;
S202, performing traffic analysis on the target application by using the sandbox, determining an IP address and a domain name of external communication of the target application, and generating an IP table and a domain name table as the traffic analysis result;
wherein the IP table comprises any one or more of the following dimensions: platform number, application name, destination IP, destination port, last communication time, communication frequency, communication protocol, plaintext or ciphertext; and the domain name table comprises any one or more of the following dimensions: platform number, application name, requested domain name, returned IP, last communication time, communication frequency, requested DNS server.
S203, creating a network asset database as a white list;
it should be noted that the present embodiment does not limit the execution sequence of S203, as long as it is guaranteed to be before S205.
S204, judging, by using a consensus algorithm, whether the current IP address and domain name meet the marking condition, and if so, entering S205; otherwise, taking the next IP address and domain name in the traffic analysis result as the current IP address and domain name and returning to S204, until all IP addresses and domain names in the traffic analysis result have been analyzed;
in the traffic analysis result for the target application, there are typically a plurality of IP addresses and domain names. In this embodiment, when the relationship between the target application and the IP address and the domain name is sorted by using the consensus algorithm, the IP address and the domain name in the traffic analysis result are analyzed one by one, and therefore, the "current IP address and domain name" mentioned in this embodiment refers to the IP address and the domain name currently analyzed in the traffic analysis result.
The embodiment adopts a voting mechanism, each application is deployed into at least 10 sandboxes, and no less than 30% of the sandboxes record certain network asset information at the same time, so that the corresponding relationship between the application and the network asset information can be determined. In other words, the above-mentioned marking conditions are: the number of the target platforms with the target applications is larger than a preset threshold, and the traffic analysis result of the target platforms with the target applications exceeding a preset proportion comprises a current IP address and a domain name. Wherein the preset threshold is 10, and the preset proportion is 30%.
S205, determining that a corresponding relation exists between a current IP address and a domain name and a target application, adding the current IP address and the domain name in the network asset database, and setting a label of the target application for the current IP address and the domain name;
s206, periodically judging whether the IP address and the domain name in the network asset database exceed a preset time threshold value and are not communicated with a target application; if yes, entering S207, otherwise, not performing any processing;
in this embodiment, the correspondence recorded in the network asset database has timeliness, and the correspondence without communication record for too long time is cleared. The preset time threshold may be set according to actual requirements, and this embodiment is not limited.
S207, deleting the labels of the target application preset for the IP address and the domain name;
and S208, according to the network asset database, performing network security protection by using a firewall technology.
In this embodiment, the consensus algorithm may further include the following features: multiple applications may share common network assets, which can be labelled by broad category; IDC assets and the IP assets of CDN technology can be marked individually; and a multi-label regime is used, i.e. there may be multiple labels for the same application.
In practical applications, appropriate manual intervention may be performed. The method utilizes manpower to increase the asset collection range in aspects of asset marking, application maintenance (login account, simulation operation) and the like.
In addition, a domain name IP linkage mechanism may be implemented, i.e., the IP of the domain name resolution requested by the application is also tagged with the application. That is, for a normal application, when a domain name is normal, it is considered that an IP address corresponding to the domain name returned by the DNS server is also normal, and a label of a target application is set for the IP address.
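The marking condition of S204, the network asset database of S203/S205, the ageing-out of stale labels in S206/S207 and the domain name / IP linkage described above, implemented as an added Python example (not code from the patent). The 10-sandbox and 30% thresholds come from the text; the record layouts, the hypothetical `suite-x` application, the sandbox names and the sample addresses are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Marking condition of the second embodiment (S204): the application runs in at
# least 10 sandboxes, and an asset must be recorded by at least 30% of them.
MIN_PLATFORMS = 10
MIN_PROPORTION = 0.30

@dataclass(frozen=True)
class IpRecord:
    """IP table row: platform, app, destination IP/port, last time, frequency, protocol, encrypted."""
    platform: str
    app: str
    dst_ip: str
    dst_port: int
    last_seen: datetime
    count: int
    proto: str
    encrypted: bool

@dataclass(frozen=True)
class DomainRecord:
    """Domain table row: platform, app, requested domain, returned IP, last time, frequency, DNS server."""
    platform: str
    app: str
    domain: str
    resolved_ip: str
    last_seen: datetime
    count: int
    dns_server: str

def consensus(ip_table, domain_table, app):
    """Voting step (S204): {asset: last_seen} for assets of `app` that enough sandboxes agree on."""
    rows = [r for r in ip_table + domain_table if r.app == app]
    platforms = {r.platform for r in rows}
    if len(platforms) < MIN_PLATFORMS:
        return {}                           # too few sandboxes to hold a vote
    voters, last_seen = defaultdict(set), {}
    for r in rows:                          # assets are keyed ("ip", addr) or ("domain", name)
        key = ("ip", r.dst_ip) if isinstance(r, IpRecord) else ("domain", r.domain)
        voters[key].add(r.platform)
        last_seen[key] = max(last_seen.get(key, r.last_seen), r.last_seen)
    return {k: last_seen[k] for k, v in voters.items()
            if len(v) / len(platforms) >= MIN_PROPORTION}

class NetworkAssetDatabase:
    """White list (S203): asset -> {application label: time of last communication}."""
    def __init__(self):
        self._labels = defaultdict(dict)

    def mark(self, asset, app, seen):
        prev = self._labels[asset].get(app)
        self._labels[asset][app] = seen if prev is None else max(prev, seen)

    def mark_from_consensus(self, ip_table, domain_table, app):
        """S205 plus domain/IP linkage: IPs the DNS server returned for a marked domain inherit the label."""
        marked = consensus(ip_table, domain_table, app)
        for asset, seen in marked.items():
            self.mark(asset, app, seen)
            if asset[0] == "domain":
                for r in domain_table:
                    if r.app == app and r.domain == asset[1]:
                        self.mark(("ip", r.resolved_ip), app, r.last_seen)
        return marked

    def expire(self, now, max_age):
        """S206/S207: drop labels whose asset has not talked to the application within max_age."""
        for asset in list(self._labels):
            self._labels[asset] = {a: t for a, t in self._labels[asset].items()
                                   if now - t <= max_age}
            if not self._labels[asset]:
                del self._labels[asset]

    def labels(self, asset):
        return set(self._labels.get(asset, {}))
    def allowed(self, asset):               # firewall decision (S208): a live label is required
        return asset in self._labels

def build_sample_tables():
    """Constructed sample: 12 sandboxes running hypothetical 'suite-x' (RFC 5737 addresses)."""
    t, dns, ips, doms = datetime(2020, 4, 1, 12, 0), "192.0.2.53", [], []
    for i in range(12):
        p = f"sb-{i:02d}"
        doms.append(DomainRecord(p, "suite-x", "www.example.net", "198.51.100.5", t, 8, dns))  # 12/12
        if i < 5:       # update server: 5/12 = 41.7% -> marked
            doms.append(DomainRecord(p, "suite-x", "update.example.net", "198.51.100.7", t, 3, dns))
        if i < 2:       # telemetry host: 2/12 = 16.7% -> below 30%, not marked
            doms.append(DomainRecord(p, "suite-x", "telemetry.example.org", "198.51.100.9", t, 1, dns))
        if i % 3 == 0:  # licence server: 4/12 = 33.3% -> marked
            ips.append(IpRecord(p, "suite-x", "203.0.113.10", 443, t, 2, "tcp", True))
    return ips, doms, t

def run_demo():
    ips, doms, t = build_sample_tables()
    db = NetworkAssetDatabase()
    db.mark(("ip", "203.0.113.99"), "suite-x", t - timedelta(days=120))  # stale entry to be aged out
    marked = db.mark_from_consensus(ips, doms, "suite-x")
    db.expire(now=t + timedelta(days=1), max_age=timedelta(days=90))
    return db, marked
```

After `run_demo()` the telemetry host stays off the white list, the resolved IPs of the marked domains carry the `suite-x` label through the linkage, and the 120-day-old entry has been removed by the expiry pass.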
Therefore, according to the network security protection method based on the white list provided by the embodiment, the sandbox technology is used for expanding the network behavior of independently analyzing the malicious software to the network asset of analyzing the normal software, the corresponding relation between the software and the network asset is determined by various algorithms, and finally the network asset database is constructed. By long-term collection and arrangement, most of commonly applied network assets can be marked, and convenience is provided in later-stage network firewall white list configuration and flow analysis.
In the following, a white list-based network security protection apparatus provided in an embodiment of the present application is introduced, and a white list-based network security protection apparatus described below and a white list-based network security protection method described above may be referred to correspondingly.
As shown in fig. 3, the white list based network security protection apparatus of this embodiment includes:
the deployment module 301: configured to deploy a target application to be analyzed into a target platform, wherein the target platform is a platform which is based on sandbox technology and can independently run the target application;
the traffic analysis module 302: configured to perform traffic analysis on the target application by using the target platform, and to determine an IP address and a domain name of external communication of the target application as a traffic analysis result;
the correspondence determination module 303: configured to determine, by using a consensus algorithm, the correspondence between the IP address and domain name and the target application according to the traffic analysis result, to obtain a white list;
the security protection module 304: configured to perform network security protection by using a firewall technology according to the white list.
The white list-based network security protection apparatus of this embodiment is used to implement the white list-based network security protection method, and therefore a specific implementation manner of the apparatus may be found in the foregoing embodiment part of the white list-based network security protection method, for example, the deployment module 301, the traffic analysis module 302, the correspondence determination module 303, and the security protection module 304 are respectively used to implement steps S101, S102, S103, and S104 in the white list-based network security protection method. Therefore, specific embodiments thereof may be referred to in the description of the corresponding respective partial embodiments, and will not be described herein.
In addition, since the network security protection apparatus based on the white list of this embodiment is used to implement the network security protection method based on the white list, the role thereof corresponds to the role of the method described above, and details are not described here.
In addition, the present application further provides a network security protection device based on a white list, as shown in fig. 4, including:
the memory 100: for storing a computer program;
the processor 200: for executing the computer program to implement the steps of the white list-based network security protection method as described above.
Finally, the present application provides a readable storage medium having stored thereon a computer program for implementing the steps of the white list based network security protection method as described above when being executed by a processor.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The solutions provided in the present application have been described in detail above. The specific examples used here explain the principles and implementations of the present application, and the description of those examples is intended only to help in understanding the method of the present application and its core ideas. A person skilled in the art may, following the ideas of the present application, change the specific implementation and the scope of application, so the content of this specification should not be construed as limiting the present application.

Claims (9)

1. A white-list-based network security protection method, characterized by comprising the following steps:
deploying a target application to be analyzed into a target platform, wherein the target platform is a platform based on sandbox technology that can run the target application independently;
performing traffic analysis on the target application using the target platform, and determining the IP addresses and domain names with which the target application communicates externally as a traffic analysis result;
determining, by applying a consensus algorithm to the traffic analysis result, the correspondence between those IP addresses and domain names and the target application, to obtain a white list;
and performing network security protection using firewall technology according to the white list.
2. The method of claim 1, wherein deploying the target application to be analyzed into the target platform comprises:
deploying the target application to be analyzed into a target platform that is any one of: a sandbox, a virtual machine, Docker, or a physical host.
3. The method of claim 2, wherein performing traffic analysis on the target application using the target platform and determining the IP addresses and domain names with which the target application communicates externally as the traffic analysis result comprises:
performing traffic analysis on the target application using the target platform, determining the IP addresses and domain names with which the target application communicates externally, and generating an IP table and a domain name table as the traffic analysis result, wherein the IP table comprises any one or more of the following dimensions: platform number, application name, destination IP, destination port, last communication time, communication frequency, communication protocol, and whether the traffic is plaintext or encrypted; and wherein the domain name table comprises any one or more of the following dimensions: platform number, application name, requested domain name, resolved IP address, last communication time, communication frequency, and the DNS server queried.
4. The method of claim 1, wherein determining, by applying a consensus algorithm to the traffic analysis result, the correspondence between the IP addresses and domain names and the target application to obtain a white list comprises:
judging, with a consensus algorithm, whether the current IP address and domain name satisfy a marking condition, the marking condition being: the number of target platforms running the target application is greater than a preset threshold, and the traffic analysis results of more than a preset proportion of those target platforms contain the current IP address and domain name;
and if the marking condition is satisfied, determining that a correspondence exists between the current IP address and domain name and the target application, and adding the current IP address and domain name to the white list.
5. The method of claim 4, wherein adding the current IP address and domain name to the white list comprises:
constructing a network asset database as the white list;
and adding the current IP address and domain name to the network asset database and setting a label of the target application on them.
6. The method of claim 5, further comprising, after adding the current IP address and domain name and setting the label of the target application on them:
judging whether an IP address and domain name in the network asset database has gone longer than a preset time threshold without communicating with the target application;
and if so, deleting the label of the target application previously set on that IP address and domain name.
7. A white-list-based network security protection apparatus, comprising:
a deployment module: used to deploy a target application to be analyzed into a target platform, wherein the target platform is a platform based on sandbox technology that can run the target application independently;
a traffic analysis module: used to perform traffic analysis on the target application by means of the target platform, and to determine the IP addresses and domain names with which the target application communicates externally as a traffic analysis result;
a correspondence determination module: used to determine, by applying a consensus algorithm to the traffic analysis result, the correspondence between those IP addresses and domain names and the target application, thereby obtaining a white list;
a security protection module: used to perform network security protection with firewall technology according to the white list.
8. A white-list-based network security protection device, comprising:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the steps of the white-list-based network security protection method according to any one of claims 1 to 6.
9. A readable storage medium storing a computer program which, when executed by a processor, implements the steps of the white-list-based network security protection method according to any one of claims 1 to 6.
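One way to realize the procedure of claims 1 to 6 in code, written for this page as an added example and not taken from the patent or its applicant: the marking condition of claim 4 applied to constructed per-platform traffic-analysis rows, the labelled network asset database of claims 5 and 6 with label expiry, and allow rules in iptables syntax standing in for the unspecified "firewall technology" of claim 1. The application name, platform numbers, addresses, thresholds and rule format are all assumptions; the patent does not say how its consensus algorithm is implemented beyond the marking condition, so the code implements exactly that condition and nothing more.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: traffic-analysis rows for one application ("updater") run on
# five isolated target platforms. Each row holds the dimensions the IP table and
# the domain table share: (platform number, application name, destination IP,
# requested domain, last communication time). Platform numbers, names and
# addresses are invented; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
T0 = datetime(2020, 4, 17, 12, 0, 0)
SAMPLE_RESULTS = [
    (1, "updater", "203.0.113.10", "update.example.com", T0),
    (2, "updater", "203.0.113.10", "update.example.com", T0),
    (3, "updater", "203.0.113.10", "update.example.com", T0),
    (4, "updater", "203.0.113.10", "update.example.com", T0),
    (5, "updater", "203.0.113.10", "update.example.com", T0),
    (1, "updater", "203.0.113.20", "cdn.example.net", T0),
    (2, "updater", "203.0.113.20", "cdn.example.net", T0),
    (3, "updater", "203.0.113.20", "cdn.example.net", T0),
    (5, "updater", "203.0.113.20", "cdn.example.net", T0),
    (1, "updater", "198.51.100.7", "telemetry.example.org", T0),
    (2, "updater", "198.51.100.7", "telemetry.example.org", T0),
    (4, "updater", "198.51.100.7", "telemetry.example.org", T0),
    # Observed on a single platform only: a sandbox artefact or an injected beacon.
    (3, "updater", "198.51.100.99", "beacon.example.invalid", T0),
]


def consensus_whitelist(records, app, min_platforms, min_ratio):
    """Apply the marking condition of claim 4 and return {(ip, domain): last_seen}.

    Both tests are strict, as the claim words them: the number of platforms that
    ran `app` must exceed `min_platforms`, and the share of those platforms whose
    result contains the pair must exceed `min_ratio`.
    """
    platforms = {row[0] for row in records if row[1] == app}
    if len(platforms) <= min_platforms:
        return {}  # too few independent observations to reach a consensus
    seen_on, last_seen = defaultdict(set), {}
    for platform, name, ip, domain, t in records:
        if name != app:
            continue
        seen_on[(ip, domain)].add(platform)
        last_seen[(ip, domain)] = max(last_seen.get((ip, domain), t), t)
    return {pair: last_seen[pair] for pair, seen in seen_on.items()
            if len(seen) / len(platforms) > min_ratio}


class AssetDatabase:
    """Network asset database used as the white list: (ip, domain) -> {app label: last seen}."""

    def __init__(self):
        self.assets = defaultdict(dict)

    def add(self, pair, app, last_seen):
        self.assets[pair][app] = last_seen

    def labels(self, pair):
        return set(self.assets.get(pair, {}))

    def expire(self, now, max_age_days=30):
        """Claim 6: drop an app's label from any asset silent for that app longer than max_age_days."""
        removed = []
        for pair, labels in list(self.assets.items()):
            for app, seen in list(labels.items()):
                if (now - seen).days > max_age_days:
                    del labels[app]
                    removed.append((pair, app))
            if not labels:
                del self.assets[pair]  # nothing vouches for the asset any more
        return removed

    def firewall_rules(self, app, chain="OUTPUT"):
        """Illustrative iptables allow rules for every asset labelled `app`, then a default drop."""
        rules = [f"iptables -A {chain} -d {ip} -m comment --comment '{app}:{domain}' -j ACCEPT"
                 for (ip, domain), labels in sorted(self.assets.items()) if app in labels]
        rules.append(f"iptables -A {chain} -j DROP")
        return rules


def build_asset_database(records, app, min_platforms=3, min_ratio=0.6):
    """Step S103 of the method: consensus over the traffic results, then a labelled asset database."""
    db = AssetDatabase()
    for pair, last_seen in consensus_whitelist(records, app, min_platforms, min_ratio).items():
        db.add(pair, app, last_seen)
    return db


if __name__ == "__main__":
    db = build_asset_database(SAMPLE_RESULTS, "updater")
    print("\n".join(db.firewall_rules("updater")))
    db.expire(now=T0.replace(month=5, day=18))
    print("after expiry:", db.firewall_rules("updater"))
```

With the sample data and a threshold of 3 platforms and a proportion of 0.6, the update and CDN endpoints are marked, the telemetry endpoint seen on exactly 3 of 5 platforms is not (0.6 does not exceed 0.6), and the single-platform beacon is rejected; that last case is the point of demanding consensus, since one compromised or misbehaving sandbox cannot push an address into the white list on its own. A practitioner should expect destination-IP allow rules to go stale for CDN-fronted domains whose resolved addresses rotate, which is why the domain table of claim 3 records the resolved IP and the DNS server queried, and why the expiry step of claim 6 is needed rather than optional.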
CN202010305704.5A 2020-04-17 2020-04-17 Network security protection method, device and equipment based on white list Active CN111541675B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010305704.5A CN111541675B (en) 2020-04-17 2020-04-17 Network security protection method, device and equipment based on white list
Publications (2)

Publication Number Publication Date
CN111541675A CN111541675A (en) 2020-08-14
CN111541675B true CN111541675B (en) 2022-05-17

Family

ID=71970981

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010305704.5A Active CN111541675B (en) 2020-04-17 2020-04-17 Network security protection method, device and equipment based on white list

Country Status (1)

Country Link
CN (1) CN111541675B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112333191A (en) * 2020-11-06 2021-02-05 杭州安恒信息技术股份有限公司 Illegal network asset detection and access blocking method, device, equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685951A (en) * 2016-12-26 2017-05-17 北京奇虎科技有限公司 Network flow filtering system and method based on domain name rules
CN108809892A (en) * 2017-04-27 2018-11-13 贵州白山云科技有限公司 A kind of IP white lists generation method and device
CN110611673A (en) * 2019-09-18 2019-12-24 赛尔网络有限公司 IP credit calculation method, device, electronic equipment and medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106650425B (en) * 2016-12-06 2019-08-09 中国联合网络通信集团有限公司 A kind of control method and device of security sandbox
US10873588B2 (en) * 2017-08-01 2020-12-22 Pc Matic, Inc. System, method, and apparatus for computer security
CN110891071A (en) * 2019-12-25 2020-03-17 杭州安恒信息技术股份有限公司 Network traffic information acquisition method, device and related equipment

Also Published As

Publication number Publication date
CN111541675A (en) 2020-08-14

Similar Documents

Publication Publication Date Title
CN108183916B (en) Network attack detection method and device based on log analysis
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
CN111355697B (en) Detection method, device, equipment and storage medium for botnet domain name family
US11270001B2 (en) Classification apparatus, classification method, and classification program
CN112685682B (en) Method, device, equipment and medium for identifying forbidden object of attack event
CN110933101A (en) Security event log processing method, device and storage medium
CN106796635A (en) Determining device, determine method and determination program
CN110365674B (en) Method, server and system for predicting network attack surface
Kaaniche et al. Empirical analysis and statistical modeling of attack processes based on honeypots
CN111625841B (en) Virus processing method, device and equipment
JP5739034B1 (en) Attack detection system, attack detection device, attack detection method, and attack detection program
CN112511561A (en) Network attack path determination method, equipment, storage medium and device
CN110880983A (en) Penetration testing method and device based on scene, storage medium and electronic device
EP3913888A1 (en) Detection method for malicious domain name in domain name system and detection device
CN115001789B (en) Method, device, equipment and medium for detecting collapse equipment
CN110365673B (en) Method, server and system for isolating network attack plane
CN112333191A (en) Illegal network asset detection and access blocking method, device, equipment and medium
CN110381047B (en) Network attack surface tracking method, server and system
CN111541675B (en) Network security protection method, device and equipment based on white list
CN113315785B (en) Alarm reduction method, device, equipment and computer readable storage medium
JPWO2017217247A1 (en) Malignant event detection apparatus, malignant event detection method, and malignant event detection program
CN112448963A (en) Method, device, equipment and storage medium for analyzing automatic attack industrial assets
CN112953895B (en) Attack behavior detection method, device and equipment and readable storage medium
CN115955333A (en) C2 server identification method and device, electronic equipment and readable storage medium
CN115935356A (en) Software security testing method, system and application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant