CN111885087A - Intranet computer network behavior monitoring method, device and equipment - Google Patents


Info

Publication number: CN111885087A
Authority: CN (China)
Prior art keywords: network, preset program, program, target remote, target
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010779509.6A
Other languages: Chinese (zh)
Inventors: 程华才, 范渊
Current assignee: DBAPPSecurity Co Ltd; Hangzhou Dbappsecurity Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic
    • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] > H04L67/025 for remote control or remote monitoring of applications
    • H04L67/00 > H04L67/01 Protocols > H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/00 > H04L67/14 Session management
    • H04L67/00 > H04L67/2866 Architectures; Arrangements
    • H04L67/00 > H04L67/30 Profiles

Abstract

The application discloses a method for monitoring the network behavior of an intranet computer. A preset program is transmitted to a target remote device; the program captures network traffic, matches the packets in that traffic against a protocol feature library to determine the protocol type, parses the traffic further to obtain network communication session data, and finally returns the result to a target address through a data return function. The method is a passive security monitoring scheme: it can identify the communication protocols and network behavior of the target remote device without the device's user being aware of it, thereby uncovering security weaknesses of the intranet, judging whether an intranet device is engaged in illegal network behavior, and helping to improve the defensive capability of the whole network. The application also provides an intranet computer network behavior monitoring apparatus, a device and a readable storage medium whose technical effects correspond to those of the method.

Description

Intranet computer network behavior monitoring method, device and equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for monitoring network behavior of an intranet computer.
Background
With the rise of new threats and attacks such as APT, malicious cryptomining and ransomware, network threats are evolving rapidly, and the diversification of attack techniques and channels places higher demands on the analysis and handling capacity of network security personnel. Enterprises and organizations also need to identify security weaknesses inside their intranets, not only guard against external attacks, in order to discover and respond to these new threats.
Internal network security incidents occur in large numbers, yet enterprises still find it hard to pay attention to them. Enterprise managers may assume that attackers all come from the outside; in fact, the internal network is exactly where many enterprises struggle to obtain enough visibility, and many attacks begin with internal staff, whether deliberately or through careless misoperation, or with an intruder who has taken control of an intranet device and carries out illegal actions under an ordinary user identity.
At present there are two main kinds of intranet security monitoring scheme: remote vulnerability scanning systems on the one hand, and network behavior auditing systems, network intrusion detection systems or network intrusion prevention systems on the other.
A remote vulnerability scanning system is an active scanning method. It can identify which vulnerabilities exist in the system software or application software of a target host, but it cannot identify the detailed network session information of the target device, nor any vulnerabilities or violations other than the known vulnerabilities it scans for.
Network intrusion detection and prevention systems are network protection devices deployed by enterprises or organizations. They mainly monitor external threats by means of preset rules, and intercept malicious traffic and block attacks by means of built-in libraries of known attack signatures and vulnerabilities. Such rule-based detection handles most threats but cannot capture the violations of internal personnel.
A network behavior auditing system can have part of its audit records of illegal behavior modified or deleted because administrator privileges are too broad, and since internal staff know the enterprise's defenses, the auditing system is easily bypassed when they engage in malicious activity.
In summary, the reliability of current intranet security monitoring schemes is low, and how to provide an intranet security monitoring scheme that improves intranet security is a problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide an intranet computer network behavior monitoring method, apparatus, device and readable storage medium, in order to solve the problem that current intranet security monitoring schemes are of low reliability. The specific scheme is as follows:
in a first aspect, the present application provides a method for monitoring network behavior of an intranet computer, comprising:
transmitting a preset program to a target remote device;
collecting network traffic of the target remote device using the preset program to obtain a traffic collection result;
matching the packets in the traffic collection result against a preset protocol feature library using the preset program, and determining the protocol type used by the target remote device for network communication;
parsing the traffic collection result using the preset program according to the protocol specification of that protocol type to obtain network session data of the target remote device;
and transmitting the network session data to a target address using the preset program.
Preferably, before collecting the network traffic of the target remote device using the preset program to obtain a traffic collection result, the method further includes:
performing self-concealment processing on the preset program.
Preferably, before transmitting the network session data to the target address using the preset program, the method further includes:
splitting the network session data into volumes, encrypting it and compressing it using the preset program.
Preferably, transmitting the preset program to the target remote device includes:
transmitting the preset program together with a configuration file containing program operation parameters to the target remote device, where the program operation parameters include: the traffic collection frequency, the traffic parsing frequency, the time at which network session data is returned, and the target address to which network session data is returned.
Preferably, the configuration file further includes a monitoring termination condition, and after transmitting the network session data to the target address using the preset program, the method further includes:
if the monitoring termination condition is met, using the preset program to clean up its files.
Preferably, the configuration file further includes the target protocol type to be monitored, and parsing the traffic collection result according to the protocol specification of the protocol type to obtain the network session data of the target remote device includes:
parsing the traffic collection result according to the protocol specification of the protocol type to obtain the network session data of the target remote device if, and only if, the protocol type is the target protocol type.
Preferably, after transmitting the preset program to the target remote device, the method further includes:
if the preset program runs abnormally, generating a log record with the preset program and transmitting the log record to the target address.
In a second aspect, the present application provides an intranet computer network behavior monitoring apparatus, including:
a program transmission module, for transmitting a preset program to a target remote device;
a traffic collection module, for collecting network traffic of the target remote device using the preset program to obtain a traffic collection result;
a protocol identification module, for matching the packets in the traffic collection result against a preset protocol feature library using the preset program and determining the protocol type used by the target remote device for network communication;
a traffic parsing module, for parsing the traffic collection result using the preset program according to the protocol specification of the protocol type to obtain the network session data of the target remote device;
a result return module, for transmitting the network session data to a target address using the preset program.
In a third aspect, the present application provides an intranet computer network behavior monitoring device, comprising:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the steps of the intranet computer network behavior monitoring method described above.
In a fourth aspect, the present application provides a readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the intranet computer network behavior monitoring method described above.
The application provides a method for monitoring the network behavior of an intranet computer, which comprises the following steps: transmitting a preset program to a target remote device; collecting network traffic of the target remote device using the preset program to obtain a traffic collection result; matching the packets in the traffic collection result against a preset protocol feature library using the preset program, and determining the protocol type used by the target remote device for network communication; parsing the traffic collection result using the preset program according to the protocol specification of the protocol type to obtain network session data of the target remote device; and transmitting the network session data to the target address using the preset program.
Thus, the method transmits a preset program to the target remote device, captures network traffic remotely, matches the packets in that traffic against a protocol feature library to obtain the protocol type used for network communication, parses the traffic further to obtain network communication session data, and then returns the result to the target address through a data return function. The method is a passive security monitoring scheme: it can identify the communication protocols and network behavior of the target remote device without the user on the target remote device's side being aware of it, thereby uncovering security weaknesses of the intranet and judging whether an intranet device is engaged in illegal network behavior, which helps improve the defensive capability of the whole network.
In addition, the application also provides an intranet computer network behavior monitoring apparatus, a device and a readable storage medium, whose technical effects correspond to those of the method and are not repeated here.
Drawings
For a clearer explanation of the embodiments or technical solutions of the prior art of the present application, the drawings needed for the description of the embodiments or prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart illustrating a first implementation of a method for monitoring network behavior of an intranet computer provided in the present application;
fig. 2 is a schematic process diagram of a second embodiment of the intranet computer network behavior monitoring method provided in the present application;
fig. 3 is a flowchart illustrating operation of a preset program in a second embodiment of a method for monitoring network behavior of an intranet computer provided by the present application;
fig. 4 is a functional block diagram of an embodiment of an intranet computer network behavior monitoring apparatus provided in the present application.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Generally, network traffic monitoring is implemented by deploying devices at the entrances and exits of the enterprise network and capturing traffic from switches, for example an internet access behavior auditing system or a network intrusion detection system. These are network security monitoring systems that enterprises deploy actively, and their reliability is poor.
The application provides an intranet computer network behavior monitoring method, apparatus, device and readable storage medium, which can carry out remote monitoring, check whether the intranet is vulnerable, and judge whether an intranet target device is engaged in illegal network behavior. The scheme provided by the application can be used in enterprise penetration testing and enterprise internal network security assessment.
Referring to fig. 1, a first embodiment of the intranet computer network behavior monitoring method provided by the present application is described as follows:
S101, transmitting a preset program to a target remote device;
Specifically, a file transfer tool is used on the source host to transfer the preset program to the target remote device, which is an intranet device.
When the preset program is transmitted, the program operation parameters can be placed in a configuration file that is transmitted together with the preset program. The program operation parameters, that is, the parameters the preset program runs with, include but are not limited to: which protocol or protocols' traffic is collected and monitored; at what times traffic is captured; how many times traffic parsing is performed; at what times the parsing results are returned; the address to which the parsing results are returned (the target address referred to below); the time at which to stop running; whether application-layer request and response content is parsed; and so on.
It will be appreciated that if no configuration file containing program operation parameters is transmitted, the preset program runs with default parameters, that is, the default values of those parameters.
S102, collecting network traffic of the target remote device using the preset program to obtain a traffic collection result;
Specifically, the preset program on the target remote device is started from the source host using a remote start tool. If the target device runs Windows, the sc and wmic tools can be used (both need administrative credentials valid on the target); if it runs Linux or Unix, the program can be started after logging in remotely via telnet or ssh, or after taking control of the remote target device with another remote control tool. This embodiment does not limit the choice of tool.
Network traffic collection means that the preset program captures the network traffic on the network interface card of the target remote device. In practice, all traffic can be captured, or only traffic of specified protocol types, according to the corresponding configuration parameters.
The output data contains the key information of the target device's network communication sessions: source IP, destination IP, source port, destination port, source MAC address, destination MAC address, request time and protocol type, which can be analyzed further by the protocol parsing module as needed.
S103, matching the packets in the traffic collection result against a preset protocol feature library using the preset program, and determining the protocol type used by the target remote device for network communication;
Specifically, the network traffic captured from the network interface card is matched, packet by packet, against the protocol feature library to obtain the protocol types used in the target remote device's network communication.
The protocol feature library contains feature description information for a variety of common protocols, including but not limited to: the port numbers commonly used by each protocol, its request and response keywords, and its returned status codes. In implementation, the protocol feature library can be built into the program or kept independent of it in the form of a configuration file.
S104, parsing the traffic collection result using the preset program according to the protocol specification of the protocol type to obtain the network session data of the target remote device;
According to the protocol specification, the session information of the two communicating parties is parsed out of the network traffic data. The network session data may include: source IP, destination IP, source port, destination port, source MAC address, destination MAC address, request time, protocol type, and so on. In practice, the network request content and response content can be parsed further as needed.
S105, transmitting the network session data to a target address using the preset program.
Specifically, the network session data is transmitted to the receiving address specified by the source host, which can be preset in the configuration file of the preset program. Tools such as FTP or curl can be used for the actual transmission.
It is to be understood that the target address may be the source host or another device that is not the source host, for example a dedicated data analysis and processing device; this embodiment does not limit it.
The intranet computer network behavior monitoring method provided by this embodiment transmits a preset program to a target remote device, captures network traffic remotely, matches the packets in that traffic against a protocol feature library to obtain the protocol type used for network communication, parses the traffic further to obtain network communication session data, and returns the result to a target address through a data return function. The method is a passive security monitoring scheme: it can identify the communication protocols and network behavior of the target remote device without the user on the target remote device's side being aware of it, thereby uncovering security weaknesses of the intranet and judging whether an intranet device is engaged in illegal network behavior, which helps improve the defensive capability of the whole network.
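As an added example that is not part of the patent, the following Python code carries steps S102 to S104 through on constructed Ethernet/IPv4/TCP frames: a feature library of the kind described above (commonly used ports plus request and response keywords), protocol identification, and extraction of exactly the session fields the text lists. The library contents, the frames, the addresses and the `target_protocols` filter (standing in for the configuration file's target protocol type) are all assumptions. It also records something the text does not distinguish: whether a protocol label rests on a payload keyword or only on a port number, since a port number alone says nothing about what is actually listening there.

```python
import ipaddress
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed feature-library layout (the text only says it holds common ports,
# request/response keywords and status codes): usual ports plus the byte
# patterns that open a request or response.
FEATURE_LIBRARY = {
    "http": {"ports": {80, 8080}, "keywords": (b"GET ", b"POST ", b"HEAD ", b"HTTP/1.")},
    "ssh":  {"ports": {22},       "keywords": (b"SSH-",)},
    "ftp":  {"ports": {21},       "keywords": (b"220 ", b"USER ", b"PASS ")},
}


@dataclass
class Session:
    time: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    evidence: str  # "keyword" (payload matched), "port" (port number only) or "none"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def identify_protocol(src_port: int, dst_port: int, payload: bytes):
    """A payload keyword beats a port number, so a service moved to an odd port
    is still labelled correctly, and a port-only label is marked as weaker."""
    for name, feat in FEATURE_LIBRARY.items():
        if payload.startswith(feat["keywords"]):
            return name, "keyword"
    for name, feat in FEATURE_LIBRARY.items():
        if src_port in feat["ports"] or dst_port in feat["ports"]:
            return name, "port"
    return "unknown", "none"


def parse_frame(frame: bytes, ts: float):
    """Ethernet II / IPv4 / TCP only; anything else yields None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or total_len > len(ip) or total_len < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]          # skip the TCP header (data offset)
    protocol, evidence = identify_protocol(src_port, dst_port, payload)
    return Session(
        time=datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        src_mac=mac_str(frame[6:12]), dst_mac=mac_str(frame[:6]),
        src_ip=str(ipaddress.IPv4Address(ip[12:16])),
        dst_ip=str(ipaddress.IPv4Address(ip[16:20])),
        src_port=src_port, dst_port=dst_port, protocol=protocol, evidence=evidence,
    )


def collect(frames, ts: float, target_protocols=None):
    """Parse, identify and keep only the configured target protocols
    (None keeps everything, the behaviour without a configuration file)."""
    sessions = [parse_frame(f, ts) for f in frames]
    return [s for s in sessions
            if s is not None and (target_protocols is None or s.protocol in target_protocols)]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed test frame with minimal headers and zero checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed) + tcp
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + b"\x08\x00" + ip)


# Constructed sample traffic: HTTP on 80, an SSH banner on a non-standard port,
# and a bare connection to 4444 that no feature matches.
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.5", "10.0.0.9", 50001, 80,
                b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:03", "10.0.0.5", "10.0.0.20", 50002, 2222,
                b"SSH-2.0-OpenSSH_8.9\r\n"),
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:04", "10.0.0.5", "10.0.0.77", 50003, 4444,
                b""),
]

if __name__ == "__main__":
    for session in collect(SAMPLE_FRAMES, 1_700_000_000.0):
        print(session)
```

Run directly, it prints the three sessions: the SSH banner on port 2222 is labelled `ssh` from its payload, while the connection to port 4444 with no payload stays `unknown`, which is the kind of record the receiving side should flag rather than drop.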
The second embodiment of the intranet computer network behavior monitoring method provided by the present application is described in detail below. It is implemented on the basis of the first embodiment and extends it to some degree.
Specifically, in this embodiment the preset program can conceal itself; the target address is set to a data receiving module on the source host side; before the network session data is transmitted to the data receiving module, it can be split into volumes, encrypted and compressed, so that transmission time is saved while the security of the data is ensured; and several operation parameters of the preset program are configured through the configuration file.
As shown in fig. 2, the overall workflow of this embodiment includes:
(1) The source host uploads the preset program to the target device.
(2) The preset program is started remotely.
(3) The preset program runs and:
conceals its own process;
outputs result data as it runs;
processes the output data, including splitting it into volumes, encrypting and compressing it;
returns the processed result data;
and, if the condition for stopping is met, stops running and, once the data return is complete, cleans up its files.
(4) The source host receives the data through the data receiving module.
(5) The data receiving module processes the received data and stores it in a database.
(6) The source host performs operations such as data queries and data backup scheduling through the data management module.
Thus, in this embodiment, once the preset program has started it mainly does the following: self-concealment; according to the operation parameters, traffic collection, protocol identification and protocol parsing in turn, outputting network session data; and splitting of that data into volumes, encryption and compression, after which the data return module sends it to the data receiving module on the source host side.
Self-concealment means that, because this embodiment may be used for penetration testing or for checking whether internal personnel have performed illegal operations, the protocol identification program must hide its running process, its parameter file and its output file: using a hiding tool or a programming technique it makes the running process and the files it reads and writes invisible to the user, or it changes its process name to masquerade as a system process.
In addition, if the preset program encounters an abnormality while running, it can output abnormality log information, which is also treated as an output result and sent by the data return module to the data receiving module.
The data receiving module on the source host side is responsible for receiving the network session data sent by the data return module and processing it, including decompression, decryption and merging. After processing, as shown in fig. 2, the data is passed on to the data management module, which stores it in a database. The data management module also provides a data query function, called by the source host, through which the protocol identification results and the abnormality log information of the protocol identification program can be queried.
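An added example of the data management side described above, not the patent's own code: returned session records are stored with sqlite3 and queried to answer the question the application poses, whether a device shows network behavior outside policy. The schema, the policy table of approved protocol/port pairs, and the records are constructed for the example; the patent specifies none of them.

```python
import sqlite3

# Assumed schema; the patent names no fields beyond those of the session data.
SCHEMA = """
CREATE TABLE session (
    time TEXT, src_ip TEXT, dst_ip TEXT, src_port INTEGER, dst_port INTEGER,
    protocol TEXT, evidence TEXT
);
CREATE TABLE policy (protocol TEXT, port INTEGER);
"""

# Constructed records in the patent's session-data field order; 'evidence'
# says whether the protocol was identified from payload keywords or port only.
SAMPLE_SESSIONS = [
    ("2023-11-14T22:13:20Z", "10.0.0.5", "10.0.0.9",  50001, 80,   "http",    "keyword"),
    ("2023-11-14T22:13:21Z", "10.0.0.5", "10.0.0.20", 50002, 2222, "ssh",     "keyword"),
    ("2023-11-14T22:13:22Z", "10.0.0.5", "10.0.0.77", 50003, 4444, "unknown", "none"),
    ("2023-11-14T22:13:23Z", "10.0.0.5", "10.0.0.21", 50004, 21,   "ftp",     "port"),
    ("2023-11-14T22:13:24Z", "10.0.0.5", "10.0.0.9",  50005, 80,   "http",    "keyword"),
]
# Constructed policy: the (protocol, destination port) pairs this intranet approves.
SAMPLE_POLICY = [("http", 80), ("http", 8080), ("ssh", 22), ("ftp", 21)]


def open_db(sessions=SAMPLE_SESSIONS, policy=SAMPLE_POLICY) -> sqlite3.Connection:
    """Load received records and the policy into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO session VALUES (?,?,?,?,?,?,?)", sessions)
    conn.executemany("INSERT INTO policy VALUES (?,?)", policy)
    conn.commit()
    return conn


def protocol_summary(conn):
    """Protocols seen on the target, most frequent first."""
    return conn.execute(
        "SELECT protocol, COUNT(*) FROM session GROUP BY protocol "
        "ORDER BY COUNT(*) DESC, protocol").fetchall()


def suspect_sessions(conn):
    """Sessions whose (protocol, destination port) pair is not approved, or
    whose protocol could not be identified at all."""
    return conn.execute("""
        SELECT s.time, s.dst_ip, s.dst_port, s.protocol,
               CASE WHEN s.protocol = 'unknown' THEN 'unidentified protocol'
                    ELSE 'protocol on unapproved port' END AS reason
        FROM session AS s
        LEFT JOIN policy AS p ON p.protocol = s.protocol AND p.port = s.dst_port
        WHERE p.protocol IS NULL
        ORDER BY s.time""").fetchall()


def weakly_identified(conn):
    """Sessions labelled from the port number alone; the label deserves a second
    look, since a port proves nothing about what actually runs behind it."""
    return conn.execute(
        "SELECT time, dst_ip, dst_port, protocol FROM session "
        "WHERE evidence = 'port' ORDER BY time").fetchall()


if __name__ == "__main__":
    db = open_db()
    print("protocols:", protocol_summary(db))
    for row in suspect_sessions(db):
        print("suspect:", *row)
    for row in weakly_identified(db):
        print("confirm:", *row)
```

`suspect_sessions` left-joins each session against the approved pairs, so a known protocol on an unapproved port (SSH on 2222) and an unidentified protocol (port 4444) both surface; `weakly_identified` lists the sessions an analyst should confirm before acting on, because their label rests on a port number alone.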
The logic of the preset program is described in detail below. As shown in fig. 3, the preset program mainly implements the following functions: self-concealment, traffic collection, protocol identification, protocol parsing, output data processing, data return and file cleanup.
In the traffic collection step, network traffic is captured on the network interface card of the target remote device to obtain a traffic collection result.
In the protocol identification step, the packets in the traffic collection result are matched against the preset protocol feature library to determine the protocol type used by the target remote device for network communication.
In the protocol parsing step, the traffic collection result is parsed according to the protocol specification of that protocol type to obtain the network session data of the target remote device.
The output data processing step processes the network session data, by splitting it into volumes, encrypting and compressing it, before it is transmitted back to the database accessible to the source host. Splitting into volumes is needed because the protocol identification program running on the target device outputs result data continuously, so the output has to be divided and transmitted in multiple batches.
In the data return step, the processed data is transmitted by the data return module to the data receiving module on the source host side.
In the file cleanup step, the preset program stops running when it reaches the end-of-run time or the monitoring termination condition, and deletes the program itself, the configuration parameter file and the other files it created.
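As an added example (not the patent's code) of the output data processing step and of its counterpart in the data receiving module described earlier, the following Python code splits session data into volumes, compresses and encrypts each one, and on the receiving side verifies, decrypts, decompresses and merges them. Two points are made explicit that the text leaves open. The text lists "volume division, encryption and compression"; here compression runs before encryption, because ciphertext does not compress. And the text says nothing about integrity, so each volume carries a stream identifier, a sequence number, the volume count and a MAC over header and ciphertext, which lets the receiver detect a corrupted, replayed, duplicated, misordered or missing volume instead of silently merging bad data. The cipher is a stand-in built from HMAC-SHA256 in counter mode so the file runs with the standard library only; a real deployment would use AES-GCM or ChaCha20-Poly1305. Key, stream identifier, volume size and sample records are assumptions.

```python
import hashlib
import hmac
import os
import struct
import zlib

VOLUME_SIZE = 4096          # assumed split size; the text fixes none
HEADER_LEN = 16 + 8 + 16    # stream id + (seq, total) + nonce
TAG_LEN = 32                # HMAC-SHA256


def derive_keys(master: bytes):
    """Separate encryption and MAC keys from one shared secret."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 over (nonce, counter) blocks."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def pack_volumes(session_data: bytes, master_key: bytes, stream_id: bytes) -> list:
    """Sender side: split, compress each volume, encrypt it, then MAC header and
    ciphertext together (encrypt-then-MAC). The header binds the volume to its
    stream and position, so the receiver can tell a missing or replayed volume
    from a merely corrupted one."""
    if len(stream_id) != 16:
        raise ValueError("stream id must be 16 bytes")
    enc_key, mac_key = derive_keys(master_key)
    chunks = [session_data[i:i + VOLUME_SIZE]
              for i in range(0, len(session_data), VOLUME_SIZE)] or [b""]
    volumes = []
    for seq, chunk in enumerate(chunks):
        nonce = os.urandom(16)
        compressed = zlib.compress(chunk)           # before encryption, on purpose
        body = xor(compressed, keystream(enc_key, nonce, len(compressed)))
        header = stream_id + struct.pack("!II", seq, len(chunks)) + nonce
        tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        volumes.append(header + body + tag)
    return volumes


def unpack_volumes(volumes, master_key: bytes, stream_id: bytes) -> bytes:
    """Receiver side: check the tag before touching the body, decrypt,
    decompress, merge strictly by sequence number. Tampering, a foreign stream,
    a duplicate or a missing volume all raise ValueError."""
    enc_key, mac_key = derive_keys(master_key)
    pieces, total = {}, None
    for vol in volumes:
        if len(vol) < HEADER_LEN + TAG_LEN:
            raise ValueError("truncated volume")
        header, body, tag = vol[:HEADER_LEN], vol[HEADER_LEN:-TAG_LEN], vol[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(mac_key, header + body, hashlib.sha256).digest()):
            raise ValueError("bad MAC")
        if header[:16] != stream_id:
            raise ValueError("volume from another stream")
        seq, count = struct.unpack("!II", header[16:24])
        nonce = header[24:40]
        total = count if total is None else total
        if count != total or seq >= total or seq in pieces:
            raise ValueError(f"bad sequence {seq}/{count}")
        pieces[seq] = zlib.decompress(xor(body, keystream(enc_key, nonce, len(body))))
    if total is None or len(pieces) != total:
        raise ValueError("missing volumes")
    return b"".join(pieces[i] for i in range(total))


def rejected(volumes, master_key: bytes, stream_id: bytes) -> bool:
    """True if the receiver refuses this set of volumes."""
    try:
        unpack_volumes(volumes, master_key, stream_id)
    except ValueError:
        return True
    return False


def tamper_detected(volumes, master_key: bytes, stream_id: bytes) -> bool:
    """Flip one ciphertext byte of the last volume; the receiver must refuse it."""
    bad = bytearray(volumes[-1])
    bad[HEADER_LEN] ^= 0x01
    return rejected(volumes[:-1] + [bytes(bad)], master_key, stream_id)


# Constructed sample: session records as the preset program would emit them,
# repeated to span several volumes. Key and stream id are dummies.
SAMPLE_RECORDS = b"\n".join(
    b"2023-11-14T22:13:20Z 10.0.0.5:50001 -> 10.0.0.9:80 http" for _ in range(200))
MASTER_KEY = b"example-shared-secret-not-for-real-use"
STREAM_ID = b"\x01" * 16

if __name__ == "__main__":
    vols = pack_volumes(SAMPLE_RECORDS, MASTER_KEY, STREAM_ID)
    ok = unpack_volumes(vols, MASTER_KEY, STREAM_ID) == SAMPLE_RECORDS
    print(len(vols), "volumes, round trip ok:", ok,
          "| tampering rejected:", tamper_detected(vols, MASTER_KEY, STREAM_ID))
```

Because the receiver merges by sequence number rather than arrival order, volumes may be returned in any order and over several connections, which is what the text's "multiple batches" requires; what it must never do is accept a volume whose tag, stream identifier or position does not check out.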
Thus, the intranet computer network behavior monitoring method provided by this embodiment integrates techniques such as process information hiding, traffic capture, protocol identification, traffic parsing and encryption, and so achieves the purpose of identifying the communication protocols and network behavior of a remote device.
The intranet computer network behavior monitoring apparatus provided in the embodiments of the present application is introduced below; the apparatus described here and the method described above may be referred to each other correspondingly.
As shown in fig. 4, the intranet computer network behavior monitoring apparatus of this embodiment includes:
a program transmission module 401, for transmitting a preset program to a target remote device;
a traffic collection module 402, for collecting network traffic of the target remote device using the preset program to obtain a traffic collection result;
a protocol identification module 403, for matching the packets in the traffic collection result against a preset protocol feature library using the preset program and determining the protocol type used by the target remote device for network communication;
a traffic parsing module 404, for parsing the traffic collection result using the preset program according to the protocol specification of the protocol type to obtain the network session data of the target remote device;
a result return module 405, for transmitting the network session data to a target address using the preset program.
The intranet computer network behavior monitoring apparatus of this embodiment is used to implement the intranet computer network behavior monitoring method, so its specific implementation can be found in the foregoing method embodiments; for example, the program transmission module 401, the traffic collection module 402, the protocol identification module 403, the traffic parsing module 404 and the result return module 405 implement steps S101, S102, S103, S104 and S105 of the method respectively. Their specific embodiments are therefore described in the corresponding parts above and are not repeated here.
Likewise, since the apparatus of this embodiment implements the foregoing method, its effects correspond to those of the method and are not described again here.
In addition, the present application further provides an intranet computer network behavior monitoring device, comprising:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the steps of the intranet computer network behavior monitoring method described above.
Finally, the present application provides a readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the intranet computer network behavior monitoring method described above.
The embodiments are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts among the embodiments can be referred to one another. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points can be found in the description of the method.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The solutions provided in the present application have been described in detail above. The specific examples herein are set forth to explain the principles and implementations of the present application, and the description of the examples is only meant to help understand the method of the present application and its core ideas. A person skilled in the art may, following the ideas of the present application, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. An intranet computer network behavior monitoring method, comprising:
transmitting a preset program to a target remote device;
collecting network traffic of the target remote device by using the preset program, to obtain a traffic collection result;
matching the messages in the traffic collection result against a preset protocol feature library by using the preset program, and determining the protocol type used by the target remote device for network communication;
parsing the traffic collection result by using the preset program according to the protocol specification of the protocol type, to obtain network session data of the target remote device;
and transmitting the network session data to a target address by using the preset program.
2. The method of claim 1, wherein before collecting network traffic of the target remote device by using the preset program to obtain the traffic collection result, the method further comprises:
performing self-concealment processing on the preset program.
3. The method of claim 1, wherein before transmitting the network session data locally using the preset program, the method further comprises:
splitting the network session data into volumes, encrypting it and compressing it by using the preset program.
4. The method of claim 1, wherein transmitting the preset program to the target remote device comprises:
transmitting the preset program and a configuration file containing program operation parameters to the target remote device, wherein the program operation parameters comprise: a traffic collection frequency, a traffic parsing frequency, a network session data return time, and a target address for the returned network session data.
5. The method of claim 4, wherein the configuration file further comprises a monitoring termination condition, and after transmitting the network session data to the target address using the preset program, the method further comprises:
if the monitoring termination condition is met, cleaning up the files by using the preset program.
6. The method of claim 4, wherein the configuration file further comprises a target protocol type to be monitored, and parsing the traffic collection result according to the protocol specification of the protocol type to obtain the network session data of the target remote device comprises:
parsing the traffic collection result according to the protocol specification of the protocol type to obtain the network session data of the target remote device if and only if the protocol type is the target protocol type.
7. The method of any one of claims 1-6, further comprising, after transmitting the preset program to the target remote device:
if the preset program runs abnormally, generating a log record by using the preset program and transmitting the log record to a target address.
8. An intranet computer network behavior monitoring apparatus, comprising:
a program transmission module: configured to transmit a preset program to a target remote device;
a traffic collection module: configured to collect network traffic of the target remote device by using the preset program, to obtain a traffic collection result;
a protocol identification module: configured to match the messages in the traffic collection result against a preset protocol feature library by using the preset program, and to determine the protocol type used by the target remote device for network communication;
a traffic parsing module: configured to parse the traffic collection result by using the preset program according to the protocol specification of the protocol type, to obtain the network session data of the target remote device;
a result return module: configured to transmit the network session data to a target address by using the preset program.
9. An intranet computer network behavior monitoring device, comprising:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the steps of the intranet computer network behavior monitoring method according to any one of claims 1-7.
10. A readable storage medium, characterized in that the readable storage medium stores a computer program which, when executed by a processor, implements the steps of the intranet computer network behavior monitoring method according to any one of claims 1-7.
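The protocol-identification and parsing steps of claim 1 and the target-protocol filter of claim 6, worked through as an added Python example that is not code from the patent or its applicant. The feature library, the simplified HTTP and SSH parsers and the sample messages are all constructed assumptions; a real deployment would match against a much larger signature library and parse full protocol state.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed "preset protocol feature library" (assumption: one regex per
# protocol type, anchored at the start of a message payload).
PROTOCOL_FEATURES = {
    "http": re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-2\.0-\S+"),
}

def identify_protocol(payload: bytes) -> Optional[str]:
    """Match one message against the feature library; None if nothing hits."""
    for proto, feature in PROTOCOL_FEATURES.items():
        if feature.match(payload):
            return proto
    return None

def parse_session(proto: str, payload: bytes) -> Dict[str, Optional[str]]:
    """Parse a message per a (simplified) protocol spec into session data."""
    if proto == "http":
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        request_line, *header_lines = head.split("\r\n")
        method, path, _version = request_line.split(" ", 2)
        headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
        return {"protocol": proto, "method": method, "path": path,
                "host": headers.get("Host")}
    if proto == "ssh":
        banner = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"protocol": proto, "client_banner": banner}
    raise ValueError(f"no parser for protocol type {proto!r}")

def process_capture(messages: Iterable[bytes], target_protocols: set) -> Tuple[List[dict], int]:
    """Parse a message if and only if its protocol type is a target type
    (the claim 6 filter); returns (session records, skipped message count)."""
    records, skipped = [], 0
    for payload in messages:
        proto = identify_protocol(payload)
        if proto is None or proto not in target_protocols:
            skipped += 1  # unknown protocol or not a monitored type
            continue
        records.append(parse_session(proto, payload))
    return records, skipped

# Constructed sample messages; not captured from any real device.
SAMPLE_MESSAGES = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: x\r\n\r\n",
    b"SSH-2.0-OpenSSH_8.9\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",  # start of a TLS record: no feature
]
```

Calling `process_capture(SAMPLE_MESSAGES, {"http", "ssh"})` yields two session records and one skipped message; narrowing the target set to `{"http"}` drops the SSH banner as well, which is the claim 6 behaviour.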

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010779509.6A CN111885087A (en) 2020-08-05 2020-08-05 Intranet computer network behavior monitoring method, device and equipment

Publications (1)

Publication Number Publication Date
CN111885087A true CN111885087A (en) 2020-11-03

Family

ID=73212044

Country Status (1)

Country Link
CN (1) CN111885087A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582883A (en) * 2009-06-26 2009-11-18 西安电子科技大学 System and method for managing security of general network
CN102480749A (en) * 2010-11-25 2012-05-30 中国移动通信集团浙江有限公司 Method, device and system for remotely collecting host process information
CN107179979A (en) * 2016-03-10 2017-09-19 阿里巴巴集团控股有限公司 A kind of acquisition of remote terminal information, analysis method, apparatus and system
CN107426159A (en) * 2017-05-03 2017-12-01 成都国腾实业集团有限公司 APT based on big data analysis monitors defence method
CN110995538A (en) * 2019-12-03 2020-04-10 北京博睿宏远数据科技股份有限公司 Network data acquisition method, device, system, equipment and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113286295A (en) * 2021-05-11 2021-08-20 博瑞得科技有限公司 Centralized data forwarding method and device and computer readable storage medium
CN114598509A (en) * 2022-02-23 2022-06-07 烽台科技(北京)有限公司 Method and device for determining vulnerability result
CN114598509B (en) * 2022-02-23 2023-06-20 烽台科技(北京)有限公司 Method and device for determining vulnerability result

Similar Documents

Publication Publication Date Title
Panjwani et al. An experimental evaluation to determine if port scans are precursors to an attack
Pilli et al. Network forensic frameworks: Survey and research challenges
US8042182B2 (en) Method and system for network intrusion detection, related network and computer program product
US11080392B2 (en) Method for systematic collection and analysis of forensic data in a unified communications system deployed in a cloud environment
US20050216764A1 (en) Systems and methods for dynamic threat assessment
GB2382283A (en) a three-layered intrusion prevention system for detecting network exploits
CN111885087A (en) Intranet computer network behavior monitoring method, device and equipment
Gupta et al. Vulnerable network analysis using war driving and security intelligence
CN113411295A (en) Role-based access control situation awareness defense method and system
CA2471055A1 (en) A network security enforcement system
CN112217777A (en) Attack backtracking method and equipment
CN116132989B (en) Industrial Internet security situation awareness system and method
US11271959B2 (en) Method and apparatus for combining a firewall and a forensics agent to detect and prevent malicious software activity
CN111049853A (en) Security authentication system based on computer network
CN114205169B (en) Network security defense method, device and system
CN116319028A (en) Rebound shell attack interception method and device
KR101551537B1 (en) Information spill prevention apparatus
KR20190134287A (en) security provenance providing system for providing of the root cause of security problems and the method thereof
Chen et al. Active event correlation in Bro IDS to detect multi-stage attacks
Sourour et al. Ensuring security in depth based on heterogeneous network security technologies
Fanfara et al. Autonomous hybrid honeypot as the future of distributed computer systems security
CN107124390B (en) Security defense and implementation method, device and system of computing equipment
D'Agostino et al. Toward Pinpointing Data Leakage from Advanced Persistent Threats
Asokan et al. A Case Study Using National e-Government Portals to Investigate the Deployment of the Nmap Tool for Network Vulnerability Assessment
Perez Practical SIEM tools for SCADA environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201103