CN112272173A - Information analysis alarm method, device and storage medium - Google Patents

Information analysis alarm method, device and storage medium

Info

Publication number
CN112272173A
Authority
CN
China
Prior art keywords
information
identification rule
feedback
identifying
feedback information
Prior art date
Legal status
Pending
Application number
CN202011136922.7A
Other languages
Chinese (zh)
Inventor
Inventor not disclosed
Current Assignee
Suzhou Simawei Technology Co ltd
Original Assignee
Suzhou Simawei Technology Co ltd
Priority date
2020-10-22
Filing date
2020-10-22
Publication date
2021-01-26
Application filed by Suzhou Simawei Technology Co ltd
Priority to CN202011136922.7A
Publication of CN112272173A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an information analysis alarm method, an information analysis alarm device and a storage medium, relating to the technical field of information processing. The method comprises: acquiring traffic information at a gateway egress; storing the traffic information in a message queue (MQ); acquiring feedback information when the traffic information in the MQ is consumed; and issuing an alarm prompt according to the feedback information. This solves the problem in the prior art that only the content of access logs can be analyzed, which limits the applicable scenarios, and achieves non-intrusive analysis of real-time traffic with a more generally applicable technical solution.

Description

Information analysis alarm method, device and storage medium
Technical Field
The invention relates to the technical field of information processing, and in particular to an information analysis alarm method, an information analysis alarm device and a storage medium.
Background
When a user uses a network service, the user usually has to submit personal information. Some of this is sensitive information that must be kept confidential, and its leakage causes the user great trouble.
An existing scheme for preventing such leakage works as follows: extract HTTP (Hypertext Transfer Protocol) response information from the access log; detect whether the HTTP response information contains sensitive information of the database system; and if so, determine that the corresponding HTTP request points to a webshell. That scheme can therefore only analyze the HTTP responses that the business system has printed to its access logs.
Disclosure of Invention
In view of this, embodiments of the present invention provide an information analysis alarm method, apparatus and storage medium to solve the above problems in the prior art.
According to a first aspect, an embodiment of the present invention provides an information analysis alarm method, including:
acquiring traffic information at a gateway egress;
storing the traffic information in a message queue (MQ);
acquiring feedback information when consuming the traffic information from the MQ;
and issuing an alarm prompt according to the feedback information.
Optionally, issuing an alarm prompt according to the feedback information includes:
identifying characteristic information in the feedback information according to a preset identification rule, the preset identification rule being configured according to the needs of a preset alerting service;
and intercepting and/or raising an alarm according to the characteristic information.
Optionally, identifying characteristic information in the feedback information according to a preset identification rule includes:
identifying sensitive information in the feedback information according to the preset identification rule, the sensitive information including at least one of a name, identity information, a contact telephone number, a bank account number, an address, medical information and education information.
Optionally, intercepting and/or raising an alarm according to the characteristic information includes:
determining the information type of the identified sensitive information;
and pushing alarm information to the monitoring terminal corresponding to that information type.
Optionally, identifying characteristic information in the feedback information according to a preset identification rule includes:
identifying, according to the preset identification rule, characteristic information in the feedback information that characterizes a network attack.
Optionally, intercepting and/or raising an alarm according to the characteristic information includes:
raising an alarm or intercepting when characteristic information that characterizes a network attack is identified.
Optionally, acquiring traffic information at the gateway egress includes:
acquiring the traffic information of the HTTP traffic at the gateway egress.
In a second aspect, there is provided an information analysis alarm apparatus, the apparatus comprising a memory having at least one program instruction stored therein and a processor, the processor implementing the method according to the first aspect by loading and executing the at least one program instruction.
In a third aspect, there is provided a computer storage medium having stored therein at least one program instruction which is loaded and executed by a processor to implement the method of the first aspect.
By acquiring traffic information at the gateway egress, storing it in a message queue (MQ), acquiring feedback information when consuming the traffic information from the MQ, and issuing an alarm prompt according to the feedback information, the method solves the problem in the prior art that only the content of access logs can be analyzed, which limits the applicable scenarios: the real-time traffic can be analyzed non-intrusively and the technical solution is more generally applicable. In addition, storing the traffic information collected in real time in the MQ decouples collection from analysis, which supports the reliability and performance of the alarm method.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.
Drawings
Fig. 1 is a flowchart of a method for analyzing information and alarming according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" indicate orientations or positional relationships based on those shown in the drawings; they are used only for convenience and simplicity of description and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, and so should not be construed as limiting the present invention. Furthermore, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should also be noted that, unless otherwise explicitly specified or limited, the terms "mounted", "connected" and "coupled" are to be construed broadly: for example, as a fixed connection, a removable connection or an integral connection; as a mechanical or electrical connection; as a direct connection or an indirect connection through an intervening medium; or as the internal communication between two elements. The specific meanings of these terms in the present invention can be understood by those skilled in the art according to the specific case.
In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Referring to Fig. 1, which shows a flowchart of an information analysis alarm method according to an embodiment of the present application, the method includes:
Step 101, acquiring traffic information at a gateway egress;
The traffic information at each gateway egress can be collected in real time. In practice, the HTTP traffic at the gateway egress is collected in real time. Optionally, a traffic collection agent (proxy) can be deployed in each gateway, and each agent collects the Layer 7 HTTP traffic at its gateway egress.
Step 102, storing the traffic information in an MQ (message queue);
After the traffic information is collected, it is written to the MQ in the order in which it was collected.
Step 103, acquiring feedback information when consuming the traffic information from the MQ;
While consuming the traffic information in the MQ, the response returned to the user is captured; this response is the feedback information.
Step 104, issuing an alarm prompt according to the feedback information.
Once the feedback information is obtained, alarm prompt information can be issued according to it, for example through an alarm platform.
In practical implementation, the step may include:
Step 104a, identifying characteristic information in the feedback information according to a preset identification rule, the preset identification rule being configured according to the needs of a preset alerting service;
In practice, the information that has to be identified differs between application scenarios, and different information is identified in different ways, so the preset identification rule in this application can be a rule configured for the preset alerting service according to the alerts it requires. When several types of characteristic information have to be identified, the preset identification rule can include a separate rule for each type.
Depending on the application scenario, the characteristic information can be sensitive information or another type of information, for example attack characteristic information of a network attack, or customized characteristic information for other customized services; this is not limited here.
In one possible embodiment, when the method is used in an insurance service system, the sensitive information can include at least one of a name, identity information, a contact telephone number, a bank account number, an address, an insurance policy number, medical information and education information. The identity information can include an ID card number, passport number, social security account number or any other identifier of the user. When used in a banking system, the sensitive information can include a name, identity information, a contact telephone number, a bank account number, an address and so on. This embodiment does not limit the specific content. When the sensitive information includes an ID card number, the preset identification rule can be a rule that recognizes an 18-character string (the length of a PRC resident ID number); when it includes a bank account number, the preset identification rule can correspondingly include a rule that recognizes bank account numbers; this is not limited here.
In another possible embodiment, when the characteristic information is attack characteristic information that characterizes a network attack, the common features of network attacks can be determined using AI and big-data analysis, and the identification rule for recognizing those common features is generated from the features so determined; this is not limited here.
Step 104b, intercepting and/or raising an alarm according to the characteristic information.
After the characteristic information has been identified, interception and/or an alarm can be carried out according to it.
In summary, by acquiring traffic information at the gateway egress, storing it in a message queue (MQ), acquiring feedback information when consuming the traffic information from the MQ, and issuing an alarm prompt according to the feedback information, the method solves the problem in the prior art that only the content of access logs can be analyzed, which limits the applicable scenarios: the real-time traffic can be analyzed non-intrusively and the technical solution is more generally applicable. In addition, storing the traffic information collected in real time in the MQ decouples collection from analysis, which supports the reliability and performance of the alarm method.
In addition, a user-defined sampling rate can be supported when the traffic information is collected; the details are not repeated here.
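Steps 101 to 104 and the sampling rate above, as an added example that is not part of the patent and not code from Suzhou Simawei Technology Co ltd: a per-gateway collection agent that samples HTTP exchanges and publishes them to a bounded queue (queue.Queue standing in for the MQ), and a consumer that reads the queue, takes the response body as the feedback information, runs one placeholder identification rule and pushes findings to an alarm platform (a list here). The record format, the single mobile-number rule, the path-segment-to-microservice convention and the sample exchanges are all assumptions of this example. The detail a practitioner cares about is that the agent never waits on the queue: sampling is decided first and a full queue drops the record, so backpressure from analysis cannot stall the gateway, which is what makes the collection non-intrusive.

```python
"""Steps 101-104 as a pipeline: gateway-side agents sample HTTP exchanges at the
egress and publish them to a message queue; a separate consumer reads the queue,
takes the response returned to the user (the feedback information), runs the
identification rule and forwards findings to an alarm platform.
queue.Queue stands in for the MQ and a plain list for the alarm platform."""
import json
import queue
import random
import re
from dataclasses import asdict, dataclass
from typing import Callable, List


@dataclass
class Exchange:
    """One request/response pair observed at a gateway egress (assumed record format)."""
    gateway: str
    method: str
    path: str
    status: int
    response_body: str


class CollectionAgent:
    """Gateway-side tap. Sampling is decided before any work is done, and the agent
    never waits on the queue: a full queue drops the record, so analysis backpressure
    cannot stall the gateway (the non-intrusive property)."""

    def __init__(self, gateway: str, mq: queue.Queue, sample_rate: float = 1.0, seed: int = 0):
        self.gateway = gateway
        self.mq = mq
        self.sample_rate = sample_rate      # user-defined sampling rate in [0.0, 1.0]
        self.rng = random.Random(seed)      # seeded so runs are reproducible
        self.dropped = 0

    def observe(self, ex: Exchange) -> bool:
        """Return True if the exchange was published to the MQ."""
        if self.rng.random() >= self.sample_rate:
            return False                    # not sampled
        try:
            self.mq.put_nowait(json.dumps(asdict(ex)))
            return True
        except queue.Full:
            self.dropped += 1               # drop rather than block the gateway
            return False


# Placeholder identification rule (assumption): a PRC mobile-number pattern.
PHONE_RULE = re.compile(r"\b1[3-9]\d{9}\b")


def identify(response_body: str) -> List[str]:
    """Step 104a: return the types of characteristic information found in the response."""
    return ["contact_phone"] if PHONE_RULE.search(response_body) else []


class Consumer:
    """Steps 103 and 104: consume the MQ, treat the response as the feedback
    information, run identification and push findings to the alarm platform."""

    def __init__(self, mq: queue.Queue, identify_fn: Callable[[str], List[str]], alarm_platform: list):
        self.mq = mq
        self.identify_fn = identify_fn
        self.alarm_platform = alarm_platform

    def drain(self) -> int:
        """Consume until the queue is empty; return the number of records processed."""
        processed = 0
        while True:
            try:
                raw = self.mq.get_nowait()
            except queue.Empty:
                return processed
            ex = Exchange(**json.loads(raw))
            processed += 1
            types = self.identify_fn(ex.response_body)
            if types:
                # Assumed convention: the first path segment names the microservice
                # that produced the response, so the alarm can be routed to its owner.
                service = ex.path.strip("/").split("/")[0]
                self.alarm_platform.append(
                    {"gateway": ex.gateway, "service": service, "path": ex.path, "types": types})
            self.mq.task_done()


def run_pipeline(exchanges: List[Exchange], sample_rate: float = 1.0, maxsize: int = 1000):
    """Publish all exchanges through per-gateway agents, then drain the queue.
    Returns (alarms, number_of_dropped_records)."""
    mq: queue.Queue = queue.Queue(maxsize=maxsize)
    agents = {}
    for ex in exchanges:
        agent = agents.setdefault(ex.gateway, CollectionAgent(ex.gateway, mq, sample_rate))
        agent.observe(ex)
    alarms: list = []
    Consumer(mq, identify, alarms).drain()
    return alarms, sum(a.dropped for a in agents.values())


# Constructed sample traffic from two gateways (not real captures).
SAMPLE_EXCHANGES = [
    Exchange("gw-1", "GET", "/user/profile/42", 200, '{"name":"Li Si","phone":"13800138000"}'),
    Exchange("gw-2", "GET", "/catalog/items", 200, '{"items":[{"sku":"A1"}]}'),
    Exchange("gw-1", "POST", "/order/create", 201, '{"orderId":"20201022000001"}'),
]

if __name__ == "__main__":
    alarms, dropped = run_pipeline(SAMPLE_EXCHANGES)
    print(json.dumps(alarms, indent=2), "dropped:", dropped)
```

Running the module prints the alarm for the constructed profile response; lowering `maxsize` or `sample_rate` in `run_pipeline` shows records being dropped or skipped instead of the agent blocking.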
It should be added that, as discussed above, the characteristic information can be sensitive information or information that characterizes a network attack, so the two cases are described separately below.
In a first possible embodiment, when the identified characteristic information includes sensitive information, step 104a includes:
identifying sensitive information in the feedback information according to the preset identification rule, the sensitive information including at least one of a name, identity information, a contact telephone number, a bank account number, an address, medical information and education information.
Step 104b includes:
first, determining the information type of the identified sensitive information;
the information type being at least one of name, identity information, contact telephone number, bank account number, address, medical information and education information;
and second, pushing alarm information to the monitoring terminal corresponding to that information type.
In practice, different types of information can originate from different microservices. To help each microservice improve its functionality, once the information type has been determined the alarm prompt information can be pushed to the monitoring terminal corresponding to that type, which can be the terminal of the person responsible for that microservice.
For example, when there are two gateways, the traffic information of each gateway is collected by the traffic collection agent in that gateway and forwarded to the MQ. The traffic then enters the sensitive information processing service: the response is obtained when the MQ is consumed, the sensitive information in the response is identified automatically, the microservice and the responsible person corresponding to the sensitive information are determined, and an alarm is sent through the alarm platform. In practice more or fewer gateways can be included; this is not limited here. A possible flowchart of the information analysis alarm method is also provided.
By determining the information type of the sensitive information and pushing the alarm information to the monitoring terminal corresponding to that type, the responsible technicians learn of the alarm promptly, which in turn drives the correction of the corresponding service.
In a second possible embodiment, when the characteristic information is information that characterizes a network attack, step 104a includes:
identifying, according to the preset identification rule, characteristic information in the feedback information that characterizes a network attack.
As described above, when the characteristic information is attack characteristic information that characterizes a network attack, the common features of network attacks can be determined using AI and big-data analysis, and the identification rule for recognizing those common features is generated from the features so determined; this is not limited here. In practice the specific identification procedure of this step depends on the preset identification rule and is not enumerated here.
Step 104b includes:
raising an alarm or intercepting when characteristic information that characterizes a network attack is identified.
When the feedback information includes characteristic information that characterizes a network attack, there is a risk that the system is under attack; an alarm can then be raised, the response can be intercepted, or both at once.
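The two embodiments of steps 104a and 104b above (sensitive information routed by type to the monitoring terminal of the owning service, and attack markers that trigger interception), as one added example that is not part of the patent and not code from Suzhou Simawei Technology Co ltd. The page only names the categories; the regular expressions, the checksum validators, the attack markers, the owner routing table and the constructed responses are this example's own assumptions. It goes slightly beyond the text in one respect: a bare 18-character rule of the kind the description suggests also fires on order numbers and serials, so the ID-number rule here is backed by the ISO 7064 MOD 11-2 check character and the bank-card rule by the Luhn check, and the alarm payload carries a masked value so that the alarm channel does not itself leak the data.

```python
"""Identification rules for steps 104a/104b over one HTTP response body: sensitive
information (typed, masked and routed to the owning service's monitor) and attack
markers (alarm plus interception). Patterns, validators and routing are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, List

# ISO 7064 MOD 11-2 check for the 18-character PRC resident ID number.
_ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
_ID_CHECK_CHARS = "10X98765432"


def valid_cn_id(s: str) -> bool:
    """True if s is 17 digits plus the correct check character (digit or X)."""
    if not re.fullmatch(r"\d{17}[0-9X]", s):
        return False
    total = sum(int(d) * w for d, w in zip(s[:17], _ID_WEIGHTS))
    return _ID_CHECK_CHARS[total % 11] == s[17]


def valid_luhn(s: str) -> bool:
    """Luhn check as used by bank card numbers."""
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Alarm payloads must not re-leak the value: keep 3 leading and 2 trailing chars."""
    if len(value) <= 5:
        return "*" * len(value)
    return value[:3] + "*" * (len(value) - 5) + value[-2:]


@dataclass
class Rule:
    info_type: str
    kind: str                               # "sensitive" or "attack"
    pattern: "re.Pattern[str]"
    validate: Callable[[str], bool] = lambda v: True


# Sensitive-information rules. The checksum validators drop lookalikes (order numbers,
# serials) that a bare length-based rule would report.
SENSITIVE_RULES = [
    Rule("identity_info", "sensitive", re.compile(r"\b\d{17}[0-9Xx]\b"),
         lambda v: valid_cn_id(v.upper())),
    Rule("contact_phone", "sensitive", re.compile(r"\b1[3-9]\d{9}\b")),
    Rule("bank_account", "sensitive", re.compile(r"\b\d{16,19}\b"), valid_luhn),
]

# Attack-feature rules (illustrative): markers that a response was produced by a
# webshell or a failed injected query rather than by the business logic.
ATTACK_RULES = [
    Rule("webshell_command_output", "attack", re.compile(r"\buid=\d+\([^)]*\)\s+gid=\d+\(")),
    Rule("sql_error_disclosure", "attack",
         re.compile(r"You have an error in your SQL syntax", re.IGNORECASE)),
    Rule("passwd_file_disclosure", "attack", re.compile(r"^root:x:0:0:", re.MULTILINE)),
]

# Assumed routing: information type -> monitoring terminal of the microservice that
# owns that data; attack findings always go to the security on-call.
MONITOR_FOR_TYPE = {
    "identity_info": "user-profile-svc-oncall",
    "contact_phone": "user-profile-svc-oncall",
    "bank_account": "payment-svc-oncall",
}
SECURITY_MONITOR = "soc-oncall"


@dataclass
class Finding:
    info_type: str
    kind: str
    sample: str                             # masked for sensitive data, raw marker for attacks
    action: str                             # "alarm" or "intercept+alarm"
    monitor: str


def analyze_response(body: str) -> List[Finding]:
    """Steps 104a/104b over one response body: identify, type, route and decide."""
    findings: List[Finding] = []
    for rule in SENSITIVE_RULES + ATTACK_RULES:
        for m in rule.pattern.finditer(body):
            value = m.group(0)
            if not rule.validate(value):
                continue                    # lookalike that fails its checksum
            if rule.kind == "attack":
                findings.append(Finding(rule.info_type, "attack", value,
                                        "intercept+alarm", SECURITY_MONITOR))
            else:
                findings.append(Finding(rule.info_type, "sensitive", mask(value), "alarm",
                                        MONITOR_FOR_TYPE.get(rule.info_type, "default-oncall")))
    return findings


def should_intercept(findings: List[Finding]) -> bool:
    """Block the response only for attack findings; sensitive data is alarmed, not blocked."""
    return any(f.kind == "attack" for f in findings)


# Constructed responses (not real traffic).
RESP_PROFILE = '{"name":"Zhang San","idNo":"11010519491231002X","phone":"13800138000","card":"4111111111111111"}'
RESP_LOOKALIKE = '{"orderNo":"110105194912310021","serial":"4111111111111112"}'
RESP_ATTACK = "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"

if __name__ == "__main__":
    for body in (RESP_PROFILE, RESP_LOOKALIKE, RESP_ATTACK):
        fs = analyze_response(body)
        print(should_intercept(fs), [(f.info_type, f.sample, f.monitor) for f in fs])
```

The lookalike response produces no findings at all, which is the point of the validators: an 18-digit order number and a mistyped card number both match the length patterns but fail their checksums, so the owning team is not paged for noise.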
The embodiment also discloses an information analysis alarm device comprising a memory and a processor, the memory storing at least one program instruction, and the processor implementing the above information analysis alarm method by loading and executing the at least one program instruction.
The embodiment also discloses a computer storage medium storing at least one program instruction, the at least one program instruction being loaded and executed by a processor to implement the above information analysis alarm method.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (9)

1. An information analysis alarm method, characterized in that the method comprises:
acquiring traffic information at a gateway egress;
storing the traffic information in a message queue (MQ);
acquiring feedback information when consuming the traffic information from the MQ;
and issuing an alarm prompt according to the feedback information.
2. The method of claim 1, wherein issuing an alarm prompt according to the feedback information comprises:
identifying characteristic information in the feedback information according to a preset identification rule, the preset identification rule being configured according to the needs of a preset alerting service;
and intercepting and/or raising an alarm according to the characteristic information.
3. The method of claim 2, wherein identifying characteristic information in the feedback information according to a preset identification rule comprises:
identifying sensitive information in the feedback information according to the preset identification rule, the sensitive information comprising at least one of a name, identity information, a contact telephone number, a bank account number, an address, medical information and education information.
4. The method of claim 3, wherein intercepting and/or raising an alarm according to the characteristic information comprises:
determining the information type of the identified sensitive information;
and pushing alarm information to the monitoring terminal corresponding to that information type.
5. The method of claim 2, wherein identifying characteristic information in the feedback information according to a preset identification rule comprises:
identifying, according to the preset identification rule, characteristic information in the feedback information that characterizes a network attack.
6. The method of claim 5, wherein intercepting and/or raising an alarm according to the characteristic information comprises:
raising an alarm or intercepting when characteristic information that characterizes a network attack is identified.
7. The method of any one of claims 1 to 6, wherein acquiring traffic information at the gateway egress comprises:
acquiring the traffic information of the HTTP traffic at the gateway egress.
8. An information analysis alarm device, comprising a memory storing at least one program instruction and a processor for implementing the method of any one of claims 1 to 7 by loading and executing the at least one program instruction.
9. A computer storage medium storing at least one program instruction which, when loaded and executed by a processor, implements the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011136922.7A CN112272173A (en) 2020-10-22 2020-10-22 Information analysis alarm method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011136922.7A CN112272173A (en) 2020-10-22 2020-10-22 Information analysis alarm method, device and storage medium

Publications (1)

Publication Number Publication Date
CN112272173A true CN112272173A (en) 2021-01-26

Family

ID=74341470

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011136922.7A Pending CN112272173A (en) 2020-10-22 2020-10-22 Information analysis alarm method, device and storage medium

Country Status (1)

Country Link
CN (1) CN112272173A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107302586A * 2017-07-12 2017-10-27 深信服科技股份有限公司 Webshell detection method and device, computer apparatus and readable storage medium
CN107733834A * 2016-08-10 2018-02-23 中国移动通信集团甘肃有限公司 Leakage prevention method and device
CN110225062A * 2019-07-01 2019-09-10 北京微步在线科技有限公司 Method and apparatus for monitoring network attacks
CN110602046A * 2019-08-13 2019-12-20 上海陆家嘴国际金融资产交易市场股份有限公司 Data monitoring and processing method and device, computer equipment and storage medium
CN110650126A * 2019-09-06 2020-01-03 珠海格力电器股份有限公司 Method and device for preventing website traffic attacks, intelligent terminal and storage medium
CN111641658A * 2020-06-09 2020-09-08 杭州安恒信息技术股份有限公司 Request interception method, device, equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210126