CN112468500A - Risk processing method and system based on multi-dimensional data dynamic change scene - Google Patents

Publication number: CN112468500A
Authority: CN (China)
Prior art keywords: baseline, data, information, terminal, dimensional
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202011361122.5A
Other languages: Chinese (zh)
Inventors: 李磊, 周宏海, 李娜, 黄传明, 吴挺, 肖威
Current Assignee: Wuhan Zero Sense Network Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Wuhan Zero Sense Network Technology Co ltd
Application filed by Wuhan Zero Sense Network Technology Co ltd
Priority to CN202011361122.5A
Publication of CN112468500A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention provides a risk processing method and system based on a multi-dimensional data dynamic change scene, wherein the method comprises the following steps: acquiring real-time network coordinate information of terminal equipment, and acquiring a DHCP fingerprint to obtain terminal characteristic information; comparing the terminal characteristic information in a preset multi-dimensional characteristic database, and judging whether to adjust baseline data; and if the baseline data needs to be adjusted, adjusting the baseline and giving a risk treatment opinion. According to the risk processing method and system based on the multi-dimensional data dynamic change scene, provided by the embodiment of the invention, when the real-time data and the current baseline data are different, a user can be allowed to adjust the baseline after investigation and confirmation, so that the consistency of a multi-dimensional database and a dynamic environment is ensured.

Description

Risk processing method and system based on multi-dimensional data dynamic change scene
Technical Field
The invention relates to the technical field of Internet of things, in particular to a risk processing method and system based on a multi-dimensional data dynamic change scene.
Background
In the current Internet of Things environment, the number of terminals is large and many of them are located outdoors. Equipment is easily damaged by changes in the working environment, temperature and humidity and needs to be replaced frequently, and unauthorized persons can connect privately through an exposed access point to steal data or initiate network attacks. To avoid such events, security manufacturers adopt various types of network authentication mechanisms that perform MAC comparison or password authentication between the terminal devices accessing the network and the terminal data stored on the server.
The traditional authentication mode focuses mainly on "terminal characteristic information". It does not focus on "network coordinate information" such as the IP/VLAN/NAS of an access terminal, and is insensitive to the network access path of a device.
In a practical production environment, because of objective requirements relating to IP orchestration, construction specifications, fault detection and so on, the "network coordinate information" can provide terminal features from the perspective of network equipment such as switches. For example, if within a short time a terminal device appears successively on multiple NAS, or in different VLANs of the same NAS, or on different IPs of the same VLAN, this indicates to a great extent that there may be a problem in the network configuration, a failure in the operation of a network device, or a security risk at the terminal device.
Therefore, a risk processing method and system based on a multi-dimensional data dynamic change scene are needed to solve the problem.
Disclosure of Invention
The invention provides a risk processing method and a risk processing system based on a multi-dimensional data dynamic change scene, which are used for solving the problem that a traditional authentication mode is not sensitive to a network access path of equipment.
In a first aspect, an embodiment of the present invention provides a risk processing method based on a multi-dimensional data dynamic change scenario, including:
101, acquiring real-time network coordinate information of terminal equipment, and acquiring a DHCP fingerprint to obtain terminal characteristic information;
102, comparing the terminal characteristic information in a preset multi-dimensional characteristic database, and judging whether to adjust baseline data;
and 103, if the baseline data needs to be adjusted, adjusting the baseline and giving a risk treatment opinion.
Preferably, before the obtaining of the real-time network coordinate information of the terminal device, and the obtaining of the DHCP fingerprint to obtain the terminal feature information, the method further includes:
and prerecording the multi-dimensional characteristic information of each terminal device in asset management, and constructing network coordinate information and a multi-dimensional characteristic database of the terminal device.
Preferably, the network coordinate information includes:
IP information, VLAN information, and NAS information.
Preferably, in step 101, the obtaining real-time network coordinate information of the terminal device, and obtaining a DHCP fingerprint to obtain terminal feature information specifically include:
acquiring real-time network coordinate information of the terminal equipment through a network access RADIUS protocol;
acquiring a DHCP fingerprint on core gateway equipment in a DHCP time delay mode;
and analyzing the DHCP fingerprint to obtain the terminal characteristic information.
Preferably, in step 103, the performing baseline adjustment includes:
if the data comparison has no difference, the baseline adjustment is not carried out;
if the data comparison is different, the diagnosis is an intrusion behavior, the access is blocked and early warning is given;
if the data comparison is different, the diagnosis is human error, and the work order is sent for intervention processing;
if the data comparison is a reasonable movement behavior, temporarily releasing the data, and not adjusting the baseline;
if the data comparison is a reasonable replacement behavior, it is released and the baseline is adjusted.
Preferably, in step 103, the giving of the risk processing opinion includes:
and after a new baseline is formed, comparing the terminal characteristic information acquired in real time subsequently with the new baseline, and proposing a risk processing suggestion.
In a second aspect, an embodiment of the present invention provides a risk processing system based on a multi-dimensional data dynamic change scenario, including:
the characteristic information acquisition module is used for acquiring real-time network coordinate information of the terminal equipment and acquiring a DHCP fingerprint to obtain terminal characteristic information;
the data comparison module is used for comparing the terminal characteristic information in a preset multi-dimensional characteristic database and judging whether to adjust the baseline data or not;
and the risk processing module is used for adjusting the baseline data and giving a risk processing opinion if the baseline data needs to be adjusted.
In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method for risk processing based on a multi-dimensional data dynamic change scene, as provided in the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method for risk processing based on a multi-dimensional data dynamic change scene as provided in the first aspect.
According to the risk processing method and system based on the multi-dimensional data dynamic change scene, provided by the embodiment of the invention, when the real-time data and the current baseline data are different, a user can be allowed to adjust the baseline after investigation and confirmation, so that the consistency of a multi-dimensional database and a dynamic environment is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a risk processing method based on a multi-dimensional data dynamic change scene according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a risk processing system based on a multi-dimensional data dynamic change scenario according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
Fig. 1 is a schematic flowchart of a risk processing method based on a multi-dimensional data dynamic change scene, as shown in fig. 1, including:
101. acquiring real-time network coordinate information of terminal equipment, and acquiring a DHCP fingerprint to obtain terminal characteristic information;
102. comparing the terminal characteristic information in a preset multi-dimensional characteristic database, and judging whether to adjust baseline data;
103. and if the baseline data needs to be adjusted, adjusting the baseline and giving a risk treatment opinion.
Specifically, in order to quickly find problems and ensure the network operation quality, the network access path and the terminal characteristics of the internet of things terminal are compared by using multidimensional databases such as network coordinate information, terminal characteristic information and the like, so that possible network faults and safety risks are found, and various treatment suggestions are given. In step 101, the present invention sets a baseline maintenance function of the multidimensional database, and when there is a difference between the real-time data and the current baseline data (in an initial state, the prerecorded multidimensional database is the current baseline) in step 102, in step 103, the user may be allowed to adjust the baseline after performing investigation and confirmation, thereby ensuring the consistency between the multidimensional database and the dynamic environment.
According to the risk processing method and system based on the multi-dimensional data dynamic change scene, provided by the embodiment of the invention, when the real-time data and the current baseline data are different, a user can be allowed to adjust the baseline after investigation and confirmation, so that the consistency of a multi-dimensional database and a dynamic environment is ensured.
On the basis of the above embodiment, before step 101, the method further includes:
and prerecording the multi-dimensional characteristic information of each terminal device in asset management, and constructing network coordinate information and a multi-dimensional characteristic database of the terminal device.
The network coordinate information includes:
IP information, VLAN information and NAS information, as well as other information such as which port of which switch the device comes in from and the complete network path (device, which port of which access switch, VLAN/IP, which superior switch and which port, which core switch).
Specifically, the multi-dimensional characteristic information of each terminal device is prerecorded in asset management, and a multi-dimensional database is constructed, with the terminal device as the unit, of "network coordinate information" such as IP/VLAN/NAS and "terminal characteristic information" such as open ports and operating system. The initial asset management information is filled in manually, typically entered in a table or imported from Excel by the customer as needed, to ensure the accuracy of the initial baseline.
On the basis of the foregoing embodiment, in step 101, acquiring real-time network coordinate information of the terminal device, and acquiring a DHCP fingerprint to obtain terminal feature information, includes:
acquiring real-time network coordinate information of the terminal equipment through a network access RADIUS protocol;
acquiring a DHCP fingerprint on core gateway equipment in a DHCP time delay mode;
and analyzing the DHCP fingerprint to obtain the terminal characteristic information.
It should be noted that the "network coordinate information" of the terminal device is mainly acquired from several sources, such as the SNMP protocol, the Radius protocol and SYSLOG information, all of which are generally supported on the network side.
The SNMP protocol may obtain the MAC/IP/port of the switch headroom by polling the switch for OIDs.
SYSLOG is mainly initiated by the switch, and if the switch monitors the transaction of the MAC/IP, the transaction is actively submitted to the server.
The RADIUS protocol is an interactive authentication protocol, and the amount of information covered is more comprehensive, including information such as IP/VLAN/NAS/port/access time/traffic.
DHCP RELAY can be enabled on all gateway switch devices, so that the discover and request packets in the DHCP flow are diverted to a designated server. The discover or request packets generally include a large number of DHCP Option values, which the industry calls the DHCP fingerprint. The more Option entries are acquired, the more of the string values carried by the options can be matched, and the more detailed the device information that can be queried. For example, MAC information, manufacturer information, operating system type, system version and patch numbers, hostname, etc. may be learned by querying.
The asset information recorded at initialization holds only the most basic information about a device, for example that it is a computer or a tablet. The real-time information discovered on the network side through DHCP fingerprints is much more detailed than the recorded information: for example, the asset is known to be a computer with the win7 operating system, the SP2 patch and the host name lilei-pc.
When the user comes online and more information is learned through the DHCP fingerprint, that information can become the latest baseline of terminal characteristic information. The next time someone uses another computer to impersonate the host and use its IP, the network manager can find, by monitoring the DHCP fingerprint, that the host name submitted is administeror and the operating system is win8, which is inconsistent with the updated baseline.
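The following sketch is an added illustration, not code from the patent. It parses the options field of a relayed DHCP discover packet into a fingerprint and separates fields that contradict the baseline from fields that only enrich it. The option codes (12 host name, 55 parameter request list, 60 vendor class identifier, 61 client identifier) are the standard RFC 2132 codes; the function names, the MAC address and the option byte strings are constructed for the example.

```python
from __future__ import annotations

PAD, END = 0, 255
HOSTNAME, PARAM_REQUEST_LIST, VENDOR_CLASS, CLIENT_ID = 12, 55, 60, 61  # RFC 2132


def parse_options(raw: bytes) -> dict[int, bytes]:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    options: dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == END:          # anything after END is ignored
            break
        if i + 1 >= len(raw):
            raise ValueError(f"option {code}: missing length byte")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        # RFC 3396: an option that appears more than once is concatenated.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def fingerprint(raw: bytes) -> dict[str, str]:
    """Reduce the parsed options to the terminal characteristics we baseline."""
    opts = parse_options(raw)
    fp: dict[str, str] = {}
    if HOSTNAME in opts:
        fp["hostname"] = opts[HOSTNAME].decode("ascii", "replace")
    if VENDOR_CLASS in opts:
        fp["vendor_class"] = opts[VENDOR_CLASS].decode("ascii", "replace")
    if PARAM_REQUEST_LIST in opts:
        # The order of requested options is itself part of the fingerprint.
        fp["param_request_list"] = ",".join(str(b) for b in opts[PARAM_REQUEST_LIST])
    cid = opts.get(CLIENT_ID, b"")
    if len(cid) == 7 and cid[0] == 1:   # hardware type 1 = Ethernet, then the MAC
        fp["mac"] = ":".join(f"{b:02x}" for b in cid[1:])
    return fp


def diff_against_baseline(baseline: dict, observed: dict) -> tuple[list, list]:
    """Return (fields that contradict the baseline, fields the baseline lacks)."""
    changed = sorted(k for k in observed if k in baseline and baseline[k] != observed[k])
    new = sorted(k for k in observed if k not in baseline)
    return changed, new


def build_option(code: int, value: bytes) -> bytes:
    """Helper used only to construct the sample packets below."""
    return bytes([code, len(value)]) + value


# Constructed sample data: options of two discover packets with the same client MAC.
SAMPLE_MAC = bytes.fromhex("020000aabb01")
ENROLLED_HOST_OPTIONS = (
    build_option(53, b"\x01")                      # message type: DISCOVER
    + build_option(CLIENT_ID, b"\x01" + SAMPLE_MAC)
    + build_option(HOSTNAME, b"lilei-pc")
    + build_option(VENDOR_CLASS, b"MSFT 5.0")
    + build_option(PARAM_REQUEST_LIST, bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43]))
    + bytes([END])
)
IMPOSTOR_OPTIONS = (
    build_option(53, b"\x01")
    + build_option(CLIENT_ID, b"\x01" + SAMPLE_MAC)
    + build_option(HOSTNAME, b"administeror")
    + build_option(VENDOR_CLASS, b"MSFT 5.0")
    + build_option(PARAM_REQUEST_LIST, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
    + bytes([END])
)

if __name__ == "__main__":
    baseline = {"mac": "02:00:00:aa:bb:01"}          # basic asset record only
    first = fingerprint(ENROLLED_HOST_OPTIONS)
    print("first sighting:", diff_against_baseline(baseline, first))
    baseline.update(first)                            # enriched baseline
    print("later sighting:", diff_against_baseline(baseline, fingerprint(IMPOSTOR_OPTIONS)))
```

Fields returned as new are candidates for enriching the baseline after confirmation; fields returned as changed are the differences that the later comparison steps act on.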
On the basis of the foregoing embodiment, in step 103, the performing baseline adjustment includes:
if the data comparison has no difference, the baseline adjustment is not carried out;
if the data comparison is different, the diagnosis is an intrusion behavior, the access is blocked and early warning is given;
if the data comparison is different, the diagnosis is human error, and the work order is sent for intervention processing;
if the data comparison is a reasonable movement behavior, temporarily releasing the data, and not adjusting the baseline;
if the data comparison is a reasonable replacement behavior, it is released and the baseline is adjusted.
The embodiment of the invention analyzes whether the data changes and submits the data with differences to an administrator to judge whether to adjust the baseline data by comparing the prerecorded multidimensional database with the real-time acquired network coordinate information and terminal characteristic information.
Specifically, a set of "network coordinate baseline" and "terminal feature information" is established for each terminal (specifically, one MAC is one terminal). It includes a great number of columns of values, including but not limited to the "network coordinate" information "IP", "VLAN" and "NAS" and the "terminal feature" information "terminal type", "operating system", "system version number" and "terminal hostname". If any of these is considered to have changed for the terminal, an early warning is generated (whether the "coordinate" and "feature" are consistent depends on whether the values have changed).
The administrator can carry out various operations according to the result of the data comparison, such as adjusting the baseline, blocking access and giving an early warning, dispatching a work order, or granting temporary approval.
The judgment is based on whether the "network coordinate" and "terminal characteristic" in the following table have changed; if so, the administrator is reminded to change the baseline.
The Radius protocol is an interactive protocol. It can acquire information such as basic IP/VLAN/NAS/port/access time/traffic, and it can also act on a terminal at the switch to modify the network authority of the terminal, for example to clear or block it. At the same time it can also generate alarm information on the internal network management platform.
If no difference exists, the access is reasonable and no baseline adjustment is involved;
if an intrusion behavior is suspected, access is blocked and an early warning is given;
if human error is suspected, an early warning is given and a work order is dispatched for intervention processing;
if the movement behavior is reasonable (such as temporary mobile office), temporary release is granted, but the baseline is not adjusted;
if it is a reasonable replacement behavior (such as equipment maintenance and replacement), it is released and the baseline is adjusted.
On the basis of the above embodiment, in step 103, the giving of the risk processing opinion includes:
and after a new baseline is formed, comparing the terminal characteristic information acquired in real time subsequently with the new baseline, and proposing a risk processing suggestion.
After a new baseline is formed, subsequently acquired network coordinate information and terminal characteristic information in real time are compared with the new baseline, potential problems are found out through multi-dimensional data comparison, risk processing suggestions are provided, network changes are adapted through baseline adjustment, and data consistency is maintained.
Common risk management recommendations (hereinafter, "coordinate" and "feature" refer to "network coordinate information" and "terminal feature information", and "consistent" and "inconsistent" refer to whether the real-time data differs from the current baseline data; in the initial state, the prerecorded multidimensional database is the current baseline):
1. If the coordinates are consistent and the features are consistent, the behavior is judged reasonable and is released.
2. If the coordinates are consistent and the features are inconsistent, it is judged to be a possible intrusion or a maintenance replacement. A worker confirms the on-site situation; if it is normal the baseline is modified, and if it is abnormal access is blocked.
3. If the coordinates are inconsistent and the features are consistent, it is judged to be a configuration error by a worker, a mistaken connection at the wrong place, an asset with stronger mobility, a temporary spare-part replacement or a permanent spare-part replacement. A worker confirms the on-site situation; for permanent behavior the baseline is modified, and in the other cases the configuration is modified or temporary release is granted.
4. If the coordinates are inconsistent and the features are inconsistent, it is judged to be an intrusion behavior, and access is blocked with an early warning.
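The sketch below is an added example, not the patent's own implementation. It applies the four coordinate/feature cases above to one observation, then applies the administrator's verdict, so that only a confirmed replacement rewrites the baseline. The field names, verdict labels, MAC, IP, VLAN and NAS values are constructed for the example; the operating system and host name values are the ones used in the description.

```python
from dataclasses import dataclass

COORDINATE_FIELDS = ("ip", "vlan", "nas")
FEATURE_FIELDS = ("terminal_type", "operating_system", "system_version", "hostname")

# Keyed on (coordinates consistent, features consistent): recommendations 1 to 4.
SUGGESTIONS = {
    (True, True): "release",
    (True, False): "confirm on site: possible intrusion or maintenance replacement",
    (False, True): "confirm on site: misconfiguration, wrong connection, "
                   "mobile asset or spare-part replacement",
    (False, False): "block and alert",
}

# Administrator verdict -> (enforcement action, whether the baseline is adjusted).
VERDICT_ACTIONS = {
    "intrusion": ("block_and_alert", False),
    "human_error": ("alert_and_work_order", False),
    "reasonable_move": ("temporary_release", False),
    "reasonable_replacement": ("release", True),
}


@dataclass
class Assessment:
    coords_changed: list
    features_changed: list
    suggestion: str


def changed(baseline: dict, observed: dict, fields: tuple) -> list:
    """Fields whose value differs. Assumption: a field missing on either
    side is treated as 'not yet known', not as a change."""
    return [f for f in fields
            if f in baseline and f in observed and baseline[f] != observed[f]]


def assess(baseline: dict, observed: dict) -> Assessment:
    coords = changed(baseline, observed, COORDINATE_FIELDS)
    features = changed(baseline, observed, FEATURE_FIELDS)
    return Assessment(coords, features, SUGGESTIONS[(not coords, not features)])


def apply_verdict(db: dict, mac: str, observed: dict, verdict: str) -> str:
    """Record the administrator's decision; only a confirmed replacement
    makes the observation the new baseline for later comparisons."""
    action, adjust_baseline = VERDICT_ACTIONS[verdict]
    if adjust_baseline:
        db[mac] = {**db[mac], **observed}
    return action


# Constructed sample data: one terminal keyed by MAC.
MAC = "02:00:00:aa:bb:01"
BASELINE = {
    "ip": "10.20.30.41", "vlan": 120, "nas": "sw-access-07",
    "terminal_type": "computer", "operating_system": "win7",
    "system_version": "SP2", "hostname": "lilei-pc",
}
MOVED = {**BASELINE, "vlan": 130, "nas": "sw-access-09"}
SPOOFED = {**BASELINE, "operating_system": "win8", "hostname": "administeror"}
BOTH = {**MOVED, "operating_system": "win8", "hostname": "administeror"}


def demo() -> list:
    """Suggestions for the four cases, in the order of the list above."""
    return [assess(BASELINE, obs).suggestion
            for obs in (BASELINE, SPOOFED, MOVED, BOTH)]


if __name__ == "__main__":
    for line in demo():
        print(line)
    db = {MAC: dict(BASELINE)}
    print(apply_verdict(db, MAC, MOVED, "reasonable_move"), db[MAC]["vlan"])
```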
Fig. 2 is a schematic structural diagram of a risk processing system based on a multi-dimensional data dynamic change scenario, as shown in fig. 2, including: a characteristic information obtaining module 201, a data comparing module 202 and a risk processing module 203, wherein:
the characteristic information obtaining module 201 is configured to obtain real-time network coordinate information of the terminal device, and obtain a DHCP fingerprint to obtain terminal characteristic information;
the data comparison module 202 is configured to compare the terminal feature information in a preset multidimensional feature database, and determine whether to adjust baseline data;
the risk processing module 203 is configured to perform baseline adjustment and provide risk processing opinions if the baseline data needs to be adjusted.
For details, how to utilize the feature information obtaining module 201, the data comparing module 202, and the risk processing module 203 to process the risk based on the multi-dimensional data dynamic change scene may refer to the above method embodiment, and details of the embodiment of the present invention are not repeated herein.
In an embodiment, based on the same concept, an embodiment of the present invention further provides an electronic device, as shown in fig. 3, where fig. 3 illustrates a schematic structural diagram of the electronic device, and the electronic device may include: a processor (processor)301, a communication Interface (communication Interface)302, a memory (memory)303 and a bus 304, wherein the processor 301, the communication Interface 302 and the memory 303 complete communication with each other through the bus 304. Processor 301 may invoke logic instructions in memory 303 to perform the steps of a road network matching method between heterogeneous high-precision maps, for example, including: acquiring real-time network coordinate information of terminal equipment, and acquiring a DHCP fingerprint to obtain terminal characteristic information; comparing the terminal characteristic information in a preset multi-dimensional characteristic database, and judging whether to adjust baseline data; and if the baseline data needs to be adjusted, adjusting the baseline and giving a risk treatment opinion.
In one embodiment, based on the same concept, the present embodiment further provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, when the program instructions are executed by a computer, the computer can execute the steps of the road network matching method between the heterogeneous high-precision maps provided by the above-mentioned method embodiments, for example, the steps include: acquiring real-time network coordinate information of terminal equipment, and acquiring a DHCP fingerprint to obtain terminal characteristic information; comparing the terminal characteristic information in a preset multi-dimensional characteristic database, and judging whether to adjust baseline data; and if the baseline data needs to be adjusted, adjusting the baseline and giving a risk treatment opinion.
In one embodiment, based on the same concept, the embodiment of the present invention further provides a non-transitory computer-readable storage medium, which stores a computer program, and when the computer program is executed by a computer, the computer program causes the computer to perform the steps of the road network matching method between the heterogeneous high-precision maps provided by the above embodiments, for example, the steps include: acquiring real-time network coordinate information of terminal equipment, and acquiring a DHCP fingerprint to obtain terminal characteristic information; comparing the terminal characteristic information in a preset multi-dimensional characteristic database, and judging whether to adjust baseline data; and if the baseline data needs to be adjusted, adjusting the baseline and giving a risk treatment opinion.
The embodiments of the present invention can be arbitrarily combined to achieve different technical effects.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A risk processing method based on a multi-dimensional data dynamic change scene is characterized by comprising the following steps:
101, acquiring real-time network coordinate information of terminal equipment, and acquiring a DHCP fingerprint to obtain terminal characteristic information;
102, comparing the terminal characteristic information in a preset multi-dimensional characteristic database, and judging whether to adjust baseline data;
and 103, if the baseline data needs to be adjusted, adjusting the baseline and giving a risk treatment opinion.
2. The method for processing risks based on a multi-dimensional data dynamic change scene as claimed in claim 1, wherein before obtaining real-time network coordinate information of a terminal device, and obtaining a DHCP fingerprint to obtain terminal feature information, the method further comprises:
and prerecording the multi-dimensional characteristic information of each terminal device in asset management, and constructing network coordinate information and a multi-dimensional characteristic database of the terminal device.
3. The method of claim 2, wherein the network coordinate information comprises:
IP information, VLAN information, and NAS information.
4. The method according to claim 1, wherein in step 101, the obtaining real-time network coordinate information of the terminal device and the DHCP fingerprint to obtain terminal feature information specifically comprises:
acquiring real-time network coordinate information of the terminal equipment through a network access RADIUS protocol;
acquiring a DHCP fingerprint on core gateway equipment in a DHCP time delay mode;
and analyzing the DHCP fingerprint to obtain the terminal characteristic information.
5. The method for risk processing based on multi-dimensional data dynamic change scene according to claim 1, wherein in step 103, the performing of baseline adjustment comprises:
if the data comparison shows no difference, the baseline is not adjusted;
if the data comparison shows a difference and the diagnosis is an intrusion behavior, access is blocked and an early warning is given;
if the data comparison shows a difference and the diagnosis is human error, a work order is sent for intervention processing;
if the data comparison indicates a reasonable movement behavior, it is temporarily released and the baseline is not adjusted;
if the data comparison indicates a reasonable replacement behavior, it is released and the baseline is adjusted.
6. The method as claimed in claim 5, wherein the step 103 of giving the risk processing opinion includes:
and after a new baseline is formed, comparing the terminal characteristic information acquired in real time subsequently with the new baseline, and proposing a risk processing suggestion.
7. A risk processing system based on a multi-dimensional data dynamic change scene is characterized by comprising:
the characteristic information acquisition module is used for acquiring real-time network coordinate information of the terminal equipment and acquiring a DHCP fingerprint to obtain terminal characteristic information;
the data comparison module is used for comparing the terminal characteristic information in a preset multi-dimensional characteristic database and judging whether to adjust the baseline data or not;
and the risk processing module is used for adjusting the baseline data and giving a risk processing opinion if the baseline data needs to be adjusted.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method for risk processing based on a dynamically changing scenario of multidimensional data according to any of claims 1 to 6 when executing the program.
9. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the method for risk processing based on a multi-dimensional data dynamic scenario of claims 1 to 6.
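
The comparison and disposition flow of claims 1, 3 and 5 can be exercised with the following added Python example, which is not code from the patent. The choice of DHCP options 55 and 60 as the fingerprint, the `dev_id` key, and the `allowed_moves` and `approved_swaps` triage signals are assumptions, since the claims do not state how a difference is diagnosed; the sample bytes are constructed.

```python
from dataclasses import dataclass

# Constructed sample: DHCP options 53, 55 (parameter request list), 60, End.
SAMPLE_OPTS = bytes([53, 1, 1, 55, 4, 1, 3, 6, 15, 60, 8]) + b"MSFT 5.0" + b"\xff"

@dataclass(frozen=True)
class Terminal:
    ip: str          # network coordinates (claim 3): IP, VLAN, NAS
    vlan: int
    nas: str
    dhcp_fp: tuple   # terminal feature parsed from the DHCP fingerprint

def dhcp_fingerprint(options: bytes) -> tuple:
    """Walk DHCP option TLVs; return (option 55 codes, option 60 string)."""
    prl, vendor, i = (), "", 0
    while i < len(options) and options[i] != 255:   # 255 = End
        if options[i] == 0:                          # Pad has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated DHCP option header")
        code, length = options[i], options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option value")
        if code == 55:
            prl = tuple(value)
        elif code == 60:
            vendor = value.decode("ascii", "replace")
        i += 2 + length
    return prl, vendor

def process(baselines, dev_id, seen, allowed_moves=(), approved_swaps=()):
    """Apply claim 5's five outcomes; the triage signals are assumptions."""
    base = baselines[dev_id]
    diff = {f for f in ("ip", "vlan", "nas", "dhcp_fp")
            if getattr(base, f) != getattr(seen, f)}
    if not diff:
        return "no_adjustment", diff
    if "dhcp_fp" in diff:                    # the device itself looks different
        if dev_id in approved_swaps:         # assumed: asset-management approval
            baselines[dev_id] = seen         # reasonable replacement: new baseline
            return "release_and_adjust_baseline", diff
        return "block_and_alert", diff       # treated as intrusion
    if (seen.nas, seen.vlan) in allowed_moves:   # assumed: sanctioned locations
        return "temporary_release", diff     # reasonable movement, baseline kept
    return "work_order", diff                # treated as human error
```

Only the replacement branch writes to `baselines`, so a temporarily released device is still compared against its original record on its next appearance, as claim 6 requires of later comparisons.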
CN202011361122.5A 2020-11-28 2020-11-28 Risk processing method and system based on multi-dimensional data dynamic change scene Pending CN112468500A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011361122.5A CN112468500A (en) 2020-11-28 2020-11-28 Risk processing method and system based on multi-dimensional data dynamic change scene

Publications (1)

Publication Number Publication Date
CN112468500A (en) 2021-03-09

Family

ID=74809208

Country Status (1)

Country Link
CN (1) CN112468500A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388796A (en) * 2008-10-29 2009-03-18 北京星网锐捷网络技术有限公司 Information sending processing method, communication equipment and communication system
US20110035484A1 (en) * 2008-04-14 2011-02-10 Invicta Networks, Inc. Method and system for creating and managing a variable number of visible internet protocol (ip) addresses
CN103532940A (en) * 2013-09-30 2014-01-22 广东电网公司电力调度控制中心 Network security detection method and device
CN107302527A (en) * 2017-06-09 2017-10-27 北京奇安信科技有限公司 A kind of unit exception detection method and device
US20180041536A1 (en) * 2016-08-02 2018-02-08 Invincea, Inc. Methods and apparatus for detecting and identifying malware by mapping feature data into a semantic space
CN111885106A (en) * 2020-06-16 2020-11-03 武汉零感网御网络科技有限公司 Internet of things safety management and control method and system based on terminal equipment characteristic information

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210309