CN112511387A - Network attack monitoring system based on multi-source information analysis - Google Patents
- Publication number: CN112511387A
- Application number: CN202011481680.5A
- Authority: CN (China)
- Prior art keywords: flow (traffic), module, network attack, data, malicious code
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L43/00—Arrangements for monitoring or testing data switching networks
    - H04L43/02—Capturing of monitoring data
      - H04L43/022—Capturing of monitoring data by sampling
    - H04L43/04—Processing captured monitoring data, e.g. for logfile generation
  - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    - H04L41/06—Management of faults, events, alarms or notifications
      - H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention belongs to the technical field of computers and relates in particular to a network attack monitoring system based on multi-source information analysis. The system comprises a rule making module, a traffic collection module, a traffic processing module, a malicious code sample collection module, a traffic scanning and analysis module, and a threat assessment and early warning release module. The technical effects of the invention are: comprehensive perception of network threats, in that hidden network security risks are accurately identified on the basis of traffic analysis, a sensitive network threat sensing capability is built, and an all-round network security situation is displayed; and timely loss stopping and fast response, in that a network security threat assessment report is produced through network attack security analysis, helping network security managers take corresponding handling measures in time so that the situation does not continue to develop.
Description
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a network attack monitoring system based on multi-source information analysis.
Background
With the continuous development of computer technology, network security receives ever more attention, and information networks and security systems have become the basis and guarantee of healthy informatization. At present, unknown vulnerabilities exist in operating systems, application software, network devices and business systems, so that, against the wider background of the civilian use of network munitions and of organized network attacks, network security faces more serious challenges and higher requirements are placed on network security monitoring.
At present, most traditional network security monitoring methods rely on a library of known rules: known security threats can be detected, but these methods cannot deal with unknown threats, and complete tracing, evidence collection and loss evaluation cannot be carried out for intrusions that are in progress or that have already caused loss.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is how to improve network security monitoring capability.
(II) Technical scheme
In order to solve the above technical problem, the present invention provides a network attack monitoring system based on multi-source information analysis. The system comprises a rule making module, a traffic collection module, a traffic processing module, a malicious code sample collection module, a traffic scanning and analysis module, and a threat assessment and early warning release module;
the rule making module is used to formulate a traffic sampling standard according to fixed- and floating-position keywords and application protocol content, so that the traffic collection module samples traffic in a traffic proportion mode, an IP five-tuple mode or a time mode;
the traffic collection module is used to collect traffic data according to the sampling collection rule and transmit the traffic data to the traffic processing module;
the traffic processing module is used to perform deduplication, normalization and compression on the collected traffic data and transmit the data to the traffic scanning and analysis module;
the malicious code sample collection module is used to obtain malicious code samples from a malicious code sample library and transmit them to the traffic scanning and analysis module;
the traffic scanning and analysis module is used to store the processed traffic data in a traffic file, inspect the traffic file under monitoring against the malicious code samples and, when content matching a malicious code sample is identified in the traffic file (that is, when network attack behaviour is found), generate alarm event data and transmit it to the threat assessment and early warning release module;
the threat assessment and early warning release module is used to receive the alarm event data and implement the functions of threat assessment, feature extraction, sample library upgrading and event alarming.
In the operation of the rule making module, sampling in the traffic proportion mode means sampling and collecting traffic by percentage.
In the operation of the rule making module, sampling in the IP five-tuple mode means sampling and collecting traffic by source IP, source port, destination IP, destination port and protocol.
In the operation of the rule making module, sampling in the time mode means sampling and collecting traffic by time period, and the time periods can be specified to the minute.
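The three sampling modes described above, as an added worked example in Python (illustration code written for this page, not code from the patent or its applicant). The `Packet` record type, the constructed packet list, and the use of systematic sampling for the proportion mode are assumptions; the patent only states that traffic is sampled by percentage, by five-tuple, or by time period accurate to the minute.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Packet:
    """One captured packet reduced to the fields the sampling modes key on
    (constructed record type, not from the patent)."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes


def sample_by_proportion(packets, percent):
    """Traffic proportion mode: keep `percent` % of the packets.

    Systematic sampling (every 100/percent-th packet) is used instead of a
    random draw so that re-running the collector over the same capture
    selects the same packets, which matters when the sample is later used
    as forensic evidence."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    return [p for i, p in enumerate(packets)
            if ((i + 1) * percent) // 100 > (i * percent) // 100]


def sample_by_quintuple(packets, src_ip=None, src_port=None,
                        dst_ip=None, dst_port=None, proto=None):
    """IP five-tuple mode: keep packets matching every field that is set.

    None is a wildcard; the IP fields accept a single host or a CIDR block."""
    def ip_matches(addr, spec):
        if spec is None:
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    return [p for p in packets
            if ip_matches(p.src_ip, src_ip) and ip_matches(p.dst_ip, dst_ip)
            and (src_port is None or p.src_port == src_port)
            and (dst_port is None or p.dst_port == dst_port)
            and (proto is None or p.proto.upper() == proto.upper())]


def sample_by_time(packets, start, end):
    """Time mode: keep packets captured in [start, end).

    Both bounds are truncated to whole minutes, the finest granularity the
    patent states for time-period sampling."""
    start = start.replace(second=0, microsecond=0)
    end = end.replace(second=0, microsecond=0)
    if end <= start:
        raise ValueError("end must be later than start")
    return [p for p in packets if start <= p.ts < end]


# Constructed sample capture: six packets, one per minute.
T0 = datetime(2020, 12, 15, 10, 0, tzinfo=timezone.utc)
SAMPLE_PACKETS = [
    Packet(T0, "10.0.0.5", 51000, "192.168.1.10", 80, "TCP", b"GET / HTTP/1.1"),
    Packet(T0 + timedelta(minutes=1), "10.0.0.5", 51001, "192.168.1.10", 443, "TCP", b"\x16\x03\x01"),
    Packet(T0 + timedelta(minutes=2), "10.0.0.7", 40000, "192.168.1.20", 53, "UDP", b"\x12\x34"),
    Packet(T0 + timedelta(minutes=3), "10.0.1.9", 40001, "192.168.1.10", 80, "TCP", b"POST /login"),
    Packet(T0 + timedelta(minutes=4), "10.0.0.5", 51002, "192.168.1.10", 80, "TCP", b"GET /a"),
    Packet(T0 + timedelta(minutes=5), "172.16.0.2", 2222, "192.168.1.30", 22, "TCP", b"SSH-2.0"),
]

if __name__ == "__main__":
    print(len(sample_by_proportion(SAMPLE_PACKETS, 50)), "packets kept at 50%")
    print(len(sample_by_quintuple(SAMPLE_PACKETS, src_ip="10.0.0.0/24", dst_port=80, proto="tcp")),
          "packets from 10.0.0.0/24 to port 80/tcp")
    print(len(sample_by_time(SAMPLE_PACKETS, T0 + timedelta(minutes=1, seconds=30),
                             T0 + timedelta(minutes=4))), "packets in the 10:01-10:03 window")
```

A rule issued to a probe would normally combine these: a five-tuple filter first, then a percentage of what passes it, within a time period. The deterministic proportion sampler is the part worth keeping in mind for evidence handling, since a random sampler cannot be replayed to show which packets were deliberately dropped.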
In the operation of the traffic processing module, the deduplication operation means filtering out repeated traffic data.
In the operation of the traffic processing module, the normalization operation means standardizing the format of the raw traffic data, converting the raw traffic into data in pcap format.
In the operation of the traffic processing module, the compression operation means compressing the traffic data before uploading it.
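The three traffic processing steps (deduplicate, normalize to pcap, compress for upload) as one added Python example; this is illustration code written for this page, not the patent's own implementation. It assumes the collector hands over frames as `(ts_sec, ts_usec, raw_ethernet_frame)` tuples, that deduplication is keyed on the exact frame bytes, and that gzip is the compression used; the constructed frames are placeholders.

```python
import gzip
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, written little-endian
PCAP_VERSION = (2, 4)
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def deduplicate(frames):
    """Deduplication: drop frames whose raw bytes were already seen.

    Only the bytes on the wire are hashed, not the timestamp, so the same
    frame captured twice (two mirror ports, or both ends of a link) is kept once."""
    seen = set()
    kept = []
    for ts_sec, ts_usec, raw in frames:
        digest = hashlib.sha256(raw).digest()
        if digest in seen:
            continue
        seen.add(digest)
        kept.append((ts_sec, ts_usec, raw))
    return kept


def to_pcap(frames, snaplen=65535):
    """Normalization: serialise frames into a libpcap (pcap) file image."""
    out = bytearray(GLOBAL_HEADER.pack(PCAP_MAGIC, *PCAP_VERSION, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, raw in frames:
        incl_len = min(len(raw), snaplen)       # truncate to snaplen, keep the original length
        out += RECORD_HEADER.pack(ts_sec, ts_usec, incl_len, len(raw))
        out += raw[:incl_len]
    return bytes(out)


def parse_pcap(data):
    """Read a pcap image back into (ts_sec, ts_usec, raw) tuples; used to check the writer."""
    magic, major, minor, _tz, _sig, _snap, linktype = GLOBAL_HEADER.unpack_from(data, 0)
    if magic != PCAP_MAGIC or (major, minor) != PCAP_VERSION or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a pcap image this reader understands")
    frames = []
    offset = GLOBAL_HEADER.size
    while offset < len(data):
        ts_sec, ts_usec, incl_len, _orig = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        frames.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len
    return frames


def compress_for_upload(pcap_bytes):
    """Compression step before upload; mtime=0 keeps the output reproducible."""
    return gzip.compress(pcap_bytes, compresslevel=6, mtime=0)


def decompress_upload(blob):
    """Receiver side of the upload."""
    return gzip.decompress(blob)


def process_traffic(frames):
    """The traffic processing module end to end: dedup -> pcap -> gzip."""
    return compress_for_upload(to_pcap(deduplicate(frames)))


# Constructed frames: a minimal Ethernet header (dst, src, EtherType 0x0800) plus payload.
# The first frame appears twice with different timestamps, as it would from two capture points.
ETH = bytes.fromhex("0200000000010200000000020800")
FRAMES = [
    (1608026400, 1000, ETH + b"GET / HTTP/1.1"),
    (1608026400, 1250, ETH + b"GET / HTTP/1.1"),
    (1608026401, 5000, ETH + b"SSH-2.0-OpenSSH"),
]

if __name__ == "__main__":
    blob = process_traffic(FRAMES)
    print(len(deduplicate(FRAMES)), "unique frames;", len(blob), "bytes of gzip-compressed pcap")
```

Hashing the full frame means two legitimately identical packets sent seconds apart (a retransmission, a repeated DNS query) also collapse to one record; a deployment that needs to keep those would add the timestamp, or a short time window, to the dedup key.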
In the operation of the threat assessment and early warning release module, threat assessment means analysing the alarm event data and comparing it with historical threat event records, evaluating the affected range of the network attack and the threat to the target, and generating an assessment report.
In the operation of the threat assessment and early warning release module, feature extraction and sample library upgrading means assisting in analysing the feature information of novel network attacks and malicious code carried in the alarm event data, then adding that feature information to the unified malicious code sample library and updating it, thereby completing the upgrade of the malicious code sample library.
In the operation of the threat assessment and early warning release module, event alarming means displaying, querying and counting the information in the alarm event data and generating a report.
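The scanning step of the traffic scanning and analysis module together with the three functions just defined (threat assessment against history, sample library upgrading, event counting), as one added Python example written for this page rather than taken from the patent. It assumes that a malicious code sample is represented by a byte signature matched against traffic payloads, that an alarm event is a small record of what matched where, and that the severity levels are derived from the number of affected hosts; those thresholds and all record types and data are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """Entry in the malicious code sample library (constructed type): the
    signature is the byte pattern the scanner looks for in traffic payloads."""
    sample_id: str
    name: str
    signature: bytes


@dataclass(frozen=True)
class FlowRecord:
    """Processed traffic record as stored in the traffic file (constructed type)."""
    ts: int            # epoch seconds
    src_ip: str
    dst_ip: str
    proto: str
    payload: bytes


@dataclass(frozen=True)
class AlarmEvent:
    """Alarm event data handed to the threat assessment module."""
    ts: int
    src_ip: str
    dst_ip: str
    proto: str
    sample_id: str
    name: str
    offset: int        # where in the payload the sample content was found


def scan_flows(flows, library):
    """Traffic scanning: check every record against every library sample and
    raise one alarm event per match."""
    events = []
    for flow in flows:
        for sample in library:
            pos = flow.payload.find(sample.signature)
            if pos != -1:
                events.append(AlarmEvent(flow.ts, flow.src_ip, flow.dst_ip, flow.proto,
                                         sample.sample_id, sample.name, pos))
    return events


def assess_threat(events, history):
    """Threat assessment: compare new alarms with historical events (earlier
    AlarmEvents) and evaluate the affected range per sample. Level thresholds
    are constructed for this example."""
    report = {}
    for e in events:
        entry = report.setdefault(e.sample_id, {
            "name": e.name, "seen_before": False, "new_events": 0,
            "affected_hosts": set(), "sources": set()})
        entry["new_events"] += 1
        entry["affected_hosts"].add(e.dst_ip)
        entry["sources"].add(e.src_ip)
    for h in history:
        if h.sample_id in report:
            report[h.sample_id]["seen_before"] = True
            report[h.sample_id]["affected_hosts"].add(h.dst_ip)
    for entry in report.values():
        hosts = len(entry["affected_hosts"])
        entry["level"] = "high" if hosts >= 3 else "medium" if hosts == 2 else "low"
    return report


def upgrade_library(library, new_samples):
    """Sample library upgrade: add newly extracted features, skipping any
    signature or id the library already holds."""
    known_sigs = {s.signature for s in library}
    known_ids = {s.sample_id for s in library}
    upgraded = list(library)
    for s in new_samples:
        if s.signature in known_sigs or s.sample_id in known_ids:
            continue
        upgraded.append(s)
        known_sigs.add(s.signature)
        known_ids.add(s.sample_id)
    return upgraded


def count_events(events, field):
    """Event alarm: count alarms by one field (sample_id, src_ip, ...) for the report."""
    return Counter(getattr(e, field) for e in events)


# Constructed data; the signatures are placeholder strings, not real malware patterns.
LIBRARY = [
    Sample("S-001", "constructed-family-alpha", b"constructed-sig-alpha"),
    Sample("S-002", "constructed-family-beta", b"constructed-sig-beta"),
]
FLOWS = [
    FlowRecord(1608026400, "10.0.0.5", "192.168.1.10", "TCP", b"GET /x?q=constructed-sig-alpha HTTP/1.1"),
    FlowRecord(1608026460, "10.0.0.7", "192.168.1.20", "TCP", b"POST /u constructed-sig-alpha"),
    FlowRecord(1608026520, "10.0.0.5", "192.168.1.30", "TCP", b"GET /index.html HTTP/1.1"),
    FlowRecord(1608026580, "172.16.0.2", "192.168.1.10", "UDP", b"\x00\x01constructed-sig-beta"),
]
HISTORY = [AlarmEvent(1607940000, "10.0.0.9", "192.168.1.40", "TCP", "S-001", "constructed-family-alpha", 0)]

if __name__ == "__main__":
    found = scan_flows(FLOWS, LIBRARY)
    for sid, entry in assess_threat(found, HISTORY).items():
        print(sid, entry["level"], sorted(entry["affected_hosts"]))
    print(count_events(found, "sample_id"))
```

The history comparison is what turns a single match into an assessment: the same sample already seen against another host raises the affected range and the level, which is the signal an operator needs to decide whether one host is infected or a campaign is under way.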
(III) Advantageous effects
Compared with the prior art, the network attack monitoring system based on traffic analysis can discover threat clues and perform comprehensive analysis by combining multi-source information such as traffic, samples and behaviour; it captures and analyses large volumes of network data through functions such as user-defined rules and traffic reconstruction, discovers latent unknown attacks, achieves packet-level tracking and evidence collection, provides network security managers with automated detection and assisted analysis of network attack data, and improves the overall capability to analyse network attack events.
The technical effects of the invention are:
(1) Comprehensive perception of network threats: on the basis of traffic analysis, hidden network security risks are accurately identified, a sensitive network threat sensing capability is built, and an all-round network security situation is displayed.
(2) Timely loss stopping and fast response: through network attack security analysis, a network security threat assessment report is provided, helping network security managers take corresponding handling measures in time so that the situation does not continue to develop.
(3) Data evidence collection and attribution of responsibility: the original network communication data is stored completely as full traffic, so that all network communication content at the time a security event occurred can be reconstructed; this enables packet-level evidence collection and attribution of responsibility, and allows the impact of an attack event and the effect of its handling to be tracked and evaluated over the long term.
Drawings
Fig. 1 is a schematic structural diagram of the technical solution of the present invention.
Detailed Description
In order to make the objects, content and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawing and examples.
In order to solve the above technical problem, the present invention provides a network attack monitoring system based on multi-source information analysis which, as shown in Fig. 1, comprises a rule making module, a traffic collection module, a traffic processing module, a malicious code sample collection module, a traffic scanning and analysis module, and a threat assessment and early warning release module, with the modules as set out in the technical scheme above.
Example 1
This embodiment provides a network attack monitoring system based on multi-source information analysis, comprising a traffic monitoring and collection module, a network attack analysis module, a malicious code analysis module, a threat assessment and early warning release module, and so on.
The network attack monitoring system based on traffic analysis operates as follows:
(1) Traffic monitoring and collection module
a) Collect and reconstruct the suspicious raw traffic data monitored by the network security monitoring probe devices, and standardize, process and store the traffic data so as to provide retrieval, traffic reconstruction, file extraction and similar functions.
b) Collection rules: define traffic collection rules visually, in terms of the IP five-tuple, fixed- and floating-position keywords, application protocol and similar content, and issue them to the network security monitoring probe devices.
1) The IP five-tuple means source IP address, destination IP address, source port, destination port and protocol;
2) fixed- and floating-position keywords are keywords whose position in the message (in digits, bytes, fields, etc.) is either fixed or floating;
3) the application protocols include HTTP, FTP, TELNET, SMTP, POP3, SNMP, SCTP, SIP, a long-message transmission protocol, a short-message transmission protocol, a real-time message transmission protocol, etc.
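A collection rule of the kind described in b), covering the five-tuple, a fixed- or floating-position keyword and the application protocol, with the rule being issued to a probe and evaluated there; this is an added Python example for this page, not the patent's rule format. The JSON wire format, byte offsets as the unit of keyword position, the `CaptureRule` fields and all rules and observations are assumptions.

```python
import ipaddress
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class CaptureRule:
    """One traffic collection rule (constructed type). A fixed-position keyword
    must appear at `offset` bytes into the application message; a floating
    keyword may appear anywhere in it."""
    rule_id: str
    protocol: str                 # application protocol name, e.g. "HTTP"
    keyword: bytes
    position: str                 # "fixed" or "floating"
    offset: int = 0               # used only for fixed-position keywords
    src_net: str = "0.0.0.0/0"    # five-tuple part: source network (any by default)
    dst_net: str = "0.0.0.0/0"    # five-tuple part: destination network
    dst_port: int = 0             # five-tuple part: 0 means any port


def issue_rules(rules):
    """Rule-making side: serialise rules into the document sent to the probe.
    Keywords are hex-encoded because JSON cannot carry raw bytes."""
    return json.dumps([{**asdict(r), "keyword": r.keyword.hex()} for r in rules], indent=2)


def load_rules(document):
    """Probe side: parse the issued document back into CaptureRule objects."""
    return [CaptureRule(**{**d, "keyword": bytes.fromhex(d["keyword"])})
            for d in json.loads(document)]


def rule_matches(rule, src_ip, dst_ip, dst_port, protocol, message):
    """Probe side: does one observed application message satisfy the rule?"""
    if rule.protocol != protocol:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src_net):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst_net):
        return False
    if rule.dst_port and rule.dst_port != dst_port:
        return False
    if rule.position == "fixed":
        end = rule.offset + len(rule.keyword)
        return message[rule.offset:end] == rule.keyword
    if rule.position == "floating":
        return rule.keyword in message
    raise ValueError(f"unknown keyword position {rule.position!r}")


def select_for_capture(rules, observations):
    """Return (rule_id, observation index) for every observation some rule selects."""
    hits = []
    for idx, obs in enumerate(observations):
        for rule in rules:
            if rule_matches(rule, *obs):
                hits.append((rule.rule_id, idx))
    return hits


# Constructed rule set and observations: (src_ip, dst_ip, dst_port, protocol, message).
RULES = [
    CaptureRule("R1", "HTTP", b"POST", "fixed", offset=0, dst_port=80),
    CaptureRule("R2", "SMTP", b"example.test", "floating"),
    CaptureRule("R3", "FTP", b"anonymous", "floating", src_net="10.0.0.0/8"),
    CaptureRule("R4", "FTP", b"anonymous", "fixed", offset=0),
]
OBSERVATIONS = [
    ("10.0.0.5", "192.168.1.10", 80, "HTTP", b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"),
    ("10.0.0.5", "192.168.1.10", 80, "HTTP", b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.8", "192.168.1.25", 25, "SMTP", b"MAIL FROM:<alice@example.test>\r\n"),
    ("10.0.0.9", "192.168.1.21", 21, "FTP", b"USER anonymous\r\n"),
    ("172.16.0.2", "192.168.1.21", 21, "FTP", b"USER anonymous\r\n"),
]

if __name__ == "__main__":
    wire = issue_rules(RULES)
    print(select_for_capture(load_rules(wire), OBSERVATIONS))
```

R3 and R4 carry the same keyword and show the difference the position flag makes: the floating rule selects the FTP login, the fixed rule at offset 0 does not, because the keyword sits after the command verb. Round-tripping the rules through `issue_rules`/`load_rules` before evaluating them is a cheap way to check that what the probe runs is exactly what the operator defined.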
(2) Network attack analysis module
a) Traffic reconstruction: retrieve the raw traffic by session, reconstruct the session's traffic and extract network-layer, transport-layer and application-layer information; the supported application-layer protocols include HTTP, FTP, TELNET, SMTP, POP3, SNMP, SCTP, SIP, a long-message transmission protocol, a short-message transmission protocol, a real-time message transmission protocol, etc.; perform multi-dimensional statistical analysis of sessions by five-tuple and application protocol and generate an analysis report.
b) Correlation analysis: define correlation analysis rules as logic expressions that combine multiple dimensions such as time, IP address, network port, application protocol and attack type.
c) Assisted analysis: on the basis of traffic reconstruction and correlation analysis, assist in distinguishing suspicious behaviour, extract attack features and generate an analysis report.
d) Dynamic analysis: extract and reconstruct the content of specific protocols from network communication traffic, translate the source and destination address information in the traffic, inject the traffic into a sandbox for dynamic analysis, monitor its effect on the target system, analyse and extract its behavioural features, assist in judging the nature and harm of the traffic, and generate an analysis report.
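The correlation analysis of b), rules written as logic expressions over time, IP address, port, protocol and attack type, as an added Python example written for this page (the patent does not specify a rule language). The expression schema, the alert event fields, the sliding-window semantics and the sample alerts are all assumptions.

```python
from collections import defaultdict


def eval_expr(expr, event):
    """Evaluate a nested logic expression against one alert event (a dict).

    Leaves are {"field": ..., "op": ..., "value": ...}; inner nodes are
    {"and": [...]}, {"or": [...]} or {"not": expr}. The schema is constructed
    for this example."""
    if "and" in expr:
        return all(eval_expr(sub, event) for sub in expr["and"])
    if "or" in expr:
        return any(eval_expr(sub, event) for sub in expr["or"])
    if "not" in expr:
        return not eval_expr(expr["not"], event)
    value = event.get(expr["field"])
    op, ref = expr["op"], expr["value"]
    if op == "eq":
        return value == ref
    if op == "in":
        return value in ref
    if op == "gte":
        return value is not None and value >= ref
    if op == "lte":
        return value is not None and value <= ref
    raise ValueError(f"unknown operator {op!r}")


def correlate(events, rule):
    """Apply one correlation rule: keep events satisfying rule["where"], group them
    by rule["group_by"], slide a window of rule["window_s"] seconds over each group,
    and fire when at least rule["min_count"] distinct values of rule["distinct"]
    fall inside one window."""
    matched = sorted((e for e in events if eval_expr(rule["where"], e)),
                     key=lambda e: e["ts"])
    groups = defaultdict(list)
    for e in matched:
        groups[e[rule["group_by"]]].append(e)
    hits = []
    for key, group in groups.items():
        for i, first in enumerate(group):
            window = [e for e in group[i:] if e["ts"] - first["ts"] <= rule["window_s"]]
            distinct = {e[rule["distinct"]] for e in window}
            if len(distinct) >= rule["min_count"]:
                hits.append({"rule_id": rule["rule_id"], rule["group_by"]: key,
                             "window_start": first["ts"], "values": sorted(distinct)})
                break  # one correlated alarm per group is enough
    return hits


# Constructed rule: one source producing three different attack types against
# TCP service ports within five minutes.
MULTI_STAGE_RULE = {
    "rule_id": "CR-001",
    "where": {"and": [
        {"field": "proto", "op": "eq", "value": "TCP"},
        {"field": "dst_port", "op": "in", "value": [22, 80, 445]},
    ]},
    "group_by": "src_ip",
    "window_s": 300,
    "distinct": "attack_type",
    "min_count": 3,
}

# Constructed alert events (timestamps in epoch seconds).
ALERTS = [
    {"ts": 100, "src_ip": "10.0.0.5", "dst_port": 22, "proto": "TCP", "attack_type": "brute_force"},
    {"ts": 150, "src_ip": "10.0.0.5", "dst_port": 80, "proto": "TCP", "attack_type": "web_scan"},
    {"ts": 220, "src_ip": "10.0.0.5", "dst_port": 445, "proto": "TCP", "attack_type": "smb_probe"},
    {"ts": 2000, "src_ip": "10.0.0.7", "dst_port": 80, "proto": "TCP", "attack_type": "web_scan"},
    {"ts": 2100, "src_ip": "10.0.0.7", "dst_port": 80, "proto": "TCP", "attack_type": "web_scan"},
    {"ts": 2150, "src_ip": "10.0.0.7", "dst_port": 53, "proto": "UDP", "attack_type": "dns_tunnel"},
]

if __name__ == "__main__":
    for hit in correlate(ALERTS, MULTI_STAGE_RULE):
        print(hit)
```

Keeping the rule as data rather than code is what lets an analyst add or change rules without redeploying the analysis module, and the explicit window keeps the rule from firing on unrelated alerts that merely share a source address over a long period.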
(3) Malicious code analysis module
a) Sample acquisition: suspected malicious code samples can be obtained through the following channels:
1) extraction and reconstruction of files from network communication traffic;
2) submission by security protection equipment such as host intrusion detection and protection software;
3) manual submission via a sample submission page.
b) Sample processing: samples are preprocessed before being submitted for sandbox analysis:
1) sample files are numbered automatically;
2) zip, rar, 7z and tar (gz) archives are decompressed automatically, with a configurable default decompression password;
3) basic attributes such as the sample file format are analysed and the samples are sorted;
4) file hashes are calculated and deduplication is performed.
c) Automatic analysis: sample behaviour can be analysed automatically and an automatic analysis report for the suspicious code generated:
1) the sample is loaded in a sandbox environment and its behaviour analysed dynamically, including file creation/modification/deletion, registry creation/modification/deletion, driver loading/unloading, kernel calls, peripheral access, network access, process creation/injection/termination, etc., assisting in judging the nature and harm of the file, and an analysis report is generated;
2) during automatic analysis, an operator can log in to the back end manually to intervene in the sample execution flow;
3) the suspicious behaviour determination rules can be modified or extended.
d) Sample management: analysed samples can be stored and managed:
1) the target sample and the files it drops can be stored;
2) information such as sample source, file number, file type and analysis report is recorded;
3) sample information can be searched and counted, statistical analysis reports generated, and statistical results displayed as bar charts, pie charts, radar charts, scatter plots, mesh diagrams, etc., with customizable display of the analysis results.
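The sample processing steps of b) (numbering, decompression, format classification, hashing and deduplication) as one added Python example, written for this page and not taken from the patent. It handles zip and tar(.gz) with the standard library only; rar and 7z would need third-party libraries and are noted but not handled. The magic-byte table, the `SampleRecord` fields, the decompressed-size cap and the constructed submissions are assumptions; the constructed sample bytes are placeholder headers, not executables.

```python
import hashlib
import io
import tarfile
import zipfile
from dataclasses import dataclass

# Format detection by magic bytes (constructed, minimal table).
MAGIC_TABLE = [
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
]


@dataclass(frozen=True)
class SampleRecord:
    number: int        # automatically assigned sample number
    source: str        # file name, or archive name/member path
    fmt: str
    sha256: str
    size: int


def detect_format(data):
    for magic, name in MAGIC_TABLE:
        if data.startswith(magic):
            return name
    return "unknown"


def unpack(name, data, password=None, max_bytes=64 * 1024 * 1024):
    """Yield (member_name, member_bytes). zip and tar(.gz) archives are expanded
    one level; anything else is passed through unchanged. The declared
    uncompressed size is capped so a decompression bomb cannot exhaust the
    analysis host before the sandbox ever sees the sample."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as archive:
            members = [m for m in archive.infolist() if not m.is_dir()]
            if sum(m.file_size for m in members) > max_bytes:
                raise ValueError(f"{name}: declared uncompressed size exceeds limit")
            for m in members:
                yield f"{name}/{m.filename}", archive.read(m, pwd=password)
        return
    buf.seek(0)
    try:
        archive = tarfile.open(fileobj=buf, mode="r:*")
    except tarfile.ReadError:
        yield name, data          # not an archive we handle: treat as a single sample
        return
    with archive:
        members = [m for m in archive.getmembers() if m.isfile()]
        if sum(m.size for m in members) > max_bytes:
            raise ValueError(f"{name}: declared uncompressed size exceeds limit")
        for m in members:
            yield f"{name}/{m.name}", archive.extractfile(m).read()


def ingest(submissions, password=None, max_bytes=64 * 1024 * 1024):
    """Steps 1-4: number, decompress, classify, hash and deduplicate.
    Returns (records, duplicates_dropped)."""
    records, seen, duplicates = [], set(), 0
    for name, data in submissions:
        for member_name, member in unpack(name, data, password, max_bytes):
            digest = hashlib.sha256(member).hexdigest()
            if digest in seen:
                duplicates += 1
                continue
            seen.add(digest)
            records.append(SampleRecord(len(records) + 1, member_name,
                                        detect_format(member), digest, len(member)))
    return records, duplicates


def build_zip(members):
    """Helper that builds an in-memory zip archive for the constructed submissions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, member in members:
            archive.writestr(member_name, member)
    return buf.getvalue()


# Constructed submissions: placeholder headers only.
PE_STUB = b"MZ" + b"\x00" * 30 + b"constructed-pe-stub"
SUBMISSIONS = [
    ("bundle.zip", build_zip([("a.bin", PE_STUB), ("copy_of_a.bin", PE_STUB),
                              ("doc.pdf", b"%PDF-1.4 constructed")])),
    ("tool.elf", b"\x7fELF" + b"\x00" * 12),
    ("a.bin", PE_STUB),
]

if __name__ == "__main__":
    recs, dropped = ingest(SUBMISSIONS)
    for r in recs:
        print(r.number, r.fmt, r.size, r.source)
    print(dropped, "duplicates dropped")
```

The `password` argument is the hook for the configurable default decompression password in step 2; `zipfile` applies it only to encrypted members, so unencrypted archives pass through unchanged. Deduplicating on the hash of the extracted member, not of the submitted file, is what makes the same binary arriving once inside an archive and once on its own count as one sample.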
(4) Threat assessment and early warning release module
a) Threat assessment: provides analysis and comparison against known threats, supports evaluation of the affected range of the network attack and the threat to the target, and generates an assessment report.
b) Feature extraction and upgrading: assists in analysing the feature information of novel network attacks and malicious code, and adds the feature information to a unified feature library, providing a feature library upgrade service for the whole network.
c) Event alarming: displays, queries and counts security event alarm information and generates reports:
1) receives security event alarm information generated by equipment such as network security monitoring probes;
2) analyses the security event alarm information generated by the system itself.
d) Early warning release: dynamically releases related information such as threat assessments and the propagation and spread trend of attacks.
The above description is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several modifications and variations without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as falling within the scope of protection of the present invention.
Claims (10)
1. A network attack monitoring system based on multi-source information analysis, the system comprising a rule making module, a traffic collection module, a traffic processing module, a malicious code sample collection module, a traffic scanning and analysis module, and a threat assessment and early warning release module;
the rule making module is used to formulate a traffic sampling standard according to fixed- and floating-position keywords and application protocol content, so that the traffic collection module samples traffic in a traffic proportion mode, an IP five-tuple mode or a time mode;
the traffic collection module is used to collect traffic data according to the sampling collection rule and transmit the traffic data to the traffic processing module;
the traffic processing module is used to perform deduplication, normalization and compression on the collected traffic data and transmit the data to the traffic scanning and analysis module;
the malicious code sample collection module is used to obtain malicious code samples from a malicious code sample library and transmit them to the traffic scanning and analysis module;
the traffic scanning and analysis module is used to store the processed traffic data in a traffic file, inspect the traffic file under monitoring against the malicious code samples and, when content matching a malicious code sample is identified in the traffic file (that is, when network attack behaviour is found), generate alarm event data and transmit it to the threat assessment and early warning release module;
the threat assessment and early warning release module is used to receive the alarm event data and implement the functions of threat assessment, feature extraction, sample library upgrading and event alarming.
2. The network attack monitoring system based on multi-source information analysis according to claim 1, wherein in the operation of the rule making module, sampling in the traffic proportion mode means sampling and collecting traffic by percentage.
3. The network attack monitoring system based on multi-source information analysis according to claim 1, wherein in the operation of the rule making module, sampling in the IP five-tuple mode means sampling and collecting traffic by source IP, source port, destination IP, destination port and protocol.
4. The network attack monitoring system based on multi-source information analysis according to claim 1, wherein in the operation of the rule making module, sampling in the time mode means sampling and collecting traffic by time period, and the time periods can be specified to the minute.
5. The network attack monitoring system based on multi-source information analysis according to claim 1, wherein in the operation of the traffic processing module, the deduplication operation means filtering out repeated traffic data.
6. The network attack monitoring system based on multi-source information analysis according to claim 1, wherein in the operation of the traffic processing module, the normalization operation means standardizing the format of the raw traffic data, converting the raw traffic into data in pcap format.
7. The network attack monitoring system based on multi-source information analysis according to claim 1, wherein in the operation of the traffic processing module, the compression operation means compressing the traffic data before uploading it.
8. The network attack monitoring system based on multi-source information analysis according to claim 1, wherein in the operation of the threat assessment and early warning release module, threat assessment means analysing the alarm event data and comparing it with historical threat event records, evaluating the affected range of the network attack and the threat to the target, and generating an assessment report.
9. The network attack monitoring system based on multi-source information analysis according to claim 1, wherein in the operation of the threat assessment and early warning release module, feature extraction and sample library upgrading means assisting in analysing the feature information of novel network attacks and malicious code carried in the alarm event data, then adding that feature information to the unified malicious code sample library and updating it, thereby completing the upgrade of the malicious code sample library.
10. The network attack monitoring system based on multi-source information analysis according to claim 1, wherein in the operation of the threat assessment and early warning release module, event alarming means displaying, querying and counting the information in the alarm event data and generating a report.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011481680.5A CN112511387A (en) | 2020-12-15 | 2020-12-15 | Network attack monitoring system based on multi-source information analysis |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112511387A true CN112511387A (en) | 2021-03-16 |
Family
ID=74972238
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112468515A (en) * | 2020-12-15 | 2021-03-09 | 北京京航计算通讯研究所 | Network attack monitoring method based on multi-source information analysis |
CN112953975A (en) * | 2021-05-12 | 2021-06-11 | 南京恒先伟网络工程有限公司 | Network security situation awareness system and method |
CN115622818A (en) * | 2022-12-20 | 2023-01-17 | 北京微步在线科技有限公司 | Network attack data processing method and device |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early-warning monitoring system, method and deployment framework based on big-data analysis |
CN108234419A (en) * | 2016-12-21 | 2018-06-29 | 江苏神州信源系统工程有限公司 | Network attack monitoring method and device based on big data |
CN108600275A (en) * | 2018-05-29 | 2018-09-28 | 广西电网有限责任公司 | Threat situation-aware information security active defense system based on artificial intelligence |
CN108650225A (en) * | 2018-04-03 | 2018-10-12 | 国家计算机网络与信息安全管理中心 | Remote security monitoring device, system and remote security monitoring method |
CN109889476A (en) * | 2018-12-05 | 2019-06-14 | 国网冀北电力有限公司信息通信分公司 | Network security protection method and network security protection system |
CN110535855A (en) * | 2019-08-28 | 2019-12-03 | 北京安御道合科技有限公司 | Network event monitoring and analysis method and system, and information data processing terminal |
US10587647B1 (en) * | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
CN111611583A (en) * | 2020-04-08 | 2020-09-01 | 国家计算机网络与信息安全管理中心 | Malicious code homology analysis method and malicious code homology analysis device |
- 2020-12-15 CN CN202011481680.5A patent/CN112511387A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112511387A (en) | | Network attack monitoring system based on multi-source information analysis |
CN112953933B (en) | | Abnormal attack behavior detection method, device, equipment and storage medium |
US8805995B1 (en) | | Capturing data relating to a threat |
US11949692B1 (en) | | Method and system for efficient cybersecurity analysis of endpoint events |
US10176321B2 (en) | | Leveraging behavior-based rules for malware family classification |
US10133866B1 (en) | | System and method for triggering analysis of an object for malware in response to modification of that object |
US9628507B2 (en) | | Advanced persistent threat (APT) detection center |
US8713681B2 (en) | | System and method for detecting executable machine instructions in a data stream |
US9635040B2 (en) | | Method and apparatus for collecting information for identifying computer attack |
CN107295021B (en) | | Security detection method and system of host based on centralized management |
CN108650225B (en) | | Remote security monitoring equipment, system and remote security monitoring method |
CN111726357A (en) | | Attack behavior detection method and device, computer equipment and storage medium |
US10505986B1 (en) | | Sensor based rules for responding to malicious activity |
CN110210213B (en) | | Method and device for filtering malicious samples, storage medium and electronic device |
JP6523582B2 (en) | | Information processing apparatus, information processing method, and information processing program |
CN110149318B (en) | | Mail metadata processing method and device, storage medium and electronic device |
CN113660115B (en) | | Alarm-based network security data processing method, device and system |
CN114640548A (en) | | Network security sensing and early warning method and system based on big data |
Liu et al. | | Loocipher ransomware detection using lightweight packet characteristics |
CN109815702B (en) | | Software behavior safety detection method, device and equipment |
CN112468515A (en) | | Network attack monitoring method based on multi-source information analysis |
KR101174635B1 (en) | | Automated defense system for malicious code and method thereof |
KR20180013270A (en) | | Automatic generation method of Indicators of Compromise and its application for digital forensic investigation of cyber attack, and system thereof |
CN112637215A (en) | | Network security detection method and device, electronic equipment and readable storage medium |
CN110224975B (en) | | APT information determination method and device, storage medium and electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20210316 |