CN112560029A - Website content monitoring and automatic response protection method based on intelligent analysis technology - Google Patents


Info

Publication number
CN112560029A
Authority
CN
China
Prior art keywords
technology
website
analysis
web
detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011560810.4A
Other languages
Chinese (zh)
Inventor
谭威龙
张烜
靳晓琪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Super High Transmission Co of China South Electric Net Co Ltd
Original Assignee
Super High Transmission Co of China South Electric Net Co Ltd
Application filed by Super High Transmission Co of China South Electric Net Co Ltd
Priority to CN202011560810.4A
Publication of CN112560029A
Legal status: Pending

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
                            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                            • G06F21/577 Assessing vulnerabilities and evaluating computer system security
            • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
                • G06N20/00 Machine learning
                • G06N3/00 Computing arrangements based on biological models
                    • G06N3/02 Neural networks
                        • G06N3/04 Architecture, e.g. interconnection topology
                            • G06N3/042 Knowledge-based neural networks; Logical representations of neural networks
                            • G06N3/043 Architecture, e.g. interconnection topology based on fuzzy logic, fuzzy membership or fuzzy inference, e.g. adaptive neuro-fuzzy inference systems [ANFIS]
                            • G06N3/045 Combinations of networks
                        • G06N3/08 Learning methods

Abstract

The invention discloses a website content monitoring and automatic response protection method based on an intelligent analysis technology, which relates to the technical field of electronic data processing and comprises the following steps: detecting attack behavior against a protected website, wherein the detection comprises web log detection and webshell detection for the target company's Internet-facing applications, and tampering detection on website content, text content and newly added pages; and establishing a corresponding emergency scene for each kind of attack behavior against the protected website, so that when any one of those attack behaviors is detected, the response of the corresponding emergency scene is triggered automatically. The invention addresses the insufficient professional security-analysis capability of operation and maintenance personnel, and assists with evidence collection for security events and post-event tracing.

Description

Website content monitoring and automatic response protection method based on intelligent analysis technology
Technical Field
The invention relates to the technical field of electronic data processing, in particular to a website content monitoring and automatic response protection method based on an intelligent analysis technology.
Background
With the development of global informatization and the accelerating progress of the information society, the network security threats faced by countries around the world have grown in step in recent years: a Struts2 vulnerability posed fatal threats to web servers in many countries, the Bash 'Shellshock' (shell-breaking) vulnerability exposed hidden security hazards in Linux systems, the Havex malware swept through energy-industry network systems, the mysterious Iranian hacker organization 'Andishan' intruded into network systems in multiple countries, Apple mobile applications were infected with the 'XcodeGhost' malware, and the 'hacker arsenal' data of Hacking Team was leaked. In particular, after the 'PRISM-gate' affair broke out, network security issues driven by the contest of national interests became a focus of public attention in every country.
Under the 'troubles at home and abroad' conditions of the current network security environment, the many web sites that user organizations operate in the Internet environment have become one of the more seriously attacked targets; because webpage content is from time to time tampered with to propagate illegal material such as cult, rumour, obscene, pornographic and gambling content, this causes various adverse effects on society and even damages national security.
Against malicious behavior such as webpage tampering, which may harm the public image of countries and related organizations in the Internet environment, the prior art currently relies on web application firewalls and similar protective means, but such protection is too one-dimensional to respond quickly to today's complex webpage tampering behavior, and research into Internet webpage tamper-prevention technology needs to be strengthened.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a website content monitoring and automatic response protection method based on an intelligent analysis technology. It effectively addresses the content security of Internet-facing web applications, can discover website attack behavior and webpage tampering behavior in time, automatically shuts down a website when tampering is detected, can avoid the adverse effects caused by illegal tampering, and effectively improves the overall defensive effect of website security.
To achieve this purpose, the technical scheme of the invention is as follows:
a website content monitoring and automatic response protection method based on intelligent analysis technology is characterized by comprising the following steps:
detecting attack behavior against a protected website, wherein the detection comprises: web log detection and webshell detection for the target company's Internet-facing applications, and tampering detection on website content, text content and newly added pages;
establishing a corresponding emergency scene for each kind of attack behavior against the protected website, and, when any one of those attack behaviors is detected, automatically triggering the response of the corresponding emergency scene.
In the method described above, the web log detection further includes:
receiving the Web application logs submitted by the Syslog client of the Web server;
and carrying out deep-learning-based data mining on the Web application logs and carrying out security event correlation analysis on all the normalized Web application logs.
In the method described above, the webshell detection further includes: a webshell detection and analysis engine established on the basis of artificial intelligence technology, where the artificial intelligence technology comprises an expert system, an artificial neural network, a fuzzy detection technique and Agent technology.
In the method described above, detecting attack behavior against the protected website further adopts an attack monitoring and perception technique combining DPI and DFI.
In the method described above, a big data analysis model platform is further established by combining a relational database technology with a distributed analysis system on a multi-source heterogeneous processing framework.
In the method described above, the tamper detection further includes:
acquiring the current picture resources of the target website by using Libra crawler technology;
converting all picture resources used by the target website into a first model by using a convolutional neural network algorithm;
and after modified or newly added picture resources are detected, converting them into a second model and comparing it with the previous first model, while also comparing the second model with the FG picture model in the threat information provided by a security vendor, so as to find tampered pictures on the website.
In the method described above, website content is further prevented from being tampered with by adopting kernel-based driver protection, dynamic webpage script protection and continuous tampering attack protection techniques.
In the method described above, indicators of attack and compromise are further screened out of threat data and used as machine-readable threat information, and existing logs are compared and matched against them to form a trend or clue, so as to guide the security response and block the attack behavior.
The method described above further comprises establishing the automatic response of an emergency scene by adopting SOAR technology, where SOAR helps collect the information monitored for web security, performs event analysis and alert triage on the collected information, and, under the guidance of a standard workflow, helps security operation and maintenance personnel define, sequence and drive standardized incident response activities in a combined human-machine mode.
In the method described above, after website content is detected to have been tampered with, the webpage content under a trusted backup path is further quickly restored to the corresponding folder.
Compared with the prior art, the invention has the beneficial effects that:
1. Around the problems of web log detection and webshell detection, the following research is carried out:
On the one hand, for the massive web logs of the ultra-high voltage company's Internet applications, the method studies how to receive the mass Web application logs submitted by the Syslog client of the Web server through a standard Syslog protocol interface, performs comprehensive correlation analysis on them by means of a big data analysis platform and a Web attack AI detection engine, and displays globally and discovers in time the abnormal operating conditions of all external websites of the ultra-high voltage company.
On the other hand, for the current problem of Webshell security detection, technical research and detection optimization are carried out on Webshell detection based on AI (artificial intelligence) technology, a corresponding Webshell detection engine is researched and developed, the various Webshell bypass problems faced by traditional Webshell scanning and removal engines are solved, and the website security detection capability is improved.
2. The research on tamper protection technology focuses on tamper detection of website content, text content and newly added pages. For the research on detecting website content tampering, AI technology is mainly introduced: all picture resources used by the target website are converted into a model by a CNN (convolutional neural network) algorithm, and after modified or newly added picture resources are found, they are converted into the model and compared with the previous model to find suspicious new pictures. Meanwhile, the model of the modified or newly added pictures is compared with the FG picture model in the threat information provided by a security vendor, so that pictures tampered with on the website are actively detected and found from the outside.
3. For the research on text content tampering detection, page difference content is obtained mainly by capturing the page content returned by the target website and combining it with an efficient cache analysis technique; this differing content is then compared with illegal content such as FG extracted from the threat information provided by a security vendor, so that tampered webpage content is actively detected and found. After website content is tampered with, the trace of tampering can be found immediately, an alarm is generated and sent to the disposal platform, and the platform automatically takes the corresponding response measures. For the research on newly added page tamper detection, the key point is that the collected Web logs must be analyzed in real time for requests whose returned status code was 404 or 403 and for which a status code of 200 OK is then returned when the user request is answered; combined with comprehensive analysis of the alarm data of front-end website protection equipment such as the WAF, the newly added pages of the website can be actively discovered.
4. According to the actual environment of the Web site, different website tampering emergency scenes are modeled, the user is supported in setting a self-defined automatic response strategy, the strategy is linked with front-end network equipment or a security protection component such as a firewall, automatic response measures such as one-click shutdown of the website or making the website inaccessible are realized, and the automatic response efficiency for website tampering events is continuously improved.
5. A technique is researched that, after monitoring (including internal monitoring and external detection) finds that website page content has been tampered with, prevents the current page content from being returned to visitors and quickly and automatically resynchronizes the original normal page content from the publishing server, so as to avoid the negative influence of tampered page content being accessed.
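As an added worked example (not code from the patent or its assignee), the following Python sketch shows the two tamper-detection comparisons described in points 2 and 3 above: the text path diffs the page returned by the site against a cached baseline and matches the added content against a vendor-supplied list, and the picture path compares a fingerprint of a modified or new image with the site's own baseline and with fingerprints from threat information. A 64-bit average hash over an 8x8 grayscale grid stands in for the CNN feature model the patent describes, so that the block runs without any ML library; the page text, pixel grids, term list and fingerprint set are all constructed placeholders.

```python
import difflib

# ---- text content: diff against the cached baseline, then match the delta ----

# Constructed threat-information term list: placeholders standing in for the "FG"
# illegal-content list a security vendor would supply.
INTEL_TERMS = ['PLACEHOLDER-ILLEGAL-TERM-A', 'placeholder-gambling-promo']

def added_lines(baseline_html, current_html):
    """Lines present in the current page but not in the cached baseline."""
    diff = difflib.ndiff(baseline_html.splitlines(), current_html.splitlines())
    return [line[2:] for line in diff if line.startswith('+ ')]

def detect_text_tamper(baseline_html, current_html, intel_terms=INTEL_TERMS):
    """Report whether the page changed and which added lines match the vendor list."""
    added = added_lines(baseline_html, current_html)
    hits = [(line, term) for line in added for term in intel_terms if term.lower() in line.lower()]
    return {'changed': bool(added), 'added_lines': added, 'intel_hits': hits}

# ---- picture content: perceptual fingerprint as a stand-in for the CNN picture model ----

def average_hash(pixels):
    """64-bit average hash of an 8x8 grayscale grid (list of 8 rows of 8 ints 0-255)."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:                       # row-major: first pixel becomes the top bit
        bits = (bits << 1) | (1 if p >= mean else 0)
    return bits

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count('1')

def check_image(baseline_hash, new_pixels, intel_hashes, threshold=5):
    """Compare a modified/new picture with the site baseline and with vendor fingerprints."""
    h = average_hash(new_pixels)
    d_base = hamming(baseline_hash, h)
    if d_base <= threshold:              # re-encoding noise, not a content change
        return 'unchanged', d_base
    if any(hamming(h, ih) <= threshold for ih in intel_hashes):
        return 'matches_intel', d_base   # looks like a known defacement image
    return 'changed', d_base             # new content, needs a human look

# Constructed samples (not real site content).
BASELINE_HTML = "<html><body>\n<h1>Welcome</h1>\n<p>Grid operator portal</p>\n</body></html>"
TAMPERED_HTML = ("<html><body>\n<h1>Welcome</h1>\n<p>Grid operator portal</p>\n"
                 "<p>Visit PLACEHOLDER-ILLEGAL-TERM-A now</p>\n</body></html>")
BASELINE_PIXELS = [[row * 30] * 8 for row in range(8)]          # vertical gradient
NOISY_PIXELS = [row[:] for row in BASELINE_PIXELS]
NOISY_PIXELS[0][0] = 50                                         # one pixel altered by re-encoding
DEFACED_PIXELS = [[255] * 8 for _ in range(8)]                  # solid replacement image
OTHER_PIXELS = [[255 if c < 4 else 0 for c in range(8)] for _ in range(8)]
INTEL_HASHES = {average_hash(DEFACED_PIXELS)}                   # constructed "known defacement" fingerprint

if __name__ == '__main__':
    print(detect_text_tamper(BASELINE_HTML, TAMPERED_HTML))
    base = average_hash(BASELINE_PIXELS)
    for name, px in (('noisy', NOISY_PIXELS), ('defaced', DEFACED_PIXELS), ('other', OTHER_PIXELS)):
        print(name, check_image(base, px, INTEL_HASHES))
```

The threshold separates harmless re-encoding (a few flipped bits) from a real content change; the order of the checks matters, because a picture is compared with the vendor fingerprints only after it has already been found to differ from the site's own baseline.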
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a method according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example (b):
it should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
A website content monitoring and automatic response protection method based on intelligent analysis technology comprises the following steps:
detecting attack behavior against a protected website, wherein the detection comprises: web log detection and webshell detection for the target company's Internet-facing applications, and tampering detection on website content, text content and newly added pages;
establishing a corresponding emergency scene for each kind of attack behavior against the protected website, and, when any one of those attack behaviors is detected, automatically triggering the response of the corresponding emergency scene.
As an optional implementation, in some embodiments, the web log detection includes: receiving a Web application log submitted by a Syslog client of a Web server; and carrying out deep learning-based data mining on the Web application logs and carrying out security event correlation analysis on all the normalized Web application logs.
In particular, deep learning is a new field of machine learning research: a model simulating the analysis and learning of the human brain is established on the basis of a neural network, so that the mechanism of the human brain is imitated in order to identify targets and perceive information. Deep learning is machine learning aimed at building models with a deep hierarchical structure; a typical deep model contains at least three hidden layers. A network with such a multi-hidden-layer structure is trained with the training algorithms of ordinary neural networks.
In the invention, aiming at the intelligent analysis and research of network security risks, the essence of the method is actually a data mining process for obtaining valuable information from various web log data, so that the web application abnormal behavior analysis algorithm can refer to methods in data mining and analysis disciplines, and combines the service characteristics of the web application behaviors, quantizes a base line based on data analysis work and a mathematical algorithm, establishes a model, and calculates and outputs various abnormal behavior scenes. Common data mining and analysis methods include classification, clustering, regression analysis (multivariate regression, autoregressive, etc.), discriminant analysis, exploratory analysis (principal component analysis, correlation analysis, etc.), user feature analysis, association analysis, TopN analysis, etc.
The core of the method is machine learning, and various web application abnormal behavior patterns are mined through various machine learning algorithms. The machine learning method can be subdivided into a statistical learning method, an inductive learning method (decision tree, rule induction and the like), example-based learning, a genetic algorithm and the like; the learning form can be divided into supervised learning and unsupervised learning.
The present invention analyzes the use of supervised and unsupervised machine learning techniques to detect and identify patterns of abnormal behavior not found in the early stages. The supervised learning mode is based on a large amount of real sample data and is applied to quickly finding unknown abnormality; the unsupervised machine learning method ensures the self-learning of the system, and continuously adjusts and accurately identifies unknown abnormalities.
By means of an advanced intelligent event correlation analysis engine, the method and the system can perform security event correlation analysis on all normalized Web log streams in real time uninterruptedly, so that the protected website has event correlation analysis capability based on intelligent rules.
Meanwhile, the invention provides an intelligent rule editor: a user can define a correlation rule based on a logical expression and a statistical condition, and all log fields can participate in the correlation. Event correlation can be further divided into single-event correlation and multi-event correlation.
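As an added worked example (not code from the patent or its assignee), the following Python sketch shows the web-log path just described: syslog-delivered access-log records are normalized into common fields, and a correlator runs a single-event rule and a multi-event rule over them in the way the rule editor above lets a user express them. It also implements the newly-added-page check from the summary of effects, flagging a path that previously returned 404 or 403 and now returns 200. The log lines, field names, thresholds and rule names are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: RFC 3164-style syslog lines, each carrying one
# combined-format access log entry forwarded by the web server's syslog client.
SAMPLE_SYSLOG = [
    '<134>Jan 10 10:00:01 web01 nginx: 203.0.113.5 - - [10/Jan/2021:10:00:01 +0800] "GET /about.html HTTP/1.1" 200 512',
    '<134>Jan 10 10:00:02 web01 nginx: 198.51.100.7 - - [10/Jan/2021:10:00:02 +0800] "GET /uploads/x.php HTTP/1.1" 404 0',
    '<134>Jan 10 10:00:05 web01 nginx: 198.51.100.7 - - [10/Jan/2021:10:00:05 +0800] "GET /admin/ HTTP/1.1" 403 0',
    'not a syslog record: the normalizer rejects it and the correlator never sees it',
    '<134>Jan 10 10:00:09 web01 nginx: 198.51.100.7 - - [10/Jan/2021:10:00:09 +0800] "GET /backup.zip HTTP/1.1" 404 0',
    '<134>Jan 10 10:03:00 web01 nginx: 203.0.113.9 - - [10/Jan/2021:10:03:00 +0800] "GET /uploads/x.php?lang=en HTTP/1.1" 200 88',
]

SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:\s]+): (?P<msg>.*)$')
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')

def normalize(line):
    """Parse one syslog line carrying an access-log entry into a flat event dict, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = ACCESS_RE.match(m.group('msg'))
    if not a:
        return None
    return {
        'host': m.group('host'),
        'ts': datetime.strptime(a.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'src_ip': a.group('ip'),
        'method': a.group('method'),
        'path': a.group('path').split('?', 1)[0],   # drop the query string so paths compare cleanly
        'status': int(a.group('status')),
    }

class Correlator:
    """Stateful rule engine: one single-event rule, one multi-event rule, one state-change rule."""

    def __init__(self, scan_threshold=3, window=timedelta(seconds=60)):
        self.scan_threshold = scan_threshold
        self.window = window
        self.errors_by_ip = defaultdict(deque)   # src_ip -> timestamps of recent 4xx responses
        self.last_status = {}                    # path -> status code last seen for that path

    def process(self, ev):
        alerts = []
        # Single-event rule: a script under the upload directory was actually served.
        if (ev['status'] == 200 and ev['path'].startswith('/uploads/')
                and ev['path'].lower().endswith(('.php', '.jsp', '.aspx'))):
            alerts.append(('executable_served_from_upload_dir', ev['src_ip'], ev['path']))
        # Multi-event rule: N client errors from one source inside a sliding window.
        if 400 <= ev['status'] < 500:
            q = self.errors_by_ip[ev['src_ip']]
            q.append(ev['ts'])
            while q and ev['ts'] - q[0] > self.window:
                q.popleft()
            if len(q) == self.scan_threshold:    # fire once, when the threshold is reached
                alerts.append(('client_error_burst', ev['src_ip'], len(q)))
        # Newly-added-page rule: a path that used to be 404/403 now answers 200.
        prev = self.last_status.get(ev['path'])
        if prev in (403, 404) and ev['status'] == 200:
            alerts.append(('new_page_appeared', ev['src_ip'], ev['path']))
        self.last_status[ev['path']] = ev['status']
        return alerts

def run(lines):
    """Normalize every line, skip the ones that do not parse, and collect all alerts in order."""
    correlator = Correlator()
    alerts = []
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            alerts.extend(correlator.process(ev))
    return alerts

if __name__ == '__main__':
    for alert in run(SAMPLE_SYSLOG):
        print(alert)
```

The per-path status memory is the whole of the new-page check; in a deployment it would be keyed on the canonical path and persisted, since the 404-then-200 transition may be days apart and span collector restarts.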
As an optional implementation, in some embodiments, the webshell detection analysis engine is built based on artificial intelligence techniques, including expert systems, artificial neural networks, fuzzy detection techniques, and Agent techniques.
Artificial intelligence has taken an important place in evaluating research based on Web security intelligence analysis. The artificial intelligence technology mainly applied in the invention comprises the following technologies:
(1) The expert system is an intelligent program system with expert-level problem-solving ability in its field; by using the experience and knowledge accumulated by domain experts over many years, it can imitate the human thinking process to solve difficult problems that would otherwise require an expert. The system administrator encodes known intrusion characteristics into rules to form a rule base, and intrusions are detected by matching audit records against the rules. Although the expert system is simple, the continuous increase in intrusion patterns and the continuous expansion of the rule base mean that the amount of data that must be matched keeps growing, real-time detection becomes more and more difficult, and eventually the expert system can no longer be applied. Offline processing takes too much time because of the excessive data volume, and its effect is impaired.
(2) The artificial neural network is built on the basis of research into biological neural networks; it is a simulation of the structure and function of the brain's nervous system and has learning, memory, computing and intelligent-processing capabilities. Its advantages are strong fault tolerance, the ability to recognize input patterns that are noisy or distorted, and strong adaptability; information is stored and processed in a parallel, distributed way, so recognition is fast; and recognition and many preprocessing steps can be integrated into a single process. Applied to intrusion detection, a neural network first builds a prediction model based on time series; after methods based on system calls appeared, neural networks were applied to learning the local patterns of program traces, which is more accurate and simpler than the former approach, is unaffected by the repeated and infrequent changes in a user's habits, and overcomes the weakness that a malicious user can deliberately alter their behavior so as to be encoded as a normal profile. Although a neural network can improve the performance of intrusion detection, it cannot explain the data it detects because of its inherent shortcomings.
(3) In fuzzy detection, most fuzzy detection models hold that the 'anomaly' in anomaly detection is essentially a fuzzy concept, because the behavior of the monitored object is so complicated that no precise definition of 'anomaly' can be given. The purpose of anomaly detection is to discover 'anomalous' behavior and then decide, based on the degree of 'anomaly', whether the behavior is an intrusion; this idea lends itself well to description in terms of fuzzy mathematics. The advantages of the algorithm are that building the detection model places low demands on training data, the model is stable once built, and a satisfactory detection rate and a low false alarm rate can be achieved without frequent relearning and rebuilding, which conventional anomaly detection methods lack. Fuzzy comprehensive evaluation is adopted as the detection algorithm; its characteristic is that problems that are complex and highly ambiguous can be handled with a precise mathematical tool, so that a precise result is obtained.
(4) Agent technology. For the representation of knowledge, artificial intelligence technology mainly offers semantic networks, frame representations, production rules, object-oriented representations and other methods. The recently proposed Agent-oriented technology is the development of object-oriented technology in the field of artificial intelligence.
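As an added worked example (not code from the patent or its assignee), the following Python sketch carries out the fuzzy comprehensive evaluation named in item (3): a factor set U of three web-log features, a grade set V of {normal, suspicious, abnormal}, a membership matrix R built from shoulder and triangular membership functions, and a weight vector A combined with R by the weighted-average operator to give the result vector B, from which the grade with maximum membership is chosen. As the passage notes, no training data is involved; the breakpoints and weights are expert-chosen, and the ones here are constructed for illustration.

```python
# Grade set V: the fuzzy "degree of anomaly" is expressed over three grades.
GRADES = ('normal', 'suspicious', 'abnormal')

# Constructed factor set U with expert-chosen breakpoints (lo, mid, hi) and weight vector A.
FACTORS = [
    # name,            lo,    mid,   hi,    weight
    ('error_ratio',    0.05,  0.30,  0.60,  0.4),   # share of 4xx/5xx responses in the window
    ('req_per_sec',    2.0,   20.0,  60.0,  0.3),   # request rate from one client
    ('new_path_ratio', 0.02,  0.20,  0.50,  0.3),   # share of requests for never-seen paths
]

def left_shoulder(x, lo, mid):
    """Membership in 'normal': 1 up to lo, falling to 0 at mid."""
    if x <= lo:
        return 1.0
    if x >= mid:
        return 0.0
    return (mid - x) / (mid - lo)

def triangle(x, lo, mid, hi):
    """Membership in 'suspicious': peak 1 at mid, 0 at or beyond lo and hi."""
    if x <= lo or x >= hi:
        return 0.0
    if x <= mid:
        return (x - lo) / (mid - lo)
    return (hi - x) / (hi - mid)

def right_shoulder(x, mid, hi):
    """Membership in 'abnormal': 0 up to mid, rising to 1 at hi."""
    if x <= mid:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - mid) / (hi - mid)

def memberships(x, lo, mid, hi):
    """One row of the fuzzy relation matrix R: membership of a factor value in each grade."""
    return (left_shoulder(x, lo, mid), triangle(x, lo, mid, hi), right_shoulder(x, mid, hi))

def window_features(requests, seconds, known_paths):
    """Turn a window of (path, status) pairs into the factor values of U."""
    n = len(requests)
    errors = sum(1 for _, status in requests if status >= 400)
    unseen = sum(1 for path, _ in requests if path not in known_paths)
    return {'error_ratio': errors / n, 'req_per_sec': n / seconds, 'new_path_ratio': unseen / n}

def evaluate(obs):
    """Fuzzy comprehensive evaluation B = A o R with the weighted-average operator M(*, +)."""
    total_w = sum(f[4] for f in FACTORS)
    scores = [0.0] * len(GRADES)
    for name, lo, mid, hi, w in FACTORS:
        for i, r in enumerate(memberships(obs[name], lo, mid, hi)):
            scores[i] += w * r / total_w
    return dict(zip(GRADES, scores))

def classify(obs):
    """Maximum-membership decision, plus the raw 'abnormal' degree for threshold tuning."""
    b = evaluate(obs)
    return max(GRADES, key=b.get), b['abnormal']

# Constructed sample window: 10 requests in 2 seconds from one client, 6 of them errors.
KNOWN_PATHS = {'/', '/about.html', '/login'}
SAMPLE_WINDOW = [('/', 200), ('/login', 200), ('/login', 401), ('/login', 401), ('/login', 401),
                 ('/admin', 403), ('/backup.zip', 404), ('/old.zip', 404), ('/about.html', 200), ('/', 200)]

if __name__ == '__main__':
    obs = window_features(SAMPLE_WINDOW, 2.0, KNOWN_PATHS)
    print(obs, evaluate(obs), classify(obs))
```

Because every factor contributes through a bounded membership rather than a raw value, a single extreme feature cannot swamp the others, which is what lets the breakpoints stay fixed while traffic volumes drift.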
As an alternative implementation, in some embodiments, detecting the attack behavior of the protected website employs an attack monitoring and awareness technique combining DPI and DFI.
Traditional security data collection is constrained by the synchronous, blocking nature of network communication; to improve performance, advanced event collection algorithms make full use of asynchronous and non-blocking modes, but performance still cannot meet the requirements of large-scale event processing.
On the basis of an asynchronous, non-blocking mechanism, the invention designs a unique technical route that fuses DPI and DFI, and greatly increases the speed of receiving and storing events through a parallel computing algorithm. At the same time, the time-ordered flow of event processing is preserved, avoiding the 'events lost before storage' condition that easily occurs in a purely asynchronous mode.
DPI stands for 'Deep Packet Inspection'. DPI adds application-layer analysis on top of packet-header analysis and is a traffic detection and control technique based on the application layer. When an IP packet, TCP or UDP data stream passes through a traffic management system based on DPI, the system reads the content of the IP packet payload in depth and reassembles the application-layer information of the OSI 7-layer model, so as to obtain the content of the whole application session, and then shapes the traffic according to the management policy defined by the system.
For different protocol types, DPI identification techniques can be divided into the following three categories:
(1) identification technology based on 'feature words': different applications typically rely on different protocols that all have their particular "fingerprints" which may be specific ports, specific strings, or specific bit sequences.
(2) Application layer gateway identification technology: the control flow and the traffic flow of some services are separate and the traffic flow does not have any features. The application layer gateway needs to recognize the control flow first, and analyze the control flow through the specific application layer gateway according to the protocol of the control flow, and recognize the corresponding service flow from the protocol content.
(3) Behavior pattern recognition technology: the behavior pattern recognition technology determines an action that a user is performing or an action to be performed based on an analysis of a behavior that the terminal has performed.
DFI (Deep/Dynamic Flow Inspection) differs from DPI in that it does not match application-layer payloads; it is an application identification technique based on flow behavior, that is, on the fact that different application types differ in their session connection or their current state in the data flow.
Because the DPI technology and the DFI technology are different in implementation mechanism, the fusion of the two technologies is mainly realized on the basis of the following mechanism:
(1) DPI unpacks and inspects packet by packet, matching each packet against a background database; DFI analyzes flows, comparing only the flow characteristics against a background flow model.
(2) A bandwidth management system based on DPI always lags behind new applications: the background application database must be continuously upgraded as new protocols and applications appear, otherwise the traffic of the new technology cannot be effectively identified and managed, and pattern-matching efficiency must be improved. A system based on DFI has a smaller management and maintenance workload than a DPI system, because the traffic characteristics of new and old applications of the same type do not change much, so the traffic behavior model does not need to be updated frequently.
(3) DPI uses packet-by-packet analysis and pattern matching, so it can accurately identify the specific application type and protocol in the flow; DFI only analyzes flow behavior, so it can only classify application types coarsely, for example, applications that fit the P2P flow model are uniformly identified as P2P traffic. If the packets are transmitted encrypted, DPI-based flow control cannot identify the specific application, whereas DFI-based flow control is unaffected because encryption does not fundamentally change the state behavior characteristics of the application flow.
As an alternative implementation, in some embodiments, the data storage system is provided through relational database technology and a distributed analysis system based on a multi-source heterogeneous processing framework.
At present, massive real-time data cannot be effectively correlated and analyzed; false positives and missed alarms result, so security attacks cannot be discovered effectively. Historical data cannot be analyzed effectively either: querying and retrieving massive historical data with relational database technology is time-consuming, and generating a report usually takes several hours, which cannot meet the daily security work requirements of security analysts.
To address these problems, a safe and reliable big data analysis model platform is established by combining relational database technology with a distributed analysis system (HDFS) based on a multi-source heterogeneous processing framework.
(1) Big data collection
The platform collects security events at high speed through security event collectors deployed in a distributed manner. The collectors preprocess the collected original security data and events, where preprocessing comprises generalization, filtering and merging, and send the result to the big data analysis platform.
(2) Storage of big data
The relational database and the distributed file system store the received structured events and original events; through the distributed storage nodes these events are stored in the file systems distributed across all nodes of the platform, and conversion between structured and unstructured data is carried out by a dedicated database adaptation tool. The distributed file system uses redundant storage to keep the security data safe: the data on each node is backed up on other nodes, so that if a node is damaged the data is unaffected and the system can redistribute it.
(3) Analysis of big data
Big data analytics technologies provide powerful security event analysis methods, including feature-based, behavior-based, statistical-based, and machine-learning-based automated and semi-automated analysis methods. These analysis methods automatically perform real-time and historical analysis of the collected data.
1) The big data analysis technology uses a stream computing framework based on CEP (complex event processing) to analyze security events dynamically in real time. The platform pre-compiles all association rules into CQL (Continuous Query Language) and sends the CQL to an independently developed CEP engine, which performs pattern matching on the real-time event stream. The pattern matching model is implemented with a nondeterministic finite automaton (NFA), with reference to the RETE algorithm. Identifying known patterns of attacks and violations through a signature-based rule association analysis engine is one of the most classical and traditional association analysis techniques.
2) Behavior-based event correlation analysis shifts security analysis to an active analysis model based on anomaly detection, so that the mainstream analysis mode of the security monitoring platform no longer depends heavily on the correlation engine.
Rule association analysis relies on attack signatures defined empirically by experts, or on known attack methods. Advanced threats often have no signature, and the exact attacker behavior is difficult to predict. Event behavior analysis is an active analysis mode based on anomaly detection: rather than static association rules, it establishes the normal reference behavior of an observed object and reveals suspicious attack activity by comparing real-time activity against that reference. Event behavior analysis can intelligently discover hidden attack behavior, speed up the confirmation of threats that have no signature, and reduce the number of incidents that administrators must investigate.
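The rule correlation step described above, as an added example that is not the patent's own code: one association rule is run as a nondeterministic finite automaton over a real-time event stream, keeping a set of live partial matches per source so that one event can both extend a sequence and start a new one. The event fields (ts, src, status, path), the rule "five or more 401 responses on the login path from one source, then a 200 on the same path within 120 s" and the sample events are my own constructions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


@dataclass
class Step:
    name: str
    pred: Callable[[Event], bool]   # does this event satisfy the step?
    min_count: int = 1              # events needed before the step is satisfied


@dataclass
class Rule:
    name: str
    key: str          # event field that ties a sequence together (here: src)
    window: float     # seconds allowed from the first event to the last
    steps: List[Step]


@dataclass
class Partial:
    """One live NFA state: a partially matched sequence for a single key."""
    start_ts: float
    step: int = 0
    count: int = 0
    events: List[Event] = field(default_factory=list)


@dataclass
class Alert:
    rule: str
    key: object
    events: List[Event]


class CorrelationEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # (rule name, key) -> live partial matches. Several may coexist for one
        # key, which is what makes this a nondeterministic automaton.
        self.state: Dict[Tuple[str, object], List[Partial]] = defaultdict(list)

    @staticmethod
    def _advance(p: Partial, rule: Rule, ev: Event) -> bool:
        """Apply ev to partial p; return True when the final step completes."""
        step = rule.steps[p.step]
        p.count += 1
        p.events.append(ev)
        if p.count < step.min_count:
            return False
        if p.step + 1 == len(rule.steps):
            return True
        p.step, p.count = p.step + 1, 0
        return False

    def feed(self, ev: Event) -> List[Alert]:
        alerts: List[Alert] = []
        for rule in self.rules:
            key = (rule.name, ev[rule.key])
            # Expire partial matches whose time window has elapsed.
            live = [p for p in self.state[key] if ev["ts"] - p.start_ts <= rule.window]
            fired = extended = False
            for p in live:
                if rule.steps[p.step].pred(ev):
                    extended = True
                    if self._advance(p, rule, ev):
                        alerts.append(Alert(rule.name, ev[rule.key], list(p.events)))
                        fired = True
            if fired:
                live = []   # a completed sequence clears this key's partial matches
            elif not extended and rule.steps[0].pred(ev):
                p = Partial(ev["ts"])   # a new sequence may start at this event
                if self._advance(p, rule, ev):
                    alerts.append(Alert(rule.name, ev[rule.key], list(p.events)))
                else:
                    live.append(p)
            self.state[key] = live
        return alerts


LOGIN_PATH = "/login"
BRUTE_FORCE_THEN_SUCCESS = Rule(
    name="brute-force-then-success", key="src", window=120.0,
    steps=[
        Step("repeated 401", lambda e: e["status"] == 401 and e["path"] == LOGIN_PATH, min_count=5),
        Step("then 200", lambda e: e["status"] == 200 and e["path"] == LOGIN_PATH),
    ],
)

# Constructed web-log events (ts in seconds, src, status, path); not real traffic.
SAMPLE_EVENTS: List[Event] = [
    {"ts": t, "src": s, "status": c, "path": p} for t, s, c, p in [
        (0, "10.0.0.5", 401, "/login"), (0, "10.0.0.7", 401, "/login"),
        (5, "10.0.0.9", 401, "/login"), (10, "10.0.0.5", 401, "/login"),
        (15, "10.0.0.9", 200, "/login"), (20, "10.0.0.5", 401, "/login"),
        (30, "10.0.0.5", 401, "/login"), (40, "10.0.0.5", 401, "/login"),
        (50, "10.0.0.5", 401, "/login"), (70, "10.0.0.5", 200, "/login"),
        (200, "10.0.0.7", 401, "/login"), (400, "10.0.0.7", 401, "/login"),
        (600, "10.0.0.7", 401, "/login"), (800, "10.0.0.7", 401, "/login"),
        (820, "10.0.0.7", 200, "/login"),
    ]
]


def run_demo() -> List[Alert]:
    """Stream the sample events through the engine; only 10.0.0.5 completes the
    sequence, 10.0.0.9 never reaches five failures and 10.0.0.7 is too slow."""
    engine = CorrelationEngine([BRUTE_FORCE_THEN_SUCCESS])
    alerts: List[Alert] = []
    for ev in SAMPLE_EVENTS:
        alerts.extend(engine.feed(ev))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.rule}: src={a.key} matched {len(a.events)} events "
              f"between t={a.events[0]['ts']} and t={a.events[-1]['ts']}")
```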
The system supports two behavioral analysis techniques:
● Dynamic baseline technique: a periodic baseline analysis method is used. The periodic baseline is calculated from historical data, typically as a single-cycle data profile. This profile consists of several contour points, each representing one sampling time point. If a new actual measurement does not exceed the baseline range, the old contour value is updated by a weighted average algorithm; if the new measurement exceeds the baseline range, it is discarded and does not participate in computing the new contour value. Repeating this keeps the baseline in continuous dynamic change.
● Predictive analysis technique: a detection model and method based on a time-window confidence interval is used. The method continuously self-adjusts and converges during actual operation, automatically removing abnormal historical data from the historical time window so that the window data closely matches the network's actual normal traffic behavior, thereby improving the accuracy of alarms on abnormal behavior.
3) Machine learning and statistics based analysis techniques. Big data provides a strong foundation for machine learning and statistical analysis: the accuracy of machine learning is assured by massive security data, and distributed processing gives statistical analysis a fast and efficient computation method, so that massive data can be processed in a short time. The big data analysis platform distributes complex statistics and computation to each node using a Map/Reduce method; each node computes and the results are collected at the master node to complete the complex computation. Through specific statistical algorithms the platform counts events across multiple dimensions in a given time period, obtaining statistics such as the mean and standard deviation, computes a behavior baseline for the period, and, by setting a confidence interval, finds abnormal security events that exceed the normal behavior baseline. Using clustering, classification and recommendation analysis algorithms, the platform continuously clusters security events across multiple dimensions (vectors) into set categories and finds event hot spots in the current period, realizing real-time macroscopic analysis of massive events.
The platform uses machine learning based algorithms such as decision tree analysis, mathematical statistics and hypothesis testing: it establishes a normal baseline by learning the multiple dimensions of security events over a certain period, and by analyzing the deviation of an event's feature values from the baseline, events outside the confidence interval can be treated as abnormal events and security trends can be predicted. The machine learning algorithm keeps learning from the complete security data collected, so as to maintain the latest baseline model, greatly improving the accuracy of finding abnormal behavior and unknown threats.
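The dynamic baseline (weighted-average update of contour points, out-of-range samples discarded) and the confidence-interval detection described in the two passages above, carried through in working code as an added example that is not part of the patent. The 24-slot hourly cycle, the band of three standard deviations with a floor, and the request-count sample data are my own assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass
class ContourPoint:
    value: float           # current baseline (contour) value for this slot
    history: List[float]   # recent in-range samples used for the band width


class DynamicBaseline:
    """Periodic baseline: one contour point per sampling slot of the cycle."""

    def __init__(self, slots: int = 24, alpha: float = 0.3, k: float = 3.0,
                 window: int = 7, min_half_band: float = 5.0) -> None:
        self.slots = slots
        self.alpha = alpha                # weight of the newest in-range sample
        self.k = k                        # band half-width in standard deviations
        self.window = window              # samples kept per slot (e.g. 7 days)
        self.min_half_band = min_half_band  # floor so noise-free slots do not alarm
        self.profile: Dict[int, ContourPoint] = {}

    def fit(self, cycles: List[List[float]]) -> None:
        """Initial profile: per-slot mean of the historical cycles."""
        for slot in range(self.slots):
            samples = [cycle[slot] for cycle in cycles][-self.window:]
            self.profile[slot] = ContourPoint(mean(samples), list(samples))

    def band(self, slot: int) -> Tuple[float, float]:
        """Confidence band for a slot: contour value +/- max(k * std, floor)."""
        cp = self.profile[slot]
        sd = pstdev(cp.history) if len(cp.history) > 1 else 0.0
        half = max(self.k * sd, self.min_half_band)
        return cp.value - half, cp.value + half

    def observe(self, slot: int, x: float) -> Tuple[bool, Tuple[float, float]]:
        """Feed one measurement; returns (is_anomaly, band_used).

        In-range samples update the contour by weighted average; out-of-range
        samples are discarded so an attack cannot drag the baseline toward it."""
        lo, hi = self.band(slot)
        cp = self.profile[slot]
        if lo <= x <= hi:
            cp.value = (1 - self.alpha) * cp.value + self.alpha * x
            cp.history.append(x)
            del cp.history[:-self.window]
            return False, (lo, hi)
        return True, (lo, hi)


# Constructed sample data: hourly request counts over seven normal days, with a
# small deterministic jitter so each slot has a non-zero standard deviation.
NORMAL_DAY = [20, 15, 12, 10, 10, 15, 40, 90, 150, 180, 190, 200,
              210, 200, 190, 180, 160, 140, 120, 100, 80, 60, 40, 30]


def make_day(day_index: int) -> List[float]:
    return [NORMAL_DAY[h] + ((day_index * 7 + h) % 5 - 2) for h in range(24)]


def detect_anomalies(history_days: List[List[float]],
                     new_day: List[float]) -> List[Tuple[int, float, Tuple[float, float]]]:
    """Fit the baseline on history, stream the new day, and return
    (hour, value, band) for every sample outside its slot's baseline range."""
    baseline = DynamicBaseline()
    baseline.fit(history_days)
    anomalies = []
    for hour, value in enumerate(new_day):
        is_anomaly, band = baseline.observe(hour, value)
        if is_anomaly:
            anomalies.append((hour, value, band))
    return anomalies


def run_demo() -> List[Tuple[int, float, Tuple[float, float]]]:
    history = [make_day(d) for d in range(7)]
    day8 = make_day(7)
    day8[3] = 510.0   # constructed: night-time burst, e.g. an automated scan
    day8[14] = 0.0    # constructed: traffic vanishes, e.g. the site stopped serving
    return detect_anomalies(history, day8)


if __name__ == "__main__":
    for hour, value, (lo, hi) in run_demo():
        print(f"hour {hour:02d}: {value:.0f} outside baseline range [{lo:.1f}, {hi:.1f}]")
```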
The big data analysis model platform provides functions of address entropy analysis, hot event analysis, threat situation analysis and the like based on a machine learning and statistical method, and realizes real-time analysis of security events.
The big data analysis platform provides an interface with a statistical analysis tool language, and safety analysts can analyze the safety data by using the statistical analysis tool which is most widely applied all over the world, and find abnormal safety events.
As an optional implementation, in some embodiments, Libra crawler technology is used to obtain the current picture resources of the target website; all picture resources used by the target website are converted into a first model with a convolutional neural network algorithm; and when modified or newly added picture resources are detected, they are converted into a second model that is compared with the previous first model and, at the same time, with the FG picture model in the threat intelligence provided by a security vendor, to find tampered pictures on the website.
The method uses Libra crawler technology: the designed platform captures the page content returned by the target website, combines it with an efficient cache analysis technique to obtain the page difference content, compares that content with illegal content such as FG extracted from the threat intelligence provided by a security vendor, and so actively detects and finds tampered web page content.
The Libra crawler combines the advantages of a Python crawler and a script crawler; in particular, through its scripting-language design, the crawler can be adjusted flexibly to the type of crawling task, which improves its deduplication efficiency. When used for Web vulnerability detection, the Libra crawler has a complete engineering catalogue comprising:
1) defining and extracting a network page structure;
2) processing the extracted data;
3) a crawler configuration file;
4) an invention profile.
When applying Libra crawler technology, a Spider class is created, through which the URLs are crawled, a URL list is built, and responses are parsed. The Spider class contains the following mandatory attributes:
1) name, namely establishing a crawler tag name;
2) start-URLs, i.e. building a list from which the URLs needed for the subsequent crawling operation come, and the URLs generated in the crawling process are automatically included in the list;
3) parse, the way in which URLs are parsed. In the crawling process, the target URL generates a Response, which is a parameter relied on by the parsing process.
Advantages of the Libra crawler
In the field of Web vulnerability detection, various crawler technologies are available, including python crawlers, Scapy crawlers, Base Spider crawlers, Libra crawlers and the like. Compared with traditional crawler technology, the technical process of the Libra crawler has the following advantages:
1) Dynamic crawling with high flexibility. Traditional crawlers such as the python crawler can only crawl links such as forms from simple HTML, and can obtain script information only after a vulnerability runs. The Libra crawler, by contrast, can process the internal scripts of the crawled page using javascript and the like, improving crawling efficiency.
2) Better URL deduplication. During crawling a large number of links are identified, and duplicate links may occur. With traditional crawler technology a new URL can be extracted from complex network interaction, but extraction is slow. With the Libra crawler a new URL is identified quickly and checked against whether it was crawled in a previous step; if a crawl record exists, subsequent link identification can be skipped.
3) Reduced memory usage. When deduplicating URLs, the Libra crawler emphasizes the use of a hash table; through the table, not only is time complexity reduced but hash collisions are kept to a minimum, improving the accuracy of duplicate detection. If the identifying information used for duplicate detection is stored in str format, it consumes a large amount of system memory and slows the system down. To address this, the Libra crawler offers a choice of variable format: if the identifiers are stored in int format, the links can be compressed, reducing memory usage to 1/3 of what it was.
4) Diversified injection point information. Through the Libra crawler, the captured URL data is of many types, and the injection points contained in it include HTML attributes in addition to HTML tags and HTML events, providing more information for reference by the Web administrator.
As an alternative implementation, in some embodiments, indicators of compromise are screened out of threat data as machine-readable threat intelligence, and existing logs are compared and matched against them to form trends or clues that guide security response and block attacks.
Threat intelligence gives the platform the ability to identify and handle attacks and indicators of compromise in time. Although information about attacks can be compared, the essence of threat intelligence in identifying attack behavior during a process lies in tightly integrating this information with contextual knowledge of attack methods and attack processes.
In the invention, a picture content tampering detection technology is studied, following the technical route of the web security risk intelligent analysis technology: all picture resources used by the target website are converted into a model with a CNN (convolutional neural network) algorithm, and when modified or newly added picture resources are found they are converted into a model and compared with the previous model to find suspicious new pictures. Meanwhile, the model of the modified or newly added picture is compared with the FG picture model in the threat intelligence provided by the security vendor, so that tampered pictures on the website are actively detected and found from the outside. The user can respond in an agile and rapid manner to the continuously evolving, large-volume and high-priority threat of website picture tampering. Without such matching, the user works blind and is also confronted with confusing alarms.
Observing threats with current analysis techniques may over-focus on internal details. All forms of threat data, structured or unstructured, require comprehensive analysis and research from a more "global" perspective. Only when forewarned by screened, high-quality threat intelligence can one begin to build a comprehensive understanding of the threats' capabilities (what they can do to you and how), the attacker infrastructure and weapons (where they come from), the motivation (why they act) and their purpose and resources.
By combining threat intelligence with the platform, threat data can be aggregated and rationalized to automatically screen out indicators of compromise (IOC) as machine-readable threat intelligence (MRTI); comparison and matching against existing logs then makes unusual trends or clues easy to discover and act upon efficiently. By combining teams, processes and tools, the threat intelligence platform gives security teams an unprecedented view of where a threat came from, can track an entire incident from beginning to end, and produces reports that can guide security response and blocking. The large amount of time spent chasing false alarms generated by traditional situational awareness platforms is saved.
The threat intelligence aggregated by the threat intelligence correlation analysis technology can be effectively controlled, verified and measured for value, and can be used for alerting and blocking in a mature way. Through threat intelligence correlation, one can be confident that the data is relevant to a threat and has been prioritized, so that relevant intelligence is handled more correctly.
As an optional implementation manner, in some embodiments, a kernel-based driving protection technology, a dynamic webpage script protection technology and a continuous tampering attack protection technology are adopted to prevent website contents from being tampered.
The protection mechanism is triggered by kernel events, which ensures that system resources are not wasted. The designed page tamper-proof module uses driver-level protection of the operating system's underlying files and is tightly integrated with the operating system, unlike the Web event triggering mechanism of other tamper-proof software. Even if hackers compromise the server and obtain operating administrator privileges, the protected content still cannot be tampered with, and a series of risks that may occur with ordinary Web-embedded anti-tampering software, such as computation and verification consuming too many system resources and tampered content being unrecoverable after the connection is broken, are completely eliminated.
Current websites increasingly use dynamic technologies (e.g., ASP, JSP, PHP) to output web pages. A dynamic web page consists of web page scripts and content: the web page script exists as a file on the Web server, while the content is taken from a database. Typically the database sits on an intranet, has no external address, and accepts access only from internally specified addresses, so it is generally not subject to attack. Dynamic web scripts residing on Web servers, however, are as vulnerable to attack as static web pages.
A system using file-driver-level technology can obtain the dynamic web page script directly from the Web server, unaffected by the changing content, and can therefore protect dynamic web page scripts just like static web pages.
For large-scale continuous tampering, detection of the first illegal operation blocks the subsequent tampering operations in real time: based on the source and operation behavior, the system terminates its subsequent tamper requests in advance. The system completes the protective measures at the bottom layer and does not pass the large-scale continuous tampering requests to the upper-layer application, greatly reducing the application's processing load and effectively maintaining its intended working efficiency.
When ordinary Web-embedded, event-triggered tamper-resistant software faces large-scale continuous tampering, every tampering must be computed, verified and matched through an application-layer plug-in; since the tampering itself is not prevented, the software must repeatedly restore the original web page content, which heavily consumes system and network resources and can cause wrong pages to be displayed to visiting users.
As an optional implementation manner, in some embodiments, after detecting that the website content is tampered, the webpage content in the trusted backup path is quickly restored to the corresponding folder.
The system uses an advanced algorithm to quickly restore the web page content under the trusted backup path to the corresponding folder, reducing manual intervention. It supports traditional SFTP, network sharing and the like, supports high-speed upload, and also supports backing up web pages to a specified folder, which is convenient for maintenance personnel's daily maintenance of the website. It can be integrated seamlessly with all content management systems without any modification, greatly simplifying management and deployment for the user.
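The snapshot comparison of site resources (a first model at deployment, a second after a change, with modified and newly added resources flagged) described in the picture tampering passage above, joined with the restore from a trusted backup path described here, as an added example that is not the patent's own code. My assumptions: the CNN picture model is replaced by a SHA-256 digest per file, so any byte-level change or addition is detected; the web root, trusted backup and quarantine directories are constructed in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Model = Dict[str, str]   # relative path -> SHA-256 hex digest of the file content


def snapshot(root: Path) -> Model:
    """A 'model' of a site tree: one digest per file, keyed by relative path."""
    model: Model = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        model[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return model


def compare(first: Model, second: Model) -> Tuple[List[str], List[str], List[str]]:
    """Second model vs first: (modified, newly added, deleted) relative paths."""
    modified = sorted(k for k in first if k in second and first[k] != second[k])
    added = sorted(k for k in second if k not in first)
    deleted = sorted(k for k in first if k not in second)
    return modified, added, deleted


def restore(web_root: Path, backup_root: Path, trusted: Model,
            modified: List[str], added: List[str], deleted: List[str],
            quarantine: Path) -> List[str]:
    """Put modified/deleted files back from the trusted backup and move newly
    added files out of the web root for review. The backup is checked against
    the manifest recorded at deployment first: a backup that no longer matches
    must never be used as the restore source."""
    if snapshot(backup_root) != trusted:
        raise RuntimeError("trusted backup does not match its manifest; refusing to restore")
    actions: List[str] = []
    for rel in modified + deleted:
        dst = web_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, dst)
        actions.append(f"restored {rel}")
    for rel in added:
        dst = quarantine / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(web_root / rel), str(dst))
        actions.append(f"quarantined {rel}")
    return actions


def run_demo() -> Tuple[List[str], List[str], List[str], List[str], bool]:
    tmp = Path(tempfile.mkdtemp(prefix="tamper-demo-"))
    web, backup, quarantine = tmp / "www", tmp / "trusted_backup", tmp / "quarantine"
    # Constructed site content; the backup is a byte-identical copy taken at deployment.
    files = {
        "index.html": b"<html><body>Welcome</body></html>",
        "images/logo.png": b"\x89PNG constructed logo bytes",
        "css/site.css": b"body { color: black; }",
    }
    for rel, data in files.items():
        for base in (web, backup):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
    trusted = snapshot(backup)            # first model, recorded at deployment
    # Constructed tampering: page edited, picture added, stylesheet removed.
    (web / "index.html").write_bytes(b"<html><body>DEFACED</body></html>")
    (web / "images" / "defaced.png").write_bytes(b"\x89PNG constructed defaced bytes")
    (web / "css" / "site.css").unlink()
    modified, added, deleted = compare(trusted, snapshot(web))   # second model vs first
    actions = restore(web, backup, trusted, modified, added, deleted, quarantine)
    recovered = snapshot(web) == trusted  # web root again matches the trusted model
    shutil.rmtree(tmp)
    return modified, added, deleted, actions, recovered


if __name__ == "__main__":
    modified, added, deleted, actions, recovered = run_demo()
    print("modified:", modified, "added:", added, "deleted:", deleted)
    print("\n".join(actions), "\nrecovered:", recovered)
```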
As an optional implementation manner, in some embodiments, an emergency scenario automatic response is established by using an SOAR technology, where the SOAR technology helps to collect information monitored by web security, perform event analysis and alarm triage on the collected information, and help security operation and maintenance personnel to define, sequence, and drive standardized event response activities in a man-machine combination manner under the guidance of a standard workflow.
The present invention contemplates the use of SOAR, a collection of technologies that help collect the various information monitored by web security (including alarms generated by the various security systems) and perform event analysis and alarm triage on it. Then, under the guidance of a standard workflow, a man-machine combination helps security operation and maintenance personnel define, sequence and drive standardized incident response activities. The SOAR tool formalizes the description of the tamper event analysis and response flow.
The response platform designed by this method is based on a service-oriented architecture (SOA), that is, a complete new method and environment for building distributed software systems, including a runtime environment, programming model, architectural style and related methodology, covering the whole life cycle of a service. SOA is service-centric; the resulting IT system is more flexible, easier to reuse, and better (and faster) at coping with change.
The website content monitoring (detection) and automatic response platform provides rich visualization capability and can present information based on the web security situation, drawing on the various web basic data and on the data produced by system analysis.
Meanwhile, since the web security situation changes as new technologies and new threats appear, the website content monitoring (detection) and automatic response platform also provides rich interface configuration functions to help users customize the visualization according to the current web security situation.
The platform provides various views; a user can customize the interface according to his or her needs and display the data of interest. Through the dashboard and the web security interface, security analysts can process various data more easily, correlate data visually, find abnormal behavior and obtain a starting point for security investigation. The platform provides analysis reports and statements based on web security monitoring.
The key innovation points of the invention are as follows:
1. The method combines the development and application trends of current detection technology with an analysis of the webshell security protection mechanism. At present, the logic correlation analysis technology for Web logs and the webshell security detection mechanism have certain technical limitations and cannot effectively provide security protection under today's cloud computing and big data environment; the relevant data needs technical research and expansion through sufficient data analysis and data optimization, building on the combination of AI (artificial intelligence) technology and a big data platform, so that researching the corresponding Web attack and webshell detection and analysis engine can effectively improve website security detection capability.
2. The existing technology and mechanisms for detecting and protecting against web page content tampering lag behind. Web page tampering is currently addressed in two ways, deploying a web firewall and deploying a tamper-proof product; but the web firewall focuses mainly on protecting against external web attacks and does not effectively protect the content integrity of the website, while web page tamper-proofing relies on a file protection process for security protection and loses its protective effect once that process is unloaded.
Facing the technical limitations of current website content tampering detection and protection, a detection technology and protection mechanism suited to the actual service environment need to be researched and expanded, with emphasis on the system driver layer and the information display layer; protection research is carried out from different technical layers, and AI and big data technologies are combined to improve the accuracy of information detection, so that website tampering detection and protection can be improved effectively.
3. SOAR technology is one of the most popular technical topics at present, and effectively realizing SOAR automatic response can greatly improve the working efficiency of operation and maintenance staff. Based on the actual usage scenarios and service data flows of the ultra-high voltage company's several internet applications, an overall analysis is carried out in combination with the actual scenarios and the company's existing security protection mechanisms, establishing an automatic response mechanism and security protection technology that fit the actual service scenarios, which can improve the automatic security response for the ultra-high voltage company's website content as a whole.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
The above embodiments are only for illustrating the technical concept and features of the present invention, and the purpose thereof is to enable those skilled in the art to understand the contents of the present invention and implement the present invention accordingly, and not to limit the protection scope of the present invention accordingly. All equivalent changes or modifications made in accordance with the spirit of the present disclosure are intended to be covered by the scope of the present disclosure.

Claims (10)

1. A website content monitoring and automatic response protection method based on intelligent analysis technology is characterized by comprising the following steps:
detecting attack behavior against a protected website, wherein the detection comprises: web log detection and webshell detection for internet applications within a target company, and tampering detection of website content, text content and newly added pages;
establishing a corresponding emergency scenario for each kind of attack behavior against the protected website, and, when any one of the attack behaviors is monitored, automatically responding with the corresponding emergency scenario.
2. The web site content monitoring and automated response protection method based on intelligent analysis technology as claimed in claim 1, wherein the web log detection comprises:
receiving a Web application log submitted by a Syslog client of a Web server;
and carrying out deep learning-based data mining on the Web application logs and carrying out security event correlation analysis on all the normalized Web application logs.
3. The website content monitoring and automated response protection method based on intelligent analysis technology as claimed in claim 1, wherein the webshell detection comprises: establishing a webshell detection and analysis engine based on artificial intelligence technology, wherein the artificial intelligence technology comprises an expert system, an artificial neural network, fuzzy detection technology and Agent technology.
4. The method for web site content monitoring and automated response protection based on intelligent analysis technology as claimed in claim 1, wherein detecting the attack behavior of the protected web site employs an attack monitoring and perception technology combining DPI and DFI.
5. The method for website content monitoring and automated response protection based on intelligent analysis technology as claimed in claim 1, wherein the data is based on a multi-source heterogeneous processing framework, and a big data analysis model platform is established through a relational database technology and a distributed analysis system.
6. The website content monitoring and automated response protection method based on intelligent analysis technology as claimed in claim 1, wherein the tamper detection comprises:
acquiring current picture resources of a target website by using a Libra crawler technology;
converting all picture resources used by a target website into a first model by using a convolutional neural network algorithm;
and after detecting the modified or newly added picture resources, converting the modified or newly added picture resources into a second model and comparing the second model with the previous first model, and meanwhile, comparing the second model with an FG picture model in threat information provided by a security manufacturer to find a tampered picture of the website.
7. The website content monitoring and automated response protection method based on intelligent analysis technology as claimed in claim 1, wherein the website content is protected from tampering by using kernel-based driving protection technology, dynamic webpage script protection technology and continuous tampering attack protection technology.
8. The website content monitoring and automated response protection method based on intelligent analysis technology as claimed in claim 1, wherein indicators of compromise are screened out of the threat data as machine-readable threat intelligence, and existing logs are compared and matched to form a trend or clue that guides security response and blocks attack behavior.
9. The website content monitoring and automated response protection method based on intelligent analysis technology as claimed in claim 1, wherein an SOAR technology is used to establish an automatic response of an emergency scene, wherein the SOAR technology helps to collect web security monitored information, perform event analysis and alarm triage on the collected information, and help security operation and maintenance personnel to define, sequence and drive standardized event response activities in a man-machine combination manner under the guidance of a standard workflow.
10. The method for website content monitoring and automated response protection based on intelligent analysis technology as claimed in claim 1, wherein after detecting that the website content is tampered with, the webpage content under the trusted backup path is quickly restored to the corresponding folder.
CN202011560810.4A 2020-12-25 2020-12-25 Website content monitoring and automatic response protection method based on intelligent analysis technology Pending CN112560029A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011560810.4A CN112560029A (en) 2020-12-25 2020-12-25 Website content monitoring and automatic response protection method based on intelligent analysis technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011560810.4A CN112560029A (en) 2020-12-25 2020-12-25 Website content monitoring and automatic response protection method based on intelligent analysis technology

Publications (1)

Publication Number Publication Date
CN112560029A true CN112560029A (en) 2021-03-26

Family

ID=75032724

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011560810.4A Pending CN112560029A (en) 2020-12-25 2020-12-25 Website content monitoring and automatic response protection method based on intelligent analysis technology

Country Status (1)

Country Link
CN (1) CN112560029A (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109344661A (en) * 2018-09-06 2019-02-15 南京聚铭网络科技有限公司 A kind of webpage integrity assurance of the micro code based on machine learning
CN109861995A (en) * 2019-01-17 2019-06-07 安徽谛听信息科技有限公司 A kind of safe big data intelligent analysis method of cyberspace, computer-readable medium
CN111614599A (en) * 2019-02-25 2020-09-01 北京金睛云华科技有限公司 Webshell detection method and device based on artificial intelligence
CN110516138A (en) * 2019-08-31 2019-11-29 武汉理工大学 A kind of food safety affair early warning system threatening information bank based on multi-source self refresh
CN111400572A (en) * 2020-02-28 2020-07-10 开普云信息科技股份有限公司 Content safety monitoring system and method for realizing image feature recognition based on convolutional neural network
CN111475818A (en) * 2020-04-17 2020-07-31 北京墨云科技有限公司 Permeation attack method of automatic permeation test system based on AI
CN111488587A (en) * 2020-04-17 2020-08-04 北京墨云科技有限公司 Automatic penetration test system based on AI
CN113486351A (en) * 2020-06-15 2021-10-08 中国民用航空局空中交通管理局 Civil aviation air traffic control network safety detection early warning platform

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
安全牛 (Anquanniu): "Technical analysis of Security Orchestration, Automation and Response (SOAR)", pages 1 - 9, Retrieved from the Internet <URL:https://mp.weixin.qq.com/s/-72sFTfVDFO-0nod0WH0AA> *
深信服科技有限公司 (Sangfor Technologies Co., Ltd.): "Sangfor NGAF Next-Generation Firewall Product White Paper", pages 1 - 41, Retrieved from the Internet <URL:http://download.sangfor.com.cn/Uploads/File/af/%E6%B7%B1%E4%BF%A1%E6%9C%8D_%E4%B8%8B%E4%B8%80%E4%BB%A3%E9%98%B2%E7%81%AB%E5%A2%99NGAF_%E6%8A%80%E6%9C%AF%E7%99%BD%E7%9A%AE%E4%B9%A6.pdf> *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113572764A (en) * 2021-07-23 2021-10-29 广东轻工职业技术学院 Industrial Internet network security situation perception system based on AI
CN114444127A (en) * 2021-10-28 2022-05-06 中国南方电网有限责任公司超高压输电公司 WEB page tampering detection method and system
CN113938485A (en) * 2021-11-29 2022-01-14 东南大学 LPWANs edge cloud collaborative anti-interference method based on fuzzy detection recovery
CN113938485B (en) * 2021-11-29 2024-03-08 东南大学 LPWANs edge cloud cooperative anti-interference method based on fuzzy detection recovery
CN114676330A (en) * 2022-03-30 2022-06-28 南京厚建软件有限责任公司 Method for uniformly recovering interactive data of Internet platform
CN114676330B (en) * 2022-03-30 2023-12-08 南京厚建软件有限责任公司 Method for uniformly recovering interactive data of Internet platform
CN115174154A (en) * 2022-06-13 2022-10-11 盈适慧众(上海)信息咨询合伙企业(有限合伙) Advanced threat event processing method and device, terminal equipment and storage medium
CN115022243A (en) * 2022-06-28 2022-09-06 绿盟科技集团股份有限公司 Data flow control method, device, system, electronic equipment and storage medium
CN115022243B (en) * 2022-06-28 2023-05-26 绿盟科技集团股份有限公司 Data flow control method, device and system, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
EP3528463B1 (en) An artificial intelligence cyber security analyst
CN107241352B (en) Network security event classification and prediction method and system
CN112560029A (en) Website content monitoring and automatic response protection method based on intelligent analysis technology
Pilli et al. Network forensic frameworks: Survey and research challenges
Lichodzijewski et al. Host-based intrusion detection using self-organizing maps
Tianfield Cyber security situational awareness
US10885185B2 (en) Graph model for alert interpretation in enterprise security system
EP2936772B1 (en) Network security management
CN112887268B (en) Network security guarantee method and system based on comprehensive detection and identification
CN115134250B (en) Network attack tracing evidence obtaining method
CN113794276A (en) Power distribution network terminal safety behavior monitoring system and method based on artificial intelligence
CN116915484A (en) Method for deducting threat event of meta-universe network
CN115242438A (en) Potential victim group positioning method based on heterogeneous information network
CN114006719B (en) AI verification method, device and system based on situation awareness
Alserhani A framework for multi-stage attack detection
Yeshwanth et al. Adoption and Assessment of Machine Learning Algorithms in Security Operations Centre for Critical Infrastructure
Skopik et al. Intrusion detection in distributed systems using fingerprinting and massive event correlation
CN115706669A (en) Network security situation prediction method and system
Yu et al. Mining anomaly communication patterns for industrial control systems
Kawakani et al. Discovering attackers past behavior to generate online hyper-alerts
Tafazzoli et al. A proposed architecture for network forensic system in large-scale networks
Cantanhede et al. Computer network forensics assistance methodology focused on denial of service attacks
KR102592624B1 (en) Threat hunting system and method for against social issue-based advanced persistent threat using artificial intelligence
CN117220961A (en) Intrusion detection method and device based on association rule patterns
CN117527412A (en) Data security monitoring method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination