CN112702335A - Education network malicious IP identification method and device - Google Patents


Info

Publication number: CN112702335A
Authority: CN (China)
Prior art keywords: address, access, port, protocol type, netflow
Legal status: Pending
Application number: CN202011522079.6A
Other languages: Chinese (zh)
Inventors: 黄友俊, 李星, 吴建平, 黄有根, 黄海燕
Current assignee: CERNET Corp
Original assignee: CERNET Corp
Priority date: 2020-12-21
Filing date: 2020-12-21
Publication date: 2021-04-23
Timeline: 2020-12-21 application CN202011522079.6A filed by CERNET Corp; 2021-04-23 publication of CN112702335A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2101/00 Indexing scheme associated with group H04L 61/00
    • H04L 2101/60 Types of network addresses
    • H04L 2101/618 Details of network addresses
    • H04L 2101/659 Internet protocol version 6 [IPv6] addresses

Abstract

A malicious IP identification method for an education network comprises the following steps: collecting netflow traffic from each node of the education network; acquiring the access IP address, protocol type and port of the netflow traffic; identifying whether the access IP address accesses the port abnormally and/or whether the protocol type of a request sent by the access IP address is abnormal; and, when there is an anomaly, identifying the access IP address as a malicious IP. The disclosure also provides a malicious IP identification device for the education network. The method and the device can collect, store, analyze and display the traffic of the education network and protect the education network dynamically.

Description

Education network malicious IP identification method and device
Technical Field
The disclosure relates to the technical field of network security, in particular to a method and a device for identifying malicious IPv6 addresses in an education network.
Background
With the rapid development of internet technology, the popularization of computer applications and the rapid growth of IPv6, more and more applications support IPv6 and providers offer IPv6 network services, so the education network carries IPv6 traffic of its own. By collecting this IPv6 traffic and identifying the network attacks it contains, the security of the education network can be ensured.
Disclosure of Invention
In view of the above, the present disclosure provides a method and an apparatus for identifying malicious IPv6 addresses in an education network, so as to identify malicious IPs and ensure the security of the education network.
One aspect of the present disclosure provides a method for identifying malicious IPs in an education network, including: collecting netflow traffic from each node of the education network; acquiring the access IP address, protocol type and port of the netflow traffic; identifying whether the access IP address accesses the port abnormally and/or whether the protocol type of a request sent by the access IP address is abnormal; and, when there is an anomaly, identifying the access IP address as a malicious IP.
Optionally, identifying whether the access IP address accesses the port abnormally includes: analyzing the netflow traffic to obtain the number of times the access IP address logs in to the port; judging whether that number is greater than a preset threshold value; and, when it is greater than the preset threshold value, judging that the access IP address accesses the port abnormally.
Optionally, identifying whether the protocol type of the request sent by the access IP address is abnormal includes: analyzing the netflow traffic to obtain the protocol type of the request sent by the access IP address; acquiring the preset protocol type for the access IP address; and, when the protocol type of the request differs from the preset protocol type, judging that the request from the access IP address is abnormal.
Optionally, when there is an anomaly, the method further comprises: identifying the destination IP address of the netflow traffic; judging the attributes of the access IP address and the destination IP address, and acquiring an attack direction; and storing the attack direction, wherein the attack direction comprises the access IP address, the destination IP address, the port and an exception type.
Optionally, the method further comprises displaying the attack direction in a preset window.
Another aspect of the present disclosure provides an apparatus for identifying malicious IPs in an education network, including: a collection module for collecting netflow traffic from each node of the education network; an information acquisition module for acquiring the access IP address, protocol type and port of the netflow traffic; an analysis module for identifying whether the access IP address accesses the port abnormally and/or whether the protocol type of a request sent by the access IP address is abnormal; and an identification module for identifying the access IP address as a malicious IP when an anomaly exists.
Optionally, the analysis module comprises: a port access frequency counting unit, configured to analyze the netflow traffic and obtain the number of times the access IP address logs in to the port; an access frequency comparison unit, configured to judge whether that number is greater than a preset threshold value; and a port abnormality determining unit, configured to determine that the access IP address accesses the port abnormally when the number is greater than the preset threshold value.
Optionally, the analysis module comprises: a request type analysis unit, configured to analyze the netflow traffic and obtain the protocol type of a request sent by the access IP address; a preset protocol type obtaining unit, configured to obtain the preset protocol type for the access IP address; and a protocol abnormality judging unit, configured to judge that the request from the access IP address is abnormal when the protocol type of the request differs from the preset protocol type.
Optionally, the apparatus further comprises a storage module comprising: a destination IP obtaining unit, configured to identify the destination IP address of the netflow traffic; an attack direction obtaining unit, configured to determine the attributes of the access IP address and the destination IP address and obtain an attack direction; and a storage unit for storing the attack direction, wherein the attack direction comprises the access IP address, the destination IP address, the port and an exception type.
Optionally, the apparatus further comprises a display module for displaying the attack direction in a preset window.
The at least one technical solution adopted in the embodiments of the disclosure can achieve the following beneficial effect: the malicious IP is identified by analyzing the port access count and the transport protocol type, and through this method the malicious IP data set can be continuously expanded so as to protect the security of the education network.
Drawings
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
fig. 1 schematically shows a flowchart of a malicious IP identification method for an educational network provided by an embodiment of the present disclosure;
fig. 2 is a block diagram schematically illustrating a structure of an apparatus for identifying malicious IPs in an educational network according to an embodiment of the present disclosure;
fig. 3 schematically illustrates an application scenario diagram of a malicious IP identification method for an educational network provided by an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable medium having instructions stored thereon for use by or in connection with an instruction execution system. In the context of this disclosure, a computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the instructions. For example, the computer readable medium can include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. Specific examples of the computer readable medium include: magnetic storage devices, such as magnetic tape or Hard Disk Drives (HDDs); optical storage devices, such as compact disks (CD-ROMs); a memory, such as a Random Access Memory (RAM) or a flash memory; and/or wired/wireless communication links.
Fig. 1 schematically shows a flowchart of a malicious IP identification method for an educational network provided by an embodiment of the present disclosure.
As shown in fig. 1, the method for identifying malicious IPs in an educational network provided by the present disclosure includes steps S110 to S140.
S110: collect netflow traffic from each node of the education network.
S120: obtain the access IP address, the protocol type and the port of the netflow traffic.
S130: identify whether the access IP address accesses the port abnormally and/or whether the protocol type of the request sent by the access IP address is abnormal.
S140: when an anomaly exists, identify the access IP address as a malicious IP.
According to the education network malicious IP identification method provided by the disclosure, a malicious IP is identified by analyzing whether the port access count and the transport protocol type are abnormal; in this way the malicious IP data set can be continuously expanded so as to protect the security of the education network.
Specifically, identifying whether the access IP address accesses the port abnormally includes steps S131 to S133.
S131: analyze the netflow traffic to obtain the number of times the access IP address logs in to the port.
S132: judge whether the number of times the access IP address logs in to the port is greater than a preset threshold value.
S133: when the number of times is greater than the preset threshold value, judge that the access IP address accesses the port abnormally.
In the embodiment of the disclosure, malicious attacks are classified into attempts to attack a Windows operating system, attempts to attack a database, and attempts to attack a Linux operating system. When an access IP continuously probes the high-risk ports of a Windows operating system, a database or a Linux operating system and the number of times reaches a certain threshold, the behavior of that IP may be defined as malicious attack behavior. The Windows high-risk ports mainly comprise ports 135, 136, 137, 139 and 445; the database type covers relational databases and NoSQL databases, where the high-risk ports of relational databases are mainly 3306, 1433 and 1521 and those of non-relational (NoSQL) databases are mainly 11211, 6379 and 27017; the Linux high-risk port is mainly the SSH port.
Identifying whether the protocol type of the request sent by the access IP address is abnormal includes steps S134 to S136.
S134: analyze the netflow traffic to obtain the protocol type of the request sent by the access IP address.
S135: acquire the preset protocol type for the access IP address.
S136: when the protocol type of the request differs from the preset protocol type, judge that the request from the access IP address is abnormal.
For example, if a destination IP only offers a service over the TCP protocol, the protocol type of the requests sent by the access IP address is obtained, and when a UDP request to that destination is received, the request may be defined as a malicious attack.
When there is an anomaly, the method further includes steps S151 to S153.
S151: identify the destination IP address of the netflow traffic.
S152: judge the attributes of the access IP address and the destination IP address, and acquire the attack direction.
S153: store the attack direction.
The attack direction comprises the access IP address, the destination IP address, the port and the exception type.
In the embodiment of the disclosure, after the access IP is confirmed to exhibit malicious attack behavior, the current malicious attack behavior needs to be stored and a malicious IP data set established, so that malicious IPs can be identified quickly and conveniently thereafter. In the education network, the attack direction mainly covers education network IP to education network IP, education network IP to non-education network IP, and non-education network IP to education network IP, and further includes the attacked port number.
In addition to the above, the method may further include step S160.
S160: display the attack direction in a preset window.
By displaying the attack direction in the preset window, technicians can monitor the current network security situation and handle malicious attacks promptly when they occur.
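As an added illustration (not code from the patent or from CERNET), the following Python puts steps S120 to S153 together over a constructed batch of IPv6 flow records: it counts logins to the high-risk port groups listed above per access IP, compares the count with a threshold, checks each request's protocol against the preset protocol for its destination, and builds the attack-direction record. The education network prefix 2001:db8:1::/48, the threshold of 5, the expected-protocol table and the sample flows are all assumptions made for the example.

```python
"""Added example, not code from CN112702335A or CERNET: a minimal netflow
analyzer implementing the checks the method describes. The flow records,
education-network prefix, expected-protocol table and threshold are all
constructed for this example."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# High-risk destination ports by attack type, as listed in the description.
HIGH_RISK_PORTS = {
    "windows": {135, 136, 137, 139, 445},
    "relational_db": {3306, 1433, 1521},
    "nosql_db": {11211, 6379, 27017},
    "linux": {22},  # SSH
}
PORT_TO_TYPE = {p: t for t, ports in HIGH_RISK_PORTS.items() for p in ports}

# Constructed: the education network's address range, the probe threshold,
# and the protocol each protected destination is preset to receive (S135).
EDU_NET = ip_network("2001:db8:1::/48")
THRESHOLD = 5
EXPECTED_PROTO = {"2001:db8:1::10": "TCP"}


@dataclass(frozen=True)
class Flow:
    """The netflow fields the method extracts in S120."""
    src: str    # access IP address
    dst: str    # destination IP address
    dport: int  # destination port
    proto: str  # "TCP" or "UDP"


def direction(src: str, dst: str) -> str:
    """S152: attack direction from whether each endpoint is an education
    network address, e.g. 'non-edu->edu'."""
    def side(addr: str) -> str:
        return "edu" if ip_address(addr) in EDU_NET else "non-edu"
    return f"{side(src)}->{side(dst)}"


def record(f: Flow, exception_type: str, count: int = 1) -> dict:
    """S153: the attack-direction record to store (access IP, destination
    IP, port, exception type), plus the direction and the probe count."""
    return {
        "access_ip": f.src, "dest_ip": f.dst, "port": f.dport,
        "exception_type": exception_type,
        "direction": direction(f.src, f.dst), "count": count,
    }


def analyse(flows, threshold: int = THRESHOLD) -> list:
    """S130: run the port-count check (S131-S133) and the protocol-type
    check (S134-S136) over a batch of flows; one record per anomaly."""
    probe_count = Counter()  # (access IP, attack type) -> login count
    first_flow = {}          # a representative flow for each key
    records = []
    for f in flows:
        # S134-S136: the request's protocol differs from the preset type.
        expected = EXPECTED_PROTO.get(f.dst)
        if expected is not None and f.proto != expected:
            records.append(record(f, "protocol_mismatch"))
        # S131: count logins to high-risk ports per access IP and type.
        attack_type = PORT_TO_TYPE.get(f.dport)
        if attack_type is not None:
            key = (f.src, attack_type)
            probe_count[key] += 1
            first_flow.setdefault(key, f)
    # S132-S133: only a count above the threshold is an anomaly.
    for (src, attack_type), hits in probe_count.items():
        if hits > threshold:
            records.append(record(first_flow[(src, attack_type)],
                                  f"{attack_type}_port_probe", hits))
    return records


def malicious_ips(records) -> list:
    """S140: every access IP with at least one anomaly is a malicious IP."""
    return sorted({r["access_ip"] for r in records})


# Constructed sample: an external host sweeping Windows ports on an
# education-network server, an internal host sending UDP to a TCP-only
# service, two MySQL hits below the threshold, and ordinary HTTPS traffic.
SAMPLE_FLOWS = [
    *(Flow("2001:db8:ffff::beef", "2001:db8:1::20", p, "TCP")
      for p in (135, 136, 137, 139, 445, 445)),
    Flow("2001:db8:1::55", "2001:db8:1::10", 53, "UDP"),
    Flow("2001:db8:ffff::1", "2001:db8:1::30", 3306, "TCP"),
    Flow("2001:db8:ffff::1", "2001:db8:1::30", 3306, "TCP"),
    Flow("2001:db8:1::77", "2001:db8:1::10", 443, "TCP"),
]

if __name__ == "__main__":
    found = analyse(SAMPLE_FLOWS)
    for r in found:
        print(r)
    print("malicious IPs:", malicious_ips(found))
```

The two MySQL hits stay below the threshold and produce no record, which is the point of the threshold in S132: a single connection to a high-risk port is not by itself evidence of an attack.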
Fig. 2 schematically shows a block diagram of a malicious IP identification apparatus for an educational network provided by an embodiment of the present disclosure.
As shown in fig. 2, the present disclosure provides an apparatus for identifying malicious IPs in an education network, comprising a collection module 210, an information acquisition module 220, an analysis module 230 and an identification module 240.
The collection module 210 is configured to collect netflow traffic from each node of the education network.
The information acquisition module 220 is configured to obtain the access IP address, the protocol type and the port of the netflow traffic.
The analysis module 230 is configured to identify whether the access IP address accesses the port abnormally and/or whether the protocol type of the request sent by the access IP address is abnormal.
The identification module 240 is configured to identify the access IP address as a malicious IP when there is an anomaly.
The malicious IP identification apparatus for the education network provided by the disclosure implements the method shown in fig. 1: the malicious IP is identified by analyzing whether the port access count and the transport protocol type are abnormal, and in this way the malicious IP data set can be continuously expanded so as to protect the security of the education network.
The analysis module 230 includes a port access frequency counting unit 231, an access frequency comparing unit 232 and a port abnormality determining unit 233.
The port access frequency counting unit 231 is configured to analyze the netflow traffic and obtain the number of times the access IP address logs in to the port.
The access frequency comparing unit 232 is configured to determine whether the number of times the access IP address logs in to the port is greater than a preset threshold.
The port abnormality determining unit 233 is configured to determine that the access IP address accesses the port abnormally when the number of times is greater than the preset threshold.
The analysis module 230 further includes a request type analysis unit 234, a preset protocol type acquisition unit 235 and a protocol anomaly determination unit 236.
The request type analysis unit 234 is configured to analyze the netflow traffic and obtain the protocol type of the request sent by the access IP address.
The preset protocol type acquisition unit 235 is configured to obtain the preset protocol type for the access IP address.
The protocol anomaly determination unit 236 is configured to determine that the request from the access IP address is abnormal when the protocol type of the request differs from the preset protocol type.
The apparatus may further include a storage module 250 comprising a destination IP acquiring unit 251, an attack direction acquiring unit 252 and a storage unit 253.
The destination IP acquiring unit 251 is configured to identify the destination IP address of the netflow traffic.
The attack direction acquiring unit 252 is configured to determine the attributes of the access IP address and the destination IP address and obtain the attack direction.
The storage unit 253 is configured to store the attack direction.
The attack direction comprises the access IP address, the destination IP address, the port and the exception type.
The apparatus may further comprise a display module 260 configured to display the attack direction in a preset window.
It should be noted that the above apparatus has the same technical features and technical effects as the method shown in fig. 1, so the details are not repeated here.
It is understood that the collection module 210, the information acquisition module 220, the analysis module 230, and the identification module 240 may be combined and implemented in one module, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present invention, at least one of the acquisition module 210, the information acquisition module 220, the analysis module 230, and the identification module 240 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in a suitable combination of three implementations of software, hardware, and firmware. Alternatively, at least one of the collection module 210, the information acquisition module 220, the analysis module 230, and the identification module 240 may be implemented at least in part as computer program modules that, when executed by a computer, perform the functions of the respective modules.
Fig. 3 schematically illustrates an application scenario diagram of a malicious IP identification method for an educational network provided by an embodiment of the present disclosure.
As shown in fig. 3, the application scenario includes a netflow collection server 310 for education network traffic, a netflow storage server 320, a netflow analysis server 330 and a visualization server 340. The collection server 310 collects the netflow of each node of the education network and sends the collected results to the netflow analysis server 320; the netflow analysis server 320 analyzes the netflow and sends the analysis result to the netflow storage server 330 for storage; the netflow storage server 330 stores the analysis result of the netflow analysis server and provides it to the visualization server 340; the visualization server 340 displays the malicious IP attack directions, including the access IP, the destination port, the attack type and other attributes of the IP such as its longitude and latitude and the organization it belongs to. The system can be linked with other security devices to protect the education network dynamically.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
While the disclosure has been shown and described with reference to certain exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the disclosure as defined by the appended claims and their equivalents. Accordingly, the scope of the present disclosure should not be limited to the above-described embodiments, but should be defined not only by the appended claims, but also by equivalents thereof.

Claims (10)

1. A malicious IP identification method for an education network, characterized by comprising the following steps:
collecting netflow traffic from each node of the education network;
acquiring the access IP address, protocol type and port of the netflow traffic;
identifying whether the access IP address accesses the port abnormally and/or identifying whether the protocol type of a request sent by the access IP address is abnormal;
when there is an anomaly, identifying the access IP address as a malicious IP.
2. The method of claim 1, wherein identifying whether the access IP address accesses the port abnormally comprises:
analyzing the netflow traffic to obtain the number of times the access IP address logs in to the port;
judging whether the number of times the access IP address logs in to the port is greater than a preset threshold value;
when the number of times is greater than the preset threshold value, judging that the access IP address accesses the port abnormally.
3. The method of claim 1, wherein identifying whether the protocol type of the request sent by the access IP address is abnormal comprises:
analyzing the netflow traffic to obtain the protocol type of the request sent by the access IP address;
acquiring the preset protocol type for the access IP address;
when the protocol type of the request differs from the preset protocol type, judging that the request from the access IP address is abnormal.
4. The method of claim 1, wherein, when there is an anomaly, the method further comprises:
identifying the destination IP address of the netflow traffic;
judging the attributes of the access IP address and the destination IP address, and acquiring an attack direction;
storing the attack direction;
wherein the attack direction comprises the access IP address, the destination IP address, the port and an exception type.
5. The method of claim 4, further comprising:
displaying the attack direction in a preset window.
6. An apparatus for identifying malicious IPs in an educational network, comprising:
a collection module for collecting netflow traffic from each node of the education network;
an information acquisition module for acquiring the access IP address, protocol type and port of the netflow traffic;
an analysis module for identifying whether the access IP address accesses the port abnormally and/or identifying whether the protocol type of a request sent by the access IP address is abnormal;
an identification module for identifying the access IP address as a malicious IP when an anomaly exists.
7. The apparatus of claim 6, wherein the analysis module comprises:
a port access frequency counting unit, configured to analyze the netflow traffic and obtain the number of times the access IP address logs in to the port;
an access frequency comparison unit, configured to judge whether the number of times the access IP address logs in to the port is greater than a preset threshold value;
a port abnormality determining unit, configured to determine that the access IP address accesses the port abnormally when the number of times is greater than the preset threshold value.
8. The apparatus of claim 6, wherein the analysis module further comprises:
a request type analysis unit, configured to analyze the netflow traffic and obtain the protocol type of a request sent by the access IP address;
a preset protocol type obtaining unit, configured to obtain the preset protocol type for the access IP address;
a protocol abnormality judging unit, configured to judge that the request from the access IP address is abnormal when the protocol type of the request differs from the preset protocol type.
9. The apparatus of claim 6, further comprising a storage module comprising:
a destination IP obtaining unit, configured to identify the destination IP address of the netflow traffic;
an attack direction obtaining unit, configured to determine the attributes of the access IP address and the destination IP address and obtain an attack direction;
a storage unit for storing the attack direction;
wherein the attack direction comprises the access IP address, the destination IP address, the port and an exception type.
10. The apparatus of claim 9, further comprising:
a display module for displaying the attack direction in a preset window.

Priority Applications (1)

Application Number: CN202011522079.6A (published as CN112702335A)
Priority Date: 2020-12-21
Filing Date: 2020-12-21
Title: Education network malicious IP identification method and device

Applications Claiming Priority (1)

CN202011522079.6A (CN112702335A), priority date 2020-12-21, filing date 2020-12-21: Education network malicious IP identification method and device

Publications (1)

Publication Number: CN112702335A (en)
Publication Date: 2021-04-23

Family

ID=75509823

Family Applications (1)

CN202011522079.6A (CN112702335A, pending), priority date 2020-12-21, filing date 2020-12-21: Education network malicious IP identification method and device

Country Status (1)

Country: CN (1), link CN112702335A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102447711A (en) * 2012-01-18 2012-05-09 中兴通讯股份有限公司 Method and device for sending protocol messages
US20130212681A1 (en) * 2012-02-15 2013-08-15 Hitachi, Ltd. Security Monitoring System and Security Monitoring Method
CN106330944A (en) * 2016-08-31 2017-01-11 杭州迪普科技有限公司 Method and device for recognizing malicious system vulnerability scanner
CN109962903A (en) * 2017-12-26 2019-07-02 中移(杭州)信息技术有限公司 A kind of home gateway method for safety monitoring, device, system and medium
CN111786971A (en) * 2020-06-19 2020-10-16 杭州安恒信息技术股份有限公司 Host blasting attack defense method and device and computer equipment

Legal Events

Date Code Title Description
2021-04-23 PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2021-04-23