CN112769729B - Server intrusion alarm method and system - Google Patents


Info

Publication number: CN112769729B
Authority: CN (China)
Application number: CN201910999325.8A
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112769729A (en)
Prior art keywords: instruction, basic, instructions, library, accumulated value
Inventors: 黄培斌, 汤鸿儒, 李辉, 宋义伟
Current assignee: Guangzhou Automobile Group Co Ltd
Original assignee: Guangzhou Automobile Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a server intrusion alarm method and a system thereof, wherein the method comprises the following steps: the method comprises the steps of obtaining a server operation instruction in real time, and decomposing the server operation instruction into a basic instruction and a simple instruction; the basic instruction is an initial instruction of system installation without options and parameters, and the simple instruction is an instruction which can completely process an operation and is provided with only one basic instruction; matching the basic instruction with instructions in a basic instruction library to obtain a first matching result, and matching the simple instruction with instructions in a simple instruction library to obtain a second matching result if the basic instruction is matched with the instructions in the basic instruction library; and alarming according to the first matching result or the second matching result. The system corresponds to the method. By implementing the invention, professional hackers and other common workers without server management authority can be prevented from invading the server.

Description

Server intrusion alarm method and system
Technical Field
The invention relates to the field of server operation and maintenance safety, in particular to a server intrusion warning method and a server intrusion warning system.
Background
At present, most server intrusion protection, or monitoring and alarming, is set up before an intruder enters the server, by other technical means. Some schemes also work by detecting abnormal instructions, but they are mostly aimed at hackers and rely on obvious abnormal characteristics, such as running a bash command to escalate privileges or create an account. If the intruder is an ordinary person, such a scheme fails. In daily work a server has to be managed by a designated person on a designated machine, different workers maintain different servers, and besides preventing intrusion by professional hackers, other workers must also be prevented from intruding into servers that they do not manage.
Disclosure of Invention
The invention aims to provide a server intrusion warning method and a system thereof, so as to prevent professional hackers and other common workers without the server management authority from intruding into a server.
In a first aspect, an embodiment of the present invention provides a server intrusion alert method, including the following steps:
the method comprises the steps of obtaining a server operation instruction in real time, and decomposing the server operation instruction into a basic instruction and a simple instruction; the basic instruction is an instruction without an option, and the simple instruction is an instruction capable of completely processing an operation;
matching the basic instruction with instructions in a basic instruction library to obtain a first matching result, and matching the simple instruction with instructions in a simple instruction library to obtain a second matching result if the basic instruction is matched with the instructions in the basic instruction library;
and alarming according to the first matching result or the second matching result.
Preferably, the alarming according to the first matching result or the second matching result includes:
and if the basic instruction is not matched with the instruction in the basic instruction library, alarming in a first mode.
Preferably, the alarming according to the first matching result or the second matching result includes:
if the basic instruction does not match any instruction in the basic instruction library, adding 1 to update the accumulated count M1 of basic instructions that did not match any instruction in the basic instruction library;
and alarming according to the comparison between the updated count M1 and a first preset threshold value: if the updated accumulated count M1 is greater than the first preset threshold value, alarming in a second mode and clearing the accumulated count M1.
Preferably, the alarming according to the first matching result or the second matching result includes:
and if the simple instruction is not matched with the instruction in the simple instruction library, alarming in a third mode.
Preferably, the alarming according to the first matching result or the second matching result includes:
if the simple instruction does not match any instruction in the simple instruction library, adding 1 to update the accumulated count M2 of simple instructions that did not match any instruction in the simple instruction library;
and alarming according to the comparison between the updated accumulated count M2 and a second preset threshold value: if the updated accumulated count M2 is greater than the second preset threshold value, alarming in a fourth mode and clearing the accumulated count M2.
In a second aspect, an embodiment of the present invention provides a server intrusion alert system, including:
the instruction acquisition unit is used for acquiring a server operation instruction in real time and decomposing the server operation instruction into a basic instruction and a simple instruction; the basic instruction is an instruction without an option, and the simple instruction is an instruction capable of completely processing an operation;
the instruction matching unit is used for matching the basic instruction with instructions in a basic instruction library to obtain a first matching result, and matching the simple instruction with instructions in a simple instruction library to obtain a second matching result under the condition that the basic instruction is matched with the instructions in the basic instruction library;
and the alarm unit is used for giving an alarm according to the first matching result or the second matching result.
Preferably, the alarm unit includes:
and the first alarm subunit is used for alarming in a first mode when the basic instruction is not matched with the instruction in the basic instruction library.
Preferably, the alarm unit includes:
the first calculation subunit is used for adding 1 to update the accumulated count M1 of basic instructions that did not match any instruction in the basic instruction library, whenever a basic instruction does not match any instruction in the basic instruction library;
and the second alarm subunit is used for giving an alarm according to the comparison between the updated accumulated count M1 and a first preset threshold value, and for giving an alarm in a second mode and clearing the accumulated count M1 if the updated accumulated count M1 is greater than the first preset threshold value.
Preferably, the alarm unit includes:
and the third alarm subunit is used for alarming in a third mode when the simple instruction is not matched with the instruction in the simple instruction library.
Preferably, the alarm unit includes:
the second calculation subunit is used for adding 1 to update the accumulated count M2 of simple instructions that did not match any instruction in the simple instruction library, whenever a simple instruction does not match any instruction in the simple instruction library;
and the fourth alarm subunit is used for giving an alarm according to the comparison between the updated accumulated count M2 and the first preset threshold value, and for giving an alarm in a fourth mode and clearing the accumulated count M2 if the updated accumulated count M2 is greater than the first preset threshold value.
In the embodiment of the invention, because different administrators have different operating habits and input different instruction contents when the server is managed, the instruction contents of the administrators within a certain time period are obtained and analyzed to obtain basic instruction data and simple instruction data, and a basic instruction library and a simple instruction library are respectively obtained according to the basic instruction data and the simple instruction data, wherein the basic instruction library stores a plurality of basic instructions, and the simple instruction library stores a plurality of simple instructions; the method comprises the steps of obtaining a server operation instruction in real time, and decomposing the server operation instruction into a basic instruction and a simple instruction; and matching the basic instruction and the simple instruction obtained by decomposition with instruction data in a basic instruction library and a simple instruction library, and judging whether the server is invaded by a person without server management authority or not based on a matching result, so that professional hackers and other common workers without server management authority can be prevented from invading the server. The embodiment of the invention can be used for server safety monitoring, preventing the server from being invaded, and maintaining the system safety and the data safety.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings. Of course, it is not necessary for any product or method to achieve all of the above-described advantages at the same time for practicing the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a server intrusion alert method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a server intrusion alarm system according to a second embodiment of the present invention.
Detailed Description
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
In addition, numerous specific details are set forth in the following description of specific embodiments in order to provide a thorough description of the present invention. It will be understood by those skilled in the art that the present invention may be practiced without some of these specific details. In some instances, well known means have not been described in detail so as not to obscure the present invention.
As shown in fig. 1, a first embodiment of the present invention provides a server intrusion alert method, including the following steps:
S1, acquiring a server operation instruction in real time and decomposing it into a basic instruction and a simple instruction; the basic instruction is an initial instruction installed with the system, without options and parameters, and the simple instruction is an instruction that can completely process one operation and contains only one basic instruction; for example, if the server operation instruction is ls -lart, the simple instruction is ls -lart and the basic instruction is ls;
s2, matching the basic instruction with an instruction in a basic instruction library to obtain a first matching result, and if the basic instruction is matched with an instruction in the basic instruction library, matching the simple instruction with an instruction in a simple instruction library to obtain a second matching result;
and S3, giving an alarm according to the first matching result or the second matching result.
Specifically, different administrators have different operating habits and input different instruction contents when the server is managed, so that basic instruction data and simple instruction data are obtained by obtaining the instruction contents of the administrators within a certain time period and analyzing the instruction contents, and a basic instruction library and a simple instruction library are respectively obtained according to the basic instruction data and the simple instruction data.
In this embodiment, a longer period, such as ten days or one month, is set, and the operation instructions entered by the server administrator during that collection period are gathered. The parameters of the collected operation instructions are uniformly replaced by the same characters; for example, the word 'parameter' replaces every parameter that appears in an instruction. Some commands have several parameters; by convention these are distinguished as a rule parameter and an object parameter, as in grep -i "wo" parameter. Each decomposable complete instruction is then broken into simple instructions; for example, an instruction containing a pipe character is split into the simple instruction before the pipe and the simple instruction after it. External commands invoked through tools such as awk, sed and perl, which are enclosed in the ' symbol, are also decomposed one by one into simple instructions; for example, awk '{ cmd = "rm " $0; system(cmd) }' filename yields the simple instruction "rm" $0.
Because the execution rule of an instruction placed after a pipe character may differ from that of the same instruction not placed after a pipe, the pipe character can be carried along when the instruction is decomposed. For example, the complex instruction cat test.sh | grep -i 333 is decomposed into two simple instructions: 1. cat test.sh; 2. | grep -i 333. If there is a blank space between "|" and "grep", it is also kept, since this too is part of the operating habit. After the collected instructions have been processed in this way, the number of occurrences of each simple instruction is counted and a simple instruction library is formed, as shown in Table 1 below:
Table 1
Simple instruction library                 Number of occurrences (times)   Frequency
ls parameter                               3                               0.003
grep -i rule parameter object parameter    4                               0.004
grep -v rule parameter object parameter    4                               0.004
After the collected instructions have been processed, all of them have become simple instructions, and the basic instructions, meaning the initial instructions installed with the system, without options and parameters, can be further extracted from the simple instructions. For example, in the simple instruction ls -lrt /root, ls is the basic instruction, -lrt is the option and /root is the parameter, as shown in Table 2 below:
Table 2
Basic instruction   Simple instruction                         Number of occurrences (times)   Frequency
ls                  ls parameter                               3                               0.003
grep                grep -i rule parameter object parameter    4                               0.004
grep                grep -v rule parameter object parameter    4                               0.004
On this basis the basic instructions can be summarized and the number of occurrences of each basic instruction counted, giving the result shown in Table 3 below:
Table 3
Basic instruction library   Number of occurrences (times)   Frequency
ls                          3                               0.003
grep                        8                               0.008
The terms used for server instructions are defined as follows:
Complete instruction: the instruction obtained after its parameters have been uniformly replaced.
Options: the options of a simple instruction, for example -l, -a and so on.
Rule parameter: the processing rule that a simple instruction, or an instruction with options, applies to its object; for example "wo" in the instruction grep -i "wo" file.txt.
Object parameter: the object acted on by a simple instruction or by an instruction with options; for example, file.txt in the instruction grep -i "wo" file.txt is the object of the processing and is designated the object parameter.
Complex instruction: instructions linked by pipe characters, or instructions such as awk, sed and perl that contain basic or simple instructions. For example: cat filename | grep -i "wo", and also: awk '{ cmd = "rm " $0; system(cmd) }' filename.
Simple instruction: an instruction that can completely process one operation, for example ls or ls -lrt /root.
Basic instruction: an instruction without any options, for example ls.
Pipe character: a symbol in Linux operation instructions, generally "|". The instruction after the pipe character operates on the standard output of the instruction before it.
The ls command displays the contents of the specified working directory (listing the files and subdirectories contained in the current working directory).
The -a option shows all files and directories, including hidden ones (ls treats file or directory names beginning with "." as hidden and does not list them by default);
the -l option lists, besides the file name, the file type, permissions, owner, file size and other details;
the -r option displays the files in reverse order (the default order is alphabetical);
the -t option lists the files in chronological order of their creation time.
When several options are combined, they are written in forms such as -lr and -lrt, meaning that the functions of the individual options take effect at the same time.
grep is a text search tool used to search files and print the matching line or lines.
The -i option makes the search ignore case;
the -v option performs an inverse match, selecting the lines that do not match.
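The collection and decomposition procedure described above (parameter replacement, splitting at the pipe character while keeping the pipe and the blank after it, extracting the command that an awk program hands to system(), and then counting occurrences and frequencies as in Tables 1 to 3) can be implemented as follows. This is an added example written for this page, not code from the patent or from Guangzhou Automobile Group. The sample commands are constructed, and the rules it applies where the patent is silent are assumptions: tokens beginning with "-" are options, a single non-option token becomes "parameter", two or more become "rule parameter" followed by "object parameter", only the `cmd = ...; system(cmd)` form of awk is recognised as an embedded command, and frequency is occurrences divided by the total number of simple instructions collected.

```python
"""Build the basic-instruction and simple-instruction libraries from
collected administrator commands (added example; not the patent's code)."""
import re
import shlex
from collections import Counter

PARAM = "parameter"
RULE = "rule parameter"
OBJECT = "object parameter"
# Assumed pattern for the command an awk program passes to system().
EMBEDDED = re.compile(r"(\w+)\s*=\s*([^;]+);\s*system\(\1\)")


def split_pipeline(command):
    """Split a command line at pipe characters that are outside quotes.
    The pipe and the blanks after it stay attached to the following
    segment, because the patent treats them as part of the operator's habit."""
    segments, current, quote = [], "", None
    for ch in command:
        if quote:                      # inside a quoted string
            current += ch
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote, current = ch, current + ch
        elif ch == "|":
            segments.append(current.strip())
            current = "|"
        else:
            current += ch
    segments.append(current.strip())
    return [s for s in segments if s]


def normalize(segment):
    """Replace the parameters of one segment with placeholder tokens.
    Returns (basic instruction, simple instruction), or None if empty."""
    prefix, body = "", segment
    if body.startswith("|"):
        m = re.match(r"\|\s*", body)   # keep the pipe and its blank verbatim
        prefix, body = m.group(0), body[m.end():]
    try:
        words = shlex.split(body)
    except ValueError:                 # unbalanced quote: fall back to blanks
        words = body.split()
    if not words:
        return None
    basic = words[0]
    options = [w for w in words[1:] if w.startswith("-")]
    params = [w for w in words[1:] if not w.startswith("-")]
    if len(params) == 1:
        placeholders = [PARAM]
    elif params:
        placeholders = [RULE] + [OBJECT] * (len(params) - 1)
    else:
        placeholders = []
    return basic, prefix + " ".join([basic] + options + placeholders)


def embedded_commands(segment):
    """Extract the command strings an awk program hands to system()."""
    return [m.group(2).replace('"', "").strip() for m in EMBEDDED.finditer(segment)]


def decompose(command):
    """Decompose one command line into a list of (basic, simple) pairs."""
    pairs = []
    for segment in split_pipeline(command):
        for text in [segment] + embedded_commands(segment):
            pair = normalize(text)
            if pair:
                pairs.append(pair)
    return pairs


def build_libraries(commands):
    """Count basic and simple instructions over the collection period.
    Each library maps an instruction to (occurrences, frequency)."""
    basic_counts, simple_counts = Counter(), Counter()
    for command in commands:
        for basic, simple in decompose(command):
            basic_counts[basic] += 1
            simple_counts[simple] += 1
    total = sum(simple_counts.values()) or 1
    basic_library = {b: (n, n / total) for b, n in basic_counts.items()}
    simple_library = {s: (n, n / total) for s, n in simple_counts.items()}
    return basic_library, simple_library


# Constructed sample of commands collected from an administrator's sessions.
COLLECTED = [
    "ls -lart /root",
    "ls -lart /var/log",
    "ls /tmp",
    'grep -i "wo" file.txt',
    'grep -v "wo" file.txt',
    "cat test.sh | grep -i 333",
    "awk '{ cmd = \"rm \" $0; system(cmd) }' filename",
]

if __name__ == "__main__":
    basic_lib, simple_lib = build_libraries(COLLECTED)
    for name, lib in (("basic", basic_lib), ("simple", simple_lib)):
        print(f"{name} instruction library")
        for instr, (n, freq) in sorted(lib.items()):
            print(f"  {instr!r}: {n} ({freq:.3f})")
```

Running the block prints both libraries for the constructed sample: the pipeline contributes "cat parameter" and "| grep -i parameter" as two separate simple instructions, and the awk line contributes both "awk rule parameter object parameter" and the embedded "rm parameter", so rm shows up in the basic library even though the administrator never typed it at the prompt.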
Based on the above contents, a basic instruction library and a simple instruction library can be obtained, and further, a server operation instruction is obtained in real time and is decomposed into a basic instruction and a simple instruction; and matching the basic instruction and the simple instruction obtained by decomposition with instruction data in a basic instruction library and a simple instruction library, and judging whether the server is invaded by a person without server management authority or not based on a matching result, so that professional hackers and other common workers without server management authority can be prevented from invading the server.
In some embodiments, said step S3 comprises:
and if the basic instruction is not matched with the instruction in the basic instruction library, alarming in a first mode to show that the basic instruction which is not matched with the operation habit of the administrator appears.
In some embodiments, said step S3 comprises:
if the basic instruction does not match any instruction in the basic instruction library, adding 1 to update the accumulated count M1 of basic instructions that did not match any instruction in the basic instruction library;
and alarming according to the comparison between the updated count M1 and a first preset threshold value: if the updated accumulated count M1 is greater than the first preset threshold value, which indicates that basic instructions not matching the administrator's operating habits have appeared many times and the probability that the server has been intruded is high, alarming in a second mode, clearing the accumulated count M1 and returning to step S1.
In particular, the first preset threshold is preferably, but not limited to, 3.
In some embodiments, said step S3 comprises:
and if the simple instruction is not matched with the instruction in the simple instruction library, alarming in a third mode.
In some embodiments, the step S3 comprises:
if the simple instruction does not match any instruction in the simple instruction library, adding 1 to update the accumulated count M2 of simple instructions that did not match any instruction in the simple instruction library;
and alarming according to the comparison between the updated accumulated count M2 and a second preset threshold value: if the updated accumulated count M2 is greater than the second preset threshold value, which indicates that simple instructions not matching the administrator's operating habits have appeared many times and the probability that the server has been intruded is high, alarming in a fourth mode, clearing the accumulated count M2 and returning to step S1.
In particular, the second preset threshold is preferably, but not limited to, 5.
The first mode differs from the second, and the third from the fourth. As to alarm level, the first and third modes are level-1 alarms: the alarm may be given by a light or a text prompt, and the server sends level-1 alarm information to the administrator's mobile phone to notify the administrator. The second and fourth modes are level-2 alarms: the alarm may be given by voice broadcast, and the server sends level-2 alarm information to the administrator's mobile phone to notify the administrator.
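The real-time matching and alarm logic of steps S1 to S3, with the counters M1 and M2, the preferred thresholds 3 and 5 and the four alarm modes at two alarm levels, as an added example that is not the patent's own code. It assumes the operation instruction has already been decomposed into a (basic, simple) pair and that the two libraries are available as sets of instruction strings; the alarm modes are represented as returned records standing in for the light, text prompt or voice broadcast the patent describes, and the session input is constructed.

```python
"""Steps S1-S3: match decomposed instructions against the two libraries,
accumulate M1/M2 and raise the four alarm modes (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

Alarm = Tuple[int, str, str]   # (alarm level, alarm mode, detail)


@dataclass
class IntrusionMonitor:
    basic_library: Set[str]
    simple_library: Set[str]
    first_threshold: int = 3    # patent's preferred first preset threshold (M1)
    second_threshold: int = 5   # patent's preferred second preset threshold (M2)
    m1: int = 0                 # accumulated unmatched basic instructions
    m2: int = 0                 # accumulated unmatched simple instructions

    def check(self, basic: str, simple: str) -> List[Alarm]:
        """Match one decomposed instruction and return the alarms raised."""
        alarms: List[Alarm] = []
        if basic not in self.basic_library:
            # First matching result negative: first mode, level-1 alarm.
            alarms.append((1, "first", f"unknown basic instruction {basic!r}"))
            self.m1 += 1
            if self.m1 > self.first_threshold:
                # Unmatched basics repeated: second mode, level-2 alarm, clear M1.
                alarms.append((2, "second", f"M1 exceeded {self.first_threshold}"))
                self.m1 = 0
            # The simple instruction is only matched when the basic one matched.
            return alarms
        if simple not in self.simple_library:
            # Second matching result negative: third mode, level-1 alarm.
            alarms.append((1, "third", f"unknown simple instruction {simple!r}"))
            self.m2 += 1
            if self.m2 > self.second_threshold:
                # Unmatched simples repeated: fourth mode, level-2 alarm, clear M2.
                alarms.append((2, "fourth", f"M2 exceeded {self.second_threshold}"))
                self.m2 = 0
        return alarms

    def run(self, stream):
        """Process a stream of (basic, simple) pairs in order (step S3 then
        back to S1) and return every alarm together with the pair that raised it."""
        raised = []
        for basic, simple in stream:
            for alarm in self.check(basic, simple):
                raised.append((basic, simple, alarm))
        return raised


# Constructed libraries, in the placeholder form the collection step produces.
BASIC_LIBRARY = {"ls", "grep", "cat"}
SIMPLE_LIBRARY = {"ls -lart parameter", "ls parameter", "cat parameter",
                  "| grep -i parameter"}

# Constructed session: one habitual command, then four instructions whose basic
# instruction the administrator never used, then six known basics combined with
# an option pattern that is not in the simple library.
SESSION = ([("ls", "ls -lart parameter")]
           + [("useradd", "useradd parameter")] * 4
           + [("ls", "ls -R parameter")] * 6)


def demo():
    """Run the constructed session and return the alarms it raises."""
    monitor = IntrusionMonitor(BASIC_LIBRARY, SIMPLE_LIBRARY)
    return monitor.run(SESSION)


if __name__ == "__main__":
    for basic, simple, (level, mode, detail) in demo():
        print(f"level {level} ({mode} mode) on {simple!r}: {detail}")
```

With the thresholds at 3 and 5, the fourth unknown basic instruction is the first to push M1 above the first threshold, so it raises the first-mode and the second-mode alarm together and M1 is cleared; likewise the sixth unknown simple instruction raises the third-mode and fourth-mode alarms together and clears M2. An unmatched basic instruction never touches M2, because the simple instruction is only compared after the basic one has matched.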
As shown in fig. 2, a second embodiment of the present invention provides a server intrusion alarm system, including:
the instruction acquisition unit 1 is used for acquiring a server operation instruction in real time and decomposing the server operation instruction into a basic instruction and a simple instruction; the basic instruction is an initial instruction of system installation without options and parameters, and the simple instruction is an instruction which can completely process an operation and is provided with only one basic instruction;
the instruction matching unit 2 is used for matching the basic instruction with an instruction in a basic instruction library 4 to obtain a first matching result, and matching the simple instruction with an instruction in a simple instruction library 5 to obtain a second matching result under the condition that the basic instruction is matched with the instruction in the basic instruction library 4;
and the alarm unit 3 is used for giving an alarm according to the first matching result or the second matching result.
In some embodiments, the alarm unit 3 comprises:
a first alarm subunit 31, configured to alarm in a first mode when the basic instruction does not match any instruction in the basic instruction library 4.
In some embodiments, the alarm unit 3 comprises:
a first calculating subunit 32, configured to add 1 to update the accumulated count M1 of basic instructions that did not match any instruction in the basic instruction library 4, whenever a basic instruction does not match any instruction in the basic instruction library 4;
and a second alarm subunit 33, configured to alarm according to the comparison between the updated accumulated count M1 and the first preset threshold, and to alarm in a second mode and clear the accumulated count M1 if the updated accumulated count M1 is greater than the first preset threshold.
In some embodiments, the alarm unit 3 comprises:
a third alarm subunit 34, configured to alarm in a third mode when the simple instruction does not match any instruction in the simple instruction library 5.
In some embodiments, the alarm unit 3 comprises:
a second calculating subunit 35, configured to add 1 to update the accumulated count M2 of simple instructions that did not match any instruction in the simple instruction library 5, whenever a simple instruction does not match any instruction in the simple instruction library 5;
and a fourth alarm subunit 36, configured to alarm according to the comparison between the updated accumulated count M2 and the first preset threshold, and to alarm in a fourth mode and clear the accumulated count M2 if the updated accumulated count M2 is greater than the first preset threshold.
It should be noted that the system according to the second embodiment is used for implementing the method according to the first embodiment, and therefore, relevant portions of the system according to the second embodiment that are not described in detail in the first embodiment can be obtained by referring to the method according to the first embodiment, and are not described herein again.
It should also be appreciated that the method of embodiment one and the system of embodiment two may be implemented in numerous ways, including as a process, an apparatus, or a system. The methods described herein may be implemented in part by program instructions for instructing a processor to perform such methods, as well as instructions recorded on a non-transitory computer-readable storage medium such as a hard disk drive, a floppy disk, an optical disc such as a Compact Disc (CD) or a Digital Versatile Disc (DVD), a flash memory, and the like. In some embodiments, the program instructions may be stored remotely and transmitted over a network via an optical or electronic communication link.
Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (10)

1. A server intrusion alarm method is characterized by comprising the following steps:
the method comprises the steps of obtaining a server operation instruction in real time and decomposing the server operation instruction into a basic instruction and a simple instruction, wherein the basic instruction is an initial instruction installed with the system and carries no options or parameters, and the simple instruction is an instruction that completely processes one operation and contains only one basic instruction;
matching the basic instruction with the instructions in a basic instruction library to obtain a first matching result, and, if the basic instruction matches an instruction in the basic instruction library, matching the simple instruction with the instructions in a simple instruction library to obtain a second matching result;
alarming according to the first matching result or the second matching result; if the basic instruction does not match any instruction in the basic instruction library, adding 1 to an accumulated value M1, which counts the basic instructions that do not match any instruction in the basic instruction library; and if the updated accumulated value M1 is greater than a first preset threshold value, alarming and clearing the accumulated value M1.
2. The server intrusion alarm method according to claim 1, wherein the alarming according to the first matching result or the second matching result comprises:
if the basic instruction does not match any instruction in the basic instruction library, alarming in a first mode.
3. The server intrusion alarm method according to claim 2, wherein the alarming and clearing the accumulated value M1 if the updated accumulated value M1 is greater than the first preset threshold value comprises:
alarming and clearing the accumulated value M1 in a second mode.
4. The server intrusion alarm method according to any one of claims 1 to 3, wherein the alarming according to the first matching result or the second matching result comprises:
if the simple instruction does not match any instruction in the simple instruction library, alarming in a third mode.
5. The server intrusion alarm method according to claim 4, wherein the alarming according to the first matching result or the second matching result comprises:
if the simple instruction does not match any instruction in the simple instruction library, adding 1 to an accumulated value M2, which counts the simple instructions that do not match any instruction in the simple instruction library;
and alarming according to the comparison of the updated accumulated value M2 with a second preset threshold value: if the updated accumulated value M2 is greater than the second preset threshold value, alarming and clearing the accumulated value M2 in a fourth mode.
6. A server intrusion alarm system comprising:
an instruction acquisition unit for obtaining a server operation instruction in real time and decomposing the server operation instruction into a basic instruction and a simple instruction, wherein the basic instruction is an initial instruction installed with the system and carries no options or parameters, and the simple instruction is an instruction that completely processes one operation and contains only one basic instruction;
an instruction matching unit for matching the basic instruction with the instructions in a basic instruction library to obtain a first matching result, and, if the basic instruction matches an instruction in the basic instruction library, matching the simple instruction with the instructions in a simple instruction library to obtain a second matching result;
an alarm unit for alarming according to the first matching result or the second matching result; if the basic instruction does not match any instruction in the basic instruction library, adding 1 to an accumulated value M1, which counts the basic instructions that do not match any instruction in the basic instruction library; and if the updated accumulated value M1 is greater than a first preset threshold value, alarming and clearing the accumulated value M1.
7. The server intrusion alarm system according to claim 6, wherein the alarm unit comprises:
a first alarm subunit for alarming in a first mode when the basic instruction does not match any instruction in the basic instruction library.
8. The server intrusion alarm system according to claim 7, wherein the alarm unit comprises:
a first calculation subunit for adding 1 to the accumulated value M1, which counts the basic instructions that do not match any instruction in the basic instruction library, when the basic instruction does not match any instruction in the basic instruction library;
and a second alarm subunit for alarming according to the comparison of the updated accumulated value M1 with the first preset threshold value, and alarming and clearing the accumulated value M1 in a second mode if the updated accumulated value M1 is greater than the first preset threshold value.
9. The server intrusion alarm system according to any one of claims 6 to 8, wherein the alarm unit comprises:
a third alarm subunit for alarming in a third mode when the simple instruction does not match any instruction in the simple instruction library.
10. The server intrusion alarm system according to claim 9, wherein the alarm unit comprises:
a second calculation subunit for adding 1 to the accumulated value M2, which counts the simple instructions that do not match any instruction in the simple instruction library, when the simple instruction does not match any instruction in the simple instruction library;
and a fourth alarm subunit for alarming according to the comparison of the updated accumulated value M2 with the first preset threshold value, and alarming and clearing the accumulated value M2 in a fourth mode if the updated accumulated value M2 is greater than the first preset threshold value.
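The two-level matching and counting procedure of method claims 1 to 5, which the system claims 6 to 10 mirror unit by unit, as an added Python example that is not part of the patent. The two whitelists, the threshold values, the alarm-mode labels and the sample command lines are constructed, and splitting an operation on `|`, `;` and `&&` with the first token as the basic instruction is an assumed decomposition rule the patent does not specify.

```python
import re
import shlex

# Constructed whitelists (assumptions, not from the patent): bare command names
# for the basic instruction library, complete single-command operations for the
# simple instruction library.
BASIC_LIBRARY = {"ls", "cat", "tail", "systemctl", "grep"}
SIMPLE_LIBRARY = {"ls -l /var/log", "systemctl status nginx",
                  "tail -n 100 /var/log/nginx/access.log"}


def decompose(operation):
    """Split an operation into (basic, simple) pairs. Assumed rule: '|', ';'
    and '&&' separate simple instructions, and the first token of each is its
    basic instruction; whitespace is normalised for exact library lookups."""
    pairs = []
    for part in re.split(r"\||;|&&", operation):
        tokens = shlex.split(part)
        if tokens:
            pairs.append((tokens[0], " ".join(tokens)))
    return pairs


class IntrusionAlarm:
    def __init__(self, first_threshold, second_threshold):
        self.first_threshold = first_threshold    # bound on M1
        self.second_threshold = second_threshold  # bound on M2
        self.m1 = 0  # accumulated count of unmatched basic instructions
        self.m2 = 0  # accumulated count of unmatched simple instructions

    def check(self, operation):
        """Return the alarm modes fired by one operation, in order."""
        fired = []
        for basic, simple in decompose(operation):
            if basic not in BASIC_LIBRARY:
                fired.append(("mode1", basic))        # claim 2
                self.m1 += 1
                if self.m1 > self.first_threshold:
                    fired.append(("mode2", self.m1))  # claims 1 and 3
                    self.m1 = 0
                continue  # claim 1: simple matching only after a basic match
            if simple not in SIMPLE_LIBRARY:
                fired.append(("mode3", simple))       # claim 4
                self.m2 += 1
                if self.m2 > self.second_threshold:
                    fired.append(("mode4", self.m2))  # claim 5
                    self.m2 = 0
        return fired
```

Because simple matching is skipped whenever the basic instruction is unknown, M1 and M2 count disjoint events, so each threshold can be tuned to its own false-positive rate.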
CN201910999325.8A 2019-10-21 2019-10-21 Server intrusion alarm method and system Active CN112769729B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910999325.8A CN112769729B (en) 2019-10-21 2019-10-21 Server intrusion alarm method and system

Publications (2)

Publication Number Publication Date
CN112769729A CN112769729A (en) 2021-05-07
CN112769729B true CN112769729B (en) 2023-03-03

Family

ID=75691635

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910999325.8A Active CN112769729B (en) 2019-10-21 2019-10-21 Server intrusion alarm method and system

Country Status (1)

Country Link
CN (1) CN112769729B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103516563A (en) * 2013-10-18 2014-01-15 北京奇虎科技有限公司 Equipment and method for monitoring abnormal or normal command
CN103532760A (en) * 2013-10-18 2014-01-22 北京奇虎科技有限公司 Equipment, system and method for analyzing commands executed on hosts
CN103886250A (en) * 2012-12-19 2014-06-25 中国移动通信集团甘肃有限公司 Data processing method, device, controller and system oriented to business support system
WO2014206129A1 (en) * 2013-06-29 2014-12-31 华为技术有限公司 Computing device and method for executing database operation command
CN107483510A (en) * 2017-10-09 2017-12-15 杭州安恒信息技术有限公司 Method and device for improving web application layer attack detection accuracy
WO2019100392A1 (en) * 2017-11-27 2019-05-31 齐心商用设备(深圳)有限公司 Control method and system for clocking in remotely

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant