CN112887303A - Serial threat access control system and method - Google Patents

Serial threat access control system and method Download PDF

Info

Publication number
CN112887303A
CN112887303A CN202110093253.8A CN202110093253A CN112887303A CN 112887303 A CN112887303 A CN 112887303A CN 202110093253 A CN202110093253 A CN 202110093253A CN 112887303 A CN112887303 A CN 112887303A
Authority
CN
China
Prior art keywords
data
label
module
test
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110093253.8A
Other languages
Chinese (zh)
Other versions
CN112887303B (en
Inventor
吴磊涛
刘继光
姜山
金振中
杨豪璞
佟立飞
陈�峰
丁力军
柳中华
沈斌
丁桐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Staff Of 92493 Pla
Original Assignee
Staff Of 92493 Pla
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Staff Of 92493 Pla filed Critical Staff Of 92493 Pla
Priority to CN202110093253.8A priority Critical patent/CN112887303B/en
Publication of CN112887303A publication Critical patent/CN112887303A/en
Application granted granted Critical
Publication of CN112887303B publication Critical patent/CN112887303B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/04Processing captured monitoring data, e.g. for logfile generation
    • H04L43/045Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a series-in threat access control system and a method, comprising an application identification module and the like, which are connected in series in a link between a test evaluation system and a tested network; an attack host in the test evaluation system generates attack data, the attack data meeting the white list conditions are identified by an application identification module according to a preset white list, the attack data can be packaged into a data packet through TCP/IP service, a preset label is pressed in by a label press-mounting module, the data packet enters a threat access control system through a gateway, the label is identified, processed and recycled by a label processing module, the attack data packet is transmitted to a data processing module, the data packet is transmitted to a tested network for penetration test, test data generated by the test can directly return to the test evaluation system through the gateway, and a service closed loop is formed. From the test evaluation means strictly controlled on the test source, the network state threat access control system for maintaining the initial evaluation is a unique, safe and controllable access channel between the test evaluation system and the tested network, and the safety of the software and hardware environment of the tested network system in the test evaluation process is ensured on the basis of solving the real-time data transmission.

Description

Serial threat access control system and method
Technical Field
The invention relates to the field of network space security, in particular to a series-in type network threat access control system and a method, and more particularly relates to a network threat access control system for network security test evaluation and network virtualization shooting ranges.
Background
In the face of increasingly complex network security environments and a variety of attack threats, more and more organizations and organizations realize that designing an absolutely secure network system is unrealistic, meanwhile, the security problem cannot be solved by passive response after an attack occurs by means of single defense, the security and the elasticity of the information system network need to be objectively and comprehensively evaluated, and under the demand situation, the research on the test and the evaluation of the network security gradually becomes a research hotspot in the field of network space security.
The network security test evaluation technology can actively evaluate potential security threats and risks in a network system, and provides appropriate security defense strategy selection according to risk evaluation results, so that spreading of the potential threats is effectively restrained, the overall network risk is controlled, and negative effects and huge losses brought by the potential threats are reduced.
The network security test evaluation is not only a non-destructive evaluation based on security compliance, but also covers a penetration test against violent invasion and the like, and inevitably causes certain damage to an evaluated informatization system in the implementation process, and partial damage is even irreversible, so that the popularization of the test evaluation technology is not facilitated. In the network attack and defense counteraction, it is very difficult to strictly limit how the attack and defense parties use the specified technical means, on one hand, the data volume of the attack tool is large, and has higher requirements on the delay of the flow entering the tested network, and on the other hand, once the attack data is encapsulated into a data packet, the attack data is difficult to be efficiently recovered, so that the failure report rate and the false report rate of the attack identification are higher. In view of this, the present patent provides a network threat access control system, which can maintain the network state at the beginning of evaluation by a test evaluation means strictly controlled from a test source, control the adverse effect generated in the evaluation process, greatly reduce the damage to the tested information system, and obtain a good effect.
Disclosure of Invention
In order to solve the defects of the technology, the invention provides a series-in threat access control system and a method.
In order to solve the technical problems, the invention adopts the technical scheme that: a series-in type threat access control system comprises an application identification module, a label press-mounting module, a label processing module, a data processing module, a state monitoring module, an auxiliary decision-making module, an initialization module, a data sensor and a display module, wherein the threat access control system is connected in series with a link between a test evaluation system and a tested network;
the method for threatening access to the management and control system comprises the following steps: an attack host in the test evaluation system generates attack data by using an attack tool, the attack data meeting the white list condition is identified by an application identification module according to a preset attack tool white list, the attack data can be packaged into a data packet through TCP/IP service, a preset label is pressed in by a label press-mounting module, the data packet enters a threat access control system through a gateway, the label is identified, processed and recycled by a label processing module, the attack data packet is transmitted to a data processing module, the data packet is transmitted to a tested network for penetration test, and test data generated by the test can be directly returned to the test evaluation system through the gateway to form a service closed loop; state data generated by the test network in real time are taken out through data sensors arranged in each host and each server and submitted to a data processing module; the data processing module filters, restores and deeply detects the state data and then transmits the state data to the state monitoring module; the state monitoring module is internally provided with a feature library, a rule library and a white list library, and can identify legal attack test flow according to known flow features and preset rules, identify the legality of the process through white list proofreading with a preset application process, and monitor the state of the tested network in real time; the auxiliary decision module provides a decision strategy for selection according to the recognition result of the state monitoring module, and can provide alarm, IP blocking and system initialization operation according to the damage degree; the initialization module records and stores the zero state mirror image of the tested network at the beginning of the test, determines whether the mirror image is loaded on the tested network according to the damage condition of the test evaluation to the tested network, and restores the initial state; the display module displays the state of the tested network in real time and provides necessary support for human-computer interaction.
Furthermore, the application identification module is a host application program, can quickly identify and distinguish attack data and non-attack data according to an application white list, and provides support for data packet label press mounting.
Further, the label press-fitting module is special label press-fitting hardware or a special router, and presses a specific label into the data packet designated by the application identification module.
Furthermore, the label processing module is a special label processing hardware or a special router, and supports label identification operation, label removal operation and label recovery operation on the data packet labels; the operation of the identification tag can quickly detect and identify the designated data packet and discard the data which does not meet the condition; the label removing operation is to return the label bit of the data packet to zero and restore the original state; the label recycling operation is realized by combining the label recycling module with the press-mounting module, so that a small number of label positions are effectively utilized, and the label identification and operation efficiency is improved.
Furthermore, the data processing module processes the data/data packet by relying on the high-speed operation unit; the attack data packet identified by the label can be forwarded, and the problem of real-time data control and forwarding is solved; the data packet can be filtered according to a preset rule, IP data packet recombination and TCP session restoration actions are executed, and the content of the data packet can be deeply detected; the forwarding table can be established based on the policies such as network address, protocol type, etc., and the data message is forwarded.
Furthermore, the state monitoring module can identify the threat flow generated by the test evaluation system according to a preset feature library, manage the legal threat flow according to a preset rule and identify the illegally accessed attack data packet; checking with a process white list is supported, and the legality of the process executed by the tested network is ensured; the state of the network under test may be monitored based on the network state data.
Furthermore, the auxiliary decision module can evaluate the state of the tested network based on various state data and assist in making a coping strategy; providing alarm information in the forms of sound, popup and animation, and supporting inquiry of various alarm information; sending IP blocking instructions to a firewall, a router and a gateway of a network gate to shield an out-of-control host; the state recovery command can be sent to the initialization module to recover the state of the preset recording point of the tested network.
Further, the initialization module can record, store and fill system images of the physical machine and the virtual machine at any appointed time of the tested network.
Further, the data sensor is an embedded program, and can be placed in an operating system of a host and a server to acquire state data such as system logs, application processes and the like.
Furthermore, the situation display module has the graphical display and editing capabilities of the network topology, supports the operations of dragging, amplifying and reducing the network topology graph, and can display the dynamic process of the countermeasure test in the special effect form of primitive size, color and flicker.
The invention has the following characteristics:
(1) by means of pressing the label into the attack data packet, the attack data packet and the non-attack data packet can be identified quickly and accurately, and the assessment system can be ensured to execute a preset test assessment scheme strictly, so that test assessment is executed according to a set route.
(2) The state of the tested network is mastered in real time, the damage to the tested network in the test evaluation process is ensured to be controllable and recoverable, and software and hardware facilities of the tested network are practically protected.
(3) The method has strong data packet and processing capacity, can identify and guarantee that the instantaneous high-peak value flow attack smoothly passes through a preset path, and can quickly identify illegal attack means and cut off a gateway.
Drawings
FIG. 1 is a schematic diagram of the working principle of an embodiment of the present invention;
FIG. 2 is a schematic diagram of the internal structure of the embodiment of the present invention;
FIG. 3 is a schematic diagram of the tag location of a packet according to an embodiment of the present invention;
the same reference numbers will be used throughout the drawings to refer to the same or like elements or structures, wherein:
1-test evaluation system 2-gateway 3-threat access control system 4-tested network 31-application identification module 32-label press-fitting module 33-label processing module 34-data processing module 35-state monitoring module 36-auxiliary decision module 37-initialization module 38-data sensor 39-display module
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
As shown in fig. 1, a schematic structural diagram of the threat access control system of the present invention includes an application identification module 31, a tag press-fitting module 32, a tag processing module 33, a data processing module 34, a status monitoring module 35, an auxiliary decision module 36, an initialization module 37, a data sensor 38, and a display module 39, which are serially connected to a link between the test evaluation system 1 and the tested network 4. The specific action process of the threat access control system is as follows: an attack host in the test evaluation system 1 generates attack data by using an attack tool, the attack data meeting the white list condition is identified by an application identification module 31 according to a preset attack tool white list, the attack data can be packaged into a data packet through TCP/IP service, a preset label is pressed by a label press-mounting module 32, the data packet enters a threat access control system through a gateway 2, the label is identified, processed and recycled by a label processing module 33, the attack data packet is transmitted to a data processing module 34, the data packet is transmitted to a tested network 4 for penetration test, test data generated by the test can directly return to the test evaluation system 1 through the gateway 2, and a service closed loop is formed. The state data generated by the test network 4 in real time is taken out by the data sensor 38 arranged in each host and each server, and is submitted to the data processing module 34; the data processing module 34 filters, restores and deeply detects the state data, and then transmits the state data to the state monitoring module 35; the state monitoring module 35 is internally provided with a feature library, a rule library and a white list library, and can identify legal attack test flow according to known flow features and preset rules, identify the process legality through white list proofreading with a preset application process, and monitor the state of the tested network 4 in real time; the auxiliary decision module 36 provides a decision strategy for selection according to the recognition result of the state monitoring module, and can provide operations such as alarming, IP blocking, system initialization and the like according to the damage degree; the initialization module 38 records and stores the zero state image of the tested network 4 at the beginning of the test, and determines whether to load the image for the tested network 4 or not according to the damage condition of the test evaluation to the tested network 4, and restores the initial state; the display module 39 displays the tested network status in real time, and provides necessary support for human-computer interaction.
In this embodiment, each module inside the system needs a more specific functional module to function, as shown in fig. 2 in particular.
In this embodiment, the application authentication module 31 is a host application program, which is placed at the front end of a TCP/IP service, and performs fast preprocessing on all data to be packaged according to a preset application white list, so as to identify and distinguish attack data and non-attack data, and can mark a preset identifier on a designated data block, thereby providing support for making a data packet label.
In this embodiment, the label pressing module 32 is a router with a label function, and presses a specific label into a data packet specified by the application identification module, where the label position is specifically shown in fig. 3.
In this embodiment, the tag processing module 33 is also a router with a tag function, and on the premise that the total data amount is limited in test and evaluation, the router can be used as a gateway to support operations such as identification, removal, and recovery of a data packet tag; the identification tag can quickly detect and identify the designated data packet and discard the data which does not meet the conditions; the label removing process is to return the label bit of the data packet to zero and restore the original state; the label recycling is combined with the front-end router, so that a small number of label positions are effectively utilized, and the label identification and operation efficiency is improved. Note that in this embodiment, the tag operation is performed only on the uplink traffic (from the testing end to the tested end), and the downlink traffic is only audited after the fact.
The data processing module 34 is based on a high-speed operation unit, such as a server and a high-performance computing terminal, and can process data/data packets; the attack data packet identified by the label can be forwarded, and the problem of real-time data control and forwarding is solved; the data packet can be filtered according to a preset rule, IP data packet recombination and TCP session restoration actions are executed, and the content of the data packet can be deeply detected; the forwarding table can be established based on the policies such as network address, protocol type, etc., and the data message is forwarded.
The state monitoring module 35 can identify threat traffic generated by the test evaluation system according to a preset feature library, manage legal threat traffic according to a preset rule, and identify an illegally accessed attack data packet; checking with a process white list is supported, and the legality of the process executed by the tested network is ensured; the state of the network under test may be monitored based on the network state data.
The assistant decision module 36 can perform state evaluation on the tested network based on various state data to assist in making a coping strategy. Alarm information can be provided in the forms of sound, popup, animation and the like, and various alarm information queries are supported; IP blocking instructions can be sent to gateways such as a firewall, a router and a gateway, and an out-of-control host is shielded; the state recovery command can be sent to the initialization module to recover the state of the preset recording point of the tested network.
The initialization module 37 can record, store, and fill system images of physical and virtual machines at any time in the network under test.
In this embodiment, the data processing module 34, the state monitoring module 35, the assistant decision module 36, and the initialization module 37 are all disposed on the same server.
In this embodiment, the data sensor 38 is a variety of embedded programs, such as a host event sensor, a WEB sensor, a database sensor, a Syslog data diverter, and the like, and may be disposed in the operating systems of the host and the server to obtain status data such as system logs, application processes, and the like.
In this embodiment, the situation display module 39 is a screen splicing module including a video matrix, has graphical display and editing capabilities of a network topology, supports operations of dragging, enlarging and reducing a network topology diagram, and can display a dynamic process of a countermeasure test in multiple special effect forms such as a primitive size, a color and a flicker.
In this embodiment, the designated tag is located between the IP header and the ethernet header, and can be written and erased, as shown in fig. 3.
The tandem-in threat access control system is used between a network security test evaluation system and a tested network in specific engineering application.
The invention has the following characteristics:
(1) by means of pressing the label into the attack data packet, the attack data packet and the non-attack data packet can be identified quickly and accurately, and the assessment system can be ensured to execute a preset test assessment scheme strictly, so that test assessment is executed according to a set route.
(2) The state of the tested network is mastered in real time, the damage to the tested network in the test evaluation process is ensured to be controllable and recoverable, and software and hardware facilities of the tested network are practically protected.
(3) The method has strong data packet and processing capacity, can identify and guarantee that the instantaneous high-peak value flow attack smoothly passes through a preset path, and can quickly identify illegal attack means and cut off a gateway.
The above embodiments are not intended to limit the present invention, and the present invention is not limited to the above examples, and those skilled in the art may make variations, modifications, additions or substitutions within the technical scope of the present invention.

Claims (10)

1. The tandem-in type threat access control system is characterized by comprising an application identification module (31), a label press-fitting module (32), a label processing module (33), a data processing module (34), a state monitoring module (35), an auxiliary decision module (36), an initialization module (37), a data sensor (38) and a display module (39), wherein the threat access control system is in tandem connection with a link between a test evaluation system (1) and a tested network (4);
the method for threatening access to the management and control system comprises the following steps: an attack host in the test evaluation system (1) generates attack data by using an attack tool, the attack data meeting the white list condition is identified by an application identification module (31) according to a preset attack tool white list, the attack data can be packaged into a data packet through a TCP/IP service, a preset label is pressed by a label press-mounting module (32), the data packet enters a threat access control system through a gateway (2), the label is identified, processed and recycled through a label processing module (33), the attack data packet is transmitted to a data processing module (34), the data packet is forwarded to a tested network (4) for penetration test, test data generated by the test can be directly returned to the test evaluation system (1) through the gateway (2), and a service closed loop is formed; the state data generated by the test network (4) in real time are taken out through data sensors (38) arranged in each host and each server and submitted to a data processing module (34); the data processing module (34) filters, restores and deeply detects the state data and then transmits the state data to the state monitoring module (35); the state monitoring module (35) is internally provided with a feature library, a rule library and a white list library, can identify legal attack test flow according to known flow characteristics and preset rules, identifies the process legality through checking with a preset application process white list, and monitors the state of the tested network (4) in real time; the auxiliary decision module (36) provides a decision strategy for selection according to the recognition result of the state monitoring module, and can provide alarm, IP blocking and system initialization operation according to the damage degree; the initialization module (38) records and stores the zero state mirror image of the tested network (4) at the beginning of the test, determines whether to load the mirror image for the tested network (4) or not according to the damage condition of the test evaluation to the tested network (4), and recovers the initial state; the display module (39) displays the state of the tested network in real time and provides necessary support for human-computer interaction.
2. The tandem-in threat access control system according to claim 1, wherein the application authentication module (31) is a host application program, and can rapidly identify and distinguish attack data and non-attack data according to an application white list, so as to provide support for label press-fitting of data packets.
3. The tandem-in threat access management and control system according to claim 1 or 2, wherein the label press-fitting module (32) is dedicated label press-fitting hardware or a special router, and presses a specific label for the data packet designated by the application authentication module (31).
4. The tandem-in threat access management and control system according to any one of claims 1 to 3, wherein the label processing module (33) is a special label processing hardware or a special router, and supports label identification operation, label removal operation and label recycling operation on data packet labels; the operation of the identification tag can quickly detect and identify the designated data packet and discard the data which does not meet the condition; the label removing operation is to return the label bit of the data packet to zero and restore the original state; the label recycling operation is realized by combining the label recycling module with the press-mounting module, so that a small number of label positions are effectively utilized, and the label identification and operation efficiency is improved.
5. The inline threat access management and control system according to any one of claims 1 to 4, wherein the data processing module (34) processes data/data packets depending on a high-speed arithmetic unit; the attack data packet identified by the label can be forwarded, and the problem of real-time data control and forwarding is solved; the data packet can be filtered according to a preset rule, IP data packet recombination and TCP session restoration actions are executed, and the content of the data packet can be deeply detected; the forwarding table can be established based on the policies such as network address, protocol type, etc., and the data message is forwarded.
6. The tandem-in threat access control system according to any one of claims 1 to 5, wherein the state monitoring module (35) is capable of identifying threat traffic generated by the test evaluation system (1) according to a preset feature library, managing legal threat traffic according to a predetermined rule, and identifying illegally accessed attack data packets; checking with a process white list is supported, and the legality of the process executed by the tested network (4) is ensured; the state of the network under test may be monitored based on the network state data.
7. The tandem-in threat access management and control system according to any one of claims 1 to 6, wherein the assistant decision module (36) can perform state evaluation on the tested network based on a plurality of state data to assist in making a coping strategy; providing alarm information in the forms of sound, popup and animation, and supporting inquiry of various alarm information; sending IP blocking instructions to a firewall, a router and a gateway (2) of a network gate to shield an out-of-control host; the initialization module (37) can be sent out a state recovery command to recover the state of the preset recording point of the tested network.
8. The inline threat access management and control system according to any one of claims 1 to 7, wherein the initialization module (37) is configured to record, store and fill system images of physical and virtual machines at any given time in the tested network.
9. The system according to any one of claims 1 to 8, wherein the data sensor (38) is an embedded program that can be placed in an operating system of a host or a server to obtain status data such as system logs and application processes.
10. The inline threat access control system according to any one of claims 1 to 9, wherein the situation display module (39) has a graphical display and editing capability of a network topology, supports operations of dragging, enlarging and reducing a network topology map, and can display a dynamic process of a countermeasure test in a special effect form of primitive size, color and flicker.
CN202110093253.8A 2021-01-25 2021-01-25 Series threat access control system and method Active CN112887303B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110093253.8A CN112887303B (en) 2021-01-25 2021-01-25 Series threat access control system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110093253.8A CN112887303B (en) 2021-01-25 2021-01-25 Series threat access control system and method

Publications (2)

Publication Number Publication Date
CN112887303A true CN112887303A (en) 2021-06-01
CN112887303B CN112887303B (en) 2022-09-30

Family

ID=76050708

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110093253.8A Active CN112887303B (en) 2021-01-25 2021-01-25 Series threat access control system and method

Country Status (1)

Country Link
CN (1) CN112887303B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113422777A (en) * 2021-06-28 2021-09-21 安天科技集团股份有限公司 Penetration testing method and device based on white list, computing equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060253906A1 (en) * 2004-12-06 2006-11-09 Rubin Shai A Systems and methods for testing and evaluating an intrusion detection system
US20100100962A1 (en) * 2008-10-21 2010-04-22 Lockheed Martin Corporation Internet security dynamics assessment system, program product, and related methods
US20110239303A1 (en) * 2008-09-23 2011-09-29 Savvis, Inc. Threat management system and method
US20170235960A1 (en) * 2016-02-16 2017-08-17 James Andrew Austin Intelligent system for forecasting threats in a virtual attack domain
WO2020183615A1 (en) * 2019-03-12 2020-09-17 三菱電機株式会社 Attack estimation device, attack control method, and attack estimation program
US20210014276A1 (en) * 2019-07-12 2021-01-14 Fujitsu Limited Network management apparatus, and network management method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060253906A1 (en) * 2004-12-06 2006-11-09 Rubin Shai A Systems and methods for testing and evaluating an intrusion detection system
US20110239303A1 (en) * 2008-09-23 2011-09-29 Savvis, Inc. Threat management system and method
US20100100962A1 (en) * 2008-10-21 2010-04-22 Lockheed Martin Corporation Internet security dynamics assessment system, program product, and related methods
US20170235960A1 (en) * 2016-02-16 2017-08-17 James Andrew Austin Intelligent system for forecasting threats in a virtual attack domain
WO2020183615A1 (en) * 2019-03-12 2020-09-17 三菱電機株式会社 Attack estimation device, attack control method, and attack estimation program
US20210014276A1 (en) * 2019-07-12 2021-01-14 Fujitsu Limited Network management apparatus, and network management method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王丹等: "基于虚拟化动态部署的电力监控系统威胁评估体系", 《通信技术》 *
王宇: "受控网络环境下攻击检测体系的构建", 《保密科学技术》 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113422777A (en) * 2021-06-28 2021-09-21 安天科技集团股份有限公司 Penetration testing method and device based on white list, computing equipment and storage medium

Also Published As

Publication number Publication date
CN112887303B (en) 2022-09-30

Similar Documents

Publication Publication Date Title
Khan et al. Software-defined network forensics: Motivation, potential locations, requirements, and challenges
CN110572412A (en) Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof
CN108270716A (en) A kind of audit of information security method based on cloud computing
Kaushik et al. Network forensic system for port scanning attack
CN112788034B (en) Processing method and device for resisting network attack, electronic equipment and storage medium
CN111464526A (en) Network intrusion detection method, device, equipment and readable storage medium
CN112688932A (en) Honeypot generation method, honeypot generation device, honeypot generation equipment and computer readable storage medium
Ma et al. A design of firewall based on feedback of intrusion detection system in cloud environment
CN114826880A (en) Method and system for online monitoring of data safe operation
CN112565197A (en) Third-party interactive honeypot implementation method based on internal and external network drainage abnormity
CN112887303B (en) Series threat access control system and method
Liu et al. Loocipher ransomware detection using lightweight packet characteristics
KR20170081543A (en) Apparatus and method for detecting symptom based on context information
US10404730B1 (en) High-volume network threat trace engine
JP5752020B2 (en) Attack countermeasure device, attack countermeasure method, and attack countermeasure program
CN115664833B (en) Network hijacking detection method based on local area network safety equipment
CN110460558B (en) Method and system for discovering attack model based on visualization
CN113660291B (en) Method and device for preventing malicious tampering of intelligent large-screen display information
CN115694892A (en) Network security defense system and method based on network information security
CN110839045B (en) Abnormal flow detection method for power monitoring system
CN113141274A (en) Method, system and storage medium for detecting sensitive data leakage in real time based on network hologram
CN112769860B (en) Threat management and control system and method for bypass setting
CN116112295B (en) Method and device for researching and judging external connection type attack result
CN116827698B (en) Network gateway flow security situation awareness system and method
EP1293079B1 (en) Method and system for securing a data system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant