CN112887303B - Series threat access control system and method - Google Patents


Info

Publication number: CN112887303B
Authority: CN (China)
Prior art keywords: data, label, module, test, attack
Legal status: Active
Application number: CN202110093253.8A
Other languages: Chinese (zh)
Other versions: CN112887303A (en)
Inventors: 吴磊涛, 刘继光, 姜山, 金振中, 杨豪璞, 佟立飞, 陈�峰, 丁力军, 柳中华, 沈斌, 丁桐
Current assignee: Staff Of 92493 Pla
Original assignee: Staff Of 92493 Pla
Priority date: 2021-01-25
Filing date: 2021-01-25
Publication dates: 2021-06-01 (CN112887303A), 2022-09-30 (CN112887303B)

Events: application filed by Staff Of 92493 Pla; priority to CN202110093253.8A; publication of CN112887303A; application granted; publication of CN112887303B; legal status Active (current); anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L43/00 Arrangements for monitoring or testing data switching networks > H04L43/04 Processing captured monitoring data, e.g. for logfile generation > H04L43/045 for graphical visualisation of monitoring data
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L43/00 Arrangements for monitoring or testing data switching networks > H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters > H04L43/0805 by checking availability

Abstract

The invention discloses an inline (series-connected) threat access control system and method. The system comprises an application identification module and further modules, and is connected in series into the link between a test evaluation system and a tested network. An attack host in the test evaluation system generates attack data; the application identification module recognises the attack data that satisfies a preset white list; the attack data is encapsulated into packets by the TCP/IP service, and a preset label is pressed into each packet by a label press-mounting module; the packets enter the threat access control system through a gateway, where a label processing module identifies, processes and recycles the labels; the attack packets are passed to a data processing module and forwarded to the tested network for penetration testing; and the test data generated by the test returns directly to the test evaluation system through the gateway, closing the service loop. By strictly controlling the test at its source, the threat access control system preserves the network state that existed at the start of the evaluation, forms the single safe and controllable access channel between the test evaluation system and the tested network, and protects the software and hardware environment of the tested network during the evaluation while still providing real-time data transmission.

Description

Serial threat access control system and method
Technical Field
The invention relates to the field of cyberspace security, in particular to an inline (series-connected) network threat access control system and method, and more particularly to a network threat access control system for network security test evaluation and virtualised network shooting ranges (cyber ranges).
Background
Faced with increasingly complex network security environments and a variety of attack threats, more and more organizations realise that designing an absolutely secure network system is unrealistic. At the same time, the security problem cannot be solved by a single defence that responds passively after an attack has occurred; the security and resilience of an information system's network must be evaluated objectively and comprehensively. Under this demand, research on network security test and evaluation has gradually become a research hotspot in the field of cyberspace security.
Network security test evaluation technology can actively assess potential security threats and risks in a network system and select an appropriate security defence strategy according to the risk evaluation results, so that the spread of potential threats is effectively restrained, the overall network risk is kept under control, and the negative effects and heavy losses caused by potential threats are reduced.
Network security test evaluation is not only a non-destructive assessment based on security compliance; it also covers penetration testing, such as tests against forcible intrusion, and inevitably causes some damage to the evaluated information system during execution. Part of that damage is even irreversible, which hinders the adoption of test evaluation technology. In network attack-and-defence exercises it is very difficult to strictly limit the attacking and defending parties to the specified technical means: on the one hand, attack tools generate a large volume of data and place high demands on the latency of traffic entering the tested network; on the other hand, once attack data has been encapsulated into packets it is hard to recover efficiently, so the miss rate and false-alarm rate of attack identification are high. In view of this, the present patent provides a network threat access control system that preserves the network state at the start of the evaluation through test evaluation means strictly controlled at the test source, controls the adverse effects produced during the evaluation, greatly reduces damage to the tested information system, and achieves good results.
Disclosure of Invention
To overcome the shortcomings of the existing technology, the invention provides an inline (series-connected) threat access control system and method.
The technical scheme adopted by the invention to solve these technical problems is as follows. An inline threat access control system comprises an application identification module, a label press-mounting module, a label processing module, a data processing module, a state monitoring module, an auxiliary decision-making module, an initialization module, a data sensor and a display module; the threat access control system is connected in series into the link between a test evaluation system and a tested network.
The method of the threat access control system comprises the following steps: an attack host in the test evaluation system generates attack data with an attack tool; the application identification module recognises the attack data that satisfies the white list condition according to a preset attack tool white list; the attack data is encapsulated into packets by the TCP/IP service, and a preset label is pressed into each packet by the label press-mounting module; the packets enter the threat access control system through a gateway, where the label processing module identifies, processes and recycles the labels; the attack packets are passed to the data processing module and forwarded to the tested network for penetration testing; and the test data generated by the test returns directly to the test evaluation system through the gateway, forming a service closed loop. State data generated by the tested network in real time is collected by data sensors deployed in each host and server and submitted to the data processing module. The data processing module filters, restores and deeply inspects the state data, then passes it to the state monitoring module. The state monitoring module contains a feature library, a rule library and a white list library; it identifies legal attack test traffic according to known traffic features and preset rules, checks the legality of processes against a preset application process white list, and monitors the state of the tested network in real time. The auxiliary decision module proposes a decision strategy for selection according to the recognition result of the state monitoring module and can provide alarm, IP blocking and system initialization operations according to the degree of damage. The initialization module records and stores the zero-state image of the tested network at the start of the test and, according to the damage the test evaluation has done to the tested network, decides whether to load that image onto the tested network to restore its initial state. The display module shows the state of the tested network in real time and provides the necessary support for human-computer interaction.
Furthermore, the application identification module is a host application program that quickly identifies and distinguishes attack data from non-attack data according to an application white list, providing the basis for label press-mounting of packets.
Further, the label press-mounting module is dedicated label press-mounting hardware or a dedicated router, and presses a specific label into the packets designated by the application identification module.
Furthermore, the label processing module is dedicated label processing hardware or a dedicated router and supports label identification, label removal and label recycling operations on packet labels. Label identification quickly detects and recognises the designated packets and discards data that does not satisfy the condition; label removal resets the packet's label bits to zero and restores the original state; label recycling is carried out jointly by the label processing module and the press-mounting module, so that a small number of label slots is used effectively and label identification and operation efficiency is improved.
Furthermore, the data processing module relies on a high-speed computing unit to process data and packets: it forwards the attack packets identified by their label, solving real-time data control and forwarding; it filters packets according to preset rules, performs IP packet reassembly and TCP session restoration, and deeply inspects packet content; and it builds a forwarding table from policies such as network address and protocol type and forwards data messages accordingly.
Furthermore, the state monitoring module identifies the threat traffic generated by the test evaluation system according to a preset feature library, manages legal threat traffic according to preset rules, and identifies illegally accessing attack packets; it supports checking against a process white list to ensure the legality of the processes executed on the tested network; and it monitors the state of the tested network on the basis of the network state data.
Furthermore, the auxiliary decision module evaluates the state of the tested network on the basis of the various state data and assists in formulating a response strategy; it provides alarm information as sound, pop-up windows and animation and supports querying the various alarms; it sends IP blocking instructions to the firewall, router and gateway to isolate an out-of-control host; and it can send a state recovery command to the initialization module to restore the tested network to a preset recording point.
Further, the initialization module can record, store and reload system images of the physical machines and virtual machines of the tested network at any designated time.
Further, the data sensor is an embedded program that can be placed in the operating system of a host or server to collect state data such as system logs and application processes.
Furthermore, the display module (situation display) provides graphical display and editing of the network topology, supports dragging, enlarging and shrinking the topology diagram, and can show the dynamic course of the adversarial test through special effects such as primitive size, colour and flashing.
The invention has the following characteristics:
(1) By pressing a label into each attack packet, attack packets and non-attack packets can be identified quickly and accurately, so the evaluation system is made to execute the preset test evaluation scheme strictly and the test evaluation follows the planned route.
(2) The state of the tested network is known in real time, the damage done to the tested network during the test evaluation is kept controllable and recoverable, and the software and hardware facilities of the tested network are effectively protected.
(3) The system has strong packet handling and processing capacity: it can identify instantaneous high-peak traffic attacks and ensure that they pass smoothly along the preset path, and it can quickly identify illegal attack means and cut them off at the gateway.
Drawings
FIG. 1 is a schematic diagram of the working principle of an embodiment of the present invention;
FIG. 2 is a schematic diagram of the internal structure of the embodiment of the present invention;
FIG. 3 is a schematic diagram of the label location in a packet according to an embodiment of the present invention.
The same reference numbers are used throughout the drawings to refer to the same or like elements or structures:
1: test evaluation system
2: gateway
3: threat access control system
4: tested network
31: application identification module
32: label press-fitting module
33: label processing module
34: data processing module
35: state monitoring module
36: auxiliary decision module
37: initialization module
38: data sensor
39: display module
Detailed Description
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
As shown in fig. 1, the threat access control system of the present invention comprises an application identification module 31, a label press-fitting module 32, a label processing module 33, a data processing module 34, a state monitoring module 35, an auxiliary decision module 36, an initialization module 37, a data sensor 38 and a display module 39, connected in series into the link between the test evaluation system 1 and the tested network 4. The threat access control system operates as follows: an attack host in the test evaluation system 1 generates attack data with an attack tool; the application identification module 31 recognises the attack data that satisfies the white list condition according to a preset attack tool white list; the attack data is encapsulated into packets by the TCP/IP service, and a preset label is pressed into each packet by the label press-mounting module 32; the packets enter the threat access control system through the gateway 2, where the label processing module 33 identifies, processes and recycles the labels; the attack packets are passed to the data processing module 34 and forwarded to the tested network 4 for penetration testing; and the test data generated by the test returns directly to the test evaluation system 1 through the gateway 2, forming a service closed loop.
State data generated by the tested network 4 in real time is collected by the data sensors 38 deployed in each host and server and submitted to the data processing module 34. The data processing module 34 filters, restores and deeply inspects the state data, then passes it to the state monitoring module 35. The state monitoring module 35 contains a feature library, a rule library and a white list library; it identifies legal attack test traffic according to known traffic features and preset rules, checks process legality against a preset application process white list, and monitors the state of the tested network 4 in real time. The auxiliary decision module 36 proposes a decision strategy for selection according to the recognition result of the state monitoring module and can provide operations such as alarming, IP blocking and system initialization according to the degree of damage. The initialization module 37 records and stores the zero-state image of the tested network 4 at the start of the test and, according to the damage the test evaluation has done to the tested network 4, decides whether to load that image onto the tested network 4 to restore its initial state. The display module 39 shows the state of the tested network in real time and provides the necessary support for human-computer interaction.
In this embodiment each module of the system is realised by more specific functional units, as shown in fig. 2.
In this embodiment the application identification module 31 is a host application program placed in front of the TCP/IP service. It rapidly pre-processes all data about to be encapsulated according to a preset application white list, so as to identify and distinguish attack data from non-attack data, and can mark specific data blocks with a preset identifier, which is the basis for building the packet label.
In this embodiment the label press-mounting module 32 is a router with a label function; it presses a specific label into the packets designated by the application identification module, at the label position shown in fig. 3.
In this embodiment the label processing module 33 is likewise a router with a label function. Because the total amount of data in a test evaluation is limited, this router can act as the gateway and support identification, removal and recycling of packet labels: label identification quickly detects and recognises the designated packets and discards data that does not satisfy the condition; label removal resets the packet's label bits to zero and restores the original state; label recycling is coordinated with the front-end (press-mounting) router so that a small number of label slots is used effectively and label identification and operation efficiency is improved. Note that in this embodiment label operations are applied only to upstream traffic (from the testing end to the tested end); downstream traffic is only audited after the fact.
The data processing module 34 relies on a high-speed computing unit, such as a server or high-performance computing terminal, to process data and packets: it forwards the attack packets identified by their label, solving real-time data control and forwarding; it filters packets according to preset rules, performs IP packet reassembly and TCP session restoration, and deeply inspects packet content; and it builds a forwarding table from policies such as network address and protocol type and forwards data messages accordingly.
The state monitoring module 35 identifies the threat traffic generated by the test evaluation system according to a preset feature library, manages legal threat traffic according to preset rules, and identifies illegally accessing attack packets; it supports checking against a process white list to ensure the legality of the processes executed on the tested network; and it monitors the state of the tested network on the basis of the network state data.
The auxiliary decision module 36 evaluates the state of the tested network on the basis of the various state data and assists in formulating a response strategy. It provides alarm information as sound, pop-up windows, animation and the like and supports querying the various alarms; it sends IP blocking instructions to the firewall, router and gateway to isolate an out-of-control host; and it can send a state recovery command to the initialization module to restore the tested network to a preset recording point.
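To make the interplay of the feature library, rule library and process white list concrete, here is an added Python example written for this page (not the patent's own code) that runs the state monitoring and auxiliary-decision steps over constructed sensor records. The library contents, the record fields, the "tagged" flag carried from the access channel, and the restore threshold are all assumptions.

```python
"""State monitoring + auxiliary decision over constructed sensor data (added example)."""
import ipaddress
from dataclasses import dataclass

# Feature library: known traffic features -> technique name (constructed)
FEATURE_LIBRARY = {
    "syn_scan":  {"proto": "tcp", "flags": "S", "min_pps": 200},
    "http_fuzz": {"proto": "tcp", "dport": 80, "min_pps": 50},
}
# Rule library: which technique is legal from which source to which target (constructed)
RULE_LIBRARY = [
    {"technique": "syn_scan",  "src": "10.0.0.0/24", "dst": "192.168.10.0/24"},
    {"technique": "http_fuzz", "src": "10.0.0.0/24", "dst": "192.168.10.20/32"},
]
# Application process white list for hosts of the tested network (constructed)
PROCESS_WHITELIST = {"sshd", "nginx", "mysqld", "sensor-agent"}


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: str
    dport: int
    flags: str
    pps: int        # observed packet rate
    tagged: bool    # arrived through the labelled access channel


@dataclass
class ProcessRecord:
    host: str
    name: str


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def match_feature(flow: FlowRecord):
    """Return the technique whose feature entry the flow matches, else None."""
    for name, feat in FEATURE_LIBRARY.items():
        if flow.proto != feat["proto"] or flow.pps < feat["min_pps"]:
            continue
        if "flags" in feat and flow.flags != feat["flags"]:
            continue
        if "dport" in feat and flow.dport != feat["dport"]:
            continue
        return name
    return None


def classify_flow(flow: FlowRecord):
    """'benign', 'legal_test' (feature, rule and label all agree) or 'illegal_attack'."""
    tech = match_feature(flow)
    if tech is None:
        return "benign", None
    for rule in RULE_LIBRARY:
        if (rule["technique"] == tech and flow.tagged
                and _in_net(flow.src, rule["src"]) and _in_net(flow.dst, rule["dst"])):
            return "legal_test", tech
    return "illegal_attack", tech


def monitor(flows, processes):
    """State monitoring: findings as (kind, where, what) tuples."""
    findings = []
    for f in flows:
        verdict, tech = classify_flow(f)
        if verdict == "illegal_attack":
            findings.append(("illegal_attack", f.src, tech))
    for p in processes:
        if p.name not in PROCESS_WHITELIST:
            findings.append(("unknown_process", p.host, p.name))
    return findings


def decide(findings, init_threshold: int = 2):
    """Auxiliary decision: block_ip for illegal attacks, alarm for unknown
    processes, and initialize (restore zero-state image) for a host with at
    least `init_threshold` unknown processes (assumed damage policy)."""
    actions, unknown_per_host = [], {}
    for kind, where, what in findings:
        if kind == "illegal_attack":
            actions.append(("block_ip", where))
        else:
            actions.append(("alarm", f"{what}@{where}"))
            unknown_per_host[where] = unknown_per_host.get(where, 0) + 1
    for host, n in unknown_per_host.items():
        if n >= init_threshold:
            actions.append(("initialize", host))
    return actions


# Constructed sensor records for a short test window
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", "192.168.10.20", "tcp", 443, "S", 500, True),        # planned scan
    FlowRecord("10.0.0.5", "192.168.10.20", "tcp", 80, "PA", 120, True),        # planned fuzzing
    FlowRecord("172.16.3.9", "192.168.10.21", "tcp", 22, "S", 800, False),      # outside the plan
    FlowRecord("192.168.10.20", "192.168.10.30", "tcp", 3306, "PA", 10, False), # ordinary traffic
]
SAMPLE_PROCESSES = [
    ProcessRecord("web01", "nginx"), ProcessRecord("web01", "unknownd"),
    ProcessRecord("web01", "tmpsvc"), ProcessRecord("db01", "mysqld"),
]

if __name__ == "__main__":
    for action in decide(monitor(SAMPLE_FLOWS, SAMPLE_PROCESSES)):
        print(action)
```

The point the model makes is that a feature-library hit alone does not decide anything: the same scan signature is "legal test" when it arrives labelled, from the planned source and against the planned target, and "illegal attack" otherwise, so the rule library and the label are what separate the range's own traffic from traffic that escaped the plan.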
The initialization module 37 can record, store and reload system images of the physical and virtual machines of the tested network at any time.
In this embodiment the data processing module 34, the state monitoring module 35, the auxiliary decision module 36 and the initialization module 37 are all deployed on the same server.
In this embodiment the data sensor 38 stands for a variety of embedded programs, such as a host event sensor, a web sensor, a database sensor and a syslog data diverter, which can be placed in the operating systems of hosts and servers to collect state data such as system logs and application processes.
In this embodiment the display module 39 (situation display) is a screen-splicing module including a video matrix; it provides graphical display and editing of the network topology, supports dragging, enlarging and shrinking the topology diagram, and can show the dynamic course of the adversarial test through multiple special effects such as primitive size, colour and flashing.
In this embodiment the designated label is located between the Ethernet header and the IP header and can be written and erased, as shown in fig. 3.
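The label placement just described, together with the three label operations of the label processing module (identification, removal and recycling) and label press-mounting on the test-evaluation side, can be modelled in a few lines. The following Python is an added example written for this page, not code from the patent or its assignee. Its assumptions: the label is a 4-byte shim (a 2-byte tag id plus the saved original EtherType) inserted directly after the 14-byte Ethernet header, the frame's EtherType is set to the IEEE local-experimental value 0x88B5 while the label is present so the shim can be recognised without guessing, and the tag-pool size and sample frames are constructed.

```python
"""Label press / identify / remove / recycle on an Ethernet frame (added example)."""
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_ETHERTYPE = 0x88B5    # assumed marker EtherType while a label is present
SHIM_LEN = 4              # tag id (2) + saved original EtherType (2)


class TagPool:
    """A small set of label slots shared by the press-mounting and processing
    modules, so ids freed on removal are handed out again (recycling)."""

    def __init__(self, slots: int) -> None:
        self._free = list(range(1, slots + 1))
        self._in_use = set()

    def allocate(self) -> int:
        if not self._free:
            raise RuntimeError("no free label slots")
        tag = self._free.pop(0)
        self._in_use.add(tag)
        return tag

    def release(self, tag: int) -> None:
        self._in_use.remove(tag)
        self._free.append(tag)

    def is_live(self, tag: int) -> bool:
        return tag in self._in_use


def press_tag(frame: bytes, tag_id: int) -> bytes:
    """Press-mounting: insert the shim between the Ethernet header and the IP header."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    shim = struct.pack("!H", tag_id) + frame[12:14]   # tag id + original EtherType
    return frame[:12] + struct.pack("!H", TAG_ETHERTYPE) + shim + frame[ETH_HDR_LEN:]


def identify_tag(frame: bytes):
    """Identification: the tag id of a labelled frame, or None if unlabelled."""
    if len(frame) < ETH_HDR_LEN + SHIM_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != TAG_ETHERTYPE:
        return None
    return struct.unpack("!H", frame[14:16])[0]


def remove_tag(frame: bytes) -> bytes:
    """Removal: strip the shim and restore the original EtherType."""
    if identify_tag(frame) is None:
        raise ValueError("frame carries no label")
    return frame[:12] + frame[16:18] + frame[ETH_HDR_LEN + SHIM_LEN:]


def tag_egress(outbound, whitelist, pool):
    """Test-evaluation side: application identification + press-mounting.
    `outbound` holds (application name, frame); only frames from a
    white-listed attack tool receive a label."""
    return [press_tag(f, pool.allocate()) if app in whitelist else f
            for app, f in outbound]


def gateway_ingress(frames, pool):
    """Control-system side: identify, drop unlabelled or non-live labels,
    remove the label, recycle the slot.  Returns (forwarded frames, dropped count)."""
    forwarded, dropped = [], 0
    for frame in frames:
        tag = identify_tag(frame)
        if tag is None or not pool.is_live(tag):
            dropped += 1
            continue
        forwarded.append(remove_tag(frame))
        pool.release(tag)     # slot returns to the press-mounting side
    return forwarded, dropped


def make_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame with locally administered MACs."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    pool = TagPool(slots=2)
    frames = [make_frame(b"\x45\x00" + bytes(18) + p) for p in (b"a", b"b", b"c")]
    wire = tag_egress([("scanner", frames[0]), ("browser", frames[1]), ("fuzzer", frames[2])],
                      whitelist={"scanner", "fuzzer"}, pool=pool)
    forwarded, dropped = gateway_ingress(wire, pool)
    print(len(forwarded), "forwarded,", dropped, "dropped")
```

Two properties of the model matter for a range gateway: a frame whose label is not currently live (a forged id, or a replay of a label the gateway has already consumed) is dropped rather than forwarded, and a slot is returned to the pool only after the gateway has removed it, which is what lets a small label space cover an arbitrarily long test.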
In practical engineering applications, the inline threat access control system is deployed between a network security test evaluation system and a tested network.
The above embodiments are not intended to limit the present invention, and the present invention is not limited to the above examples; variations, modifications, additions and substitutions made by those skilled in the art within the technical scope of the present invention also fall within its protective scope.

Claims (10)

1. An inline (tandem-connected) threat access control system, characterized in that it comprises an application identification module (31), a label press-fitting module (32), a label processing module (33), a data processing module (34), a state monitoring module (35), an auxiliary decision module (36), an initialization module (37), a data sensor (38) and a display module (39), the threat access control system being connected in series into the link between a test evaluation system (1) and a tested network (4);
the method of the threat access control system comprises the following steps: an attack host in the test evaluation system (1) generates attack data with an attack tool; the application identification module (31) recognises the attack data that satisfies the white list condition according to a preset attack tool white list; the attack data is encapsulated into packets by the TCP/IP service, and a preset label is pressed into each packet by the label press-mounting module (32); the packets enter the threat access control system through a gateway (2), where the label processing module (33) identifies, processes and recycles the labels; the attack packets are passed to the data processing module (34) and forwarded to the tested network (4) for penetration testing; and the test data generated by the test returns directly to the test evaluation system (1) through the gateway (2), forming a service closed loop; state data generated in real time by the tested network (4) is collected by data sensors (38) deployed in each host and server and submitted to the data processing module (34); the data processing module (34) filters, restores and deeply inspects the state data, then passes it to the state monitoring module (35); the state monitoring module (35) contains a feature library, a rule library and a white list library, identifies legal attack test traffic according to known traffic features and preset rules, checks process legality against a preset application process white list, and monitors the state of the tested network (4) in real time; the auxiliary decision module (36) proposes a decision strategy for selection according to the recognition result of the state monitoring module and can provide alarm, IP blocking and system initialization operations according to the degree of damage; the initialization module (37) records and stores the zero-state image of the tested network (4) at the start of the test and, according to the damage the test evaluation has done to the tested network (4), decides whether to load that image onto the tested network (4) to restore its initial state; the display module (39) shows the state of the tested network in real time and provides the necessary support for human-computer interaction.
2. The inline threat access control system according to claim 1, wherein the application identification module (31) is a host application program that can rapidly identify and distinguish attack data from non-attack data according to an application white list, providing the basis for label press-fitting of packets.
3. The inline threat access control system according to claim 1 or 2, wherein the label press-fitting module (32) is dedicated label press-fitting hardware or a dedicated router, and presses a specific label into the packets designated by the application identification module (31).
4. The inline threat access control system according to claim 1, wherein the label processing module (33) is dedicated label processing hardware or a dedicated router and supports label identification, label removal and label recycling operations on packet labels; label identification quickly detects and recognises the designated packets and discards data that does not satisfy the condition; label removal resets the packet's label bits to zero and restores the original state; label recycling is carried out jointly by the label processing module and the press-mounting module, so that a small number of label slots is used effectively and label identification and operation efficiency is improved.
5. The inline threat access control system according to claim 1, wherein the data processing module (34) relies on a high-speed computing unit to process data and packets; it forwards the attack packets identified by their label, solving real-time data control and forwarding; it filters packets according to preset rules, performs IP packet reassembly and TCP session restoration, and deeply inspects packet content; and it builds a forwarding table from network address and protocol type to forward data messages.
6. The inline threat access control system according to claim 1, wherein the state monitoring module (35) identifies the threat traffic generated by the test evaluation system (1) according to a preset feature library, manages legal threat traffic according to preset rules, and identifies illegally accessing attack packets; checking against a process white list is supported to ensure the legality of the processes executed on the tested network (4); and the state of the tested network is monitored on the basis of the network state data.
7. The inline threat access control system according to claim 1, wherein the auxiliary decision module (36) evaluates the state of the tested network on the basis of the various state data to assist in formulating a response strategy; provides alarm information as sound, pop-up windows and animation and supports querying the various alarms; sends IP blocking instructions to the firewall, the router and the gateway (2) to isolate an out-of-control host; and can send a state recovery command to the initialization module (37) to restore the tested network to a preset recording point.
8. The inline threat access control system according to claim 1, wherein the initialization module (37) can record, store and reload system images of the physical and virtual machines of the tested network at any given time.
9. The system of claim 1, wherein the data sensor (38) is an embedded program that can be installed in the operating system of a host or server to collect system log and application process state data.
10. The inline threat access control system according to claim 1, wherein the display module (39) provides graphical display and editing of the network topology, supports dragging, enlarging and shrinking the topology diagram, and can show the dynamic course of the adversarial test through special effects such as primitive size, colour and flashing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110093253.8A CN112887303B (en) 2021-01-25 2021-01-25 Series threat access control system and method

Publications (2)

Publication Number Publication Date
CN112887303A CN112887303A (en) 2021-06-01
CN112887303B true CN112887303B (en) 2022-09-30

Family

ID=76050708

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110093253.8A Active CN112887303B (en) 2021-01-25 2021-01-25 Series threat access control system and method

Country Status (1)

Country Link
CN (1) CN112887303B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113422777B (en) * 2021-06-28 2022-08-19 安天科技集团股份有限公司 Penetration testing method and device based on white list, computing equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020183615A1 (en) * 2019-03-12 2020-09-17 三菱電機株式会社 Attack estimation device, attack control method, and attack estimation program

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7941856B2 (en) * 2004-12-06 2011-05-10 Wisconsin Alumni Research Foundation Systems and methods for testing and evaluating an intrusion detection system
US8220056B2 (en) * 2008-09-23 2012-07-10 Savvis, Inc. Threat management system and method
US8069471B2 (en) * 2008-10-21 2011-11-29 Lockheed Martin Corporation Internet security dynamics assessment system, program product, and related methods
US20170235960A1 (en) * 2016-02-16 2017-08-17 James Andrew Austin Intelligent system for forecasting threats in a virtual attack domain
JP2021016104A (en) * 2019-07-12 2021-02-12 富士通株式会社 Network management apparatus, network management method, and network management program

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020183615A1 (en) * 2019-03-12 2020-09-17 三菱電機株式会社 Attack estimation device, attack control method, and attack estimation program

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Construction of an attack detection system in a controlled network environment; 王宇; 《保密科学技术》 (Secrecy Science and Technology); 2012-10-10 (Issue 10); full text *
Threat assessment system for power monitoring systems based on virtualized dynamic deployment; 王丹 et al.; 《通信技术》 (Communications Technology); 2020-02-10 (Issue 02); full text *

Also Published As

Publication number Publication date
CN112887303A (en) 2021-06-01

Similar Documents

Publication Publication Date Title
CN110535855B (en) Network event monitoring and analyzing method and system and information data processing terminal
CN114679338A (en) Network risk assessment method based on network security situation awareness
CN110572412A (en) Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof
CN108270716A (en) A kind of audit of information security method based on cloud computing
Alsafi et al. Idps: An integrated intrusion handling model for cloud
Kaushik et al. Network forensic system for port scanning attack
CN112688932A (en) Honeypot generation method, honeypot generation device, honeypot generation equipment and computer readable storage medium
CN112560029A (en) Website content monitoring and automatic response protection method based on intelligent analysis technology
CN112887303B (en) Series threat access control system and method
CN114826880A (en) Method and system for online monitoring of data safe operation
Ma et al. A design of firewall based on feedback of intrusion detection system in cloud environment
Liu et al. Loocipher ransomware detection using lightweight packet characteristics
CN113794590B (en) Method, device and system for processing network security situation awareness information
CN111786986A (en) Numerical control system network intrusion prevention system and method
US10404730B1 (en) High-volume network threat trace engine
KR20170081543A (en) Apparatus and method for detecting symptom based on context information
CN112257069A (en) Server security event auditing method based on flow data analysis
JP5752020B2 (en) Attack countermeasure device, attack countermeasure method, and attack countermeasure program
CN114006719B (en) AI verification method, device and system based on situation awareness
Ahmet et al. Comparison of the host based intrusion detection systems and network based intrusion detection systems
Araújo et al. EICIDS-elastic and internal cloud-based detection system
CN115694892A (en) Network security defense system and method based on network information security
CN110839045B (en) Abnormal flow detection method for power monitoring system
CN113141274A (en) Method, system and storage medium for detecting sensitive data leakage in real time based on network hologram
CN112769860B (en) Threat management and control system and method for bypass setting

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant