CN113094510A - Intelligent processing method and device for network security data mapping - Google Patents


Publication number
CN113094510A
Authority
CN
China
Prior art keywords
server
network
time
network security
label
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110355533.1A
Other languages
Chinese (zh)
Inventor
孙迪科
肖峰
张亚东
郑俊鹏
林宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Jushi Information Technology Co ltd
Original Assignee
Guangzhou Jushi Information Technology Co ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic


Abstract

The application discloses a method and a device for intelligently processing a network security data atlas. The method comprises the following steps: a network security server detects that a first server starts providing service for a first application within a time period; generates a network graph of the servers providing service for the first application; calculates, for each server, the types of attack messages received within the time period from the time the server started providing service until the end of the time period, and the attack frequency of each type of attack message; and displays the label corresponding to each server on the corresponding node in the network graph. The method and the device solve the prior-art problem that overall network security data cannot be provided for all servers providing services for an application, help a network maintainer judge the overall network security condition of the predetermined application, and improve network security to a certain extent.

Description

Intelligent processing method and device for network security data mapping
Technical Field
The application relates to the field of network security, in particular to a method and a device for intelligently processing a network security data atlas.
Background
At present, supporting a given application requires a large number of servers. Unlike in the past, these servers are now provided to the enterprises that need them by way of cloud computing, and cloud service providers still need a large number of physical server hosts to support their cloud services.
For a cloud service provider, network security is crucial. In the prior art, network data analysis is basically directed at one server at a time, but a plurality of servers may provide services for a single application, and the network maintainer can only look at the data of each physical server. The network maintainer therefore has no overall knowledge of the network security condition of all servers providing services for the application, which affects network maintenance to a certain extent.
Disclosure of Invention
The embodiment of the application provides a method and a device for intelligently processing a network security data graph, so as to at least solve the problem that the prior art cannot provide overall network security data for all servers providing services for an application.
According to one aspect of the application, a network security data mapping intelligent processing method is provided, comprising the following steps:
the network security server acquires the starting time and the termination time of a pre-configured time period;
the network security server detects that a first server starts providing service for a first application within the time period, and records a first time at which the first server starts providing service for the first application, wherein the first server is a physical server or a virtual server;
the network security server sends a command message to the first server, wherein the command message carries the termination time, instructs the first server to record the attack messages received at the network address and network port through which the first server provides the first application, and further instructs the first server to send the attack messages received within a first time range to the network security server when the termination time arrives, the starting time of the first time range being the first time and the termination time of the first time range being the termination time of the time period;
the network security server obtains network information of all servers that provide services for the first application within the time period, wherein the servers include physical servers and virtual servers;
the network security server determines the positions of all servers in the machine room according to the network information and generates, according to the positions, a network graph of the servers providing the first application, wherein each node in the network graph represents one server;
the network security server calculates, for each server, the types of attack messages received within the time period from the time the server started providing service until the termination time of the time period, and the attack frequency of each type of attack message;
the network security server uses labels of different shapes to identify the types of attack messages, and labels of different colors to identify different attack frequencies;
and the network security server displays the label corresponding to each server on the corresponding node in the network graph.
Further, the method further comprises: the network security server receives a click operation by a network maintainer on a first label; and the network security server, in response to the click operation, displays a first layer, wherein the first layer is displayed over the network graph and shows information on all messages corresponding to the label.
Further, the method further comprises: the network security server receives a click operation by the network maintainer on a deletion control, wherein the deletion control is arranged on the first layer; and the network security server deletes the label from the network graph in response to the click operation.
Further, the method further comprises: the network security server receives a dragging operation by a network maintainer on a second label; the network security server determines that the distance between the second label and the node corresponding to the second label in the network graph reaches a predetermined distance; and the network security server adds the same background color to a partial area of the second label and to the node corresponding to the second label.
According to another aspect of the present application, a network security data mapping intelligent processing apparatus is also provided, which is applied to a network security server and includes:
a first acquisition module, configured to acquire the starting time and the termination time of a pre-configured time period;
a monitoring and recording module, configured to detect that a first server starts providing service for a first application within the time period, and to record a first time at which the first server starts providing service for the first application, wherein the first server is a physical server or a virtual server;
a command sending module, configured to send a command message to the first server, wherein the command message carries the termination time, instructs the first server to record the attack packets received at the network address and network port through which the first server provides the first application, and further instructs the first server to send the attack packets received within a first time range to the network security server when the termination time arrives, the starting time of the first time range being the first time and the termination time of the first time range being the termination time of the time period;
a second acquisition module, configured to obtain network information of all servers that provide services for the first application within the time period, wherein the servers include physical servers and virtual servers;
a generating module, configured to determine the positions of all servers in the machine room according to the network information and to generate, according to the positions, a network graph of the servers providing the first application, wherein each node in the network graph represents one server;
a calculation module, configured to calculate, for each server, the types of attack messages received within the time period from the time the server started providing service until the termination time of the time period, and the attack frequency of each type of attack message;
an identification module, configured to identify the types of attack messages using labels of different shapes and to identify different attack frequencies using labels of different colors;
and a display control module, configured to display the label corresponding to each server on the corresponding node in the network graph.
Further, the apparatus further comprises: a first receiving module, configured to receive a click operation by the network maintainer on a first label; the display control module is further configured to display a first layer in response to the click operation, wherein the first layer is displayed over the network graph and shows information on all messages corresponding to the label.
Further, the first receiving module is further configured to receive a click operation by the network maintainer on a deletion control, wherein the deletion control is arranged on the first layer; the display control module is further configured to delete the label from the network graph in response to the click operation.
Further, the first receiving module is further configured to receive a dragging operation by a network maintainer on a second label; the display control module is further configured to add the same background color to a partial area of the second label and to the node corresponding to the second label after determining that the distance between the second label and the node corresponding to the second label in the network graph reaches a predetermined distance.
According to another aspect of the present application, there is also provided a memory for storing software for performing the above method.
According to another aspect of the present application, there is also provided a processor for executing software, wherein the software is configured to perform the above method.
In the embodiments of the application, the following steps are adopted:
the network security server acquires the starting time and the termination time of a pre-configured time period;
the network security server detects that a first server starts providing service for a first application within the time period, and records a first time at which the first server starts providing service for the first application, wherein the first server is a physical server or a virtual server;
the network security server sends a command message to the first server, wherein the command message carries the termination time, instructs the first server to record the attack messages received at the network address and network port through which the first server provides the first application, and further instructs the first server to send the attack messages received within a first time range to the network security server when the termination time arrives, the starting time of the first time range being the first time and the termination time of the first time range being the termination time of the time period;
the network security server obtains network information of all servers that provide services for the first application within the time period, wherein the servers include physical servers and virtual servers;
the network security server determines the positions of all servers in the machine room according to the network information and generates, according to the positions, a network graph of the servers providing the first application, wherein each node in the network graph represents one server;
the network security server calculates, for each server, the types of attack messages received within the time period from the time the server started providing service until the termination time of the time period, and the attack frequency of each type of attack message;
the network security server uses labels of different shapes to identify the types of attack messages, and labels of different colors to identify different attack frequencies;
and the network security server displays the label corresponding to each server on the corresponding node in the network graph.
The method and the device solve the prior-art problem that overall network security data cannot be provided for all servers providing services for an application, help a network maintainer judge the overall network security condition of the predetermined application, and improve network security to a certain extent.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
FIG. 1 is a flow diagram of a network security data mapping intelligent processing method according to an embodiment of the application.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
In this embodiment, a network security data mapping intelligent processing method is provided. FIG. 1 is a flowchart of the network security data mapping intelligent processing method according to an embodiment of the present application. As shown in FIG. 1, the flow includes the following steps:
Step S102, the network security server acquires the starting time and the termination time of a pre-configured time period;
As an optional embodiment, the starting time and the termination time of the time period may be set by the network maintainer as needed. Alternatively, the network security server selects, according to the first application's historical occupation of server resources, the period of the day in which the most server resources are occupied as the time period in step S102. The network security server plots the first application's daily occupation of server resources over 30 days as 30 curves and compares the 30 curves to find a curve with abnormal resource occupancy and the time period on that curve in which the resource occupancy is abnormal; this time period is also used as a time period in step S102. That is, step S102 includes two time periods. Resource occupancy is abnormal when the resource occupancy on the curve is 10% higher than the average resource occupancy of the 30 curves in that time period.
Step S104, the network security server detects that a first server starts providing service for a first application within the time period, and records a first time at which the first server starts providing service for the first application, wherein the first server is a physical server or a virtual server;
Step S106, the network security server sends a command message to the first server, wherein the command message carries the termination time, instructs the first server to record the attack packets received at the network address and network port through which the first server provides the first application, and further instructs the first server to send the attack packets received within a first time range to the network security server when the termination time arrives, the starting time of the first time range being the first time and the termination time of the first time range being the termination time of the time period;
As an optional additional implementation, after the firewall in the first server identifies an attack packet, the first server checks its local storage space; if the local storage space is smaller than a threshold, the first server sends the attack packet to a cloud storage, which the network security server creates by a request to the cloud storage server at the starting time. After the termination time is reached, the first server acquires all attack packets from the cloud storage server and forwards them to the network security server; after successful forwarding, the first server sends a deletion command to the cloud storage server, the deletion command being used to delete the attack packets that the first server has already forwarded.
Optionally, a predetermined time (for example, 1 minute) after the termination time of the time period arrives, the network security server determines whether the cloud storage still holds attack packets. If attack packets are still stored, the network security server acquires the network information of the server from which the attack packets originate and sends a heartbeat signal to that server according to the network information; if several heartbeat signals are sent and no response is received, the network security server sends alarm information to a network maintainer and also sends the attack packets remaining in the cloud storage to the network maintainer.
Optionally, the first server may use sampling when determining attack packets: for example, when the number of received packets reaches a predetermined number, it performs sampling detection on those packets to obtain information on suspicious packets, and analyzes the information on the suspicious packets to obtain the attack packets.
Optionally, the first server may also determine attack packets according to resource occupancy: when the resource occupancy measured by the first server in the current period is more than twice that of the previous period, the first server stores the packets received in the current period and the previous period as attack packets. Preferably, each second is counted as one period.
Step S108, the network security server obtains network information of all servers that provide services for the first application within the time period, wherein the servers include physical servers and virtual servers;
Step S110, the network security server determines the positions of the machine rooms where all the servers are located according to the network information, and generates, according to the positions, a network graph of the servers providing the first application, wherein each node in the network graph represents one server;
Step S112, the network security server calculates, for each server, the types of attack messages received within the time period from the time the server started providing service until the termination time of the time period, and the attack frequency of each type of attack message;
The type of an attack message may be determined by machine learning. A machine learning model based on a neural network may be trained using multiple sets of training data, and an open-source model may be employed. Each set of training data comprises a message and a label corresponding to the message, the label indicating the type of the message. Once the model has been trained to convergence, it can be used: the attack message is input into the model, and the model outputs the type corresponding to the attack message. It should be noted that one attack message may contain multiple attack categories.
If the amount of training data is insufficient, this embodiment further provides a method for obtaining training data: the training data set of the machine learning model is evaluated to identify a feature subset that is missing from the feature space of the training data set (for example, DDoS attacks are absent); network nodes dedicated to capturing training data are configured, and from them a plurality of network nodes suitable for launching an attack on the network to generate the missing feature subset are selected; one or more attack nodes are selected from the plurality of network nodes; an attack routine is provided to the one or more attack nodes to cause them to launch the attack; and an indication that the attack has completed is received from the one or more attack nodes. The training data set is generated by randomly selecting an attack node from the plurality of network nodes to launch a network attack. In this way more training data can be obtained.
Step S114, the network security server uses labels of different shapes to identify the types of attack messages, and labels of different colors to identify different attack frequencies;
Step S116, the network security server displays the label corresponding to each server on the corresponding node in the network graph.
Through the above steps, the network security server displays all the servers providing services for the first application on one network graph and shows the specific situation of each server through its labels. This solves the prior-art problem that overall network security data cannot be provided for all servers providing services for an application, allows a network maintainer to judge the overall network security condition of the predetermined application, and improves network security to a certain extent.
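The following Python example is added here and is not part of the patent. It works through the 10% rule for abnormal resource occupancy from step S102 and the per-server type and frequency labels of steps S112 to S116. The hourly sampling of the curves, the definition of attack frequency as attacks per hour, the shape table, the colour bands and all function and server names are assumptions made for illustration.

```python
"""Added illustration of steps S102 and S112-S116; not code from the patent."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean

# Assumed mappings: the page only says shape encodes type and colour encodes frequency.
SHAPES = {"ddos": "triangle", "port_scan": "square", "sql_injection": "diamond"}
COLOUR_BANDS = [(60.0, "red"), (10.0, "orange"), (0.0, "yellow")]  # lower bound, attacks/hour


def abnormal_periods(daily_curves, margin=0.10):
    """S102 alternative: find, per day, the hour spans whose resource occupancy
    exceeds the average of all curves at that hour by more than `margin` (10%).
    Returns {day_index: [(start_hour, end_hour_exclusive), ...]}."""
    hours = len(daily_curves[0])
    avg = [mean(day[h] for day in daily_curves) for h in range(hours)]
    found = {}
    for d, day in enumerate(daily_curves):
        spans, start = [], None
        for h in range(hours + 1):
            hot = h < hours and day[h] > avg[h] * (1 + margin)
            if hot and start is None:
                start = h
            elif not hot and start is not None:
                spans.append((start, h))
                start = None
        if spans:
            found[d] = spans
    return found


@dataclass(frozen=True)
class AttackRecord:
    server: str
    ts: float      # seconds since the start of the time period
    types: tuple   # one message may carry several attack categories


def colour_for(per_hour):
    for lower, colour in COLOUR_BANDS:
        if per_hour >= lower:
            return colour
    return COLOUR_BANDS[-1][1]


def build_labels(first_times, end_time, records):
    """S112-S116: count attack types per server inside that server's own first
    time range [first_time, end_time] and turn each count into a label."""
    counts = {server: Counter() for server in first_times}
    for rec in records:
        start = first_times.get(rec.server)
        if start is None or not (start <= rec.ts <= end_time):
            continue  # unknown server, or outside its first time range
        counts[rec.server].update(set(rec.types))
    labels = {}
    for server, per_type in counts.items():
        hours = (end_time - first_times[server]) / 3600.0
        labels[server] = []
        for kind, n in sorted(per_type.items()):
            rate = n / hours if hours > 0 else float(n)
            labels[server].append({
                "type": kind,
                "shape": SHAPES.get(kind, "circle"),  # fallback for unmapped types
                "colour": colour_for(rate),
                "count": n,
                "per_hour": round(rate, 2),
            })
    return labels


# Constructed sample input: 30 flat daily curves (24 hourly readings, 40% occupancy),
# with day 12 raised to 50% during hours 14 and 15.
SAMPLE_CURVES = [[40.0] * 24 for _ in range(30)]
SAMPLE_CURVES[12][14] = SAMPLE_CURVES[12][15] = 50.0

# Constructed sample input: a 2-hour period; srv-b joins after one hour, srv-c near the end.
SAMPLE_END = 7200.0
SAMPLE_FIRST_TIMES = {"srv-a": 0.0, "srv-b": 3600.0, "srv-c": 7000.0}
SAMPLE_RECORDS = (
    [AttackRecord("srv-a", 10.0 + 40 * i, ("ddos",)) for i in range(150)]
    + [AttackRecord("srv-a", 200.0, ("ddos", "port_scan"))]
    + [AttackRecord("srv-a", 7300.0, ("ddos",))]          # after the termination time
    + [AttackRecord("srv-b", 3000.0, ("port_scan",))]     # before srv-b's first time
    + [AttackRecord("srv-b", 3700.0 + 100 * i, ("sql_injection",)) for i in range(30)]
    + [AttackRecord("srv-x", 500.0, ("ddos",))]           # not serving the application
)

if __name__ == "__main__":
    print(abnormal_periods(SAMPLE_CURVES))
    for server, tags in build_labels(SAMPLE_FIRST_TIMES, SAMPLE_END, SAMPLE_RECORDS).items():
        print(server, tags or "node shown without labels")
```

A server that joins late is rated over its own shorter first time range, so the same number of attack messages yields a higher frequency band than on a server that served the whole period.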
Preferably, the method further comprises: the network security server receives a click operation by a network maintainer on a first label; and the network security server, in response to the click operation, displays a first layer, wherein the first layer is displayed over the network graph and shows information on all messages corresponding to the label.
Preferably, the method further comprises: the network security server receives a click operation by the network maintainer on a deletion control, wherein the deletion control is arranged on the first layer; and the network security server deletes the label from the network graph in response to the click operation.
Preferably, the method further comprises: the network security server receives a dragging operation by a network maintainer on a second label; the network security server determines that the distance between the second label and the node corresponding to the second label in the network graph reaches a predetermined distance; and the network security server adds the same background color to a partial area of the second label and to the node corresponding to the second label.
In this embodiment, an electronic device is provided, comprising a memory in which a computer program is stored and a processor configured to run the computer program to perform the method in the above embodiments.
In this embodiment, a network security data mapping intelligent processing apparatus is further provided, which is applied to the network security server. The network security server may be a physical server or a virtual server, and either may be understood as an electronic apparatus or a software apparatus. The modules in the apparatus correspond to the steps in the method, which have already been described and are not repeated here. The apparatus includes:
a first acquisition module, configured to acquire the starting time and the termination time of a pre-configured time period;
a monitoring and recording module, configured to detect that a first server starts providing service for a first application within the time period, and to record a first time at which the first server starts providing service for the first application, wherein the first server is a physical server or a virtual server;
a command sending module, configured to send a command message to the first server, wherein the command message carries the termination time, instructs the first server to record the attack packets received at the network address and network port through which the first server provides the first application, and further instructs the first server to send the attack packets received within a first time range to the network security server when the termination time arrives, the starting time of the first time range being the first time and the termination time of the first time range being the termination time of the time period;
a second acquisition module, configured to obtain network information of all servers that provide services for the first application within the time period, wherein the servers include physical servers and virtual servers;
a generating module, configured to determine the positions of all servers in the machine room according to the network information and to generate, according to the positions, a network graph of the servers providing the first application, wherein each node in the network graph represents one server;
a calculation module, configured to calculate, for each server, the types of attack messages received within the time period from the time the server started providing service until the termination time of the time period, and the attack frequency of each type of attack message;
an identification module, configured to identify the types of attack messages using labels of different shapes and to identify different attack frequencies using labels of different colors;
and a display control module, configured to display the label corresponding to each server on the corresponding node in the network graph.
Preferably, the apparatus further comprises: a first receiving module, configured to receive a click operation by the network maintainer on a first label; the display control module is further configured to display a first layer in response to the click operation, wherein the first layer is displayed over the network graph and shows information on all messages corresponding to the label.
Preferably, the first receiving module is further configured to receive a click operation by the network maintainer on a deletion control, wherein the deletion control is arranged on the first layer; the display control module is further configured to delete the label from the network graph in response to the click operation.
Preferably, the first receiving module is further configured to receive a dragging operation by a network maintainer on a second label; the display control module is further configured to add the same background color to a partial area of the second label and to the node corresponding to the second label after determining that the distance between the second label and the node corresponding to the second label in the network graph reaches a predetermined distance.
In this embodiment, there is also provided a memory for storing software for performing the above method.
In this embodiment, a processor for executing software is also provided, wherein the software is configured to perform the above method.
These computer programs or software may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks, and corresponding steps may be implemented by different modules.
The programs or software described above may be run on a processor or may also be stored in memory (also referred to as computer-readable media), which includes both permanent and non-permanent, removable and non-removable media that may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A network security data mapping intelligent processing method is characterized by comprising the following steps:
the network security server acquires the starting time and the ending time of a pre-configured time period;
the network security server monitors that a first server starts providing service for a first application in the time period, and records first time when the first server starts providing service for the first application, wherein the first server is a physical server or a virtual server;
the network security server sends a command message to the first server, wherein the command message carries the termination time, the command message is used for instructing the first server to record an attack message received by a network address and a network port of the first server for providing the first application, the command message is also used for instructing the first server to send the received attack message within a first time range to the network security server when the termination time arrives, the starting time of the first time range is the first time, and the termination time of the first time range is the termination time of the time period;
the network security server obtains network information of all servers which provide services for the first application in the time period, wherein the servers comprise: a physical server, a virtual server;
the network security server determines the positions of all servers in the machine room according to the network information and generates a network graph of the first application providing server according to the positions, wherein each node in the network graph represents one server;
the network security server calculates the type of attack messages received by each server from the beginning of service provision to the end of the time period in the time period and the attack frequency of the attack messages of the type;
the network security server uses labels with different shapes to identify the types of attack messages, and uses different color labels to identify different attack frequencies;
and the network security server displays the label corresponding to each server on the corresponding node in the network graph.
2. The method of claim 1, further comprising:
the network security server receives click operation of a network maintainer on a first label;
and the network security server responds to the click operation to display a first layer, wherein the first layer is displayed on the network graph, and information of all messages corresponding to the label is displayed in the first layer.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
the network security server receives click operation of the network maintainer on a deletion control, wherein the deletion control is arranged on the first layer;
the network security server deletes the label from the network map in response to the click operation.
4. The method according to any one of claims 1 to 3, further comprising:
the network security server receives the dragging operation of a network maintainer on the second label;
the network security server determines that the distance between the second label and a node corresponding to the second label in the network graph reaches a preset distance;
and the network security server adds the same background color on the partial area of the second label and the node corresponding to the second label.
5. A network security data mapping intelligent processing device is applied to a network security server, and the device comprises:
the first acquisition module is used for acquiring the starting time and the ending time of a pre-configured time period;
the monitoring and recording module is used for monitoring that a first server starts to provide service for a first application in the time period and recording first time when the first server starts to provide service for the first application, wherein the first server is a physical server or a virtual server;
a command sending module, configured to send a command message to the first server, where the command message carries the termination time, where the command message is used to instruct the first server to record attack messages received by a network address and a network port of the first server for providing the first application, and is also used to instruct the first server to send the attack messages received within a first time range to the network security server when the termination time arrives, where a start time of the first time range is the first time, and a termination time of the first time range is the termination time of the time period;
a second obtaining module, configured to obtain network information of all servers that provide services for the first application in the time period, where the servers include: a physical server, a virtual server;
the generating module is used for determining the positions of all servers in the machine room according to the network information and generating a network graph of the first application providing server according to the positions, wherein each node in the network graph represents one server;
the calculation module is used for calculating the type of the attack message received by each server from the service providing start to the termination time of the time period in the time period and the attack frequency of the attack message of the type;
the identification module is used for identifying the type of the attack message by using labels with different shapes and identifying different attack frequencies by using different color identifications;
and the display control module is used for displaying the label corresponding to each server on the corresponding node in the network graph.
6. The apparatus of claim 5,
the device further comprises: the first receiving module is used for receiving the clicking operation of the network maintainer on the first label;
the display control module is further configured to display a first layer in response to the click operation, where the first layer is displayed on the network map, and information of all messages corresponding to the label is displayed in the first layer.
7. The apparatus of claim 5 or 6,
the first receiving module is further configured to receive a click operation of the network maintainer on a deletion control, where the deletion control is disposed on the first layer;
the display control module is also used for responding to the click operation to delete the label from the network map.
8. The apparatus according to any one of claims 5 to 7,
the first receiving module is also used for receiving the dragging operation of a network maintainer on the second label;
the display control module is further configured to add the same background color to a partial area of the second label and a node corresponding to the second label after determining that the second label is a predetermined distance away from the node corresponding to the second label in the network map.
9. A memory for storing software, wherein the software is configured to perform the method of any one of claims 1 to 4.
10. A processor configured to execute software, wherein the software is configured to perform the method of any one of claims 1 to 4.
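An illustrative sketch of the calculation and identification steps of claim 1, added here and not part of the patent text or the applicant's implementation. The shape and color mappings, the events-per-hour frequency bands, the function names and the sample data are all assumptions; the claims only require that attack types map to distinct label shapes and attack frequencies to distinct colors.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed mappings: the claims only require distinct shapes per attack type and
# distinct colours per frequency band. Unknown types fall back to "diamond".
SHAPE_BY_TYPE = {"syn_flood": "triangle", "sql_injection": "square", "port_scan": "circle"}
COLOR_BANDS = [(10.0, "red"), (1.0, "orange"), (0.0, "green")]  # events/hour lower bounds


def color_for(rate_per_hour):
    for lower, color in COLOR_BANDS:
        if rate_per_hour >= lower:
            return color
    return COLOR_BANDS[-1][1]


def build_labels(servers, messages, period_end):
    """Return {server: [(shape, color, type, count), ...]} for one time period.

    servers:  {server_id: service_start} (the "first time" of each server)
    messages: iterable of (server_id, timestamp, attack_type)
    Only messages inside [service_start, period_end] are counted.
    """
    counts = {sid: Counter() for sid in servers}
    for sid, ts, attack_type in messages:
        start = servers.get(sid)
        if start is None or not (start <= ts <= period_end):
            continue  # unknown server, or outside that server's time range
        counts[sid][attack_type] += 1

    labels = {}
    for sid, start in servers.items():
        hours = max((period_end - start).total_seconds() / 3600.0, 1e-9)
        labels[sid] = [
            (SHAPE_BY_TYPE.get(t, "diamond"), color_for(n / hours), t, n)
            for t, n in sorted(counts[sid].items())
        ]
    return labels


# Constructed sample data (not from the patent).
END = datetime(2021, 4, 1, 12, 0)
SERVERS = {"vm-a": END - timedelta(hours=2), "phys-b": END - timedelta(hours=1)}
MESSAGES = (
    [("vm-a", END - timedelta(minutes=m), "syn_flood") for m in range(1, 31)]
    + [("vm-a", END - timedelta(minutes=90), "port_scan")]
    + [("phys-b", END - timedelta(minutes=90), "sql_injection")]  # before phys-b started
    + [("phys-b", END - timedelta(minutes=10), "sql_injection")]
)
```

Each returned tuple is what the display step would attach to the server's node in the network graph; a message that arrived before its server started providing the service is excluded from that server's counts.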
CN202110355533.1A 2021-04-01 2021-04-01 Intelligent processing method and device for network security data mapping Pending CN113094510A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110355533.1A CN113094510A (en) 2021-04-01 2021-04-01 Intelligent processing method and device for network security data mapping

Publications (1)

Publication Number Publication Date
CN113094510A true CN113094510A (en) 2021-07-09

Family

ID=76672485

Country Status (1)

Country Link
CN (1) CN113094510A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106549950A (en) * 2016-11-01 2017-03-29 南京理工大学 A kind of matrix method for visualizing based on state attacking and defending figure
CN109218276A (en) * 2017-08-01 2019-01-15 全球能源互联网研究院 A kind of network attack drawing generating method and system
CN110245491A (en) * 2019-06-11 2019-09-17 合肥宜拾惠网络科技有限公司 The determination method, apparatus and memory and processor of network attack type
CN110505195A (en) * 2019-06-26 2019-11-26 中电万维信息技术有限责任公司 The dispositions method and system of fictitious host computer
US20200177612A1 (en) * 2018-11-02 2020-06-04 KnowBe4, Inc. Systems and methods of cybersecurity attack simulation for incident response training and awareness
CN112291228A (en) * 2020-04-10 2021-01-29 吴萌萌 Attack behavior mining method and system based on image big data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
登高且赋: "https://www.jianshu.com/p/055e4223d054", 《APM-SKYWALKING UI使用全攻略》 *
蒲彩琳: "https://roombox.xdf.cn/blog/graphical-use-of-skywalking-ui/", 《图解 SKYWALKING UI 的使用》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210709