CN113194087A - Safety risk high-intensity monitoring system for different information domains - Google Patents

Info

Publication number: CN113194087A
Application number: CN202110463392.5A
Authority: CN (China)
Prior art keywords: monitoring, module, network, security, monitoring system
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 刘智, 徐国前, 李祺峰, 杨益桐, 刘道
Current assignee: Shenzhen Weisden Information Technology Co ltd
Original assignee: Shenzhen Weisden Information Technology Co ltd
Application filed by Shenzhen Weisden Information Technology Co ltd; priority to CN202110463392.5A; publication of CN113194087A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks
  • Computer And Data Communications

Abstract

The invention relates to the technical field of intrusion detection systems, in particular to a high-intensity monitoring system for security risks in different information domains. The system comprises a malicious behavior analysis module, a security risk identification module and a network security strong detection module, designed as an integrated whole; the malicious behavior analysis module analyzes malicious behavior. By integrating these three modules (malicious behavior analysis, security risk identification and network security strong detection and analysis), the invention has a higher security detection capability, can classify by risk event type, forms a dynamic defense system with active detection at its core, discovers a user's latent security hazards and external intrusion paths as early as possible, supports big-data analysis, storage and backup on a big data platform, and allows the user to run penetration-test attacks against devices in the network in order to detect the security risks present in the system.

Description

Safety risk high-intensity monitoring system for different information domains
Technical Field
The invention relates to the technical field of intrusion detection systems, in particular to a security risk high-intensity monitoring system for different information domains.
Background
An Intrusion Detection System (IDS) compensates for the shortcomings of a firewall: it provides real-time intrusion detection for network security and takes corresponding protective measures, such as recording evidence for tracing, recovery and disconnecting the network connection. Early IDSs were merely listening systems. Given how local area networks operate, an IDS can record all user access to and operations on the servers located on the same switch/hub as the IDS for later analysis, much like the Event Viewer of the familiar Windows operating system. Later, because an IDS produced too many records, the next generation of IDS analyzed the recorded data and listed only the subset of records that indicated risk. The current generation of IDS adds the ability to analyze application-layer data, which greatly increases its capability.
Although an IDS has the characteristics described above, in practice most current deployment methods for intrusion detection intercept the data flow on the network in a bypass (passive tap) fashion, cannot set policy dynamically, lack the flexibility needed to respond to attacks, and therefore cannot adequately protect network security.
Compared with existing intrusion detection systems, the main innovation of the security risk high-intensity monitoring system is that, by integrating a multi-IDS packet-capture engine, it can accurately identify various attack behaviors originating outside or inside the network, report and record intrusion information in real time, provide flexible and diverse response modes, and generate comprehensive intrusion analysis reports suited to different roles.
Although existing intrusion detection systems can trace an attacker's route and catch the intruder, they have obvious shortcomings: the system cannot investigate attack behavior without user involvement, traditional detection techniques cannot overcome weaknesses at the network-protocol level, and many security threats become known only after the fact, so the adaptability of the intrusion detection system is poor.
Disclosure of Invention
The present invention is directed to a security risk high-intensity monitoring system for different information domains, so as to solve the problems described in the background art.
To achieve this purpose, the invention provides the following technical scheme. A security risk high-intensity monitoring system for different information domains comprises a malicious behavior analysis module, a security risk identification module and a network security strong detection module, the three modules being designed as an integrated whole. The malicious behavior analysis module analyzes malicious behavior and performs the malicious behavior analysis function using the Snort, Suricata, BroIDS and OSSEC services. The security risk identification module identifies security risks, meets national protection requirements and similar standards, and is designed as four sub-modules: risk monitoring, host monitoring, network monitoring and application monitoring. The network security strong detection module performs strong network security detection and analysis and supports the Metasploit security vulnerability detection tool.
Preferably, the malicious behavior analysis module captures and analyzes the data packets on the network through a Snort engine, and responds to and processes them according to the defined rules.
Preferably, according to the rule chain, the monitoring system adopts five response mechanisms: Activation (alert and switch on another Dynamic rule chain), Dynamic (invoked by other rules), Alert (alert), Pass (ignore) and Log (record the network traffic without alerting).
Preferably, the monitoring system integrates the multi-process IDS engine Suricata, which is composed of several associated modules; the selection of the monitoring system's operating mode is based on the program priority set by Suricata, and the default operating mode is optimized detection.
Preferably, the monitoring system includes a packet capture module, a data stream processing module, a detection module and an output module. The packet capture module acquires data from the network interface, passes it to the packet decoder, and provides data formatting for the processing of subsequent modules. The data stream processing module tracks the state of the transport-layer protocol, reassembles packets in the correct order, and is responsible for application-layer data processing and reordering. The detection module analyzes the packets and matches them against the signatures or rules created by the user, and the output module outputs the data in multiple formats.
Preferably, the risk monitoring module provides a dedicated library of expert monitoring templates, performs efficient data acquisition, analysis, audit and processing, exports the data to a security operations and maintenance platform via monitoring data migration, produces a security monitoring report through comprehensive evaluation and analysis, issues early warnings and gives targeted solutions.
Preferably, the host monitoring module monitors minicomputers, PC servers, desktop computers, notebook computers, character terminals, graphics terminals and disk arrays; host events are collected by SNMP and by a monitoring agent; and the host monitoring module supports monitoring of CPU load, memory space, disk space, swap partition, network card traffic, host liveness, system user changes and server restarts.
Preferably, the network monitoring module monitors switches, routers, firewalls, VPN gateways, security gateways, links and other network devices; network event collection supports the SNMP and OpenFlow protocols; and the network monitoring module monitors network device performance, network traffic, network topology changes and user behavior analysis, and can perform network security detection.
Preferably, the application monitoring module monitors in-house application software, outsourced application software, business application software, middleware and databases; it monitors the liveness, access speed, return code and response time of the application, and supports monitoring of SSH, Apache, databases and Nginx.
Preferably, the monitoring system identifies weaknesses in protection capability by simulating real-world attacks, including use of a penetration module, password auditing, attacking Web applications and sending phishing mails, to assist in penetration testing.
Compared with the prior art, the invention has the following beneficial effects:
by integrating the three modules of malicious behavior analysis, security risk identification and network security strong detection and analysis, the invention has a higher security detection capability, can classify by risk event type, forms a dynamic defense system with active detection at its core, discovers a user's latent security hazards and external intrusion paths early, supports big-data analysis, storage and backup on a big data platform, and allows the user to run penetration-test attacks against devices in the network to detect the security risks present in the system and thus anticipate security risks.
Drawings
FIG. 1 is a diagram of the system design architecture of the present invention;
FIG. 2 is a risk identification graph according to the present invention;
FIG. 3 is a flow chart of a default packet capture mode of the present invention;
FIG. 4 is a diagram of the pfring mode of operation of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A security risk high-intensity monitoring system for different information domains comprises a malicious behavior analysis module, a security risk identification module and a network security strong detection module, the three modules being designed as an integrated whole. The malicious behavior analysis module analyzes malicious behavior and performs the malicious behavior analysis function using the Snort, Suricata, BroIDS and OSSEC services. The security risk identification module identifies security risks, meets national protection requirements and similar standards, and is designed as four sub-modules: risk monitoring, host monitoring, network monitoring and application monitoring. The network security strong detection module performs strong network security detection and analysis and supports the Metasploit security vulnerability detection tool.
The security risk identification module can automatically discover servers and network devices, and has the following main working characteristics:
1. distributed monitoring network with centralized management;
2. support for polling and trap mechanisms;
3. the server side supports Linux, Solaris, HP-UX, AIX, FreeBSD, OpenBSD and OS X;
4. high-performance local agents (the client software supports Linux, Solaris, HP-UX, AIX, FreeBSD, OpenBSD, OS X, Tru64/OSF1, Windows NT 4.0, Windows 2000, Windows 2003, Windows XP and Windows Vista);
5. agentless monitoring;
6. secure user authentication;
7. flexible assignment of user permissions;
8. a web-based interface;
9. flexible retention of network events and notification by e-mail, SMS, WeChat and other channels;
10. high-level resource monitoring;
11. a log audit function;
12. monitoring metrics: CPU load, memory usage, disk usage, network conditions, port monitoring and log monitoring.
The working characteristics of the Metasploit security vulnerability detection tool are as follows:
Flexible, open platform: supports secondary development through an API and import of third-party reports, for example from Nexpose, Metasploit, Acunetix, Amap, AppScan, Foundstone, Libpcap, Microsoft MBSA, Nessus, Netsparker, Nmap, Qualys and Retina.
Rich penetration testing: supports penetration testing of network devices, databases, operating systems, web applications, mobile terminals, industrial control equipment and more.
High efficiency: up to 10,000 hosts can be penetration-tested in a single task.
Friendly licensing: penetration testing is not limited by the number of IP addresses.
Web interface: the Web interface makes operation more convenient and efficient.
Support: a product development team with extensive penetration testing experience helps users solve problems encountered during penetration testing.
Integration: can be integrated into an enterprise's security policy management platform (SOC platform).
Trojan/backdoor anti-virus evasion: supports randomized evasion techniques and evades 90% of the world's antivirus software.
Brute force: supports multiple protocols, such as SMB, Postgres, DB2, MySQL, MSSQL, Oracle, HTTP, HTTPS, SSH, Telnet, FTP, POP3, BSD EXEC, BSD LOGIN, BSD SHELL, VMAuthd, VNC, SNMP and AFP.
Further, the malicious behavior analysis module captures and analyzes the data packets on the network through a Snort engine, and responds to and processes them according to the defined rules.
Further, according to the rule chain, the monitoring system adopts five response mechanisms: Activation (alert and switch on another Dynamic rule chain), Dynamic (invoked by other rules), Alert (alert), Pass (ignore) and Log (record the network traffic without alerting).
Further, the monitoring system integrates the multi-process IDS engine Suricata, which consists of several associated modules; the selection of the system's operating mode is based on the program priority set by Suricata, the default operating mode is optimized detection, and because the operating mode can be controlled, security risk is effectively controlled and correct decisions can be made during security management.
Further, the monitoring system comprises a packet capture module, a data stream processing module, a detection module and an output module. The packet capture module acquires data from the network interface, passes it to the packet decoder, and provides data formatting for the processing of subsequent modules. The data stream processing module tracks the state of the transport-layer protocol, reassembles packets in the correct order, and is responsible for application-layer data processing and reordering. The detection module analyzes the packets and matches them against the signatures or rules created by the user, and the output module outputs the data in multiple formats.
Further, the risk monitoring module provides a dedicated library of expert monitoring templates, performs efficient data acquisition, analysis, audit and processing, exports the data to a security operations and maintenance platform via monitoring data migration, produces a security monitoring report through comprehensive evaluation and analysis, issues early warnings and targeted solutions, and binds a specific host name, user name or server name to an IP address.
Further, the host monitoring module monitors minicomputers, PC servers, desktop computers, notebook computers, character terminals, graphics terminals and disk arrays; host events are collected by SNMP and by a monitoring agent; and the host monitoring module supports monitoring of CPU load, memory space, disk space, swap partition, network card traffic, host liveness, system user changes and server restarts, so that instead of hard-to-read IP addresses the monitoring window displays the host names or server names of specific locations.
Further, the network monitoring module monitors switches, routers, firewalls, VPN gateways, security gateways, links and other network devices; network event collection supports the SNMP and OpenFlow protocols; and the network monitoring module monitors network device performance, network traffic, network topology changes and user behavior analysis, can perform network security detection, and can accurately monitor the running state of a device at a specific position within the monitoring system.
Further, the application monitoring module monitors in-house application software, outsourced application software, business application software, middleware and databases; it monitors the liveness, access speed, return code and response time of the application, supports monitoring of SSH, Apache, databases and Nginx, and can monitor the source and destination host names associated with a security event, so that employees' network behavior, access connections to servers and the persons associated with a security event are clear at a glance.
Further, the monitoring system can identify weaknesses in protection capability by simulating real-world attacks and assists in penetration testing; the simulated real-world attacks include using a penetration module, password auditing, attacking Web applications and sending phishing mails, and penetration testing can be carried out through a proprietary web-page interface design, which improves penetration testing efficiency and effectiveness.
The security risk high-intensity monitoring system analyzes malicious behavior by distributing sensors across the network to monitor multiple VLANs and subnets. The Snort, Suricata, BroIDS and OSSEC services are used to perform the malicious behavior analysis functions. The Snort engine sniffs and analyzes the packets on the network, but unlike an ordinary sniffer it can respond to and process them according to defined rules. After each rule has been checked against the captured packet, one of five response mechanisms can be applied according to the rule chain: Activation (alert and switch on another Dynamic rule chain), Dynamic (invoked by other rules), Alert (alert), Pass (ignore) and Log (record the network traffic without alerting). The system has multiple functions, including packet sniffing, packet analysis, packet detection and response processing; each module implements a different function and each is attached to the IDS engine as a plug-in, which makes extending functionality convenient. For example, preprocessor plug-ins run before the misuse-detection rule matching and perform IP fragment reassembly, HTTP decoding, Telnet decoding and the like; other plug-ins check each protocol field, close connections and respond to attacks; and the output plug-in writes the processed results as logs or alerts.
The system integrates the multi-process IDS engine Suricata, which consists of several associated modules; the arrangement of the modules, the thread queues associated with them and so on depend on Suricata's running mode. The choice of running mode is based on the program priority set by Suricata; the default running mode is optimized detection, which is typically the resource-intensive module, and this mode is shown in FIG. 3. In another running mode, PF_RING is used to optimize packet capture and decoding for high-throughput connections, as shown in FIG. 4.
Whichever running mode is used, the first stage of Suricata obtains packets via the packet capture module. This module takes data from the network interface and hands it to the packet decoder, which determines the link type and formats the data for the modules that follow. After this step, the data is passed to the data stream processing module, which is mainly responsible for tracking the state of the transport-layer protocol (e.g. TCP) and reassembling packets in the correct order. In addition, the data stream processing module handles application-layer (e.g. HTTP) data processing and reordering. Once the data has been processed it is forwarded to the detection module, which analyzes the packet data and matches it against the user-created signatures or rules. If an alert is generated, the alert and its associated data are sent to the output module, which outputs the data in multiple formats.
Bro, which is integrated into the security risk high-intensity monitoring system, is generally the best choice for more complex tasks, such as those requiring deeper protocol knowledge, work spanning several network flows, or computing some part of the currently processed traffic with custom algorithms, unlike signature-based IDSs such as Snort and Suricata. Bro supports not only all common network protocols but also many less common ones. Through a feature known as dynamic protocol detection, network traffic can be identified even when it appears on a non-standard port. The application-layer and tunneling protocols supported by Bro include DHCP, DNS, FTP, HTTP, IRC, POP3, SMTP, SOCKS, SSH, SSL, SYSLOG, Teredo and GTPv1.
When Bro detects a known application protocol in the network traffic, the details of that transaction are recorded in a log file. A mechanism is also provided for creating custom transaction logic while Bro parses and decodes the protocols in the current traffic. The behavior produced by a protocol can be viewed as a series of events, and the user can register event handlers with Bro to take over event processing. After a new event handler has been written and registered for a particular event, Bro automatically invokes it and executes the user's code whenever that event occurs in the network traffic. Within an event handler the user can do whatever is needed, and the number of event handlers is not limited; even for the same event, several event handlers may be used.
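The five Snort response mechanisms and the Activation-to-Dynamic chaining described above, as an added Python model that is not part of the patent or of Snort's own code. The simplified rule syntax (Snort's classic header plus `msg`, `content`, `activates`, `activated_by` and `count` options), the packet dictionaries and all sample rules and packets are constructed here for illustration.

```python
"""Minimal model of Snort's five rule actions and activate/dynamic chaining.

Constructed example: rules use a Snort-style header, but only a handful of
options are understood, and packets are plain dicts rather than decoded frames.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Snort's default evaluation order: activation, dynamic, alert, pass, log.
ORDER = ["activate", "dynamic", "alert", "pass", "log"]

RULE_RE = re.compile(
    r"^(activate|dynamic|alert|pass|log)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)$"
)

@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str                       # port number or "any"
    msg: str
    content: Optional[bytes] = None     # plain-text payload substring to match
    activates: Optional[int] = None     # activate rule: chain id it switches on
    activated_by: Optional[int] = None  # dynamic rule: chain id that enables it
    count: int = 0                      # dynamic rule: packets to log once enabled

def parse_rule(line: str) -> Rule:
    """Parse one rule line; raises ValueError on anything outside the model."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, dport, opts = m.groups()
    kv = {}
    for opt in (o.strip() for o in opts.split(";")):
        if opt:
            key, _, val = opt.partition(":")
            kv[key.strip()] = val.strip().strip('"')
    return Rule(
        action, proto, dport, kv.get("msg", ""),
        content=kv["content"].encode() if "content" in kv else None,
        activates=int(kv["activates"]) if "activates" in kv else None,
        activated_by=int(kv["activated_by"]) if "activated_by" in kv else None,
        count=int(kv.get("count", 0)),
    )

def matches(rule: Rule, pkt: dict) -> bool:
    """Header fields and content substring checked against one packet."""
    if rule.proto != pkt["proto"]:
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != pkt["dport"]:
        return False
    return rule.content is None or rule.content in pkt["payload"]

class RuleEngine:
    """Applies the first matching rule, walking the chains in ORDER."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: ORDER.index(r.action))
        self.enabled = {}   # chain id -> packets the dynamic chain may still log
        self.alerts = []    # (msg, src)
        self.logs = []      # (msg, src, payload)

    def process(self, pkt: dict) -> str:
        for rule in self.rules:
            # Dynamic rules stay inert until an activate rule switches them on.
            if rule.action == "dynamic" and self.enabled.get(rule.activated_by, 0) <= 0:
                continue
            if matches(rule, pkt):
                return self._apply(rule, pkt)
        return "none"

    def _apply(self, rule: Rule, pkt: dict) -> str:
        if rule.action == "activate":
            # Alert, then arm the dynamic chain for its configured packet count.
            self.alerts.append((rule.msg, pkt["src"]))
            for r in self.rules:
                if r.action == "dynamic" and r.activated_by == rule.activates:
                    self.enabled[rule.activates] = r.count
        elif rule.action == "dynamic":
            self.logs.append((rule.msg, pkt["src"], pkt["payload"]))
            self.enabled[rule.activated_by] -= 1
        elif rule.action == "alert":
            self.alerts.append((rule.msg, pkt["src"]))
            self.logs.append((rule.msg, pkt["src"], pkt["payload"]))
        elif rule.action == "log":
            self.logs.append((rule.msg, pkt["src"], pkt["payload"]))
        # "pass": the packet is ignored and nothing is recorded
        return rule.action

# Constructed sample rule set and packets (no real signatures or hosts).
RULES = """
activate tcp any any -> any 143 (msg:"IMAP exploit attempt"; content:"/bin/sh"; activates:1;)
dynamic tcp any any -> any 143 (msg:"IMAP post-exploit capture"; activated_by:1; count:2;)
alert tcp any any -> any 80 (msg:"WEB-ATTACKS cmd.exe access"; content:"cmd.exe";)
pass tcp any any -> any 22 (msg:"trusted ssh";)
log tcp any any -> any 23 (msg:"telnet session";)
"""
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "dport": 143, "payload": b"A001 LOGIN /bin/sh"},
    {"proto": "tcp", "src": "203.0.113.7", "dport": 143, "payload": b"A002 SELECT INBOX"},
    {"proto": "tcp", "src": "203.0.113.7", "dport": 143, "payload": b"A003 FETCH 1"},
    {"proto": "tcp", "src": "203.0.113.7", "dport": 143, "payload": b"A004 LOGOUT"},
    {"proto": "tcp", "src": "198.51.100.9", "dport": 80, "payload": b"GET /scripts/cmd.exe HTTP/1.0"},
    {"proto": "tcp", "src": "192.0.2.4", "dport": 22, "payload": b"SSH-2.0-OpenSSH"},
    {"proto": "tcp", "src": "192.0.2.4", "dport": 23, "payload": b"login:"},
]

def run(rules_text: str = RULES, packets=SAMPLE_PACKETS):
    """Return the action taken per packet and the engine holding alerts/logs."""
    engine = RuleEngine([parse_rule(l) for l in rules_text.strip().splitlines()])
    return [engine.process(p) for p in packets], engine

if __name__ == "__main__":
    actions, eng = run()
    print(actions)          # the fourth IMAP packet is "none": the chain ran out
    print(eng.alerts, eng.logs, sep="\n")
```

The fourth packet on port 143 shows the Dynamic chain switching itself off once its `count` is exhausted, so a Dynamic rule only ever captures the follow-on traffic the Activation rule asked for.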
Aiming at the functional characteristics of the three modules, the following technology is unique to an information security risk high-intensity monitoring system:
the overall system architecture is designed to be exclusive to the invention, and comprises IDS, the identification of the residual risk of the information security of the equal-level protection and the integration of the penetration test module Metasplait.
The IDS carries out a malicious behavior analysis module, and the invention provides autonomous protocol customization, rule base matching and proprietary interface display of the system.
The system can classify risk events according to event information captured by the malicious behavior analysis module, and provides a corresponding safety mechanism for defense aiming at different risks, wherein risk monitoring, host monitoring, network monitoring and application monitoring are classified protection of a safety strategy center aiming at different assets of a service system.
The system integrates Metasplaint and performs penetration test through a proprietary webpage interface design.
The security risk high-intensity monitoring system provides a host name binding function, and binds a specific host name, a user name or a server name with an IP address. The equipment monitoring topological graph provided by the comprehensive monitoring module can clearly monitor the running state of the equipment at a specific position. In this way, what is displayed in the monitoring window of the console is no longer an IP address that is difficult to understand, but a host name or server name of a specific location. In the security event window, associated with the security event are source and target host names, making the employee's network behavior, access connections to the server, and the correlation of the security event transparent.
The security risk high-intensity monitoring system provides several ways of reporting network security conditions together with powerful report analysis tools, and can meet a range of user requirements. For example, the traffic chart reflects the current traffic condition of the network; the detail report lists the events of each kind by time period or by severity; and the analysis report performs statistical analysis on the data recorded in the alarm database, presenting the results as bar charts, pie charts and similar forms.
First, the security risk high-intensity monitoring system provides an enterprise-level distributed monitoring solution for software that monitors the health and integrity of many servers. It adopts a flexible early-warning notification mechanism that lets the user define any network activity to be warned about by email, so that server problems are surfaced quickly. The system also has strong reporting and data visualization functions; because all data are stored in a database, the information security risk high-intensity monitoring system has good planning capability and supports both active polling and trap modes. Through parameter configuration, all reports and statistics of the comprehensive monitoring module can be accessed through a Web-based front end.
Second, the system classifies the objects of security risk management, for example into employee objects, service objects and server objects, and then manages each class separately: internal employee management, service management and server management. Classifying security information in this way makes it easier for the user to browse the information and quickly identify events of interest.
Third, the system also has a network traffic statistics function and can monitor the usage of a network segment at any time. Once network traffic becomes abnormal at some moment, the network administrator can use other indicators to analyze whether resources are being abused in the current network and take corresponding measures. The traffic chart function of the security risk high-intensity monitoring system lets the network administrator check the traffic condition of the network at any time.
In addition, there is a need to specifically manage a set of important servers (destination addresses) or a set of suspicious or specific hosts (source addresses). The objects added to the important server group are hosts that play key roles in the network and need special protection; the objects added to the important detection group should be internal or external hosts suspected of attacks. The system not only provides management for a specific source address or destination address, but can also generate a corresponding report according to the monitoring results, thereby integrating monitoring and reporting.
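Added example (not the patent's implementation) of the segment traffic statistics and the source/destination group reports described above; the flow records, the group membership, the segment list and the byte threshold are constructed assumptions.

```python
# Added example for per-segment traffic statistics and group-based reporting;
# the flow record format, groups, segments and threshold are constructed
# assumptions and not part of the patented system.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# constructed NetFlow-style records: (minute, src, dst, bytes)
FLOWS = [
    ("2021-04-23T10:00", "10.1.1.5", "10.2.0.10", 1200),
    ("2021-04-23T10:00", "10.1.1.6", "10.2.0.10", 900),
    ("2021-04-23T10:01", "10.1.1.5", "10.2.0.11", 500_000),
    ("2021-04-23T10:01", "203.0.113.7", "10.2.0.10", 3000),
    ("2021-04-23T10:01", "203.0.113.7", "10.2.0.12", 2500),
]
IMPORTANT_SERVERS = {"10.2.0.10", "10.2.0.11"}  # destination group needing protection
DETECTION_GROUP = {"203.0.113.7"}                # source group of suspected hosts
SEGMENTS = [ip_network("10.1.1.0/24"), ip_network("10.2.0.0/24")]

def segment_bytes(flows):
    """Bytes sent from each monitored segment per minute (the traffic chart view)."""
    stats = defaultdict(int)
    for minute, src, _dst, nbytes in flows:
        for seg in SEGMENTS:
            if ip_address(src) in seg:
                stats[(minute, str(seg))] += nbytes
    return dict(stats)

def abnormal_minutes(flows, threshold=100_000):
    """(minute, segment) pairs whose volume exceeds a constructed byte threshold."""
    return sorted(k for k, v in segment_bytes(flows).items() if v > threshold)

def group_report(flows):
    """Per-object report: hits on important servers by destination address and
    activity of detection-group hosts by source address."""
    rep = {"important_servers": defaultdict(lambda: {"flows": 0, "bytes": 0}),
           "detection_group": defaultdict(lambda: {"flows": 0, "bytes": 0})}
    for _minute, src, dst, nbytes in flows:
        if dst in IMPORTANT_SERVERS:
            rep["important_servers"][dst]["flows"] += 1
            rep["important_servers"][dst]["bytes"] += nbytes
        if src in DETECTION_GROUP:
            rep["detection_group"][src]["flows"] += 1
            rep["detection_group"][src]["bytes"] += nbytes
    return {k: dict(v) for k, v in rep.items()}
```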
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A security risk high-intensity monitoring system for different information domains, characterized by: the monitoring system includes a malicious behavior analysis module, a security risk identification module and a network security strong detection module, the three modules being designed in an integrated manner; the malicious behavior analysis module is used for analyzing malicious behaviors and performs its analysis function using the Snort, Suricata, Bro IDS and OSSEC services; the security risk identification module is used for identifying security risks, meets the national protection requirements and similar standards, and is divided for design purposes into four modules of risk monitoring, host monitoring, network monitoring and application monitoring; the network security strong detection module is used for strong network security detection and analysis and supports the Metasploit security vulnerability detection tool.
2. A security risk high-intensity monitoring system for different information domains according to claim 1, characterized by: the malicious behavior analysis module captures and analyzes the data packets on the network through the Snort engine and responds to and processes them according to the defined rules.
3. A security risk high-intensity monitoring system for different information domains according to claim 1, characterized by: according to the rule chain, the monitoring system adopts five response mechanisms: activate (alarm and start another dynamic rule chain), dynamic (invoked by other rule packages), alert (alarm), pass (ignore) and log (record the network traffic without alarming).
4. A security risk high-intensity monitoring system for different information domains according to claim 1, characterized by: the monitoring system integrates the multi-process IDS engine Suricata, which is composed of a number of associated modules; the operating mode of the monitoring system is selected on the basis of the program priority set by Suricata, and the default operating mode is optimized detection.
5. A security risk high-intensity monitoring system for different information domains according to claim 1, characterized by: the monitoring system comprises a packet capture module, a data stream processing module, a detection module and an output module; the packet capture module acquires data from a network interface, passes it to a packet decoder, and provides data formatting for the processing of the subsequent modules; the data stream processing module tracks the relevant transport-layer protocol, reassembles packets in a definite order, and is responsible for application-layer data processing and reordering; the detection module analyzes the packets and matches them against the signatures or rules created by the user; and the output module outputs the data in various formats.
6. A security risk high-intensity monitoring system for different information domains according to claim 1, characterized by: the risk monitoring module provides a dedicated monitoring expert template library, performs efficient data collection, analysis, audit and processing, exports the monitoring data by migration to a security operation and maintenance platform, forms a security monitoring report through comprehensive evaluation and analysis, issues early warnings and gives targeted solutions.
7. A security risk high-intensity monitoring system for different information domains according to claim 1, characterized by: the host monitoring module monitors minicomputers, PC servers, desktop computers, notebook computers, character terminals, graphics terminals and disk enclosures; host events are collected by SNMP and by a monitoring agent in event collection mode; and the host monitoring module supports monitoring of CPU load, memory space, disk space, swap partition, network card traffic, host liveness, system user changes and server restarts.
8. A security risk high-intensity monitoring system for different information domains according to claim 1, characterized by: the network monitoring module monitors switches, routers, firewalls, VPN gateways, security gateways, links and other network equipment; network event collection supports the SNMP and OpenFlow protocols; and the network monitoring module monitors network equipment performance, network traffic, network topology changes and user behavior analysis, and can perform network security detection.
9. A security risk high-intensity monitoring system for different information domains according to claim 1, characterized by: the application monitoring module monitors in-house developed application software, outsourced application software, business application software, middleware and databases, monitors the liveness, access speed, return code and response time of applications, and supports monitoring of SSH, Apache, databases and Nginx.
10. A security risk high-intensity monitoring system for different information domains according to claim 1, characterized by: the monitoring system identifies weak points in protective capability by simulating real-world attacks, which include using a penetration module, password auditing, attacking Web applications and sending phishing mails, to assist penetration testing.
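To make the five rule actions in claim 3 concrete, here is an added example (not the patent's code and not Snort's implementation) that models how alert, log, pass, activate and dynamic rules dispose of a packet; the Rule fields and the port-only packet model are simplified assumptions.

```python
# Added example modelling the five Snort rule actions from claim 3; the Rule
# fields and the port-only packet model are simplified assumptions, not Snort's grammar.
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str               # "alert" | "log" | "pass" | "activate" | "dynamic"
    dport: "int | None"       # destination port to match; None matches any port
    msg: str
    activates: int = 0        # activate rule: id of the dynamic rule it arms
    activated_by: int = 0     # dynamic rule: id of the activate rule that arms it
    count: int = 0            # dynamic rule: packets to log once armed

@dataclass
class Engine:
    rules: list
    budget: dict = field(default_factory=dict)  # dynamic id -> packets left to log

    def process(self, dport):
        """Outputs for one packet (modelled by its destination port). A matching
        pass rule silences it; pass is checked first here (Snort makes that order configurable)."""
        hits = [r for r in self.rules if r.dport in (None, dport)]
        if any(r.action == "pass" for r in hits):
            return ["PASS"]
        armed = dict(self.budget)  # dynamic rules log the packets *after* activation
        out = []
        for r in hits:
            if r.action in ("alert", "activate"):
                out.append(f"ALERT {r.msg}")
                if r.action == "activate":
                    dyn = next(d for d in self.rules
                               if d.action == "dynamic" and d.activated_by == r.activates)
                    self.budget[r.activates] = dyn.count
            elif r.action == "log":
                out.append(f"LOG {r.msg}")
            elif r.action == "dynamic" and armed.get(r.activated_by, 0) > 0:
                out.append(f"LOG {r.msg}")
                self.budget[r.activated_by] = armed[r.activated_by] - 1
        return out

def demo():
    eng = Engine([Rule("pass", 22, "trusted ssh"),  # constructed rule set
                  Rule("alert", 23, "telnet attempt"),
                  Rule("log", 53, "dns query"),
                  Rule("activate", 445, "smb probe", activates=1),
                  Rule("dynamic", None, "post-probe traffic", activated_by=1, count=2)])
    # constructed trace: 22 passes; 23 alerts; 53 logs; 445 alerts and arms the
    # dynamic rule, which logs the next two packets and then falls silent
    return [eng.process(p) for p in (22, 23, 53, 445, 80, 80, 80)]
```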
CN202110463392.5A 2021-04-23 2021-04-23 Safety risk high-intensity monitoring system for different information domains Pending CN113194087A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110463392.5A CN113194087A (en) 2021-04-23 2021-04-23 Safety risk high-intensity monitoring system for different information domains

Publications (1)

Publication Number Publication Date
CN113194087A true CN113194087A (en) 2021-07-30

Family

ID=76980229

Country Status (1)

Country Link
CN (1) CN113194087A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117978541A (en) * 2024-03-28 2024-05-03 福州安渡神州科技有限公司 Enterprise information security monitoring alarm system and method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106131023A (en) * 2016-07-15 2016-11-16 深圳市永达电子信息股份有限公司 A kind of Information Security Risk strength identifies system
CN107241224A (en) * 2017-06-09 2017-10-10 珠海市鸿瑞软件技术有限公司 The network risks monitoring method and system of a kind of transformer station

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210730