CN113242218A - Network security monitoring method and system - Google Patents

Network security monitoring method and system

Info

Publication number: CN113242218A
Authority: CN (China)
Prior art keywords: message data, network security, network, training, sorted
Legal status: Pending
Application number: CN202110442667.7A
Other languages: Chinese (zh)
Inventors: 葛崇振, 赵耀
Current assignee: Individual
Original assignee: Individual
Application filed by: Individual
Priority to: CN202110442667.7A
Publication of: CN113242218A
Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                        • H04L63/1433 Vulnerability analysis
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F11/00 Error detection; Error correction; Monitoring
                    • G06F11/30 Monitoring
                        • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
                            • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
            • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
                • G06N3/00 Computing arrangements based on biological models
                    • G06N3/02 Neural networks
                        • G06N3/04 Architecture, e.g. interconnection topology
                        • G06N3/08 Learning methods

Abstract

The invention provides a network security monitoring method and system in the technical field of the internet. The network security monitoring method comprises the following steps: acquiring and storing message data from real-time monitoring of network security logs; sorting and marking the stored message data, and analyzing the network description information in the sorted message data; performing a security evaluation of the sorted message data with a neural network training model, putting the trained model into online operation, and sampling the messages that pass through it; and, if the sampling result shows a potential security hazard, outputting a report and executing a decision according to a preset requirement. By monitoring and analyzing massive network security logs in real time, the method can identify the type of security risk and apply the corresponding handling, so that the network security function is executed efficiently. The invention also provides a network security monitoring system comprising an acquisition module, an analysis module, a sampling module and an output module.

Description

Network security monitoring method and system
Technical Field
The invention relates to the technical field of internet, in particular to a network security monitoring method and system.
Background
With the development and maturity of internet technologies, particularly Web 2.0 and mobile internet technologies, services and products based on them are widely used; on the other hand, as the depth and breadth of such products and services keep growing, the problem of network security becomes ever more prominent. Network security includes network device security, network information security and network software security. Any software system connected to the internet can be reached at the network level as long as its interfaces are not physically isolated, and therefore runs the risk of being invaded by malicious software or attack behaviour, even to the point of its underlying hardware being controlled and its data leaked. At present a large number of internet products and services depend on hardware, software and related data deployed on the internet, so ensuring the network security of these services and products is the foundation of cyberspace security and stability. However, network security maintenance is costly and the related investment does not pay off in the short term, so internet service providers, especially small and medium-sized ones, neglect investment in security, and network security incidents keep emerging.
Moreover, the continuous development of network technology and the deep penetration of network applications make network security problems increasingly prominent. A network security log records the operations of users, the operations of programs and other content; events related to network anomalies can be mined from these records to obtain information about network security problems. Because the volume of network security logs is usually at the level of mass data, their readability and utilization rate are low.
How to efficiently handle the security risks that may exist in a network by analyzing massive network security logs has become a problem to be solved in the industry.
Disclosure of Invention
The invention aims to provide a network security monitoring method which can identify the type of security risk by monitoring and analyzing massive network security logs in real time and apply the corresponding handling, so that the network security function is executed efficiently.
Another object of the present invention is to provide a network security monitoring system capable of running the network security monitoring method.
The embodiment of the invention is realized by the following steps:
In a first aspect, an embodiment of the present application provides a network security monitoring method, which includes: acquiring and storing message data from real-time monitoring of network security logs; sorting and marking the stored message data, and analyzing the network description information in the sorted message data; performing a security evaluation of the sorted message data with a neural network training model, putting the trained model into online operation, and sampling the messages that pass through it; and, if the sampling result shows a potential security hazard, outputting a report and executing a decision according to a preset requirement.
In some embodiments of the present invention, acquiring and storing the real-time monitoring network security log message data includes: a traffic splitter performs a traffic mirroring operation on the message data of the monitored IP address, and the network security monitor then monitors the mirrored message data in real time.
In some embodiments of the present invention, the above further includes: the method of acquiring network security log message data is set according to the information acquisition interface of the network security site, an update frequency is set so that network security log message data are acquired continuously, and the message data acquired each time are stored in a database as one entry.
In some embodiments of the present invention, sorting and marking the stored message data and analyzing the network description information in the sorted message data includes: sorting and marking the stored message data according to domain name, protocol characteristics and data characteristics, wherein domain names can be classified by security into three conditions: credible, untrustworthy and partially credible.
In some embodiments of the present invention, the above further includes: analyzing the sorted network description information, wherein the network description information comprises IP information, description text and execution results.
In some embodiments of the present invention, performing the security evaluation of the sorted message data with a neural network training model, putting the trained model into online operation and sampling the messages that pass through it includes: randomly dividing the sorted message data into a training set and a test set at a preset ratio, loading the training set to start neural network training, and testing the neural network under training.
In some embodiments of the present invention, the above further includes: if the precision of the test output result meets the set threshold, training of the neural network is finished; if it does not reach the set precision, training of the neural network is restarted until it is finished.
In a second aspect, an embodiment of the present application provides a network security monitoring system, which includes an acquisition module, configured to acquire and store message data from real-time monitoring of network security logs;
an analysis module, configured to sort and mark the stored message data and to analyze the network description information in the sorted message data;
a sampling module, configured to perform a security evaluation of the sorted message data with a neural network training model, put the trained model into online operation and sample the messages that pass through it;
and an output module, configured to output a report and execute a decision according to a preset requirement if the sampling result shows a potential security hazard.
In some embodiments of the invention, the system includes: at least one memory for storing computer instructions; and at least one processor in communication with the memory, wherein the at least one processor, when executing the computer instructions, causes the system to implement the acquisition module, the analysis module, the sampling module and the output module.
In a third aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored, and the computer program, when executed by a processor, implements any one of the network security monitoring methods described above.
Compared with the prior art, the embodiment of the invention has at least the following advantages or beneficial effects:
The method can identify the type of security risk by monitoring and analyzing massive network security logs in real time and apply the corresponding handling, so that the network security function is executed efficiently. By training a neural network model it can recognize malicious network traffic and assess the network security state in real time, solving the lag of the prior art; it can also predict the security state, being forward-looking and observable; and it can learn the latest security techniques in a timely manner while monitoring, keeping pace with the times and not easily becoming obsolete.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic diagram illustrating steps of a network security monitoring method according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating detailed steps of a network security monitoring method according to an embodiment of the present invention;
fig. 3 is a schematic block diagram of a network security monitoring system according to an embodiment of the present invention;
fig. 4 is an electronic device according to an embodiment of the present invention.
Reference numerals: 10, acquisition module; 20, analysis module; 30, sampling module; 40, output module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the individual features of the embodiments can be combined with one another without conflict.
Example 1
Referring to fig. 1, fig. 1 is a schematic diagram illustrating steps of a network security monitoring method according to an embodiment of the present invention, which is shown as follows:
step S100, acquiring and storing real-time monitoring network security log message data;
In some embodiments, the network security logs obtained from the network security log message data are monitored in real time; they include system logs, firewall logs, intrusion detection logs and the like. By analyzing the network security logs, network faults can be located and information such as the traces left by network attacks can be obtained. The network description information in the network security log is then analyzed, wherein the network description information comprises any one or more of IP information, port information, description text, timestamp and execution result; the description text comprises any one or more of time to live (TTL), TCP window size and TCP flags; the IP information comprises any one or more of source address, target address and IP protocol; and the execution result is any one or more of receiving, dropping and rejecting a connection.
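The following is an added example (not code from the patent) of the parsing step described above: it reads firewall records out of a mixed system log and extracts the network description information fields named in step S100 (IP information, port information, description text, timestamp, execution result), then counts results per source address and lists sources that were repeatedly blocked. The log layout is a constructed iptables-style format and the addresses are documentation ranges; both are this example's assumptions.

```python
"""Parse firewall log lines into the network description information named in
step S100: IP information (source address, target address, IP protocol), port
information, description text (TTL, TCP window size, TCP flags), timestamp and
execution result (receive / drop / reject).

Added example, not code from the patent. The log layout is a constructed
iptables-style format; the addresses are documentation ranges, not real traffic."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: four firewall records plus one unrelated sshd line,
# because a real system log mixes sources and the parser must skip the rest.
SAMPLE_LOG = """\
Apr 21 10:15:02 fw kernel: [ACCEPT] IN=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=51234 DPT=443 TTL=64 WINDOW=65535 FLAGS=SYN
Apr 21 10:15:03 fw kernel: [DROP] IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 TTL=51 WINDOW=1024 FLAGS=SYN
Apr 21 10:15:04 fw kernel: [DROP] IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=23 TTL=51 WINDOW=1024 FLAGS=SYN
Apr 21 10:15:05 fw kernel: [REJECT] IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=33434 TTL=51
Apr 21 10:15:06 fw sshd[812]: Accepted publickey for ops from 10.0.0.5
"""

# Header: syslog timestamp, host, "kernel:", bracketed verdict; the rest is KEY=VALUE pairs.
HEAD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"\[(?P<verdict>ACCEPT|DROP|REJECT)\] "
)
KV_RE = re.compile(r"([A-Z]+)=(\S+)")
RESULT = {"ACCEPT": "receive", "DROP": "drop", "REJECT": "reject"}


@dataclass
class NetworkDescription:
    timestamp: str
    ip: dict           # src, dst, proto
    ports: dict        # src, dst (None when the record carries no port)
    description: dict  # ttl, window, flags (None when absent, e.g. for UDP)
    result: str        # receive / drop / reject


def _int(kv: dict, key: str) -> Optional[int]:
    return int(kv[key]) if key in kv else None


def parse_line(line: str) -> Optional[NetworkDescription]:
    """Return the parsed record, or None for lines that are not firewall records."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(line[m.end():]))
    return NetworkDescription(
        timestamp=m.group("ts"),
        ip={"src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO")},
        ports={"src": _int(kv, "SPT"), "dst": _int(kv, "DPT")},
        description={"ttl": _int(kv, "TTL"), "window": _int(kv, "WINDOW"), "flags": kv.get("FLAGS")},
        result=RESULT[m.group("verdict")],
    )


def parse_log(text: str):
    """Parse every line; return (records, number of lines skipped)."""
    records, skipped = [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def summarize(records):
    """Count execution results per source address: (src, result) -> count."""
    counts = {}
    for r in records:
        key = (r.ip["src"], r.result)
        counts[key] = counts.get(key, 0) + 1
    return counts


def suspicious_sources(records, min_blocked: int):
    """Sources whose traffic was dropped or rejected at least min_blocked times,
    the kind of trace a blocked port scan leaves in the firewall log."""
    blocked = {}
    for r in records:
        if r.result in ("drop", "reject"):
            blocked[r.ip["src"]] = blocked.get(r.ip["src"], 0) + 1
    return sorted(src for src, n in blocked.items() if n >= min_blocked)
```

Records that carry no TCP fields (the UDP line) keep `None` in the description dictionary rather than being dropped, so the "any one or more of" wording of the patent is honoured and later stages can still use the IP information and execution result.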
Step S110, sorting and marking the stored message data, and analyzing network description information in the sorted message data;
In some embodiments, the type of security risk in the monitored network security logs is evaluated according to the network description information. A preset security risk assessment and analysis system is called to assess the network description information and obtain a first assessment result, wherein the first assessment result comprises a security risk type, and the security risk type comprises any one or more of network fault, network intrusion, network trojan and network vulnerability; the first assessment result is corrected against a preset database of historical security risk assessment results to obtain a second assessment result; and the security risk type in the second assessment result is confirmed as the security risk type of the network security monitoring platform.
In some embodiments, a matching security event processing policy is called to handle the network security event according to the security risk type. The security event processing policies ranked in the top N by priority for the security risk type are queried in a preset security risk processing policy database; the optimal security event processing policy among these top-N policies is determined by taking into account the processing capability and available resources of the network security monitoring platform; and the optimal policy is called to process the network security event.
Step S120, safety evaluation is carried out on the sorted message data according to a neural network training model, the sorted message data is put into on-line operation after training, and the passed message is sampled;
In some embodiments, the characteristics of various known potential network security hazards and typical hazard traffic data are obtained from security and research organizations, traffic from a typical time period is captured from the network, each captured flow is analyzed to judge whether it matches the known hazard characteristics, and it is classified and marked according to the matching result. The classified traffic data are randomly divided into a training set and a test set at a ratio of 8:2; the training set is loaded and neural network training is started; the test set is loaded and the neural network under training is tested. If the precision of the test output result meets the set threshold, training of the neural network is finished; if it does not reach the set precision, step five is repeated until training is finished.
And step S130, if the sampling result shows potential safety hazard, outputting a report and executing decision according to a preset requirement.
In some embodiments, the security event processing policies ranked in the top N by priority for the security risk type are queried in a preset security risk processing policy database;
in step S52, taking into account the processing capability and callable resources of the network security monitoring platform, the optimal security event processing policy is determined from among the top-N policies;
in step S53, the optimal security event processing policy is invoked to process the network security event.
In one embodiment, more than one solution may exist for the same security risk type, and the top-N policies by priority are selected from them, where the factors combined into the priority include processing time cost, system performance overhead, system I/O overhead and the like. The optimal policy among the top-N is then determined by combining the actual processing capability and the actually callable resources of the network security monitor. For example, the first-ranked security event processing policy requires a processing time cost of only 10 seconds but needs a CPU with 16-thread parallel processing capability; the second-ranked policy requires only 20 seconds of CPU processing time and 2 threads of parallel processing capability, but one additional system function. Therefore, the processing capability and callable resources of the network security monitor are considered together, and the optimal policy is chosen from among the top-N policies on the basis that it can actually run. After these steps, the optimal security event processing policy is called to process the network security event.
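An added example (not the patent's code) of the selection logic described in steps S52 and S53 and in the worked comparison above: the policies for a risk type are ranked by priority, the top N are kept, those the platform cannot actually run (too few CPU threads, a required system function missing) are discarded, and the cheapest remaining one is chosen. The policy database, the cost fields, the platform descriptions and the tie-break order are all constructed for this example; `P1` and `P2` mirror the 10-second/16-thread and 20-second/2-thread comparison in the text.

```python
"""Choose a security event processing policy for a security risk type:
top-N by priority, filter by what the platform can run, pick the cheapest.

Added example, not code from the patent. POLICY_DB, the cost fields and the
Platform description are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    risk_type: str
    priority: int              # 1 = highest rank in the constructed database
    time_cost_s: int           # processing time cost in seconds
    cpu_threads: int           # parallel processing capability required
    io_cost: int               # system I/O overhead, constructed relative units
    extra_functions: frozenset = frozenset()  # additional system functions needed


@dataclass(frozen=True)
class Platform:
    cpu_threads: int           # threads available for parallel processing
    functions: frozenset       # system functions the platform provides


# Constructed policy database. P1 and P2 mirror the patent's comparison: P1 is
# fast but needs 16 threads, P2 needs 2 threads but one extra system function.
POLICY_DB: List[Policy] = [
    Policy("P1", "network_intrusion", 1, 10, 16, 3),
    Policy("P2", "network_intrusion", 2, 20, 2, 2, frozenset({"sandbox"})),
    Policy("P3", "network_intrusion", 3, 45, 2, 5),
    Policy("P4", "network_intrusion", 4, 5, 1, 1),
    Policy("T1", "network_trojan", 1, 30, 4, 4),
]


def top_n(policies: List[Policy], risk_type: str, n: int) -> List[Policy]:
    """S51: the N highest-priority policies recorded for this risk type."""
    candidates = [p for p in policies if p.risk_type == risk_type]
    return sorted(candidates, key=lambda p: p.priority)[:n]


def can_run(policy: Policy, platform: Platform) -> bool:
    """A policy is runnable only if the platform has the threads and functions it needs."""
    return (policy.cpu_threads <= platform.cpu_threads
            and policy.extra_functions <= platform.functions)


def select_policy(policies: List[Policy], risk_type: str,
                  platform: Platform, n: int = 3) -> Optional[Policy]:
    """S52: among the top-N, keep the runnable ones and take the cheapest
    (lowest time cost, then fewest threads, then least I/O). None means no
    policy in the top-N fits the platform, which the caller must handle
    (for example by widening N or escalating to an operator)."""
    runnable = [p for p in top_n(policies, risk_type, n) if can_run(p, platform)]
    if not runnable:
        return None
    return min(runnable, key=lambda p: (p.time_cost_s, p.cpu_threads, p.io_cost))


if __name__ == "__main__":
    small_box = Platform(cpu_threads=4, functions=frozenset({"sandbox"}))
    print(select_policy(POLICY_DB, "network_intrusion", small_box))   # P2
    big_box = Platform(cpu_threads=32, functions=frozenset())
    print(select_policy(POLICY_DB, "network_intrusion", big_box))     # P1
```

The `None` return is the case the text glosses over: if none of the top-N policies can run on the platform, the selector must say so rather than silently invoke a policy that will fail part-way through handling the event.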
Example 2
Referring to fig. 2, fig. 2 is a detailed step diagram of a network security monitoring method according to an embodiment of the present invention, which is shown as follows:
Step S200: a traffic splitter performs a traffic mirroring operation on the message data of the monitored IP address, and the network security monitor then monitors the mirrored message data in real time.
Step S210: according to the information acquisition interface of the network security site, the method of acquiring network security log message data is set, an update frequency is set so that network security log message data are acquired continuously, and the message data acquired each time are stored in a database as one entry.
Step S220: the stored message data are sorted and marked according to domain name, protocol characteristics and data characteristics, wherein domain names can be classified by security into three conditions: credible, untrustworthy and partially credible.
Step S230: the sorted network description information is analyzed, wherein the network description information includes IP information, description text and execution result.
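An added example (not code from the patent) of steps S220 and S230: each message record is marked with a domain trust class (credible, partially credible, untrustworthy), a protocol characteristic (whether the destination port is the one expected for the protocol) and a data characteristic (transfer size), and the records are then sorted so the least trusted and most anomalous come first. The reference domain lists, the rule that an unlisted domain is treated as partially credible, the expected-port table and the size threshold are all this example's own assumptions.

```python
"""Sort and mark message records by domain name, protocol characteristics and
data characteristics (steps S220/S230).

Added example, not code from the patent. The domain lists, the expected-port
table, the size threshold and the sort order are constructed assumptions."""
from enum import Enum
from typing import List, Tuple


class Trust(Enum):
    CREDIBLE = "credible"
    PARTIAL = "partially credible"
    UNTRUSTED = "untrustworthy"


# Constructed reference lists (placeholders, not a real allow/block list).
CREDIBLE_DOMAINS = {"api.example.com", "update.example.com"}
UNTRUSTED_DOMAINS = {"bad.example.net"}

# Constructed table: destination port normally used by each application protocol.
EXPECTED_PORT = {"HTTP": 80, "HTTPS": 443, "DNS": 53}
LARGE_TRANSFER_BYTES = 100_000  # constructed size threshold for "large" transfers


def _parent(domain: str) -> str:
    return domain.split(".", 1)[1] if "." in domain else domain


def classify_domain(domain: str) -> Tuple[Trust, str]:
    """Three-way trust classification with the reason, so the mark is auditable."""
    d = domain.lower().rstrip(".")
    if d in UNTRUSTED_DOMAINS or any(d.endswith("." + u) for u in UNTRUSTED_DOMAINS):
        return Trust.UNTRUSTED, "listed as untrustworthy (or a subdomain of one)"
    if d in CREDIBLE_DOMAINS:
        return Trust.CREDIBLE, "listed as credible"
    if _parent(d) in {_parent(c) for c in CREDIBLE_DOMAINS}:
        return Trust.PARTIAL, "shares a parent domain with a credible entry"
    # Assumption of this example: unknown domains are neither trusted nor blocked.
    return Trust.PARTIAL, "unknown domain, no evidence either way"


def mark_record(rec: dict) -> dict:
    """Attach trust, protocol and data marks to one record without mutating it."""
    trust, reason = classify_domain(rec["domain"])
    expected = EXPECTED_PORT.get(rec["protocol"])
    return {
        **rec,
        "trust": trust,
        "trust_reason": reason,
        # Protocol characteristic: service on a non-standard port is worth a look.
        "port_mismatch": expected is not None and expected != rec["dst_port"],
        # Data characteristic: size class of the transfer.
        "large_transfer": rec["bytes"] >= LARGE_TRANSFER_BYTES,
    }


RANK = {Trust.UNTRUSTED: 0, Trust.PARTIAL: 1, Trust.CREDIBLE: 2}


def sort_and_mark(records: List[dict]) -> List[dict]:
    """Mark every record, then order: untrusted first, port mismatches before
    matches within a trust class, larger transfers first within that."""
    marked = [mark_record(r) for r in records]
    marked.sort(key=lambda r: (RANK[r["trust"]], not r["port_mismatch"], -r["bytes"]))
    return marked


# Constructed sample records (fields as a collector might emit them).
SAMPLE_RECORDS = [
    {"domain": "api.example.com", "protocol": "HTTPS", "dst_port": 443, "bytes": 2048},
    {"domain": "cdn.example.com", "protocol": "HTTPS", "dst_port": 8443, "bytes": 250_000},
    {"domain": "c2.bad.example.net", "protocol": "DNS", "dst_port": 53, "bytes": 512},
    {"domain": "unknown-host.example.org", "protocol": "HTTP", "dst_port": 80, "bytes": 50},
]
```

Keeping the `trust_reason` alongside the class matters in practice: the same "partially credible" label covers a sibling of a trusted domain and a domain nobody has looked at yet, and an analyst reviewing the sorted output needs to tell those apart.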
Step S240: the sorted message data are randomly divided into a training set and a test set at a preset ratio, the training set is loaded to start neural network training, and the neural network under training is tested.
Step S250: if the precision of the test output result meets the set threshold, training of the neural network is finished; if it does not reach the set precision, training of the neural network is restarted until it is finished.
In some embodiments, a neural network trained by deep learning is used: the network model is integrated into the network security monitor, which is installed on a computing terminal; the terminal may be a router, a switch, a server or an independent monitoring device. The computing terminal is connected to an Ethernet interface in parallel with the network, judges the network traffic in real time, and executes a preset action if suspicious data are found. Meanwhile, the computing terminal keeps learning from the current network traffic, so its identification precision keeps improving.
With a machine learning method, the training and computing terminal judges the security state intelligently from the network traffic and then makes a decision. The method captures traffic from the network over a certain period, sorts and marks the traffic data, and at the same time constructs and marks corresponding data as a training set from the various potential security hazard characteristics published by domestic and international security agencies. After training, the terminal is put into online operation, the passing messages are sampled, the data are sorted, and a security assessment is made according to the training model. Once a new potential security hazard has been confirmed, the corresponding data can be learned incrementally in time, so that the new hazard is mastered quickly. Dynamic incremental learning continues during actual operation, so the monitor keeps tracking security technology at all times. Each input message is split into specified categories, then matched and evaluated; if a potential security hazard is found, a report is output to the management platform and a decision is executed according to the preset requirement. The management station in turn assesses the reports it receives, and this assessment is fed back to the devices as incremental learning data. If the management console finds new potential security hazard characteristics, these can also be fed to the devices as learning samples.
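An added example (not the patent's code) covering steps S120, S240 and S250 and the incremental learning described above: flows are split 8:2 into training and test sets, a classifier is trained and its test accuracy is checked against a threshold with restarts if it falls short, and a newly confirmed hazard pattern is then learned incrementally from the running model rather than by retraining from scratch. The model is a hand-written logistic regression standing in for the patent's neural network; the four flow features, the sample flows, the 0.9 threshold and the replay-based update are all this example's constructed assumptions.

```python
"""8:2 split, threshold-gated training with restarts, and incremental learning
for a flow classifier (steps S120/S240/S250 and the incremental-learning text).

Added example, not code from the patent. The model is a plain logistic
regression standing in for the neural network; features, samples, the 0.9
threshold and the replay-based update are constructed assumptions."""
import math
import random

# Constructed per-flow features, each scaled to 0..1:
#   [syn_rate, bytes_out_ratio, distinct_dst_ports, dns_txt_ratio]
FEATURES = 4


def make_flows(rng, n, lows, highs, label):
    """Constructed samples: each feature drawn uniformly from its [low, high] band."""
    return [([rng.uniform(lo, hi) for lo, hi in zip(lows, highs)], label) for _ in range(n)]


def constructed_dataset(seed=7):
    """50 benign flows (all rates low) and 50 malicious flows (scan-like: all high);
    the dns_txt_ratio feature is 0 for every flow, i.e. not yet a known hazard."""
    rng = random.Random(seed)
    benign = make_flows(rng, 50, [0.0] * 4, [0.2, 0.2, 0.2, 0.0], 0)
    malicious = make_flows(rng, 50, [0.8, 0.8, 0.8, 0.0], [1.0, 1.0, 1.0, 0.0], 1)
    data = benign + malicious
    rng.shuffle(data)
    return data


def split(data, ratio=0.8, seed=0):
    """S240: randomly divide into training and test sets at the preset ratio (8:2)."""
    rng = random.Random(seed)
    data = list(data)
    rng.shuffle(data)
    cut = int(len(data) * ratio)
    return data[:cut], data[cut:]


class LogisticModel:
    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.w = [rng.uniform(-0.01, 0.01) for _ in range(FEATURES)]
        self.b = 0.0

    def score(self, x):
        return sum(wi * xi for wi, xi in zip(self.w, x)) + self.b

    def prob(self, x):
        z = self.score(x)  # numerically safe sigmoid
        return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))

    def predict(self, x):
        return 1 if self.score(x) >= 0 else 0

    def fit(self, data, epochs=300, lr=0.5):
        """Full-batch gradient descent on the logistic loss; continues from current weights."""
        n = len(data)
        for _ in range(epochs):
            gw, gb = [0.0] * FEATURES, 0.0
            for x, y in data:
                r = self.prob(x) - y
                for i in range(FEATURES):
                    gw[i] += r * x[i]
                gb += r
            for i in range(FEATURES):
                self.w[i] -= lr * gw[i] / n
            self.b -= lr * gb / n
        return self


def accuracy(model, data):
    return sum(model.predict(x) == y for x, y in data) / len(data)


def train_until_threshold(train, test, threshold=0.9, max_restarts=3):
    """S250: finished when test precision meets the threshold, else restart training."""
    for restart in range(max_restarts + 1):
        model = LogisticModel(seed=restart).fit(train)
        acc = accuracy(model, test)
        if acc >= threshold:
            return {"finished": True, "model": model, "accuracy": acc, "restarts": restart}
    return {"finished": False, "model": model, "accuracy": acc, "restarts": max_restarts}


def incremental_update(model, new_samples, replay, epochs=300, lr=0.5):
    """Learn a newly confirmed hazard without retraining from scratch. Replaying the
    old training set alongside the new samples limits forgetting (this example's choice)."""
    return model.fit(list(new_samples) + list(replay), epochs=epochs, lr=lr)


def demo():
    """Returns (training result, accuracy on the new hazard before and after the
    incremental update, accuracy on the original test set after the update)."""
    train, test = split(constructed_dataset(), ratio=0.8)
    result = train_until_threshold(train, test)
    # Constructed "new hazard": benign-looking rates but heavy DNS TXT traffic,
    # a pattern that was absent from the original training data.
    new_hazard = make_flows(random.Random(11), 20, [0.0, 0.0, 0.0, 0.8], [0.2, 0.2, 0.2, 1.0], 1)
    before = accuracy(result["model"], new_hazard)
    incremental_update(result["model"], new_hazard, train)
    after = accuracy(result["model"], new_hazard)
    return result, before, after, accuracy(result["model"], test)
```

Before the update the model cannot see the new hazard at all: the `dns_txt_ratio` feature was zero in every original flow, so its weight was never trained and the new flows look benign. After the incremental update on the confirmed samples (with the old training set replayed) the new pattern is recognized while the original test set is still classified correctly, which is the property the incremental-learning step has to preserve.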
Example 3
Referring to fig. 3, fig. 3 is a schematic diagram of a network security monitoring system module according to an embodiment of the present invention, which is shown as follows:
the acquisition module 10 is used for acquiring and storing real-time monitoring network security log message data;
the analysis module 20 is configured to sort and label the stored message data, and analyze network description information in the sorted message data;
the sampling module 30 is used for making safety evaluation on the sorted message data according to a neural network training model, putting the sorted message data into on-line operation after training, and sampling the passed message;
and the output module 40 is used for outputting a report and executing a decision according to a preset requirement if the sampling result shows potential safety hazard.
As shown in fig. 4, an embodiment of the present application provides an electronic device, which includes a memory 101 for storing one or more programs and a processor 102. The one or more programs, when executed by the processor 102, implement the method of any of the first aspects described above.
A communication interface 103 is also included, and the memory 101, processor 102 and communication interface 103 are electrically connected to each other, directly or indirectly, to enable the transfer or interaction of data. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 101 may be used to store software programs and modules, and the processor 102 executes the software programs and modules stored in the memory 101 so as to execute various functional applications and data processing. The communication interface 103 may be used for communicating signalling or data with other node devices.
The memory 101 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 102 may be an integrated circuit chip with signal processing capability. The processor 102 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In the embodiments provided in the present application, it should be understood that the disclosed method and system can be implemented in other ways. The method and system embodiments described above are merely illustrative; for example, the flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of methods, systems and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special-purpose hardware-based systems which perform the specified functions or acts, or by combinations of special-purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In another aspect, embodiments of the present application provide a computer-readable storage medium on which a computer program is stored which, when executed by the processor 102, implements the method according to any one of the first aspect described above. The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
In summary, the network security monitoring method and system provided by the embodiments of the present application can determine the type of security risk by monitoring and analyzing massive volumes of network security logs in real time, and can perform the corresponding processing, thereby ensuring efficient execution of the network security function. By training a neural network model, the system can identify malicious network traffic and evaluate the network security state in real time, which addresses the lag of the prior art; it can also predict the security state, giving it foresight and predictability, and it can learn the latest security techniques while monitoring, so that it keeps pace with the times and does not easily become obsolete.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (10)

1. A network security monitoring method is characterized by comprising the following steps:
acquiring and storing real-time monitoring network security log message data;
sorting and marking the stored message data, and analyzing network description information in the sorted message data;
performing security evaluation on the sorted message data according to a neural network training model, putting the sorted message data into on-line operation after training, and sampling the passed messages;
and if the sampling result shows a potential security hazard, outputting a report and executing a decision according to a preset requirement.
2. The network security monitoring method of claim 1, wherein the acquiring and storing the real-time monitoring network security log message data comprises:
a traffic splitter performs a traffic mirroring operation on the message data of the monitored IP address, and the network security monitoring then monitors the mirrored message data in real time.
3. The network security monitoring method of claim 2, further comprising:
the method for acquiring the network security log message data is set according to an information acquisition interface of a network security site, an update frequency is set so that the network security log message data is acquired continuously, and the network security log message data acquired each time is stored in a database as an entry.
4. The network security monitoring method of claim 1, wherein the sorting and labeling of the stored message data, and the analyzing of the network description information in the sorted message data comprises:
sorting and marking the stored message data according to domain name, protocol characteristics and data characteristics, wherein the domain name is classified according to its security into three categories: trusted, untrusted and partially trusted.
5. The network security monitoring method of claim 4, further comprising:
analyzing the sorted network description information, wherein the network description information comprises IP information, description texts and execution results.
6. The network security monitoring method of claim 1, wherein performing the security evaluation on the sorted message data according to the neural network training model, putting the sorted message data into on-line operation after training, and sampling the passed message data comprises:
randomly dividing the sorted message data into a training set and a test set according to a preset proportion, loading the training set to start neural network training, and testing the neural network during training.
7. The network security monitoring method of claim 6, further comprising:
if the precision of the test output result meets the set threshold, training of the neural network is finished; if the precision of the test output result does not reach the set precision, the neural network is restarted until training is finished.
8. A network security monitoring system, comprising:
the acquisition module is used for acquiring and storing real-time monitoring network security log message data;
the analysis module is used for sorting and marking the stored message data and analyzing the network description information in the sorted message data;
the sampling module is used for performing security evaluation on the sorted message data according to the neural network training model, putting the sorted message data into on-line operation after training, and sampling the passed messages;
and the output module is used for outputting a report and executing a decision according to a preset requirement if the sampling result shows a potential security hazard.
9. The network security monitoring system of claim 8, comprising:
at least one memory for storing computer instructions;
at least one processor in communication with the memory, wherein the at least one processor, when executing the computer instructions, causes the system to implement the acquisition module, the analysis module, the sampling module and the output module.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-7.
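The claims above describe one procedure: acquire and store log messages, sort and mark them by domain trust, protocol and data features, randomly divide them into training and test sets at a preset proportion, train a neural network until its test precision meets a set threshold (restarting otherwise), then sample the passed messages and report any potential hazard. The Python script below is an added worked example of that procedure, not code from the patent or its applicants. It stands in a single perceptron neuron for the "neural network training model", reads the claims' "precision" as held-out accuracy, and uses a constructed trust list (`DOMAIN_TRUST`), constructed protocol and payload-size features, a constructed labelled corpus, and constructed values for the training ratio and the precision threshold; every domain, IP address, constant and function name is an assumption made for this illustration.

```python
"""Added example (not the patent's code): toy version of the claimed pipeline."""
import random

# Constructed trust list standing in for claim 4's three domain categories;
# any domain not listed is treated as untrusted.
DOMAIN_TRUST = {"updates.corp.example": "trusted",
                "cdn.partner.example": "partially_trusted"}
TRUST_SCORE = {"trusted": 0.0, "partially_trusted": 0.5, "untrusted": 1.0}
ODD_PROTOCOLS = {"raw-tcp", "irc"}  # protocol feature (constructed rule)
LARGE_PAYLOAD = 4096                # data feature: payloads above this are "large"
TRAIN_RATIO = 0.7                   # claim 6's preset proportion (constructed value)
PRECISION_THRESHOLD = 0.9           # claim 7's set threshold (constructed value)

def domain_trust(domain):
    return DOMAIN_TRUST.get(domain, "untrusted")

def features(msg):
    """Mark one stored message as [domain trust, odd protocol, large payload, bias]."""
    return [TRUST_SCORE[domain_trust(msg["domain"])],
            1.0 if msg["protocol"] in ODD_PROTOCOLS else 0.0,
            1.0 if msg["bytes"] > LARGE_PAYLOAD else 0.0,
            1.0]

def sort_and_mark(messages):
    """Claim 4: feature vector plus analyst label (+1 hazardous, -1 benign)."""
    return [(features(m), 1 if m["hazard"] else -1) for m in messages]

def split(marked, ratio, rng):
    """Claim 6: random division into training and test sets at a preset ratio."""
    shuffled = marked[:]
    rng.shuffle(shuffled)
    cut = int(len(shuffled) * ratio)
    return shuffled[:cut], shuffled[cut:]

def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))

def train_perceptron(train, rng, max_epochs=2000):
    """Single-neuron model trained with the perceptron rule; on linearly separable
    data it stops with zero training errors. Returns (weights, converged)."""
    w = [0.0] * len(train[0][0])
    order = train[:]
    for _ in range(max_epochs):
        rng.shuffle(order)  # a different presentation order on each epoch/restart
        errors = 0
        for x, y in order:
            if y * dot(w, x) <= 0:
                w = [wi + y * xi for wi, xi in zip(w, x)]
                errors += 1
        if errors == 0:
            return w, True
    return w, False

def predict(w, x):
    return 1 if dot(w, x) > 0 else -1

def precision(w, test):
    """Fraction of held-out messages classified correctly (the claims' 'precision')."""
    return sum(predict(w, x) == y for x, y in test) / len(test)

def train_until_threshold(marked, rng, max_rounds=3):
    """Claim 7: accept the model once held-out precision meets the threshold;
    otherwise start again with a fresh split and a fresh training pass."""
    for round_no in range(1, max_rounds + 1):
        train, test = split(marked, TRAIN_RATIO, rng)
        w, _ = train_perceptron(train, rng)
        p = precision(w, test)
        if p >= PRECISION_THRESHOLD:
            break
    return {"weights": w, "test_precision": p, "rounds": round_no,
            "accepted": p >= PRECISION_THRESHOLD}

def sample_and_report(w, passed, every_nth=2):
    """Claims 1 and 5: sample the passed messages, evaluate each sample and report
    those showing a potential hazard together with their network description."""
    report = []
    for msg in passed[::every_nth]:
        if predict(w, features(msg)) == 1:
            report.append({"ip": msg["ip"], "domain": msg["domain"],
                           "trust": domain_trust(msg["domain"]),
                           "description": "%s to %s, %d bytes"
                           % (msg["protocol"], msg["domain"], msg["bytes"])})
    return report

def constructed_log_messages(copies=10):
    """Constructed corpus covering every combination of the three features. Toy
    labelling rule: hazardous when at least two risk indicators are present."""
    msgs = []
    for i in range(copies):
        for d in ["updates.corp.example", "cdn.partner.example", "unknown-host.example"]:
            for proto, size in [("https", 512), ("https", 65536),
                                ("raw-tcp", 512), ("raw-tcp", 65536)]:
                risk = sum(features({"domain": d, "protocol": proto, "bytes": size})[:3])
                msgs.append({"ip": "10.0.%d.%d" % (i, len(msgs) % 250), "domain": d,
                             "protocol": proto, "bytes": size, "hazard": risk >= 2})
    return msgs

def train_on_all(seed=1):
    """Sanity check: train on the whole corpus, return (converged, in-sample precision)."""
    marked = sort_and_mark(constructed_log_messages())
    w, converged = train_perceptron(marked, random.Random(seed))
    return converged, precision(w, marked)

def run_pipeline(seed=7):
    """End to end: mark, split, train to threshold, then sample a constructed stream
    of passed messages (mirrored from the monitored address, claim 2) and report."""
    rng = random.Random(seed)
    result = train_until_threshold(sort_and_mark(constructed_log_messages()), rng)
    passed = [{"ip": "10.1.0.5", "domain": "updates.corp.example", "protocol": "https", "bytes": 900},
              {"ip": "10.1.0.6", "domain": "unknown-host.example", "protocol": "raw-tcp", "bytes": 300},
              {"ip": "10.1.0.7", "domain": "cdn.partner.example", "protocol": "raw-tcp", "bytes": 70000},
              {"ip": "10.1.0.8", "domain": "unknown-host.example", "protocol": "https", "bytes": 128}]
    result["report"] = sample_and_report(result["weights"], passed, every_nth=2)
    return result

if __name__ == "__main__":
    r = run_pipeline()
    print("accepted=%s precision=%.2f rounds=%d" % (r["accepted"], r["test_precision"], r["rounds"]))
    for entry in r["report"]:
        print("REPORT", entry)
```

The toy labelling rule is linearly separable, so the perceptron's convergence guarantee makes the threshold check deterministic here; with real log data the model, the features and the threshold all need validation against a held-out set that the training loop never sees, which is the point of claim 7's split-then-test structure. Note also that sampling every n-th passed message (the claims' "sampling the passed messages") means a hazard in an unsampled message is not reported, so the sampling rate is itself a detection-coverage parameter to tune.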
CN202110442667.7A 2021-04-23 2021-04-23 Network security monitoring method and system Pending CN113242218A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110442667.7A CN113242218A (en) 2021-04-23 2021-04-23 Network security monitoring method and system

Publications (1)

Publication Number Publication Date
CN113242218A true CN113242218A (en) 2021-08-10

Family

ID=77128962

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110442667.7A Pending CN113242218A (en) 2021-04-23 2021-04-23 Network security monitoring method and system

Country Status (1)

Country Link
CN (1) CN113242218A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483472A (en) * 2017-09-05 2017-12-15 中国科学院计算机网络信息中心 A kind of method, apparatus of network security monitoring, storage medium and server
CN107682351A (en) * 2017-10-20 2018-02-09 携程旅游网络技术(上海)有限公司 Method, system, equipment and the storage medium of network security monitoring
CN111786950A (en) * 2020-05-28 2020-10-16 中国平安财产保险股份有限公司 Situation awareness-based network security monitoring method, device, equipment and medium
CN112311744A (en) * 2019-08-02 2021-02-02 南京信安融慧网络技术有限公司 Monitoring system and monitoring method for monitoring network security in real time

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598621A (en) * 2022-03-07 2022-06-07 广东电网有限责任公司 Power communication network reliability assessment system
CN114598621B (en) * 2022-03-07 2023-09-05 广东电网有限责任公司 Power communication network reliability evaluation system
CN115361308A (en) * 2022-08-19 2022-11-18 一汽解放汽车有限公司 Industrial control network data risk determination method, device, equipment and storage medium
CN115510984A (en) * 2022-09-29 2022-12-23 刘家杰 Anti-intrusion method and system for payment platform and cloud platform
CN115510984B (en) * 2022-09-29 2024-01-02 广州合利宝支付科技有限公司 Anti-intrusion method and system for payment platform and cloud platform
CN115604018A (en) * 2022-11-02 2023-01-13 广东网安科技有限公司(Cn) Network security monitoring method, system, equipment and storage medium
CN116775496A (en) * 2023-07-20 2023-09-19 哈尔滨梦思达数据科技开发有限公司 Computer network test system and method based on big data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20210810