CN113573350A - Wireless equipment risk monitoring method and device - Google Patents


Info

Publication number
CN113573350A
Authority
CN
China
Prior art keywords
risk
communication
communication address
wireless device
target wireless
Legal status
Pending
Application number
CN202110667622.XA
Other languages
Chinese (zh)
Inventor
盛洋
康宇
Current Assignee
Sina Technology China Co Ltd
Original Assignee
Sina Technology China Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 24/00 Supervisory, monitoring or testing arrangements
    • H04W 24/08 Testing, supervising or monitoring using real traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/67 Risk-dependent, e.g. selecting a security level depending on risk profiles

Abstract

The invention discloses a method and a device for monitoring risks of wireless equipment, which are used to solve the problem of inefficient location of high-risk wireless equipment. The scheme includes: obtaining communication traffic data of at least one wireless device; processing the communication traffic data to obtain log data; according to the log data of the at least one wireless device, taking as a target wireless device any wireless device whose communication address lies within a preset risk communication address range and whose sum of traffic values within a preset time interval is larger than the traffic early-warning value for that interval; determining the risk control strategy corresponding to the target wireless device according to a preset correspondence between communication addresses and risk control strategies; and executing the corresponding risk control on the target wireless device according to the risk control strategy. The method and the device can quickly and accurately determine high-risk target wireless devices based on traffic, perform risk control on them based on the risk control strategy, and thus help to control the risk promptly and effectively.

Description

Wireless equipment risk monitoring method and device
Technical Field
The present invention relates to the field of communications, and in particular, to a method and an apparatus for risk monitoring of a wireless device.
Background
In the field of communication technology, after wireless devices access a network system, the network system may become overloaded because the traffic of the wireless devices is excessive. Excessive traffic from some of the wireless devices may be caused by malicious scanning behaviour, hacking attacks and the like. Since malicious attacks take many forms, it is often difficult to determine accurately and quickly which risky wireless devices are causing the overload of the network system, so the risk is difficult to block quickly.
How to locate high-risk wireless equipment accurately and quickly is the technical problem to be solved by the present application.
Disclosure of Invention
The embodiments of the present application aim to provide a wireless device risk monitoring method and a wireless device risk monitoring apparatus for solving the problem of inefficient location of high-risk wireless equipment.
In a first aspect, a method for risk monitoring of a wireless device is provided, including:
obtaining communication traffic data of at least one wireless device;
processing the communication traffic data to obtain log data, wherein the log data comprises a communication address, a traffic value and a timestamp;
according to the log data of the at least one wireless device, taking as a target wireless device any wireless device whose communication address lies within a preset risk communication address range and whose sum of traffic values within a preset time interval is larger than the traffic early-warning value for that interval;
determining the risk control strategy corresponding to the target wireless device according to a correspondence between a preset communication address and the risk control strategy;
and executing the corresponding risk control on the target wireless device according to the risk control strategy.
In a second aspect, a wireless device risk monitoring apparatus is provided, including:
an acquisition module, which acquires communication traffic data of at least one wireless device;
a processing module, which processes the communication traffic data to obtain log data, the log data comprising a communication address, a traffic value and a timestamp;
a first determining module, which, according to the log data of the at least one wireless device, takes as a target wireless device any wireless device whose communication address lies within a preset risk communication address range and whose sum of traffic values within a preset time interval is greater than the traffic early-warning value for that interval;
a second determining module, which determines the risk control strategy corresponding to the target wireless device according to the correspondence between a preset communication address and the risk control strategy;
and a control module, which executes the corresponding risk control on the target wireless device according to the risk control strategy.
In a third aspect, an electronic device is provided, the electronic device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the steps of the method according to the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, realizes the steps of the method as in the first aspect.
In the embodiments of the present application, communication traffic data of at least one wireless device is obtained; the communication traffic data is processed to obtain log data, wherein the log data comprises a communication address, a traffic value and a timestamp; according to the log data of the at least one wireless device, any wireless device whose communication address lies within a preset risk communication address range and whose sum of traffic values within a preset time interval is larger than the traffic early-warning value for that interval is taken as a target wireless device; the risk control strategy corresponding to the target wireless device is determined according to a correspondence between a preset communication address and the risk control strategy; and the corresponding risk control is executed on the target wireless device according to the risk control strategy. The scheme of the embodiments can quickly and accurately determine high-risk target wireless devices based on traffic, then perform risk control on them based on the risk control strategy, and thus helps to control the risk promptly and effectively.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
Fig. 1 is a first flowchart illustrating a method for risk monitoring of a wireless device according to an embodiment of the present invention.
Fig. 2 is a second flowchart illustrating a method for risk monitoring of a wireless device according to an embodiment of the present invention.
Fig. 3 is a third flowchart illustrating a method for risk monitoring of a wireless device according to an embodiment of the present invention.
Fig. 4 is a fourth flowchart illustrating a method for risk monitoring of a wireless device according to an embodiment of the invention.
Fig. 5 is a fifth flowchart illustrating a method for risk monitoring of a wireless device according to an embodiment of the invention.
Fig. 6 is a sixth flowchart illustrating a method for risk monitoring of a wireless device according to an embodiment of the present invention.
Fig. 7 is a schematic structural diagram of a system applying the wireless device risk monitoring method according to an embodiment of the present invention.
Fig. 8 is a schematic structural diagram of a wireless device risk monitoring apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. The reference numbers in the present application are only used for distinguishing the steps in the scheme and are not used for limiting the execution sequence of the steps, and the specific execution sequence is described in the specification.
In risk monitoring scenarios in the field of communication technology, the native monitoring mechanism built into the wireless device access system is usually relied upon. Such a mechanism makes it difficult to implement an early-warning mechanism that effectively locates the risk and traces the wireless access devices that cause network traffic overload back to their source; in particular, it cannot locate the devices that create processing bottlenecks for the wireless devices and thereby drive the network traffic load too high. It is also difficult to determine whether the traffic of an access device is caused by malicious scanning of the intranet or by a hacker organisation using the device to execute a Distributed Denial of Service (DDoS) attack or the like, so high-risk wireless devices cannot be located quickly and efficiently.
In order to solve the problems in the prior art, an embodiment of the present application provides a method for monitoring a risk of a wireless device, as shown in fig. 1, including the following steps:
S11: communication traffic data of at least one wireless device is obtained.
In the embodiment of the present application, the communication traffic data of the wireless device may be monitored, copied and forwarded to a server so that it can be processed further in the subsequent steps. The server may be, for example, a Linux server on which Suricata is deployed; Suricata extracts the key fields of the communication traffic data and stores them as logs, and the logs are then forwarded by KafkaCat to a Kafka queue. Subsequently, the data in the Kafka queue can be read by the log aggregation management system Graylog and saved in an ElasticSearch cluster database for subsequent association analysis.
S12: and processing based on the communication flow data to obtain log data, wherein the log data comprises a communication address, a flow value and a timestamp.
For example, in this step the communication traffic data may be read by Suricata and a log file generated. The log file is then read by KafkaCat and sent to a Kafka queue, Graylog reads the queue data and stores it in the ElasticSearch database, and the log format can be as follows:
[ Source IP ] [ destination IP ] [ network packet size ] [ timestamp ]
Here IP is the abbreviation of Internet Protocol, the Internet-layer protocol of the TCP/IP suite. The source IP is the source communication address, the destination IP is the destination communication address, and the network packet size may be used to determine the traffic value in the log data. A timestamp is data generated using digital signature techniques that can be used to prove that the corresponding communication traffic data existed before the time of the signature.
Optionally, the log data may include only the source IP or only the destination IP, or may include both the source IP and the destination IP.
In addition, the log data can be written to a database so that it can be stored and retrieved. Optionally, the log data may be stored in the ElasticSearch database in the following format:
[ INDEX NAME ] [ SOURCE IP ] [ DESTINATION IP ] [ NETWORK PACKET SIZE ] [ TIMESTAMP ]
Here [ index name ] may refer to the index name of the ElasticSearch table. It should be understood that other types of databases may be used according to actual requirements, and that the log data may be stored in other formats.
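The description above names the tools (Suricata, KafkaCat, Kafka, Graylog, ElasticSearch) but does not show how a captured flow is reduced to the four-field log line and the five-field stored record. The following is an added example, not code from the patent or from any of those projects: it reduces JSON lines in the shape of Suricata's EVE "flow" events to the page's [ source IP ] [ destination IP ] [ network packet size ] [ timestamp ] line and to a dictionary in the stored-record layout. The EVE field names (event_type, src_ip, dest_ip, flow.bytes_toserver, flow.bytes_toclient) are an assumption about which Suricata output is used, the sample records are constructed, the key names in the dictionary are this example's own choice, and the Kafka/Graylog transport is left out because it cannot run offline.

```python
import json

# Constructed sample: JSON lines in the shape of Suricata EVE events. The page does not show Suricata's
# raw output, so the field names below are an assumption (EVE "flow" records) and all values are made up.
# The second line is an "alert" event, not a flow, and the last line is corrupted on purpose.
EVE_LINES = [
    json.dumps({"timestamp": "2021-06-16T10:00:05.000000+0800", "event_type": "flow",
                "src_ip": "10.20.1.15", "src_port": 51234, "dest_ip": "203.0.113.7", "dest_port": 443,
                "proto": "TCP", "flow": {"pkts_toserver": 6, "pkts_toclient": 4,
                                         "bytes_toserver": 900, "bytes_toclient": 600}}),
    json.dumps({"timestamp": "2021-06-16T10:00:06.000000+0800", "event_type": "alert",
                "src_ip": "10.20.1.15", "dest_ip": "203.0.113.7",
                "alert": {"signature": "constructed sample alert", "severity": 3}}),
    json.dumps({"timestamp": "2021-06-16T10:00:30.000000+0800", "event_type": "flow",
                "src_ip": "10.20.2.40", "src_port": 40000, "dest_ip": "203.0.113.7", "dest_port": 80,
                "proto": "TCP", "flow": {"pkts_toserver": 3, "pkts_toclient": 2,
                                         "bytes_toserver": 500, "bytes_toclient": 400}}),
    "{not valid json",
]


def flow_fields(record):
    """Extract (source IP, destination IP, network packet size, timestamp) from one EVE flow event.

    Returns None for any other event type. The page's "network packet size" is taken here as the
    bytes carried in both directions of the flow; that reading is this example's assumption.
    """
    if record.get("event_type") != "flow":
        return None
    flow = record.get("flow", {})
    size = int(flow.get("bytes_toserver", 0)) + int(flow.get("bytes_toclient", 0))
    return record["src_ip"], record["dest_ip"], size, record["timestamp"]


def normalize(raw_lines):
    """Turn a batch of EVE JSON lines into field tuples, skipping non-flow and malformed lines.

    A corrupted line is dropped rather than aborting the batch, so one bad record cannot stall
    the collection pipeline that the later detection steps depend on.
    """
    out = []
    for raw in raw_lines:
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue
        fields = flow_fields(record)
        if fields is not None:
            out.append(fields)
    return out


def format_log_line(fields):
    """Render the page's log line: [ source IP ] [ destination IP ] [ network packet size ] [ timestamp ]."""
    src, dst, size, ts = fields
    return f"[ {src} ] [ {dst} ] [ {size} ] [ {ts} ]"


def to_es_document(index_name, fields):
    """Render the stored record [ INDEX NAME ] [ SOURCE IP ] [ DESTINATION IP ] [ NETWORK PACKET SIZE ] [ TIMESTAMP ]
    as a dictionary suitable for an ElasticSearch bulk index request (key names are this example's choice)."""
    src, dst, size, ts = fields
    return {"_index": index_name, "source_ip": src, "destination_ip": dst,
            "network_packet_size": size, "timestamp": ts}


if __name__ == "__main__":
    for fields in normalize(EVE_LINES):
        print(format_log_line(fields))
        print(to_es_document("wifi-access-2021.06.16", fields))
```

Only the two flow events survive normalisation; the alert and the corrupted line are dropped, which is the behaviour a practitioner wants from the collection stage since the detection rules in S13 only consume the four traffic fields.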
S13: according to the log data of the at least one wireless device, take as a target wireless device any wireless device whose communication address lies within the preset risk communication address range and whose sum of traffic values within the preset time interval is greater than the traffic early-warning value for that interval.
The preset risk communication address range, the preset time interval and the traffic early-warning value in this step may be used to indicate which wireless devices' communication is to be monitored, and also which key data needs to be monitored with particular attention. For example, the following may be preset:
[ ID ] [ Source IP network segment IP address range ] [ destination network segment IP address range ] [ detection interval time ] [ Pre-warning threshold ]
Here ID (identity document) may refer to the identifier of a preset rule. In practice, multiple sets of rules can be preset, each set including its own risk communication address range, time interval and traffic early-warning value, and one or more sets of rules are selected according to actual requirements for monitoring.
The source IP network segment IP address range and the destination network segment IP address range together form the risk communication address range of this step; in this embodiment, the risk communication address range specifically includes a risk source communication address range and a risk destination communication address range.
The detection interval time is the preset time interval of this step and may be expressed in various forms; for example, a preset time interval of "5 minutes" indicates that monitoring is performed in 5-minute intervals. In practice, whether a wireless device is the target wireless device may be determined from the communication traffic data within the 5 minutes before the current time.
The pre-warning threshold is the traffic early-warning value of this step; it corresponds to the preset time interval and may indicate the traffic value generated within that interval under normal conditions. If the traffic early-warning value is exceeded, the traffic of the wireless device is excessive and a risk often exists.
In addition, for convenience of storage and retrieval, the preset rule may also be stored in a database, for example in the following form:
[ INDEX NAME ] [ ID ] [ Source IP network segment IP Address Range ] [ destination network segment IP Address Range ] [ detection Interval time ] [ Pre-warning threshold ]
Here [ index name ] may refer to the index name of the ElasticSearch table.
S14: and determining a risk control strategy corresponding to the target wireless equipment according to the corresponding relation between the preset communication address and the risk control strategy.
In practical applications, different risk control strategies are often required to be implemented for different risks. The correspondence between the communication address and the risk control policy in this step may be preset according to an actual situation, so as to perform effective risk control for the risk existing in the target wireless device.
In this embodiment, the corresponding risk control policy is determined based on the communication address of the target wireless device. The risk control policy may specifically include a risk type, a risk content, and a risk control measure.
S15: and executing corresponding risk control on the target wireless equipment according to the risk control strategy.
In this step, a risk control measure is performed on the target wireless device according to the determined risk control policy. The risk control may be performed according to the respective risk type, risk content and risk control measures of the target wireless device, and multiple risk control measures may be implemented in practice in order to control the risk of the target wireless device quickly and efficiently.
According to the scheme provided by the embodiment of the application, communication traffic data of at least one wireless device is obtained; the communication traffic data is processed to obtain log data, wherein the log data comprises a communication address, a traffic value and a timestamp; according to the log data of the at least one wireless device, any wireless device whose communication address lies within a preset risk communication address range and whose sum of traffic values within a preset time interval is larger than the traffic early-warning value for that interval is taken as a target wireless device; the risk control strategy corresponding to the target wireless device is determined according to a correspondence between a preset communication address and the risk control strategy; and the corresponding risk control is executed on the target wireless device according to the risk control strategy. The scheme of the embodiment can quickly and accurately determine high-risk target wireless devices based on traffic, then perform risk control on them based on the risk control strategy, and thus helps to control the risk promptly and effectively.
In practice, the scheme copies the traffic of the wireless device access system, records the key network statistical fields of that traffic as logs for storage, and then performs threat association analysis on those key statistics together with other log data. Under the current network environment it traces the specific threat that causes the problem produced by a wireless access device back to its source: according to the specific IP and the statistics of the bandwidth it occupies, the specific security threat cause is analysed by association, including whether the problem IP device is performing malicious intranet scanning, is being attacked by a hacker organisation, and the like, so the method can be used for emergency response in security operations.
Based on the solution provided in the foregoing embodiment, optionally, the determining that the communication address of the target wireless device is located in the risk communication address range includes:
the source communication address of the target wireless device is within the risk source communication address range or the destination communication address of the target wireless device is within the risk destination communication address range.
In this embodiment, the risk communication address range includes a risk source communication address range for the source communication address and a risk destination communication address range for the destination communication address. In the step of determining whether the wireless device is a target wireless device, it may be determined whether the wireless device is at risk from both the source communication address and the destination communication address, respectively.
For example, a wireless device is determined to be a target wireless device when its source communication address is within a risk source communication address range and its destination communication address is within a risk destination communication address range.
By the scheme provided by the embodiment of the application, whether a wireless device is at risk can be determined from its source communication address and destination communication address, so that a target wireless device at risk can be quickly and efficiently identified.
Based on the solution provided by the foregoing embodiment, optionally, as shown in fig. 2, the foregoing step S14 includes:
S21: determining the risk control strategy corresponding to the destination communication address of the target wireless device according to the correspondence between the preset communication address and the risk control strategy.
In the solution provided by the embodiment of the present application, a risk control policy to be executed is determined for a destination communication address of a target wireless device. In practical applications, the destination communication address can indicate the type of risk, thereby facilitating determination of an effective risk control policy. By the scheme provided by the embodiment of the application, the effectiveness of the determined risk control strategy on the risk control of the target wireless equipment can be improved.
Based on the solution provided by the foregoing embodiment, optionally, as shown in fig. 3, after step S13, the method further includes:
S31: determining the alarm target corresponding to the source communication address of the target wireless device according to the correspondence between wireless devices and alarm targets.
In this step, the correspondence between the wireless device and the alarm target may be determined from the configuration management information of the CMDB, which may specifically include the identifier, communication address, communication mode or other information relevant to alerting the security operator. For example, the association information of the CMDB configuration management information system may be stored in the following form:
[ IP ] [ departments ] [ administrators ] [ contact means ]
The alarm target is the alarm target corresponding to the source communication address of the target wireless device in the preset alarm information. In practice, the alarm target may be determined by matching the IP in the CMDB configuration management information against the source IP of the target wireless device, and may specifically include information such as department, administrator and contact means.
S32: and executing the alarm to the alarm target according to the target wireless equipment and the log data of the target wireless equipment.
After the alarm target is determined, an alarm may be raised according to the department, administrator, contact means and so on recorded in the CMDB. Specifically, the information about the target wireless device and its log data may be sent to the corresponding department and administrator via the contact means recorded in the CMDB. A corresponding administrator can therefore check the progress of the risk control in time and intervene according to actual requirements, which further improves the effectiveness of the risk control.
Based on the solution provided in the foregoing embodiment, optionally, when the number of the target wireless devices is multiple, as shown in fig. 4, the foregoing step S15 includes:
S41: determining separately the sum of the traffic values of each target wireless device within the preset time interval.
In this embodiment, the number of target wireless devices may be large, and performing risk control on all of them increases the load on the system. Moreover, if a target wireless device is not transmitting or receiving packets, it will not cause an overload. In this step, the sum of the traffic values of each target wireless device within the preset time interval is determined separately. The sum of the traffic values is the sum of the sizes of the data packets in the communication traffic data of the target wireless device within the preset time interval.
S42: sorting the target wireless devices according to the sum of their traffic values.
In this step, the plurality of target wireless devices are ranked according to the traffic value sums determined in the previous step. For example, the target wireless devices are sorted in descending order of the sum of their traffic values, and a sorting result is generated.
S43: executing the corresponding risk control on a preset number of target wireless devices according to the sorting result.
When the sorting result is generated in the descending order described above, risk control may in this step be performed on the top preset number of target wireless devices in the sorting result. These target wireless devices carry a certain risk and have high communication traffic within the preset time interval, which may cause system overload. Performing risk control on the target wireless devices with the most communication traffic effectively avoids overloading the system, ensures system safety, and controls the risk effectively and in time.
Based on the solution provided by the foregoing embodiment, optionally, as shown in fig. 5, the foregoing step S12 includes:
S51: processing the communication traffic data of the at least one wireless device to obtain a plurality of communication traffic messages;
S52: inserting the communication traffic messages into a message queue;
S53: sequentially acquiring the communication traffic messages from the message queue and storing them in a database;
S54: analysing the communication traffic messages stored in the database to obtain the log data.
In practice, the communication traffic data can be copied and forwarded to another Linux server on which Suricata is deployed; Suricata extracts the key fields of the traffic data and stores them as logs, the logs are forwarded by KafkaCat to a Kafka queue, and the data in the Kafka queue is read by the log aggregation management system Graylog and stored in an ElasticSearch cluster database for subsequent threat association analysis.
Subsequently, the network traffic is read by Suricata to generate a log file, the log file is read by KafkaCat and sent to a Kafka queue, the queue data is read by Graylog and stored in the ElasticSearch database, and the log format is as follows:
[ Source IP ] [ destination IP ] [ network packet size ] [ timestamp ]
The following information log is formed by collecting the network traffic field data and writing it into an index table of the ElasticSearch database for storage; the split fields are as follows:
[ INDEX NAME ] [ SOURCE IP ] [ DESTINATION IP ] [ NETWORK PACKET SIZE ] [ TIMESTAMP ]
Here [ index name ] refers to the index name of the ElasticSearch table.
According to the scheme provided by the embodiment of the application, the key network data fields in the communication traffic data are obtained by Suricata and stored in a log file, the content of the log file is sent to a Kafka queue by KafkaCat, and the Graylog log collection system obtains the data from the Kafka queue and stores it in the ElasticSearch database. Security operators can create threat detection rules in advance through a threat detection rule creation system, according to the characteristics of malicious traffic threats present in the network traffic, and call the REST API provided by Graylog to send the rules to Graylog, which receives them and stores them in the ElasticSearch database. By periodically querying the REST (Representational State Transfer) API provided by Graylog, the wireless device access network traffic log data and the created threat detection rules are retrieved from the ElasticSearch database; statistics are computed on the key data fields in the wireless access device logs according to the retrieved threat detection rules, the key data fields are correlated with the CMDB configuration management information and the threat intelligence, and the analysis result is sent to the security operators for security incident emergency response.
This solution is further explained below with reference to fig. 6 and 7. Fig. 6 is a schematic flowchart of a method provided in an embodiment of the present application, and fig. 7 is a schematic structural diagram of a system to which the scheme provided in the embodiment of the present application can be applied.
According to the above scheme provided by the embodiment of the present application, a variety of information, such as the communication traffic data, CMDB configuration management information and threat intelligence base IP information, can be associated and analysed; for example, the following associated field information may be involved:
wireless device access system traffic log information
[ Source IP ] [ destination IP ] [ network packet size ] [ timestamp ]
Wireless device access threat detection rule information
[ ID ] [ Source IP network segment IP address range ] [ destination network segment IP address range ] [ detection interval time ] [ Pre-warning threshold ]
CMDB configuration management information system association information
[ IP ] [ departments ] [ administrators ] [ contact means ]
Threat intelligence repository IP query information
[ IP ] [ types of threats ] [ content of threats ]
Specifically, the main key log field data can be obtained through the REST API interface provided by Graylog, the communication traffic data is counted according to the established rules, and the REST API interfaces provided by the CMDB configuration management information system and the threat intelligence management system are used to obtain the corresponding systems' field data for correlation analysis.
The threat analysis system obtains a wireless equipment threat detection rule provided by safety operators in the ElasticSearch data according to a specified time period, generally a B-segment network address according to the contents of a [ source IP network segment IP address range ] and a [ target network segment IP address range ] in the rule, and for a [ source IP ] of a plurality of source IPs and a [ target IP ] which accord with a [ source IP network segment IP address range ] in network data in a wireless equipment access system, according to a [ detection interval time ] specified in wireless equipment access threat detection rule information, wherein the general content value is minutes and seconds, the current time is the retrieval starting time, the current time plus the [ detection interval time ] is the retrieval ending time, N source IPs and the [ IP ] which accord with the [ source IP network segment IP address range ] are counted, and the [ network packet communication size ] of the [ IP ] and the [ network packet size ] are calculated, the source IP and the destination IP are in a many-to-many relationship, and the correlation relationship is formed by counting the sum of the correspondence [ network packet size ] corresponding to the communication from the source IP to the destination IP from the specified starting time to the ending time, and can be stored in the following form:
[source IP 1], [destination IP 1], "current time", "current time + [detection interval time]", "total communication network packet size"
……
[source IP N], [destination IP N], "current time", "current time + [detection interval time]", "total communication network packet size"
The "total communication network packet size" of all records whose start time is "the current time" and whose end time is "the current time + [detection interval time]" is accumulated. If the sum is greater than the "early warning threshold" in the wireless device access threat detection rule information, a threat alert is raised; the N [source IP] values in the statistics table are associated with the [IP] of the CMDB configuration information system to obtain the [department], [administrator] and [contact means] corresponding to each "source IP", and the N [destination IP] values are associated with the [IP] of the threat intelligence repository IP query information to obtain the [threat type] and [threat content].
New statistical content is thereby formed, which can be stored in the following form:
[source IP 1] [department] [administrator] [contact means], [destination IP 1] [threat type] [threat content], "current time", "current time + [detection interval time]", "total communication network packet size"
……
[source IP N] [department] [administrator] [contact means], [destination IP N] [threat type] [threat content], "current time", "current time + [detection interval time]", "total communication network packet size"
Then the records are sorted in descending order of "total communication network packet size", and the N records whose "source IP" and "destination IP" occupy the most network bandwidth are sent to the security operator. From these N records the security operator obtains a ranked list of the "source IP" devices that contribute most to the overload of the wireless device access system's network communication, together with the "threat type" and "threat content" found in the threat intelligence for the accessed "destination IP"; the administrator of each "source IP" is notified, and security emergency response is carried out according to the severity of the "threat type" and "threat content", so that the risk is controlled effectively and in time.
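The rule evaluation and correlation described above, as an added example written for this page rather than code from the patent: it takes constructed log records, a constructed rule (source and destination network segments, a detection interval and an early warning threshold), a constructed CMDB table and a constructed threat intelligence table, sums the packet sizes of every source/destination pair inside one detection interval, raises the alert when the grand total exceeds the threshold, enriches each pair with department, administrator, contact, threat type and threat content, and returns the N pairs that consume the most bandwidth. All addresses, names, field names and the rule values are assumptions.

```python
"""Added example: evaluating one wireless device access threat detection rule.

Illustrative code written for this page, not the patent's implementation.
Log records, rule, CMDB and threat intelligence tables are constructed inline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Detection rule as described in the text (field names and values are assumptions).
RULE = {
    "source_range": ip_network("10.20.0.0/16"),         # [source IP network segment IP address range]
    "destination_range": ip_network("203.0.113.0/24"),  # [destination network segment IP address range]
    "interval": timedelta(minutes=5),                   # [detection interval time]
    "threshold_bytes": 1_000_000,                       # "early warning threshold"
    "top_n": 2,                                         # number of records sent to the operator
}

# Constructed CMDB configuration information: [IP] -> department, administrator, contact.
CMDB = {
    "10.20.1.5": {"department": "R&D", "administrator": "alice", "contact": "alice@example.invalid"},
    "10.20.7.9": {"department": "Ops", "administrator": "bob", "contact": "bob@example.invalid"},
}
# Constructed threat intelligence repository: [IP] -> threat type, threat content.
THREAT_INTEL = {
    "203.0.113.40": {"threat_type": "scanner", "threat_content": "mass port scanning source"},
    "203.0.113.77": {"threat_type": "ddos-c2", "threat_content": "botnet controller"},
}

START = datetime(2021, 6, 16, 10, 0, 0)  # "current time" (retrieval start)
# Constructed log data: (source IP, destination IP, network packet size in bytes, timestamp).
LOGS = [
    ("10.20.1.5", "203.0.113.40", 600_000, START + timedelta(minutes=1)),
    ("10.20.1.5", "203.0.113.40", 300_000, START + timedelta(minutes=2)),
    ("10.20.7.9", "203.0.113.77", 250_000, START + timedelta(minutes=3)),
    ("10.20.1.5", "203.0.113.77", 50_000, START + timedelta(minutes=4)),
    ("10.20.1.5", "203.0.113.40", 900_000, START + timedelta(minutes=6)),    # after the interval ends
    ("192.168.3.3", "203.0.113.40", 5_000_000, START + timedelta(minutes=1)),  # source outside the rule range
    ("10.20.1.5", "198.51.100.9", 5_000_000, START + timedelta(minutes=1)),    # destination outside the rule range
]


def aggregate(logs, rule, start):
    """Sum packet sizes per (source IP, destination IP) pair inside [start, start + interval)."""
    end = start + rule["interval"]
    totals = defaultdict(int)
    for src, dst, size, ts in logs:
        if not (start <= ts < end):
            continue
        if ip_address(src) not in rule["source_range"]:
            continue
        if ip_address(dst) not in rule["destination_range"]:
            continue
        totals[(src, dst)] += size
    return dict(totals)


def evaluate(logs, rule, start, cmdb, intel):
    """Return (alert, enriched records) where the records are the top-N pairs by total bytes.

    alert is True only when the sum over all pairs in the interval exceeds the threshold;
    in that case each pair is joined with CMDB and threat intelligence data and sorted
    in descending order of bandwidth consumed.
    """
    totals = aggregate(logs, rule, start)
    if sum(totals.values()) <= rule["threshold_bytes"]:
        return False, []
    records = []
    for (src, dst), size in totals.items():
        rec = {"source_ip": src, "destination_ip": dst, "start": start,
               "end": start + rule["interval"], "total_bytes": size}
        rec.update(cmdb.get(src, {"department": None, "administrator": None, "contact": None}))
        rec.update(intel.get(dst, {"threat_type": None, "threat_content": None}))
        records.append(rec)
    records.sort(key=lambda r: r["total_bytes"], reverse=True)
    return True, records[: rule["top_n"]]


if __name__ == "__main__":
    alert, top = evaluate(LOGS, RULE, START, CMDB, THREAT_INTEL)
    print("alert:", alert)
    for rec in top:
        print(rec)
```

The grand total in the window is 1,200,000 bytes (the 900,000-byte record at minute 6 and the two out-of-range records are excluded), which exceeds the assumed 1,000,000-byte threshold, so the two top records (alice's device talking to the scanner address, bob's device talking to the C2 address) are what the operator would receive.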
Risk monitoring in the communications field often has the following shortcomings: the specific device causing the wireless device traffic overload cannot be traced and located; the cause of a specific threat cannot be obtained; data cannot be collected directly from the access device system; and it cannot be determined which administrator owns the device that consumes the most bandwidth.
Specifically, current practice often relies on the fixed system health monitoring mechanism provided by the manufacturer of the wireless device access system, but this traditional mechanism offers no capability to trace the source of network bandwidth consumption. Once malicious scanning occurs inside the network, or an accessed device is used in a DDoS attack, the specific IP device cannot be traced and located.
Moreover, customized analysis software cannot be deployed on the manufacturer's equipment. The scheme provided by the embodiment of the application therefore deploys the related services on a separate server: the device's network traffic is copied to an ordinary Linux server, where the related threat data are analyzed and counted.
In addition, it is difficult to identify the person responsible for the IP device that caused a failure at the time of the failure; the closed third-party system cannot be associated with the configuration management information of the existing Configuration Management Database (CMDB), so the administrator and contact of the failing IP device are hard to locate and the threat alarm cannot be completed automatically.
In addition, the conventional Syslog output is only produced by the system itself; its content concerns user management information rather than the network traffic of a specific device, so the provided Syslog cannot determine the security threat of the device traffic. The log retention time is limited and cannot be defined by the user, and the effective retention period of the system's log data cannot be managed automatically.
The scheme provided by the embodiment of the application uses traffic copying to duplicate the network traffic entering the wireless access device, logs the key data in the copied traffic and transfers it into a database, creates threat detection strategy rules according to the characteristic patterns of risk threats, and applies the statistical principle definition and alarm threshold definition in those rules to count the potentially abnormal threat traffic of the wireless access device. It traces the IP devices that cause the network communication traffic overload of the wireless device access system, associates the counted IPs with the threat intelligence repository and the CMDB configuration management information system to judge the specific threat type (such as a malicious scanning attack or a DDoS attack that causes network communication congestion and excessive system load), and at the same time locates the administrator and contact of the IP device causing the problem. The security operation and maintenance personnel are automatically informed of the specific device, the threat cause and the associated personnel information, so that emergency response can be carried out quickly and the safe and smooth operation of the wireless device access system in the production environment is ensured.
With the scheme provided by the embodiment of the application, real-time analysis and judgment of wireless device network traffic overload, and statistical tracing of the specific IP device causing the system's traffic processing overload, are achieved without changing the configuration of the existing wireless device access system or adding new functions to it. Because the traffic entering the wireless device access system is analyzed for performance and threats on a copy, the stable operation of the system in the production environment is not affected, and the original production system is never interrupted no matter how the security detection strategy changes. The traffic log data of the access device system are stored through a queue cache, which gives the analysis system stronger real-time log processing capacity. The method improves on the traditional wireless device access system, which can only output logs through syslog, by providing a convenient log query interface in REST API form. The log aggregation system manages the storage time of the log data automatically, avoiding the traditional manual deletion of expired logs and the inefficient handling of expired log data by scripts; the retention time of the log data can be configured quickly in the log management system's backend.
In order to solve the problems in the prior art, an embodiment of the present application further provides a wireless device risk monitoring apparatus 80, as shown in fig. 8, including:
the acquisition module acquires communication traffic data of at least one wireless device;
the processing module is used for processing the communication flow data to obtain log data, and the log data comprises a communication address, a flow value and a timestamp;
the first determining module is used for taking the wireless equipment of which the communication address is positioned in a preset risk communication address range and the sum of flow values in a preset time interval is greater than a flow early warning value in the preset time interval as target wireless equipment according to the log data of the at least one wireless equipment;
the second determining module is used for determining a risk control strategy corresponding to the target wireless equipment according to the corresponding relation between a preset communication address and the risk control strategy;
and the control module executes corresponding risk control on the target wireless equipment according to the risk control strategy.
By the device provided by the embodiment of the application, communication flow data of at least one wireless device is obtained; processing based on the communication flow data to obtain log data, wherein the log data comprises a communication address, a flow value and a timestamp; according to the log data of the at least one wireless device, the wireless device, of which the communication address is located in a preset risk communication address range and the sum of flow values in a preset time interval is larger than a flow early warning value in the preset time interval, is used as a target wireless device; determining a risk control strategy corresponding to the target wireless equipment according to a corresponding relation between a preset communication address and the risk control strategy; and executing corresponding risk control on the target wireless equipment according to the risk control strategy. The scheme of the embodiment of the invention can quickly and accurately determine the high-risk target wireless equipment based on the flow, further carry out risk control on the target wireless equipment based on the risk control strategy and is beneficial to timely and effectively controlling the risk.
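One way to realize the acquisition, processing, determining and control modules end to end, as an added example written for this page and not the patent's own code: constructed copied-traffic messages are placed in a message queue, drained in order into a SQLite database as log data (communication address, flow value, timestamp), expired log data are purged according to a configurable retention time, and each target device's communication address is mapped to a risk control strategy and an alarm target by longest-prefix match over configured address ranges. The message format, strategy names, addresses and retention period are assumptions; the threshold comparison of the first determining module is left out so the block stays focused on ingestion, retention and strategy lookup.

```python
"""Added example: queue -> database -> log data -> risk control strategy lookup.

Illustrative code written for this page, not the patent's implementation.
Messages, address ranges, strategy names and alarm targets are constructed.
"""
import queue
import sqlite3
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed copied-traffic messages, as the acquisition module would hand them over.
MESSAGES = [
    "2021-06-16T10:00:01 src=10.20.1.5 dst=203.0.113.40 bytes=600000",
    "2021-06-16T10:00:02 src=10.20.7.9 dst=203.0.113.77 bytes=250000",
    "2021-06-09T09:00:00 src=10.20.1.5 dst=203.0.113.40 bytes=100",  # a week old, to be purged
]

# Assumed correspondence between communication address ranges and risk control strategies.
# The most specific (longest prefix) matching range wins.
STRATEGIES = [
    (ip_network("10.20.0.0/16"), "alert-only"),
    (ip_network("10.20.7.0/24"), "rate-limit"),
]
# Assumed correspondence between device address ranges and alarm targets.
ALARM_TARGETS = [
    (ip_network("10.20.0.0/16"), "rd-oncall@example.invalid"),
    (ip_network("10.20.7.0/24"), "ops-oncall@example.invalid"),
]


def enqueue_messages(messages):
    """Processing module: insert each communication traffic message into a message queue."""
    q = queue.Queue()
    for m in messages:
        q.put(m)
    return q


def parse_message(raw):
    """Parse one message into log data: communication addresses, flow value, timestamp."""
    ts_text, *fields = raw.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"timestamp": datetime.fromisoformat(ts_text), "source": kv["src"],
            "destination": kv["dst"], "flow": int(kv["bytes"])}


def store_queue(q, conn):
    """Processing module: drain the queue sequentially and store the log data in the database."""
    conn.execute("CREATE TABLE IF NOT EXISTS log_data "
                 "(id INTEGER PRIMARY KEY, ts TEXT, src TEXT, dst TEXT, flow INTEGER)")
    stored = 0
    while not q.empty():
        rec = parse_message(q.get())
        conn.execute("INSERT INTO log_data (ts, src, dst, flow) VALUES (?, ?, ?, ?)",
                     (rec["timestamp"].isoformat(), rec["source"], rec["destination"], rec["flow"]))
        stored += 1
    conn.commit()
    return stored


def purge_expired(conn, now, retention):
    """Automatic retention management: delete log data older than `retention`; returns rows removed."""
    cutoff = (now - retention).isoformat()  # ISO 8601 strings compare chronologically
    cur = conn.execute("DELETE FROM log_data WHERE ts < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def longest_prefix(table, address):
    """Return the value of the most specific range in `table` containing `address`, or None."""
    addr = ip_address(address)
    best = None
    for net, value in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


def risk_control_for(address):
    """Second determining module: strategy for the target device's communication address."""
    return longest_prefix(STRATEGIES, address)


def alarm_target_for(address):
    """Alarm target corresponding to the target device's source communication address."""
    return longest_prefix(ALARM_TARGETS, address)


def run_pipeline(messages, now, retention=timedelta(days=3)):
    """Run the whole chain and return what the control module would act on."""
    conn = sqlite3.connect(":memory:")
    stored = store_queue(enqueue_messages(messages), conn)
    purged = purge_expired(conn, now, retention)
    rows = conn.execute("SELECT src, dst, flow FROM log_data ORDER BY id").fetchall()
    actions = [{"source": s, "destination": d, "flow": f,
                "strategy": risk_control_for(s), "alarm_target": alarm_target_for(s)}
               for s, d, f in rows]
    return {"stored": stored, "purged": purged, "actions": actions}


if __name__ == "__main__":
    print(run_pipeline(MESSAGES, datetime(2021, 6, 16, 10, 5, 0)))
```

With the assumed three-day retention and a "now" of 2021-06-16 10:05, the week-old message is purged after storage, and the two remaining devices receive different strategies because the /24 entry is more specific than the /16 entry that also contains them.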
Preferably, an embodiment of the present invention further provides an electronic device, which includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor, where the computer program, when executed by the processor, implements each process of the above-mentioned embodiment of the method for monitoring risk of a wireless device, and can achieve the same technical effect, and in order to avoid repetition, details are not described here again.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements each process of the above-mentioned wireless device risk monitoring method embodiment, and can achieve the same technical effect, and in order to avoid repetition, the detailed description is omitted here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A method for risk monitoring of a wireless device, comprising:
obtaining communication traffic data of at least one wireless device;
processing based on the communication flow data to obtain log data, wherein the log data comprises a communication address, a flow value and a timestamp;
according to the log data of the at least one wireless device, the wireless device, of which the communication address is located in a preset risk communication address range and the sum of flow values in a preset time interval is larger than a flow early warning value in the preset time interval, is used as a target wireless device;
determining a risk control strategy corresponding to the target wireless equipment according to a corresponding relation between a preset communication address and the risk control strategy;
and executing corresponding risk control on the target wireless equipment according to the risk control strategy.
2. The method of claim 1, wherein the communication addresses comprise source communication addresses and destination communication addresses, and wherein the risk communication address range comprises a risk source communication address range and/or a risk destination communication address range.
3. The method of claim 2, wherein the communication address is within the risky communication address range, comprising:
the source communication address is located within the risk source communication address range, or the destination communication address is located within the risk destination communication address range.
4. The method of claim 3, wherein determining the risk control policy corresponding to the target wireless device according to a preset correspondence between communication addresses and risk control policies comprises:
and determining a risk control strategy corresponding to the target communication address of the target wireless equipment according to the corresponding relation between the preset communication address and the risk control strategy.
5. The method of claim 2, further comprising, after regarding a wireless device having a communication address within a preset risk communication address range and a sum of traffic values within a preset time interval greater than a traffic warning value within the preset time interval as a target wireless device according to log data of the at least one wireless device:
determining an alarm target corresponding to a source communication address of target wireless equipment according to the corresponding relation between the wireless equipment and the alarm target;
and executing the alarm to the alarm target according to the target wireless equipment and the log data of the target wireless equipment.
6. The method of claim 1, wherein when the number of the target wireless devices is multiple, performing corresponding risk control on the target wireless devices according to the risk control policy comprises:
respectively determining the sum of flow values of the target wireless devices in the preset time interval;
sorting the target wireless devices according to the sum of the flow values of the target wireless devices;
and executing corresponding risk control on the preset number of target wireless devices according to the sequencing result.
7. The method of claim 1, wherein processing based on the communication traffic data to obtain log data comprises:
processing the communication flow data of at least one wireless device to obtain a plurality of communication flow messages;
inserting the communication traffic message into a message queue;
sequentially acquiring communication flow messages in the message queue and storing the communication flow messages in a database;
and analyzing the communication flow messages stored in the database to obtain the log data.
8. A wireless device risk monitoring apparatus, comprising:
the acquisition module acquires communication traffic data of at least one wireless device;
the processing module is used for processing the communication flow data to obtain log data, and the log data comprises a communication address, a flow value and a timestamp;
the first determining module is used for taking the wireless equipment of which the communication address is positioned in a preset risk communication address range and the sum of flow values in a preset time interval is greater than a flow early warning value in the preset time interval as target wireless equipment according to the log data of the at least one wireless equipment;
the second determining module is used for determining a risk control strategy corresponding to the target wireless equipment according to the corresponding relation between a preset communication address and the risk control strategy;
and the control module executes corresponding risk control on the target wireless equipment according to the risk control strategy.
9. An electronic device, comprising: memory, processor and computer program stored on the memory and executable on the processor, which computer program, when executed by the processor, carries out the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202110667622.XA 2021-06-16 2021-06-16 Wireless equipment risk monitoring method and device Pending CN113573350A (en)
Publications (1)

Publication Number Publication Date
CN113573350A true CN113573350A (en) 2021-10-29

Family

ID=78162089
Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070153689A1 (en) * 2006-01-03 2007-07-05 Alcatel Method and apparatus for monitoring malicious traffic in communication networks
CN110445770A (en) * 2019-07-18 2019-11-12 平安科技(深圳)有限公司 Attack Source positioning and means of defence, electronic equipment and computer storage medium
WO2021023053A1 (en) * 2019-08-05 2021-02-11 阿里巴巴集团控股有限公司 Data processing method and device, and storage medium
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230317

Address after: Room 501-502, 5/F, Sina Headquarters Scientific Research Building, Block N-1 and N-2, Zhongguancun Software Park, Dongbei Wangxi Road, Haidian District, Beijing, 100193

Applicant after: Sina Technology (China) Co.,Ltd.

Address before: 100080 7th floor, Sina headquarters scientific research building, plot n-1 and n-2, Zhongguancun Software Park Phase II (West Expansion), Dongbeiwang West Road, Haidian District, Beijing

Applicant before: Sina.com Technology (China) Co.,Ltd.