CN114039777B - Intelligent threat perception method - Google Patents

Intelligent threat perception method

Info

Publication number: CN114039777B
Authority: CN (China)
Prior art keywords: access, nodes, management system, certain, behaviors
Legal status: Active (assumed by Google; not a legal conclusion)
Application number: CN202111319288.5A
Other languages: Chinese (zh)
Other versions: CN114039777A (en)
Inventors: 孙军, 于盟, 张晓菲, 张格�, 李敏
Current assignee: China Industrial Control Systems Cyber Emergency Response Team (listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: China Industrial Control Systems Cyber Emergency Response Team
Priority date: 2021-11-09 (assumed by Google; not a legal conclusion)
Filing date: 2021-11-09
Publication date: 2022-09-20
Application filed by China Industrial Control Systems Cyber Emergency Response Team
Priority to CN202111319288.5A
Publication of CN114039777A
Application granted
Publication of CN114039777B

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security)
    • G06N20/00 Machine learning (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS)
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (H04L63/00 > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
    • H04L63/1441 Countermeasures against malicious traffic (H04L63/00 > H04L63/14)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Medical Informatics (AREA)
  • Evolutionary Computation (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an intelligent threat perception method. The method comprises the following steps: an integrated management system collects traffic data from a plurality of nodes in a network; the traffic data of the plurality of nodes is analyzed to generate the access behavior corresponding to each node; correlation analysis is performed on the access behaviors corresponding to the nodes to form access behaviors among the nodes; training is performed on the access behaviors among the plurality of nodes to generate an access rule; an access control strategy is generated according to the access rule; the integrated management system issues the access control strategy to a detection terminal; and the detection terminal intercepts, according to the access control strategy, any user access behavior that does not conform to the rule. The method performs correlation analysis of the access behaviors at every network node across the whole network traffic, so it can discover potential security risks in advance, locate attack sources more accurately, and realize intelligent interception of attack or probing behaviors.

Description

Intelligent threat perception method
Technical Field
The invention relates to the technical field of network security, in particular to an intelligent threat perception method.
Background
Existing threat perception technology is mainly of two types. The first collects terminal logs and detects and intercepts attack behaviors through log analysis. The second deploys traffic monitoring equipment at a single network node, extracts the contents of data packets, analyzes the network traffic passing through that single node by time, operation behavior and the like, and generates access control rules to form a threat perception system.
However, as 0day attacks become commonplace, the need for defense in depth and coordinated joint defense within a network is increasingly urgent. Current detection and defense means cannot provide intelligent joint defense for the weak points being monitored, and automatically intercepting potential attack behaviors on the basis of behavior correlation across a plurality of network nodes is a pressing technical problem in network security defense research.
Disclosure of Invention
The invention aims to provide an intelligent threat perception method, which is used for automatically intercepting potential attack behaviors based on behavior association of a plurality of network nodes.
In order to achieve the purpose, the invention provides the following scheme:
an intelligent threat perception method, comprising:
an integrated management system collects traffic data of a plurality of nodes in a network; the plurality of nodes comprise a core switch, an access switch and a router; the integrated management system is in communication connection with the plurality of nodes;
the integrated management system analyzes the traffic data of the nodes and generates the access behavior corresponding to each node;
the integrated management system performs correlation analysis on the access behaviors corresponding to the nodes to form the access behaviors among the nodes;
the integrated management system trains on the access behaviors among the nodes to generate access rules;
the integrated management system generates an access control strategy according to the access rules;
the integrated management system issues the access control strategy to a detection terminal; the detection terminal is deployed at a network boundary;
and the detection terminal intercepts, according to the access control strategy, user access behaviors that do not conform to the rules.
Optionally, the collecting, by the integrated management system, of traffic data of a plurality of nodes in a network specifically comprises:
mirroring the traffic data of the plurality of nodes to the integrated management system.
Optionally, the analyzing, by the integrated management system, of the traffic data of the multiple nodes to generate the access behaviors corresponding to the multiple nodes specifically comprises:
the integrated management system extracts the behavior content contained in the traffic data of each of the plurality of nodes; the behavior content comprises a time, a user name, a source IP address, a source IP port, a destination IP port and an operation behavior;
and the integrated management system generates the access behavior corresponding to each node according to that node's behavior content.
Optionally, the correlation analysis performed by the integrated management system on the access behaviors corresponding to the multiple nodes to form the access behaviors among the multiple nodes specifically comprises:
splicing the access behaviors of two adjacent nodes at the same time to form the access behaviors among the nodes.
Optionally, the training by the integrated management system on the access behaviors among the multiple nodes to generate an access rule specifically comprises:
the integrated management system uses a deep learning algorithm to train, for a preset time, on the access behaviors among the nodes taken as sample files, and takes the stable access rule that emerges as the access rule.
Optionally, the deployment of the detection terminal at a network boundary specifically comprises:
deploying the detection terminal between a user and a router or a switch.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
the invention provides an intelligent threat perception method comprising the following steps: an integrated management system collects traffic data of a plurality of nodes in a network; the plurality of nodes comprise a core switch, an access switch and a router; the integrated management system is in communication connection with the plurality of nodes; the integrated management system analyzes the traffic data of the nodes and generates the access behavior corresponding to each node; the integrated management system performs correlation analysis on the access behaviors corresponding to the nodes to form the access behaviors among the nodes; the integrated management system trains on the access behaviors among the nodes to generate access rules; the integrated management system generates an access control strategy according to the access rules; the integrated management system issues the access control strategy to a detection terminal; the detection terminal is deployed at a network boundary; and the detection terminal intercepts, according to the access control strategy, user access behaviors that do not conform to the rules. The method performs correlation analysis of the access behaviors at every network node across the whole network traffic, so it can discover potential security risks in advance, locate attack sources more accurately, and realize intelligent interception of attack or probing behaviors.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for the embodiments are briefly described below. The drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of an intelligent threat awareness method of the present invention;
fig. 2 is a schematic diagram of the deployment of the integrated management system and the detection terminal of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide an intelligent threat perception method, which is used for automatically intercepting potential attack behaviors based on behavior association of a plurality of network nodes.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
FIG. 1 is a flow chart of the intelligent threat perception method of the present invention. As shown in fig. 1, the intelligent threat perception method of the invention includes:
step 101: the integrated management system collects traffic data of a plurality of nodes in a network.
Fig. 2 is a schematic diagram of the deployment of the integrated management system and the detection terminal according to the present invention. As shown in fig. 2, taking a simple present-day network topology as an example, the integrated management system is attached through a bypass (out-of-band) connection at the network core switch; the traffic of the key network nodes (i.e., network devices such as the core switch, access switches and routers) is mirrored to the integrated management system; and a detection terminal is deployed at the network boundary (i.e., between a user and a router or switch), where it implements the access control policy issued by the integrated management system and executes interception.
Therefore, the plurality of nodes of the present invention include network devices such as core switches, access switches and routers, and the integrated management system is communicatively coupled to the plurality of nodes.
Step 102: the integrated management system analyzes the traffic data of the nodes and generates the access behaviors corresponding to the nodes.
The integrated management system collects the traffic data of each node (network devices such as the core switch, access switch and router) in the network, analyzes the traffic data of each node, and extracts the behavior content contained in the traffic of a single node, namely the time, user name, source IP address, source IP port, destination IP port and operation behavior, so as to form an access behavior of the form "at time 1, user 1 performs a certain operation on port 2 of address IP2 through port 1 of address IP1".
Therefore, the step 102 specifically includes:
the integrated management system extracts behavior content included in the traffic data of each of the plurality of nodes; the behavior content comprises time, a user name, a source IP address, a source IP port, a destination IP port and an operation behavior;
and the comprehensive management system generates an access behavior corresponding to each node according to the behavior content of each node in the plurality of nodes.
Step 103: the integrated management system performs correlation analysis on the access behaviors corresponding to the nodes to form the access behaviors among the nodes.
The integrated management system performs correlation analysis on the per-node access behaviors formed in step 102. The analysis method is to splice together the access behaviors that pass through two adjacent nodes at the same time: that is, if at time 1 user 1 performs operation XX on port 2 of address IP2 through port 1 of address IP1, and at the same time 1 user 2 performs a certain operation on port 4 of address IP3 through port 3 of address IP2, the two are spliced to form an access behavior among a plurality of nodes.
Therefore, the step 103 specifically includes:
and splicing the access behaviors of two adjacent nodes at the same time to form the access behaviors among the nodes.
Step 104: the integrated management system trains on the access behaviors among the nodes to generate an access rule.
The integrated management system uses a deep learning algorithm to train, for a certain time (at least one month), on the access behaviors formed in steps 102 and 103 taken as sample files, and forms a stable access rule, namely the access rule.
That is, the step 104 specifically includes:
and the comprehensive management system utilizes a deep learning algorithm to train the access behaviors among the nodes for preset time by taking the access behaviors as sample files, and generates a stable access rule as the access rule.
Step 105: the integrated management system generates an access control strategy according to the access rule.
The integrated management system generates an access control policy from the access rules formed in step 104, that is: at a certain time point, a certain user accesses a certain IP port through a certain IP port to perform a certain operation; or, at the same time point, a certain user accesses a certain IP2 port through a certain IP1 port to perform a certain operation and a certain IP2 port performs a certain operation on a certain IP3 port.
Step 106: the integrated management system issues the access control strategy to a detection terminal.
The integrated management system issues the access control strategy formed in step 105 to the detection terminal, and the detection terminal intercepts user access behaviors that do not conform to the rules, thereby automatically intercepting potential attack behaviors. The detection terminal is deployed at the network boundary, i.e., between the user and the router or switch.
Step 107: the detection terminal intercepts, according to the access control strategy, user access behaviors that do not conform to the rules.
The detection terminal intercepts user access behaviors that do not conform to the rules, which realizes automatic interception of potential attack behaviors.
The integrated management system continuously trains and optimizes steps 102, 103 and 104 using deep learning, and continuously refines the access rules.
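As an added illustration (not code from the patent or its assignee), the following Python sketch carries steps 102 to 107 through on constructed sample records: it parses per-node behavior content, splices the behaviors of two adjacent nodes at the same time, learns access rules over a training window, and has the boundary detection terminal intercept behaviors outside those rules. The node names, adjacency list, timestamp format and the frequency-count rule learner standing in for the patent's deep learning algorithm are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed sample records (not real traffic). Each line is the behavior content
# the management system extracts from one node's mirrored traffic:
# node,timestamp,user,src_ip,src_port,dst_ip,dst_port,operation
TRAINING_LINES = [
    "access-sw,2021-11-09T09:00:00,user1,10.0.1.5,40001,10.0.2.8,445,read",
    "core-sw,2021-11-09T09:00:00,user2,10.0.2.8,40003,10.0.3.9,1433,query",
    "access-sw,2021-11-10T09:00:00,user1,10.0.1.5,40001,10.0.2.8,445,read",
    "core-sw,2021-11-10T09:00:00,user2,10.0.2.8,40003,10.0.3.9,1433,query",
    "access-sw,2021-11-10T09:05:00,user3,10.0.1.7,40005,10.0.2.8,22,login",  # seen once only
]
OBSERVED_LINES = [
    "access-sw,2021-11-11T09:00:00,user1,10.0.1.5,40001,10.0.2.8,445,read",
    "core-sw,2021-11-11T09:00:00,user2,10.0.2.8,40003,10.0.3.9,1433,query",
    "access-sw,2021-11-11T02:00:00,user1,10.0.1.5,40001,10.0.2.8,445,read",  # unusual hour
    "core-sw,2021-11-11T02:00:00,user2,10.0.2.8,40003,10.0.3.9,1433,query",
]
# Adjacent node pairs in Fig. 2 order (assumed: access switch -> core switch -> router).
ADJACENT = {("access-sw", "core-sw"), ("core-sw", "router")}


@dataclass(frozen=True)
class Behavior:
    """One per-node access behavior (step 102): the patent's time, user name,
    source IP/port, destination IP/port and operation behavior."""
    node: str
    time: str
    user: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    op: str

    def key(self) -> tuple:
        # Rule key. An exact timestamp never recurs, so the "certain time point"
        # is generalised to the hour of day (assumption, not from the patent).
        hour = self.time[11:13]
        return (hour, self.user, self.src_ip, self.src_port,
                self.dst_ip, self.dst_port, self.op)


def parse(lines: Iterable[str]) -> List[Behavior]:
    out = []
    for line in lines:
        node, t, user, sip, sp, dip, dp, op = line.split(",")
        out.append(Behavior(node, t, user, sip, int(sp), dip, int(dp), op))
    return out


def splice(behaviors: List[Behavior]) -> List[Tuple[Behavior, Behavior]]:
    """Step 103: join behaviors seen on two adjacent nodes at the same time,
    where the first hop's destination address is the second hop's source address
    (user1 -> IP2 on the access switch, then IP2 -> IP3 on the core switch)."""
    return [(a, b) for a in behaviors for b in behaviors
            if (a.node, b.node) in ADJACENT and a.time == b.time and a.dst_ip == b.src_ip]


def learn_rules(training: List[Behavior], min_count: int = 2) -> Set[tuple]:
    """Step 104 stand-in: keep single-node and spliced keys that recur at least
    min_count times in the training window. The patent trains a deep learning
    model over at least one month; a frequency baseline is used here instead."""
    counts = Counter(b.key() for b in training)
    counts.update((a.key(), b.key()) for a, b in splice(training))
    return {k for k, c in counts.items() if c >= min_count}


def classify(rules: Set[tuple], observed: List[Behavior]):
    """Steps 105-107: the boundary detection terminal allows behaviors covered by
    an access rule and intercepts everything outside the rules."""
    single = {b: ("allow" if b.key() in rules else "intercept") for b in observed}
    chains = {(a, b): ("allow" if (a.key(), b.key()) in rules else "intercept")
              for a, b in splice(observed)}
    return single, chains


if __name__ == "__main__":
    rules = learn_rules(parse(TRAINING_LINES))
    single, chains = classify(rules, parse(OBSERVED_LINES))
    for b, verdict in single.items():
        print(f"{b.node:10} {b.time} {b.user} {b.src_ip}:{b.src_port} -> "
              f"{b.dst_ip}:{b.dst_port} {b.op}: {verdict}")
    for (a, b), verdict in chains.items():
        print(f"chain {a.user}@{a.node} -> {b.user}@{b.node} at {a.time}: {verdict}")
```

The constructed source ports are held fixed; with ephemeral client ports the key would have to drop or bucket src_port, otherwise every connection would look like a new, unlearned behavior.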
The invention discloses an intelligent threat perception method that analyzes the traffic of a plurality of network nodes (including network devices such as switches and routers); correlates or splices the behaviors between two or more adjacent network nodes according to the user name, time, source IP address, source IP port, destination IP port, executed operation and the like, that is, splices the behaviors between two network nodes at the same time point to form an access rule; and mines potential network attack or probing behaviors on the basis of the time point, the user, the access target, the executed operation and the like. In other words, the method performs correlation analysis of the access behaviors at every network node across the whole network traffic, so it can discover potential security risks in advance, locate attack sources more accurately, and realize intelligent interception of attack or probing behaviors.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.

Claims (1)

1. An intelligent threat perception method, comprising:
an integrated management system collects traffic data of a plurality of nodes in a network; the plurality of nodes comprise a core switch, an access switch and a router; the integrated management system is in communication connection with the plurality of nodes;
the integrated management system collecting traffic data of a plurality of nodes in a network specifically comprises:
mirroring the traffic data of the plurality of nodes to the integrated management system;
the integrated management system analyzes the traffic data of the nodes and generates the access behaviors corresponding to the nodes;
the integrated management system analyzing the traffic data of the nodes and generating the access behaviors corresponding to the nodes specifically comprises:
the integrated management system extracts the behavior content contained in the traffic data of each of the plurality of nodes; the behavior content comprises a time, a user name, a source IP address, a source IP port, a destination IP port and an operation behavior;
the integrated management system generates the access behavior corresponding to each node according to that node's behavior content; the access behavior corresponding to each node comprises that, at a certain time point, a certain user accesses a certain IP port through a certain IP port to perform a certain operation;
the integrated management system performs correlation analysis on the access behaviors corresponding to the plurality of nodes to form the access behaviors among the plurality of nodes;
the integrated management system performing correlation analysis on the access behaviors corresponding to the nodes to form the access behaviors among the nodes specifically comprises:
splicing the access behaviors of two adjacent nodes at the same time to form the access behaviors among the nodes; the access behaviors among the plurality of nodes comprise that, at a certain time point, a certain user 1 accesses a certain IP2 port through a certain IP1 port to perform a certain operation, and at the same time a certain user 2 performs a certain operation on a certain IP3 port through a certain IP2 port;
the integrated management system trains on the access behaviors among the nodes to generate access rules;
the integrated management system training on the access behaviors among the nodes to generate an access rule specifically comprises:
the integrated management system uses a deep learning algorithm to train, for a preset time, on the access behaviors among the nodes taken as sample files, and takes the stable access rule that emerges as the access rule; the preset time is at least one month; the integrated management system continuously performs training optimization using deep learning and continuously refines the access rules;
the integrated management system generates an access control strategy according to the access rule; the access control strategy generated by the integrated management system from the access rule comprises: at a certain time point, a certain user accesses a certain IP2 port through a certain IP1 port to perform a certain operation, and at the same time a certain IP2 port performs a certain operation on a certain IP3 port;
the integrated management system issues the access control strategy to a detection terminal; the detection terminal is deployed at a network boundary;
the detection terminal being deployed at a network boundary specifically comprises:
the detection terminal is deployed between a user and a router or a switch; the detection terminal is used for implementing the access control strategy issued by the integrated management system and executing interception behavior;
and the detection terminal intercepts, according to the access control strategy, user access behaviors that do not conform to the rules.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111319288.5A CN114039777B (en) 2021-11-09 2021-11-09 Intelligent threat perception method


Publications (2)

Publication Number Publication Date
CN114039777A CN114039777A (en) 2022-02-11
CN114039777B true CN114039777B (en) 2022-09-20

Family

ID=80143669

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111319288.5A Active CN114039777B (en) 2021-11-09 2021-11-09 Intelligent threat perception method

Country Status (1)

Country Link
CN (1) CN114039777B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116032570A (en) * 2022-12-15 2023-04-28 中国联合网络通信集团有限公司 Network access management method, device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107995162A (en) * 2017-10-27 2018-05-04 深信服科技股份有限公司 Network security sensory perceptual system, method and readable storage medium storing program for executing
CN112491872A (en) * 2020-11-25 2021-03-12 国网辽宁省电力有限公司信息通信分公司 Abnormal network access behavior detection method and system based on equipment image
CN112543176A (en) * 2020-10-22 2021-03-23 新华三信息安全技术有限公司 Abnormal network access detection method, device, storage medium and terminal
CN112543186A (en) * 2020-11-23 2021-03-23 西安四叶草信息技术有限公司 Network behavior detection method and device, storage medium and electronic equipment
CN113572752A (en) * 2021-07-20 2021-10-29 上海明略人工智能(集团)有限公司 Abnormal flow detection method and device, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10951645B2 (en) * 2018-08-28 2021-03-16 Marlabs Innovations Private Limited System and method for prevention of threat


Also Published As

Publication number Publication date
CN114039777A (en) 2022-02-11

Similar Documents

Publication Publication Date Title
Ujjan et al. Towards sFlow and adaptive polling sampling for deep learning based DDoS detection in SDN
Parra et al. Implementation of deep packet inspection in smart grids and industrial Internet of Things: Challenges and opportunities
Fachkha et al. Darknet as a source of cyber intelligence: Survey, taxonomy, and characterization
CN108768921B (en) Malicious webpage discovery method and system based on feature detection
CN101262491A (en) Application layer network analysis method and system
Nugraha et al. Utilizing OpenFlow and sFlow to detect and mitigate SYN flooding attack
CN110392039A (en) Network system events source tracing method and system based on log and flow collection
Ujjan et al. Suspicious traffic detection in SDN with collaborative techniques of snort and deep neural networks
CN114039777B (en) Intelligent threat perception method
CN106452955A (en) Abnormal network connection detection method and system
Koning et al. CoreFlow: Enriching Bro security events using network traffic monitoring data
Jarmakiewicz et al. Development of cyber security testbed for critical infrastructure
CN111193640B (en) Stateful data plane fault detection method using policy decomposition and symbolic execution
Waagsnes et al. Intrusion Detection System Test Framework for SCADA Systems.
Jarraya et al. Verification of firewall reconfiguration for virtual machines migrations in the cloud
CN117459365A (en) Fault cause determining method, device, equipment and storage medium
CN103795565A (en) Network event correlation analysis method and device
Patel et al. An intelligent collaborative intrusion detection and prevention system for smart grid environments
Schmitt Advanced threat hunting over software-defined networks in smart cities
Crooks et al. Operational security, threat intelligence & distributed computing: the WLCG Security Operations Center Working Group
Ahmed et al. Effective and Efficient DDoS Attack Detection Using Deep Learning Algorithm, Multi-Layer Perceptron. Future Internet 2023, 15, 76
Lange et al. Event Prioritization and Correlation based on Pattern Mining Techniques
Yichiet et al. A semantic-aware log generation method for network activities
Umunnakwe et al. Openconduit: A tool for recreating power system communication networks automatically
Rakha et al. Generating a real-time constraint engine for network protocols

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant