CN114285617A - Network threat monitoring method and device, electronic equipment and readable storage medium - Google Patents

Info

Publication number: CN114285617A
Authority: CN (China)
Prior art keywords: threat, elements, preset, module, security service
Legal status: Pending
Application number: CN202111564274.XA
Other languages: Chinese (zh)
Inventors: 孙鹏, 肖新光
Current assignee: Beijing Antiy Network Technology Co Ltd
Original assignee: Beijing Antiy Network Technology Co Ltd
Application filed by Beijing Antiy Network Technology Co Ltd; priority to CN202111564274.XA; publication of CN114285617A; current legal status: pending.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present application disclose a network threat monitoring method and device, an electronic device, and a readable storage medium. They relate to the technical field of network security and aim to improve the security of user data. The method comprises the following steps: acquiring a traffic element corresponding to a networked process; determining whether the traffic element is a threat element according to a preset threat judgment policy; and, in response to the traffic element being a threat element, finding the process corresponding to the threat element. The method and device are suited to finding the process that corresponds to a threat element.

Description

Network threat monitoring method and device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network threat monitoring method and apparatus, an electronic device, and a readable storage medium.
Background
A large number of viruses exist in today's networks, among them no shortage of rootkit viruses. Some viruses carry valid certificate signatures or have anti-detection (anti-kill) protection, so that they avoid being killed by antivirus software and can execute in an operating system such as Windows. At the same time, such viruses can hide themselves, so that the user cannot see them in the Windows task manager (or in third-party task viewers), while they steal the user's local data in the background, posing a great threat to network security. However, it is difficult to determine the process in which the virus resides or the process it has infected, so that it is difficult to check and kill the virus, and the security of user data is low.
Disclosure of Invention
In view of this, embodiments of the present application provide a method and an apparatus for monitoring a cyber threat, an electronic device, and a readable storage medium, which help to improve the security of user data.
In a first aspect, an embodiment of the present application provides a cyber-threat monitoring method, including: acquiring a traffic element corresponding to a networked process; determining whether the traffic element is a threat element according to a preset threat judgment policy; and, in response to the traffic element being a threat element, finding the process corresponding to the threat element.
According to a specific implementation manner of the embodiment of the present application, acquiring the traffic element corresponding to the networked process includes: monitoring, in the kernel of the operating system, whether a process establishes a network connection; and, in response to a process establishing a network connection, acquiring the traffic element corresponding to the networked process.
According to a specific implementation manner of the embodiment of the present application, determining whether the traffic element is a threat element according to the preset threat determination policy includes: sending the traffic element corresponding to the process to a preset security service, so that a threat element determination module in the preset security service determines whether the traffic element is a threat element.
According to a specific implementation manner of the embodiment of the present application, the method further includes: acquiring process information of the networked process, where the process information includes memory information corresponding to the process, environment variables of the process and/or a file on the hard disk corresponding to the process. After finding the process corresponding to the threat element, the method further includes: sending the memory information corresponding to the process, the environment variables of the process and/or the file on the hard disk corresponding to the process to the preset security service, so that a threat element extraction module of the preset security service extracts the threat elements contained in the memory information, the environment variables and/or the file on the hard disk; and receiving the threat elements sent by the preset security service.
According to a specific implementation manner of the embodiment of the present application, the method further includes: receiving an interception rule sent by the preset security service, so as to intercept the threat elements using the interception rule, where the interception rule is determined according to the threat elements.
According to a specific implementation manner of the embodiment of the present application, the preset security service runs locally or on the server side.
In a second aspect, an embodiment of the present application provides a cyber-threat monitoring apparatus, including: a first acquisition module, used for acquiring traffic elements corresponding to networked processes; a determining module, used for determining whether a traffic element is a threat element according to a preset threat judgment policy; and a searching module, used for finding, in response to the traffic element being a threat element, the process corresponding to the threat element.
According to a specific implementation manner of the embodiment of the present application, the first acquisition module is specifically configured to: monitor, in the kernel of the operating system, whether a process establishes a network connection; and, in response to a process establishing a network connection, acquire the traffic element corresponding to the networked process.
According to a specific implementation manner of the embodiment of the present application, the determining module is specifically configured to: send the traffic element corresponding to the process to a preset security service, so that a threat element determination module in the preset security service determines whether the traffic element is a threat element.
According to a specific implementation manner of the embodiment of the present application, the apparatus further includes: the second acquisition module is used for acquiring process information of a networked process, wherein the process information comprises memory information corresponding to the process, environment variables of the process and/or files on a hard disk corresponding to the process; a sending module, configured to send, after the search module searches for the process corresponding to the threat element, memory information corresponding to the process, an environment variable of the process, and/or a file on a hard disk corresponding to the process to the preset security service, so as to extract, by using a threat element extraction module of the preset security service, the memory information corresponding to the process, the environment variable of the process, and/or the threat element included in the file on the hard disk corresponding to the process; and the first receiving module is used for receiving the threat elements sent by the preset security service.
According to a specific implementation manner of the embodiment of the present application, the apparatus further includes: and the second receiving module is used for receiving an interception rule sent by the preset security service so as to intercept the threat elements by using the interception rule, wherein the interception rule is a rule determined according to the threat elements.
According to a specific implementation manner of the embodiment of the present application, the preset security service runs locally or on the server side.
In a third aspect, an embodiment of the present application provides an electronic device, including: a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the network threat monitoring method of any of the foregoing implementations.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing one or more programs, which can be executed by one or more processors to implement the cyber-threat monitoring method described in any of the foregoing implementations.
According to the method, apparatus, electronic device and readable storage medium for monitoring network threats, the traffic element corresponding to the networked process is acquired, that is, the correspondence between the networked process and the traffic element is obtained; whether the traffic element is a threat element is then determined through the preset threat judgment policy; and when the traffic element is a threat element, the process corresponding to the threat element can be found. The process in which a virus resides, or the process infected by a virus, can thereby be determined, so that a corresponding processing policy can be applied to check and kill it, which improves the security of user data.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present application, and other drawings can be obtained from them by those skilled in the art without creative effort.
Fig. 1 is a schematic flowchart of a cyber-threat monitoring method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a cyber-threat monitoring method according to another embodiment of the present application;
Fig. 3 is a schematic structural diagram of a cyber-threat monitoring apparatus according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The embodiments of the present application will be described in detail below with reference to the accompanying drawings. It should be understood that the embodiments described are only a few embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to make those skilled in the art better understand the technical concepts, embodiments and advantages of the examples of the present application, the following detailed description is given by way of specific examples.
An embodiment of the present application provides a network threat monitoring method, including: acquiring a traffic element corresponding to a networked process; determining whether the traffic element is a threat element according to a preset threat judgment policy; and, in response to the traffic element being a threat element, determining the process corresponding to the threat element. This facilitates finding and killing viruses and improves the security of user data.
Fig. 1 is a schematic flow diagram of a cyber-threat monitoring method according to an embodiment of the present application, and as shown in fig. 1, the cyber-threat monitoring method according to the embodiment may include:
S101, acquiring a traffic element corresponding to the networked process.
Networking here refers to communication between processes running on different computers, which may take place over a closed local area network or over the Internet.
The traffic elements may include the packet size, source IP address, source port, destination IP address, destination port, transport protocol and/or protocol content.
Acquiring the traffic element corresponding to the networked process means acquiring the correspondence between the networked process and its traffic element.
S102, determining whether the traffic element is a threat element according to a preset threat judgment policy.
The preset threat judgment policy can be drawn up according to the network environment.
S103, in response to the traffic element being a threat element, finding the process corresponding to the threat element.
If S102 determines that the traffic element is a threat element, the process corresponding to that threat element is looked up, and the process in which the virus resides, or the process infected by the virus, can thereby be determined.
In this embodiment, because the traffic element corresponding to the networked process is acquired, that is, the correspondence between the networked process and the traffic element is obtained, and the traffic element is then judged against the preset threat judgment policy, the process corresponding to a threat element can be found when the traffic element is a threat element. The process in which a virus resides, or the process infected by a virus, can thus be determined, so that a corresponding processing policy can be applied to check and kill it, which improves the security of user data.
Fig. 2 is a schematic flow diagram of a cyber-threat monitoring method according to another embodiment of the present application. As shown in Fig. 2, this embodiment is basically the same as the embodiment above, except that acquiring the traffic element corresponding to the networked process (S101) may include:
S101a, in the kernel of the operating system, monitoring whether a process establishes a network connection.
In the kernel of the operating system (ring 0), it is monitored whether any process establishes a network connection. In some examples, a process is considered to have established a network connection when it exhibits three-way handshake behaviour according to the TCP protocol.
S101b, in response to the process establishing a network connection, acquiring the traffic element corresponding to the networked process.
After the process has established the network connection, the traffic element corresponding to the process can be acquired.
In this embodiment, a monitor may be provided at each layer of the system interconnection model to monitor traffic information, so that the traffic elements are obtained at the kernel layer.
In this embodiment, whether a process establishes a network connection is monitored in the kernel of the operating system, and when a process establishes a network connection, the traffic element corresponding to that networked process is acquired.
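The handshake-based criterion of S101a, worked as an added example that is not part of the patent: a tracker attributes a TCP connection to its process only once SYN, SYN/ACK and ACK have all been observed, ignores packets whose handshake was never seen, and then sums outbound packet sizes as a traffic element. The packet records and their PID field are constructed; the kernel filter driver that would supply them is assumed, not implemented.

```python
"""Added example (not from the patent): three-way-handshake tracking that
attributes a connection to a process only once it is established.
Packets and PIDs are constructed; the kernel driver feeding them is assumed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SYN, ACK = 0x02, 0x10          # TCP flag bits
Endpoint = Tuple[str, int]     # (IP address, port)


@dataclass(frozen=True)
class Packet:
    pid: int            # owning process, as the kernel driver would report it
    src: Endpoint
    dst: Endpoint
    flags: int
    payload_len: int = 0


@dataclass
class Connection:
    pid: int
    local: Endpoint
    remote: Endpoint
    bytes_out: int = 0  # traffic element: outbound packet sizes, summed


class HandshakeTracker:
    """Per-flow state machine keyed by the (client, server) endpoint pair."""

    def __init__(self) -> None:
        # flow key -> ("SYN_SENT" | "SYN_RECEIVED", initiating pid)
        self._pending: Dict[Tuple[Endpoint, Endpoint], Tuple[str, int]] = {}
        self.established: Dict[Tuple[Endpoint, Endpoint], Connection] = {}

    def observe(self, pkt: Packet) -> Optional[Connection]:
        """Feed one packet; returns the Connection the moment it is established."""
        if pkt.flags == SYN:
            # Client opens the flow: remember which process started it.
            self._pending[(pkt.src, pkt.dst)] = ("SYN_SENT", pkt.pid)
            return None
        if pkt.flags == SYN | ACK:
            # The server's reply travels the other way, so flip the key.
            key = (pkt.dst, pkt.src)
            state = self._pending.get(key)
            if state and state[0] == "SYN_SENT":
                self._pending[key] = ("SYN_RECEIVED", state[1])
            return None
        if pkt.flags & ACK:
            key = (pkt.src, pkt.dst)
            state = self._pending.pop(key, None)
            if state and state[0] == "SYN_RECEIVED":
                conn = Connection(pid=state[1], local=pkt.src, remote=pkt.dst)
                self.established[key] = conn
                return conn
            conn = self.established.get(key)
            if conn is not None:
                conn.bytes_out += pkt.payload_len   # data on an established flow
            elif state is not None:
                self._pending[key] = state          # ACK out of order: keep waiting
            # Otherwise: no handshake was seen for this flow, so it is ignored.
        return None


def run_sample() -> HandshakeTracker:
    """Constructed sequence: one full handshake, one stray ACK, one data packet."""
    client, c2 = ("10.0.0.5", 51000), ("203.0.113.7", 4444)   # constructed addresses
    other = ("10.0.0.5", 51001)
    tracker = HandshakeTracker()
    for pkt in (
        Packet(4242, client, c2, SYN),
        Packet(4242, c2, client, SYN | ACK),
        Packet(4242, client, c2, ACK),                    # established here
        Packet(1312, other, ("198.51.100.9", 443), ACK),  # no handshake seen: ignored
        Packet(4242, client, c2, ACK, payload_len=120),   # data on the established flow
    ):
        tracker.observe(pkt)
    return tracker
```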
In some examples, determining whether the traffic element is a threat element according to the preset threat determination policy (S102) may include:
S102a, sending the traffic element corresponding to the process to a preset security service, and determining whether the traffic element is a threat element through a threat element determination module in the preset security service.
The preset security service of this embodiment has a strong capability for determining threat elements: threat determination rules and a machine learning model related to threat element determination may be configured in the preset security service, so as to determine whether the traffic elements corresponding to a process are threat elements. In some examples, the preset security service may be a security brain. The security brain implements a radar system for intelligently upgrading network security defence and helps customers with the key point of network security defence, namely "seeing" network threats and attacks. Based on security big data analysis, it empowers users and traditional security products with key capabilities such as threat intelligence, knowledge bases and security experts, improves the capability to detect and discover advanced threats and attack behaviours, and has five core capabilities: perception, learning, reasoning, prediction and decision making. It uses hundreds of millions of intelligent terminals to acquire data and information and perceives security risks through intelligent analysis; it has self-learning and self-evolution capabilities and thereby identifies new threats; it can reason from security big data together with prior knowledge or rules; it predicts network security threats and attacks that may occur in the future; and it comprehensively uses a variety of technologies to assist decisions such as analysis, judgement, disposal, response and countermeasures against network security threats.
In some examples, the preset security service runs locally or on a server. Running it locally allows whether a traffic element is a threat element to be determined more efficiently; running it on a server saves local computing resources.
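Steps S101 to S103 of Fig. 1 together with S102a, worked as an added example that is not part of the patent: the process-to-traffic-element correspondence is recorded, each element is judged by a threat element determination module against a preset policy (denied destination networks, suspicious TCP ports, content signatures), and the responsible process is looked up. The determination module runs locally here but has the interface a server-side security service would expose; all rules, addresses, PIDs and packet contents are constructed.

```python
"""Added example (not from the patent): correlating traffic elements with
processes, judging them against a preset threat policy, and finding the
responsible process. Rules, addresses, PIDs and contents are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrafficElement:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str         # "tcp" or "udp"
    size: int             # packet size in bytes
    content: bytes = b""  # protocol content, if captured


@dataclass(frozen=True)
class Verdict:
    is_threat: bool
    reason: Optional[str] = None


class ThreatDeterminationModule:
    """Preset threat judgment policy, drawn up for the network environment:
    denied destination networks, suspicious TCP ports, content signatures."""

    def __init__(self, denied_nets: List[str], suspicious_tcp_ports: List[int],
                 signatures: Dict[str, bytes]) -> None:
        self.denied_nets = [ip_network(n) for n in denied_nets]
        self.suspicious_tcp_ports = set(suspicious_tcp_ports)
        self.signatures = signatures

    def judge(self, te: TrafficElement) -> Verdict:
        dst = ip_address(te.dst_ip)
        for net in self.denied_nets:
            if dst in net:
                return Verdict(True, f"destination {te.dst_ip} in denied network {net}")
        if te.protocol == "tcp" and te.dst_port in self.suspicious_tcp_ports:
            return Verdict(True, f"suspicious TCP destination port {te.dst_port}")
        for name, pattern in self.signatures.items():
            if pattern in te.content:
                return Verdict(True, f"content matched signature {name}")
        return Verdict(False)


class ThreatMonitor:
    """Holds the process <-> traffic element correspondence acquired in S101."""

    def __init__(self, service: ThreatDeterminationModule) -> None:
        self.service = service
        self._records: List[Tuple[int, TrafficElement]] = []

    def record(self, pid: int, te: TrafficElement) -> None:
        self._records.append((pid, te))

    def find_threat_processes(self) -> List[Tuple[int, TrafficElement, str]]:
        """S102 + S103: judge every element, return (pid, element, reason) hits."""
        hits = []
        for pid, te in self._records:
            verdict = self.service.judge(te)
            if verdict.is_threat:
                hits.append((pid, te, verdict.reason))
        return hits


def run_sample() -> List[Tuple[int, TrafficElement, str]]:
    """Constructed policy and connection records; the UDP record shows that the
    port rule is deliberately limited to TCP."""
    service = ThreatDeterminationModule(
        denied_nets=["203.0.113.0/24"],          # constructed denylist
        suspicious_tcp_ports=[4444, 31337],
        signatures={"beacon": b"BEACON-ID:"},    # constructed signature
    )
    monitor = ThreatMonitor(service)
    monitor.record(1312, TrafficElement("10.0.0.5", 51000, "198.51.100.20", 443, "tcp", 517))
    monitor.record(4242, TrafficElement("10.0.0.5", 51001, "203.0.113.7", 443, "tcp", 60))
    monitor.record(900, TrafficElement("10.0.0.5", 51002, "198.51.100.30", 4444, "tcp", 60))
    monitor.record(777, TrafficElement("10.0.0.5", 51003, "198.51.100.40", 80, "tcp", 240,
                                       b"POST / HTTP/1.1\r\nBEACON-ID: 7f3a\r\n"))
    monitor.record(5, TrafficElement("10.0.0.5", 51004, "198.51.100.50", 4444, "udp", 60))
    return monitor.find_threat_processes()
```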
The present application further provides a method, which is substantially the same as the foregoing embodiments, except that the method of the present embodiment further includes:
S104, acquiring the process information of the networked process.
In this embodiment, the process information includes memory information corresponding to the process, an environment variable of the process, and/or a file on a hard disk corresponding to the process.
This step may be performed before S101, after S103, or at any position between S101 and S103.
After the process corresponding to the threat element has been determined, in order to obtain more detailed threat elements, the method may further include, after finding the process corresponding to the threat element (S103):
S105, sending the memory information corresponding to the process, the environment variables of the process and/or the file on the hard disk corresponding to the process to the preset security service, so that the threat element extraction module of the preset security service extracts the threat elements contained in the memory information, the environment variables and/or the file on the hard disk corresponding to the process.
The threat element extraction module of the preset security service can extract a threat instruction or a threat code, i.e. a threat element, from the process information, such as the memory information corresponding to the process, the environment variable of the process and/or the file on the hard disk corresponding to the process.
S106, receiving the threat elements sent by the preset security service.
After receiving the threat elements, corresponding processing strategies can be formulated according to the threat elements so as to improve the safety of user data.
In this embodiment, the acquired memory information corresponding to the process, the environment variable of the process, and/or the file on the hard disk corresponding to the process are sent to the preset security service, so that the memory information corresponding to the process, the environment variable of the process, and/or the threat elements included in the file on the hard disk corresponding to the process are extracted through the threat element extraction module of the preset security service, and the threat elements sent by the preset security service are received.
In order to simplify the technical solution of this embodiment and improve the processing efficiency, in an embodiment of the present application, the method further includes:
and S107, receiving an interception rule sent by the preset security service so as to intercept the threat elements by using the interception rule.
In this embodiment, the interception rule is a rule determined according to the threat elements.
In this embodiment, the interception rule is directly received, that is, the interception rule can be directly used, so that the process of determining the interception rule is avoided, and the processing efficiency is improved.
The following describes the embodiments of the present application in detail with reference to a specific example.
Referring to fig. 2, the cyber-threat monitoring method according to the embodiment may include:
(1) In this scheme, a filter driver dedicated to network connections is installed at the kernel layer of the operating system; the filter driver monitors, in real time, the establishment of network connections and the I/O packets of every process.
(2) The corresponding process information and the networking information belonging to it are sent to the application layer, which judges and processes the networking information of each process. Specifically, this may be done in two ways:
A. Monitoring by a traffic monitoring system.
Because step (1) yields every networked process together with its traffic packets, and the packets contain the threat elements, the traffic monitoring system can record the process and traffic packet information and determine the threat elements according to the preset threat judgment rules, and from there trace back to the program running on the terminal that corresponds to the threat elements.
B. Sending the samples and the corresponding traffic packets to a security brain for learning and feature extraction, and then issuing the features to the terminal antivirus engine, so that all terminals gain immunity.
The sample in this embodiment may be information related to the process, and specifically may include file path information serving as process identification, the memory information corresponding to the process, the environment variables of the process and/or the file on the hard disk corresponding to the process.
The features in this embodiment may be threat elements, including threat elements determined from the traffic elements in the traffic packets, and threat elements such as threat-generating code or instructions determined from the process information.
In the security brain, a continuous probability distribution model can be built by disassembling the assembled instructions together with the corresponding traffic attack payloads, and features are extracted from it by derivation.
Once the features are obtained, they can be issued to the terminal; the corresponding processing rules can also be determined from the features and issued to the terminal, so that the terminal intercepts the same features when they appear again, reducing the threat risk.
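Steps S104 to S107 and mode B above, worked as an added example that is not part of the patent: threat elements (remote addresses, URLs, known code fragments) are extracted from a networked process's memory, environment variables and on-disk file, an interception rule is derived from them, and the terminal applies that rule directly to later traffic. All process data, indicators and the rule format are constructed; the security brain's own learning model is not shown, a plain indicator scan stands in for it.

```python
"""Added example (not from the patent): threat element extraction from
process information and derivation of an interception rule. Process data,
indicators and the rule format are constructed."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(rb"https?://[\w.\-]+(?::\d+)?")
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_local_or_invalid(ip: str) -> bool:
    """True for addresses that cannot be a remote threat element, and for regex
    matches that are not addresses at all (e.g. 999.1.1.1 inside a version string)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in LOCAL_NETS)


@dataclass
class ProcessInfo:
    pid: int
    path: str              # file path serving as process identification
    memory: bytes
    env: Dict[str, str]
    file_on_disk: bytes


@dataclass
class ThreatElements:
    pid: int
    remote_ips: Set[str] = field(default_factory=set)
    urls: Set[str] = field(default_factory=set)
    code_fragments: Set[str] = field(default_factory=set)   # names of known fragments


class ThreatElementExtractionModule:
    """Pulls network indicators and known threat code fragments out of process info."""

    def __init__(self, known_fragments: Dict[str, bytes]) -> None:
        self.known_fragments = known_fragments

    def extract(self, info: ProcessInfo) -> ThreatElements:
        found = ThreatElements(pid=info.pid)
        blobs: List[bytes] = [info.memory, info.file_on_disk]
        blobs += [v.encode() for v in info.env.values()]
        for blob in blobs:
            for m in IPV4.findall(blob):
                ip = m.decode()
                if not is_local_or_invalid(ip):
                    found.remote_ips.add(ip)
            found.urls.update(m.decode() for m in URL.findall(blob))
            for name, fragment in self.known_fragments.items():
                if fragment in blob:
                    found.code_fragments.add(name)
        return found


@dataclass
class InterceptionRule:
    blocked_ips: Set[str]
    blocked_fragments: Dict[str, bytes]


def derive_rule(found: ThreatElements, known_fragments: Dict[str, bytes]) -> InterceptionRule:
    """Turn extracted threat elements into a rule the terminal can apply directly."""
    ips = set(found.remote_ips)
    for url in found.urls:                     # host part of each URL, if it is an IP
        host = url.split("://", 1)[1].split(":", 1)[0]
        if not is_local_or_invalid(host):
            ips.add(host)
    return InterceptionRule(ips, {n: known_fragments[n] for n in found.code_fragments})


def intercept(rule: InterceptionRule, dst_ip: str, content: bytes) -> bool:
    """True when a traffic element matches the rule and should be blocked."""
    if dst_ip in rule.blocked_ips:
        return True
    return any(frag in content for frag in rule.blocked_fragments.values())


KNOWN_FRAGMENTS = {"loader_stub": b"CONSTRUCTED-LOADER-STUB"}   # constructed signature


def run_sample() -> InterceptionRule:
    info = ProcessInfo(                      # all values constructed
        pid=4242,
        path=r"C:\Users\demo\AppData\Local\Temp\svc_update.exe",
        memory=b"\x00connect 203.0.113.7:4444\x00 local 10.0.0.5 build 999.1.1.1\x00",
        env={"APPDATA": r"C:\Users\demo\AppData\Roaming",
             "UPDATE_URL": "http://203.0.113.7/update"},
        file_on_disk=b"MZ\x90\x00 ... CONSTRUCTED-LOADER-STUB ...",
    )
    found = ThreatElementExtractionModule(KNOWN_FRAGMENTS).extract(info)
    return derive_rule(found, KNOWN_FRAGMENTS)
```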
In this embodiment, because the traffic element corresponding to the networked process is acquired, that is, the correspondence between the networked process and the traffic element is obtained, and the preset threat judgment policy is then used to determine whether the traffic element is a threat element, the process corresponding to a threat element can be found when the traffic element is a threat element. The process in which a virus resides, or the process infected by a virus, can thus be determined, so that a corresponding processing policy can be applied to check and kill it, which improves the security of user data. To obtain the networked process and its corresponding traffic element reliably, the kernel of the operating system monitors whether a process establishes a network connection, and if so, the traffic element corresponding to that networked process is acquired. To keep the technical scheme of the present application simple, the traffic element corresponding to the process can be sent to a preset security service, whose threat element determination module determines whether the traffic element is a threat element. To determine this efficiently, the preset security service is run locally; to save local computing resources, it is run on the server side. To obtain more threat elements and so further improve the security of user data, the acquired memory information corresponding to the process, the environment variables of the process and/or the file on the hard disk corresponding to the process are sent to the preset security service, whose threat element extraction module extracts the threat elements contained in them, and the threat elements sent by the preset security service are received. To improve processing efficiency, the interception rules sent by the preset security service are received and used to intercept the threat elements.
An embodiment of the present application provides a cyber-threat monitoring apparatus, including: a first acquisition module, used for acquiring traffic elements corresponding to networked processes; a determining module, used for determining whether a traffic element is a threat element according to a preset threat judgment policy; and a searching module, used for finding, in response to the traffic element being a threat element, the process corresponding to the threat element. This facilitates finding and killing viruses and improves the security of user data.
Fig. 3 is a schematic structural diagram of a cyber-threat monitoring apparatus according to an embodiment of the present application, and as shown in fig. 3, the cyber-threat monitoring apparatus according to the embodiment may include: a first obtaining module 11, configured to obtain a traffic element corresponding to a networked process; a determining module 12, configured to determine whether the traffic element is a threat element according to a preset threat determination policy; and the searching module 13 is configured to search, in response to that the traffic element is a threat element, a process corresponding to the threat element.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and the implementation principle and the technical effect are similar, which are not described herein again.
According to the apparatus of this embodiment, the traffic element corresponding to the networked process is acquired, that is, the correspondence between the networked process and the traffic element is obtained; whether the traffic element is a threat element is determined according to the preset threat judgment policy; and when the traffic element is a threat element, the process corresponding to the threat element can be found. The process in which a virus resides, or the process infected by a virus, can thereby be determined, so that a corresponding processing policy can be applied to check and kill it, which improves the security of user data.
As an optional implementation manner, the first acquisition module is specifically configured to: monitor, in the kernel of the operating system, whether a process establishes a network connection; and, in response to a process establishing a network connection, acquire the traffic element corresponding to the networked process.
As an optional implementation manner, the determining module is specifically configured to: send the traffic element corresponding to the process to a preset security service, so that a threat element determination module in the preset security service determines whether the traffic element is a threat element.
As an optional embodiment, the apparatus further comprises: the second acquisition module is used for acquiring process information of a networked process, wherein the process information comprises memory information corresponding to the process, environment variables of the process and/or files on a hard disk corresponding to the process; a sending module, configured to send, after the search module searches for the process corresponding to the threat element, memory information corresponding to the process, an environment variable of the process, and/or a file on a hard disk corresponding to the process to the preset security service, so as to extract, by using a threat element extraction module of the preset security service, the memory information corresponding to the process, the environment variable of the process, and/or the threat element included in the file on the hard disk corresponding to the process; and the first receiving module is used for receiving the threat elements sent by the preset security service.
As an optional embodiment, the apparatus further comprises: and the second receiving module is used for receiving an interception rule sent by the preset security service so as to intercept the threat elements by using the interception rule, wherein the interception rule is a rule determined according to the threat elements.
As an optional implementation manner, the preset security service is executed locally or at a server.
The apparatus of the foregoing embodiment may be configured to implement the technical solution of the foregoing method embodiment, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 4, the electronic device may include: the electronic device comprises a shell 61, a processor 62, a memory 63, a circuit board 64 and a power circuit 65, wherein the circuit board 64 is arranged inside a space enclosed by the shell 61, and the processor 62 and the memory 63 are arranged on the circuit board 64; a power supply circuit 65 for supplying power to each circuit or device of the electronic apparatus; the memory 63 is used to store executable program code; the processor 62 reads the executable program code stored in the memory 63 to run the program corresponding to the executable program code, so as to execute any one of the cyber-threat monitoring methods provided in the foregoing embodiments, and therefore, corresponding advantageous technical effects can also be achieved.
The above electronic devices exist in a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include smartphones (e.g., iPhones), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing capabilities and generally support mobile internet access. Such terminals include PDAs, MIDs and UMPC devices, e.g., iPads.
(3) Portable entertainment devices: such devices can display and play multimedia content. This type of device includes audio and video players (e.g., iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, a hard disk, memory, a system bus and the like, and is similar in architecture to a general-purpose computer, but has higher requirements on processing capacity, stability, reliability, security, scalability, manageability and the like, because it must provide a highly reliable service.
(5) Other electronic devices with data interaction functions.
Accordingly, embodiments of the present application further provide a computer-readable storage medium storing one or more programs, which can be executed by one or more processors to implement any of the network threat monitoring methods provided in the foregoing embodiments, thereby also achieving the corresponding technical effects, which have been described in detail above and are not repeated here.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations when the present application is implemented.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (14)

1. A network threat monitoring method, comprising:
acquiring a traffic element corresponding to a networked process;
determining whether the traffic element is a threat element according to a preset threat judgment policy;
and, in response to the traffic element being a threat element, finding the process corresponding to the threat element.
2. The method according to claim 1, wherein acquiring the traffic element corresponding to the networked process comprises:
monitoring, in the kernel of the operating system, whether a process establishes a network connection;
and, in response to a process establishing a network connection, acquiring the traffic element corresponding to that networked process.
3. The method according to claim 1, wherein determining whether the traffic element is a threat element according to the preset threat judgment policy comprises:
sending the traffic element corresponding to the process to a preset security service, so that a threat element determination module in the preset security service determines whether the traffic element is a threat element.
4. The method according to claim 3, further comprising:
acquiring process information of the networked process, the process information comprising memory corresponding to the process, environment variables of the process and/or files on disk corresponding to the process;
and, after finding the process corresponding to the threat element, the method further comprises:
sending the memory corresponding to the process, the environment variables of the process and/or the files on disk corresponding to the process to the preset security service, so that a threat element extraction module of the preset security service extracts the threat elements contained in that memory, those environment variables and/or those files;
and receiving the threat elements sent by the preset security service.
5. The method according to claim 4, further comprising:
receiving an interception rule sent by the preset security service, so that the threat elements are intercepted using the interception rule, wherein the interception rule is determined from the threat elements.
6. The method according to claim 3, wherein the preset security service runs locally or on a server.
7. A network threat monitoring apparatus, comprising:
a first acquisition module configured to acquire a traffic element corresponding to a networked process;
a determining module configured to determine whether the traffic element is a threat element according to a preset threat judgment policy;
and a search module configured to find, in response to the traffic element being a threat element, the process corresponding to the threat element.
8. The apparatus according to claim 7, wherein the first acquisition module is specifically configured to:
monitor, in the kernel of the operating system, whether a process establishes a network connection;
and, in response to a process establishing a network connection, acquire the traffic element corresponding to that networked process.
9. The apparatus according to claim 7, wherein the determining module is specifically configured to:
send the traffic element corresponding to the process to a preset security service, so that a threat element determination module in the preset security service determines whether the traffic element is a threat element.
10. The apparatus according to claim 9, further comprising:
a second acquisition module configured to acquire process information of the networked process, the process information comprising memory corresponding to the process, environment variables of the process and/or files on disk corresponding to the process;
a sending module configured to send, after the search module has found the process corresponding to the threat element, the memory corresponding to the process, the environment variables of the process and/or the files on disk corresponding to the process to the preset security service, so that a threat element extraction module of the preset security service extracts the threat elements contained in that memory, those environment variables and/or those files;
and a first receiving module configured to receive the threat elements sent by the preset security service.
11. The apparatus according to claim 10, further comprising:
a second receiving module configured to receive an interception rule sent by the preset security service, so that the threat elements are intercepted using the interception rule, wherein the interception rule is determined from the threat elements.
12. The apparatus according to claim 9, wherein the preset security service runs locally or on a server.
13. An electronic device, comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor reads the executable program code stored in the memory and runs the program corresponding to it, so as to perform the network threat monitoring method of any one of claims 1 to 6.
14. A computer-readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the network threat monitoring method of any one of claims 1 to 6.
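The method of claims 1 to 6 and the apparatus modules of the description (first and second acquisition modules, determining module, search module, sending module, first and second receiving modules) describe one procedure: observe a connection, judge its traffic element against a policy, find the owning process, hand the process's memory, environment and files to the security service for threat element extraction, and install the interception rule the service derives from them. The Python below is an added example that models that loop end to end; it is not code from the patent or from Antiy. All of its inputs are constructed: the connection events stand in for the kernel-side connect monitor of claim 2 (which would normally tag each connection with its PID), the `PROCESSES` table for what the second acquisition module would read from the OS, and the `SecurityService` class for the preset security service, whose indicator-match policy and regex-based extraction are assumptions made for illustration.

```python
"""Added example, not the patent's own code: a Python model of the loop that
claims 1 to 6 (and the apparatus modules of the description) lay out.  All data
is constructed; the connection events stand in for the kernel-side monitor of
claim 2 and SecurityService for the preset security service of claims 3 and 6."""
from __future__ import annotations
import ipaddress, re
from dataclasses import dataclass

@dataclass(frozen=True)
class TrafficElement:            # one outbound connection, as the kernel hook reports it
    pid: int
    dst_ip: str
    dst_port: int
    dst_host: str = ""           # SNI / Host header, if seen

@dataclass
class ProcessInfo:               # process information of claim 4
    exe: str
    memory: bytes
    env: dict[str, str]
    files: dict[str, bytes]      # path -> content of files linked to the process

@dataclass(frozen=True)
class InterceptionRule:          # rule determined from threat elements (claim 5)
    block_ips: frozenset[str]
    block_hosts: frozenset[str]
    def matches(self, te: TrafficElement) -> bool:
        return te.dst_ip in self.block_ips or te.dst_host.lower() in self.block_hosts

class SecurityService:
    """Preset security service; in-process here, but could sit on a server (claim 6)."""
    _IP = re.compile(rb"(?<![\w.-])(?:\d{1,3}\.){3}\d{1,3}(?![\w.-])")
    # hostnames: accept a preceding '://', otherwise reject path-like '/x.y'
    _HOST = re.compile(rb"(?:(?<=://)|(?<![/\w.-]))[a-z0-9-]+(?:\.[a-z0-9-]+)+(?![\w-])", re.I)
    def __init__(self, bad_ips, bad_hosts):
        self.bad_ips, self.bad_hosts = set(bad_ips), {h.lower() for h in bad_hosts}
    def is_threat(self, te: TrafficElement) -> bool:
        """Threat element determination (claim 3): here a plain indicator match."""
        return te.dst_ip in self.bad_ips or te.dst_host.lower() in self.bad_hosts
    def extract_threat_elements(self, info: ProcessInfo) -> tuple[set[str], set[str]]:
        """Threat element extraction (claim 4): network indicators found in the
        process's memory, environment values and linked files."""
        blobs = [info.memory, *(v.encode() for v in info.env.values()), *info.files.values()]
        ips, hosts = set(), set()
        for blob in blobs:
            for m in self._IP.findall(blob):
                try:
                    ip = ipaddress.IPv4Address(m.decode("ascii"))
                except ValueError:               # e.g. 999.1.1.1
                    continue
                if not (ip.is_loopback or ip.is_link_local or ip.is_multicast):
                    ips.add(str(ip))
            for m in self._HOST.findall(blob):
                s = m.decode("ascii").lower()
                if any(c.isalpha() for c in s):  # skip version strings like 1.2.3
                    hosts.add(s)
        return ips, hosts

class Monitor:
    """Endpoint side: the acquisition, determining, searching, sending and receiving modules."""
    def __init__(self, service: SecurityService, process_table: dict[int, ProcessInfo]):
        self.service, self.process_table = service, process_table
        self.rules: list[InterceptionRule] = []
    def handle(self, te: TrafficElement) -> dict | None:
        if any(r.matches(te) for r in self.rules):           # rule from the second receiving module
            return {"pid": te.pid, "action": "blocked_by_rule"}
        if not self.service.is_threat(te):
            return None
        # Search module: the kernel hook tags the connection with its PID; without
        # such a hook, map the socket inode to a PID through /proc/<pid>/fd instead.
        proc = self.process_table.get(te.pid)
        if proc is None:
            return {"pid": te.pid, "action": "threat_no_process"}
        ips, hosts = self.service.extract_threat_elements(proc)
        self.rules.append(InterceptionRule(frozenset(ips | {te.dst_ip}),
                                           frozenset(hosts | ({te.dst_host.lower()} if te.dst_host else set()))))
        return {"pid": te.pid, "exe": proc.exe, "action": "rule_installed",
                "threat_ips": sorted(ips), "threat_hosts": sorted(hosts)}

# Constructed process table (assumption; a real monitor reads it from the OS).
PROCESSES = {
    4242: ProcessInfo("/usr/bin/updater", b"GET /feed HTTP/1.1\r\nHost: updates.example.net\r\n",
                      {"PATH": "/usr/bin"}, {}),
    5150: ProcessInfo("/tmp/.cache/svc",
                      b"\x00https://cdn-sync.invalid/gate.php\x00beacon=198.51.100.7:8443\x00",
                      {"PATH": "/usr/bin", "C2_FALLBACK": "backup-sync.invalid"},
                      {"/tmp/.cache/svc.cfg": b"server=198.51.100.7\nsecondary=backup-sync.invalid\n"}),
}

def run_demo() -> list[dict | None]:
    """Three constructed connection events; the feed knows only 198.51.100.7."""
    mon = Monitor(SecurityService(bad_ips={"198.51.100.7"}, bad_hosts=()), PROCESSES)
    events = [
        TrafficElement(4242, "203.0.113.10", 443, "updates.example.net"),
        TrafficElement(5150, "198.51.100.7", 8443),
        TrafficElement(5150, "192.0.2.44", 443, "backup-sync.invalid"),  # fallback C2, not in the feed
    ]
    return [mon.handle(te) for te in events]
```

The point of the extraction step shows in the third event: the threat feed knows only the first C2 address, but the fallback host `backup-sync.invalid` appears in the process's environment and config file, so the interception rule built from the extracted threat elements blocks it before any feed update. Two caveats a deployment would have to handle: the PID-to-process mapping is only trustworthy when it comes from the kernel hook of claim 2 (a user-space lookup after the fact can be raced by a short-lived process), and naive regex extraction over process memory will also pick up benign hosts, so a real service would whitelist or score the extracted elements rather than block all of them.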
CN202111564274.XA 2021-12-20 2021-12-20 Network threat monitoring method and device, electronic equipment and readable storage medium Pending CN114285617A (en)


Publications (1)

Publication Number Publication Date
CN114285617A true CN114285617A (en) 2022-04-05

Family

ID=80873239

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067384A (en) * 2012-12-27 2013-04-24 华为技术有限公司 Threat processing method, system, linkage client, safety equipment and host
CN104732145A (en) * 2015-03-31 2015-06-24 北京奇虎科技有限公司 Parasitic course detection method and device in virtual machine
EP2955894A1 (en) * 2014-06-11 2015-12-16 Accenture Global Services Limited Deception network system
CN109271789A (en) * 2018-09-27 2019-01-25 珠海市君天电子科技有限公司 Malicious process detection method, device, electronic equipment and storage medium
CN111786964A (en) * 2020-06-12 2020-10-16 深信服科技股份有限公司 Network security detection method, terminal and network security equipment
CN113452717A (en) * 2021-07-02 2021-09-28 安天科技集团股份有限公司 Method and device for communication software safety protection, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination