CN114465741A - Anomaly detection method and device, computer equipment and storage medium - Google Patents


Publication number: CN114465741A
Application number: CN202011237341.2A
Authority: CN (China)
Prior art keywords: information, characteristic information, sample, flow data, abnormal
Legal status: Granted; currently active
Other languages: Chinese (zh)
Other versions: CN114465741B (en)
Inventors: 张友旭, 于涛, 毕磊, 屈亚鑫
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN202011237341.2A; publication of CN114465741A; application granted; publication of CN114465741B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The embodiment of the application discloses an anomaly detection method, an anomaly detection device, computer equipment and a storage medium. The method acquires configuration information of a network port of a preset network card; acquires, based on the configuration information, flow data generated at the network port by script operation; analyzes the flow data to obtain flow information; extracts transmission characteristic information of the traffic data from the traffic information; matches the transmission characteristic information with sample characteristic information of a preset abnormal sample; and, when sample characteristic information successfully matched with the transmission characteristic information exists, determines that an abnormal script exists in the flow data and generates a log file corresponding to the abnormal script in the flow data, so that the accuracy and timeliness of abnormal detection are improved.

Description

Anomaly detection method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to an anomaly detection method and apparatus, a computer device, and a storage medium.
Background
WebShell is a command execution environment in the form of web page files such as asp, php, jsp or cgi, and is usually used by hackers as a backdoor tool after compromising a website server, with the purpose of obtaining execution authority on the server, such as executing system commands, stealing user data, deleting web pages and modifying homepages; its harm is self-evident. For example, an attacker can implant dynamic WebShell scripts (also called backdoors or trojans) into the website server by exploiting server vulnerabilities; the scripts are mixed with normal WEB page files in the WEB directory of the website server, and the attacker then accesses the uploaded WebShell script through a browser to obtain a command execution environment and thereby control the website server, so WebShells often pose great potential safety hazards to the server.
At present, in order to discover a WebShell in time and take corresponding countermeasures, the WebShell can be detected, and the detection can be performed by static detection or by log detection. Static detection searches for the WebShell by matching feature codes, dangerous functions and the like; because static detection can only find known WebShells, the false alarm rate of the detection result is high and the reliability is low, and the analysis can only be performed after the fact, so the timeliness of finding the WebShell is reduced. Log detection establishes a request model from a large number of web log files to detect the WebShell, but because log files generally record only a small amount of information such as Uniform Resource Locators (URLs) or Internet Protocol (IP) addresses, log detection is only effective when logs are abundant, so the detection accuracy is reduced, and again the analysis can only be performed afterwards, so the timeliness of finding the WebShell is reduced.
Disclosure of Invention
The embodiment of the application provides an anomaly detection method, an anomaly detection device, computer equipment and a storage medium, which can improve the accuracy and timeliness of anomaly detection.
In order to solve the above technical problem, an embodiment of the present application provides the following technical solutions:
the embodiment of the application provides an anomaly detection method, which comprises the following steps:
acquiring configuration information of a network port of a preset network card;
acquiring flow data generated by the network port based on script operation based on the configuration information;
analyzing the flow data to obtain flow information;
extracting transmission characteristic information of the traffic data from the traffic information;
matching the transmission characteristic information with sample characteristic information of a preset abnormal sample;
and when sample characteristic information successfully matched with the transmission characteristic information exists, determining that an abnormal script exists in the flow data, and generating a log file corresponding to the abnormal script existing in the flow data.
According to an aspect of the present application, there is also provided an abnormality detection apparatus including:
the first acquisition unit is used for acquiring configuration information of a network port of a preset network card;
a second obtaining unit, configured to obtain, based on the configuration information, traffic data that flows through the network port and is generated based on script operation;
the analysis unit is used for analyzing the flow data to obtain flow information;
an extraction unit, configured to extract transmission characteristic information of the traffic data from the traffic information;
the matching unit is used for matching the transmission characteristic information with sample characteristic information of a preset abnormal sample;
and the determining unit is used for determining that the abnormal script exists in the flow data and generating a log file corresponding to the abnormal script existing in the flow data when the sample characteristic information successfully matched with the transmission characteristic information exists.
According to an aspect of the present application, there is also provided a computer device, including a processor and a memory, where the memory stores a computer program, and the processor executes any one of the abnormality detection methods provided by the embodiments of the present application when calling the computer program in the memory.
According to an aspect of the present application, there is also provided a storage medium for storing a computer program, which is loaded by a processor to execute any one of the abnormality detection methods provided by the embodiments of the present application.
The method and device of the embodiments of the present application can obtain the configuration information of the network port of the preset network card, and obtain, based on the configuration information, the flow data generated at the network port by script operation; the traffic data may then be parsed to obtain traffic information, and transmission characteristic information of the traffic data may be extracted from the traffic information. At this time, the transmission characteristic information may be matched with sample characteristic information of a preset abnormal sample, and when sample characteristic information successfully matched with the transmission characteristic information exists, it is determined that an abnormal script exists in the flow data, and a log file corresponding to the abnormal script existing in the flow data is generated. According to the scheme, the flow data is accurately acquired through the configuration information, and whether an abnormal script exists is quickly determined from the matching result between the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample, so that the accuracy and timeliness of the abnormal detection are improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic view of a scenario in which an anomaly detection method provided in an embodiment of the present application is applied;
FIG. 2 is a schematic flow chart of an anomaly detection method according to an embodiment of the present application;
fig. 3 is a schematic diagram of a terminal and a server performing data interaction through a network according to an embodiment of the present application;
fig. 4 is a schematic diagram illustrating detection performed by a deployment proxy server according to an embodiment of the present application;
FIG. 5 is a schematic illustration of a configuration interface display provided by an embodiment of the present application;
FIG. 6 is another schematic illustration of a configuration interface display provided by an embodiment of the present application;
fig. 7 is a schematic diagram of a protocol format of an HTTP protocol provided in an embodiment of the present application;
FIG. 8 is another schematic flow chart diagram of an anomaly detection method according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a tree structure provided by an embodiment of the present application;
FIG. 10 is a diagram illustrating background processing of data provided by an embodiment of the present application;
FIG. 11 is a schematic illustration of a monitor interface display provided by an embodiment of the present application;
FIG. 12 is a schematic diagram of an anomaly detection apparatus provided in an embodiment of the present application;
fig. 13 is a schematic structural diagram of a computer device provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides an anomaly detection method and device, computer equipment and a storage medium.
Referring to fig. 1, fig. 1 is a schematic view of a scene of an application of an anomaly detection method provided in an embodiment of the present application, where the application of the anomaly detection method may include an anomaly detection device, the anomaly detection device may be specifically integrated in a computer device, and the computer device may be a terminal or a server, where the server may be an independent physical server, may also be a server cluster or a distributed system formed by a plurality of physical servers, and may also be a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, middleware service, a domain name service, a security service, a Content Delivery Network (CDN), and a big data and artificial intelligence platform, but is not limited thereto. The terminal can be a mobile phone, a tablet computer, a notebook computer, a desktop computer, a wearable device or the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
In short, the Database (Database) can be regarded as an electronic file cabinet, i.e., a place for storing electronic files, and a user can add, query, update, delete, etc. to data in the files. A "database" is a collection of data stored together in a manner that can be shared with multiple users, has as little redundancy as possible, and is independent of applications.
Cloud computing (cloud computing) is a computing model that distributes computing tasks over a pool of resources formed by a large number of computers, enabling various application systems to obtain computing power, storage space, and information services as needed. The network that provides the resources is referred to as the "cloud". Resources in the "cloud" appear to the user as being infinitely expandable and available at any time, available on demand, expandable at any time, and paid for on-demand.
A distributed cloud storage system (hereinafter, referred to as a storage system) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of different types in a network through application software or application interfaces to cooperatively work by using functions such as cluster application, grid technology, and a distributed storage file system, and provides a data storage function and a service access function to the outside.
A proxy service may be provided on the computer device, which may refer to a program running on the computer device. The computer equipment can be used for acquiring configuration information of a network port of a preset network card through proxy service and acquiring flow data generated by the network port based on script operation based on the configuration information; then analyzing the flow data to obtain flow information, and extracting transmission characteristic information of the flow data from the flow information; at this time, the transmission characteristic information can be matched with the sample characteristic information of the preset abnormal sample, and when the sample characteristic information successfully matched with the transmission characteristic information exists, the abnormal script of the flow data is determined, and a log file corresponding to the abnormal script of the flow data is generated. And at the moment, alarm information corresponding to the abnormal script of the flow data can be generated based on the log file, and the alarm information is output. Therefore, abnormal scripts can be found in time and corresponding measures can be taken, and information safety and cloud safety are improved.
Cloud Security (Cloud Security) is a generic term for security software, hardware, users, organizations and security cloud platforms applied on the basis of the cloud computing business model. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behavior judgment: abnormal monitoring of software behavior in the network is performed through a large number of meshed clients, the latest information on trojans and malicious programs in the internet is obtained and sent to the server side for automatic analysis and processing, and the virus and trojan solution is then distributed to each client (namely the client on the terminal).
It should be noted that the scenario diagram of the application of the anomaly detection method shown in fig. 1 is only an example, and the application of the anomaly detection method and the scenario described in the embodiment of the present application are for more clearly explaining the technical solution of the embodiment of the present application, and do not form a limitation on the technical solution provided in the embodiment of the present application.
The following are detailed below. It should be noted that the following description of the embodiments is not intended to limit the preferred order of the embodiments.
In the present embodiment, description will be made from the perspective of an abnormality detection apparatus, which may be specifically integrated in a computer device such as a server or a terminal.
Referring to fig. 2, fig. 2 is a schematic flow chart of an anomaly detection method according to an embodiment of the present application. The abnormality detection method may include:
s101, obtaining configuration information of a network port of a preset network card.
The type of the preset network card may be flexibly set according to actual needs, the preset network card may be a network card to be monitored, configuration information of a network port of the preset network card may be acquired through a preset proxy service, the proxy service may refer to a program running on a computer device, and the configuration information may include network card information, port information, a policy for acquiring traffic data (which may be referred to as a traffic filtering rule, for example, port information for capturing traffic data, and the like).
For example, as shown in fig. 3, data interaction may be performed between a terminal and a computer device such as a server through a network, and at this time, a network card on the terminal may be monitored to obtain configuration information of a network port of the network card, and traffic data flowing through the network port is obtained based on the configuration information. For another example, as shown in fig. 4, a proxy service (agent) may be deployed on a computer device such as a terminal in a local area network or a data center, for example on a physical machine, a virtual machine or a container of the computer device, and the abnormality detection method in the embodiment of the present application may be implemented by that agent: for example, the agent may capture traffic data of the terminal (which may be simply referred to as terminal traffic capture), then perform terminal traffic restoration analysis, feature matching and alarming, which will be described in detail below.
In one embodiment, the abnormality detection method may further include: displaying a configuration interface, wherein the configuration interface comprises an information input area and a confirmation control; and receiving the configuration information of the network port input in the information input area, responding to the trigger operation aiming at the confirmation control, and storing the configuration information of the network port into a configuration file.
In order to improve the convenience of acquiring the configuration information and improve the efficiency of abnormality detection, the configuration information can be configured in advance through a configuration interface. For example, as shown in fig. 5, a configuration interface may be displayed, where the configuration interface may include an information input area and a confirmation control, and may also include a cancel control or other content, and then may receive configuration information of a network port input by a user in the information input area, for example, configuration information such as network card information, port information, and a policy for acquiring traffic data may be input, and at this time, a trigger operation for the confirmation control may be responded, configuration of the configuration information may be completed, and the configuration information of the network port may be stored in a configuration file. When the configuration information of the network port needs to be acquired, the configuration file can be loaded, and the configuration information of the network port can be extracted from the configuration file.
In one embodiment, the abnormality detection method may further include: and displaying a configuration interface, wherein the configuration interface comprises an information input area, responding to the selection operation input in the information input area, displaying an information list, selecting the configuration information of the network port from the information list, and storing the configuration information of the network port into a configuration file. The obtaining of the configuration information of the network port of the preset network card may include: and extracting configuration information of the network port from the configuration file.
In order to improve the flexibility and convenience of acquiring the configuration information and improve the efficiency of abnormality detection, the configuration information can be configured in advance through a configuration interface. For example, as shown in fig. 6, a configuration interface may be displayed, where the configuration interface may include an information input area, and may also include other contents such as a confirmation control and a cancel control, and then an information list may be displayed in response to a selection operation input in the information input area, where the information list may include a plurality of pieces of selectable configuration information, for example, configuration information such as network card information, port information, and a policy for acquiring traffic data. At this time, a selection instruction input based on the displayed information list may be received, configuration information of the network port may be selected from the information list based on the selection instruction, and the configuration information of the network port may be stored in the configuration file after the configuration of the configuration information is completed. When the configuration information of the network port needs to be acquired, the configuration file can be loaded, and the configuration information of the network port can be extracted from the configuration file.
And S102, acquiring flow data generated by the network port based on script operation based on the configuration information.
The type of the script may be flexibly set according to actual needs, for example, based on port information carried in the configuration information, traffic data generated by running a specified network port corresponding to the port information based on the script may be captured. The traffic may refer to data traffic generated on the network by a device capable of connecting to the network, and the traffic data may refer to traffic data generated by incoming and outgoing traffic between the terminal and other network devices. The traffic may include north-south traffic, east-west traffic, and the like, and the north-south traffic may be traffic between the terminal and the data center, that is, traffic from a network entrance to the inside of the network; the east-west traffic may be traffic between servers and network traffic between different data centers, i.e. traffic within a cluster of servers that process data.
And S103, analyzing the flow data to obtain flow information.
The traffic data may exist in the form of data packets, and at this time the traffic data (i.e., the traffic data packets) may be analyzed (this may also be referred to as "restoration") to obtain the traffic information included in the traffic data. For example, the traffic data may be sequentially restored to link layer data, Internet Protocol (IP) layer data, transport layer data and application layer data, and then traffic information may be extracted from the application layer data, where the traffic information may include a request method, a Uniform Resource Locator (URL), the protocol version of the data transmission, and transmission characteristic information corresponding to the traffic data, and the transmission characteristic information may include a transmission function, a data encoding and decoding method, and the like.
In an embodiment, analyzing the traffic data to obtain the traffic information may include: extracting a preset character string from the flow data; and when the transmission protocol of the flow data is determined to be the target protocol based on the preset character string, analyzing the flow data according to the protocol format of the target protocol to obtain the flow information.
In order to improve the accuracy of analyzing the flow data, the flow data may be analyzed based on a protocol format, for example, a preset character string may be extracted from the flow data, the type, specific content, and the like of the preset character string may be flexibly set according to actual needs, the preset character string may be used to identify a protocol for data transmission, and a transmission protocol for the flow data may be determined based on the preset character string. When the transmission protocol of the traffic data is determined to be the target protocol based on the preset character string, the traffic data can be analyzed according to the protocol format of the target protocol to obtain the traffic information. The target Protocol may include a HyperText Transfer Protocol (HTTP), a Transmission Control Protocol (TCP), a User Datagram Protocol (UDP), and the like. Taking the HTTP protocol as an example, the traffic data may be analyzed according to a protocol format of the HTTP protocol, and the obtained analyzed data may include, as shown in fig. 7, a request line, a request header, request data (which may be referred to as payload data), and the like, where the request line may include a request method, a URL of the request, a protocol version, and the like, the request header may include a header field name, and the like, and the request data may include transmission characteristic information, and the like.
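Worked example of step S103 above: restoring a captured frame layer by layer to application-layer data, checking the preset character string to decide whether the transmission protocol is the target protocol (HTTP), and parsing the data by the HTTP protocol format into request line, request header and request data. This is an added example and not code from the patent or from its applicant; the frame bytes and the request are constructed for illustration, and the choice of the "HTTP/" token of the request line as the preset character string is an assumption of the example, since the patent does not name the string it uses.

```python
"""Restore a captured frame to application-layer data and parse it by the
HTTP request format (request line, request header, request data).

Added example, not code from the patent or from its applicant. The frame
bytes and the request below are constructed for illustration; the "preset
character string" that identifies HTTP is assumed to be the "HTTP/" token
of the request line, since the patent does not name the string it uses.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

HTTP_MARKER = b"HTTP/"          # assumed preset character string for the target protocol
ETH_HEADER_LEN = 14             # link layer: dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def application_layer(frame: bytes) -> Optional[bytes]:
    """Strip the link, IP and transport layers of an Ethernet/IPv4/TCP frame.

    Returns None for anything this example does not handle (non-IPv4, non-TCP,
    truncated frame) so the caller skips the packet rather than misparsing it.
    """
    if len(frame) < ETH_HEADER_LEN + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip_start = ETH_HEADER_LEN
    ihl = (frame[ip_start] & 0x0F) * 4              # IPv4 header length in bytes
    if frame[ip_start + 9] != IPPROTO_TCP:
        return None
    tcp_start = ip_start + ihl
    if len(frame) < tcp_start + 20:
        return None
    data_offset = (frame[tcp_start + 12] >> 4) * 4  # TCP header length in bytes
    return frame[tcp_start + data_offset:]


@dataclass
class TrafficInfo:
    """Traffic information extracted from application-layer data."""
    method: str
    url: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)
    payload: bytes = b""   # request data, where transmission features are looked for


def is_http(app_data: bytes) -> bool:
    """Target-protocol check on the preset character string in the first line."""
    first_line, _, _ = app_data.partition(b"\r\n")
    return HTTP_MARKER in first_line


def parse_http_request(app_data: bytes) -> Optional[TrafficInfo]:
    """Split HTTP application-layer data into request line, headers and payload."""
    if not is_http(app_data):
        return None
    head, sep, body = app_data.partition(b"\r\n\r\n")
    if not sep:
        return None                  # header block never terminated: incomplete capture
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None                  # malformed request line
    method, url, version = (p.decode("latin-1") for p in parts)
    headers: Dict[str, str] = {}
    for raw in lines[1:]:
        name, colon, value = raw.partition(b":")
        if not colon:
            return None              # header line without a colon
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit():
        body = body[: int(declared)]  # do not read past the declared request data
    return TrafficInfo(method, url, version, headers, body)


def build_frame(app_data: bytes) -> bytes:
    """Wrap application data in minimal Ethernet/IPv4/TCP headers (constructed input)."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    ip = bytearray(20)
    ip[0] = 0x45                     # version 4, IHL 5 (20 bytes)
    ip[9] = IPPROTO_TCP
    tcp = bytearray(20)
    tcp[12] = 0x50                   # data offset 5 (20 bytes)
    return eth + bytes(ip) + bytes(tcp) + app_data


# Constructed request in the layout of the patent's fig. 7; not a real capture.
SAMPLE_REQUEST = (
    b"POST /upload/img.php HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"user=alice&action=view"
)

if __name__ == "__main__":
    info = parse_http_request(application_layer(build_frame(SAMPLE_REQUEST)) or b"")
    print(info)
```

The parser returns None for anything that is not HTTP or is malformed, so a packet that fails the preset-string check (for instance a TLS record) is skipped instead of being matched against the sample features; the request data obtained here is the input to the feature matching of steps S104 and S105.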
And S104, extracting the transmission characteristic information of the flow data from the flow information.
After obtaining the traffic information, the transmission characteristic information of the traffic data may be extracted from the traffic information, and the transmission characteristic information may include a transmission function, a data encoding and decoding manner, and the like of the traffic data.
And S105, matching the transmission characteristic information with the sample characteristic information of the preset abnormal sample.
The preset abnormal sample can comprise a webshell script or other malicious scripts, the sample characteristic information can comprise a transmission function, a data encoding and decoding mode and the like of the abnormal sample, and the sample characteristic information of the preset abnormal sample can be obtained from a database or other storage spaces. For example, taking the "Chinese kitchen knife" client corresponding to a webshell as an example, php-type webshell traffic may include the following sample feature information: the eval function is used to execute the transmitted attack payload data, and the attack payload data is Base64-decoded through base64_decode($_POST[z0]) (because Chinese kitchen knife encodes the attack payload with Base64 by default to avoid detection), the encoded payload being carried in a request parameter of the form &z0=qgluv9zzzxq.
After the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample are obtained, the two can be matched through a multi-pattern matching algorithm such as Wu-Manber (WM) or an AC (Aho-Corasick) automaton. For example, the sample feature information may be loaded into an AC automaton, which stores the sample feature information in the form of a tree structure, and the transmission feature information and the sample feature information are then matched automatically by the AC automaton. For example, as shown in fig. 8, configuration information such as a designated network card to monitor (i.e. network card information of the network card to be monitored) and a traffic filtering rule (i.e. a policy for acquiring traffic data) may be preset and stored in a configuration file. The configuration file is then loaded, the sample feature information of the preset abnormal sample is acquired and loaded into the AC automaton, and traffic packets at the port of the network card are captured based on the configuration information in the configuration file. For each packet, whether its transmission protocol is HTTP is determined; when it is HTTP, the packet is parsed according to the protocol format of the HTTP protocol to extract the transmission feature information of the traffic data, and the transmission feature information is rule-matched against the sample feature information by the AC automaton. When matching succeeds, it is determined that an abnormal script exists in the flow data, a log file corresponding to the abnormal script existing in the flow data is generated, alarm information is output, and so on.
In one embodiment, the abnormality detection method may further include: constructing a tree structure, wherein the tree structure comprises at least one layer of storage space; and acquiring sample characteristic information of a preset abnormal sample, and loading the sample characteristic information into a storage space of a tree structure.
In order to improve the efficiency and accuracy of subsequent matching, the sample characteristic information of the preset abnormal sample can be stored in the form of a tree structure for multi-pattern matching. For example, as shown in fig. 9, a tree structure may be constructed that includes at least one layer of storage space; the number of layers and the specific structure of the tree may be set flexibly according to actual needs, for example the tree structure may be a Trie or a B-tree. Sample characteristic information of the preset abnormal sample, which may include several kinds of information, is obtained from a local database or a server and loaded into the storage space of the tree structure, for example with each item of sample characteristic information stored in its own storage space of the tree.
In an embodiment, matching the transmission characteristic information with the sample characteristic information of the preset abnormal sample and, when sample characteristic information successfully matched with the transmission characteristic information exists, determining that an abnormal script exists in the flow data may include: matching the transmission characteristic information with the sample characteristic information of the preset abnormal sample in the storage space of the tree structure based on a preset hierarchical order; and when sample characteristic information successfully matched with the transmission characteristic information exists in the storage space of the tree structure, determining that an abnormal script exists in the flow data.
Specifically, the transmission characteristic information of the traffic data may be matched with the sample characteristic information pre-loaded into the storage space of the tree structure, to determine whether the transmission characteristic information contains information consistent with the sample characteristic information; if so, a risk of a malicious script exists. To make matching more convenient and efficient, the matching may proceed through the storage spaces of the tree structure in a predetermined hierarchical order, which may be set flexibly according to actual needs, for example from the first layer to the last layer. For example, the transmission characteristic information may first be matched in a first storage space of the tree structure; when it is not matched there, a target pointer may be determined according to the transmission characteristic information and the matching continued in the second storage space that the target pointer points to, and so on as a multi-path search until the transmission characteristic information is matched or the whole tree structure has been traversed. When all hierarchies have been searched and no sample characteristic information in the storage spaces matches the transmission characteristic information, no sample characteristic information successfully matched with the transmission characteristic information exists in the storage space of the tree structure, and it can be determined that no abnormal script exists.
When sample characteristic information successfully matched with the transmission characteristic information exists in the storage space of the tree structure, it is determined that an abnormal script exists in the flow data.
S106, when sample characteristic information successfully matched with the transmission characteristic information exists, determining that an abnormal script exists in the flow data, and generating a log file corresponding to the abnormal script existing in the flow data.
When sample characteristic information successfully matched with the transmission characteristic information exists, it may be determined that an abnormal script exists in the flow data. At this time, a log file corresponding to the abnormal script may be generated: for example, a data identifier of the flow data (which uniquely identifies that flow data), the detection time, detection detail information, the URL, the detection result and the like are acquired, and the log file corresponding to the abnormal script is generated from the data identifier, the detection time, the detection detail information and the detection result. By capturing, restoring and analyzing the flow data and combining this with feature matching, the method and the device achieve real-time detection of webshells on the terminal and thereby safeguard the traffic.
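As an added example that is not part of the patent (which names no programming language), the following Python builds a Trie-based AC automaton from constructed sample feature strings, applies the preset-string HTTP check to constructed captured packets, matches the extracted transmission characteristic information against the automaton, and assembles the log record of step S106; the pattern strings, packet contents and field names are all assumptions.

```python
# Added example, not the patent's own code: a Trie-based Aho-Corasick (AC) automaton
# loaded with constructed webshell sample feature strings, run over the transmission
# features of a captured HTTP request, and the resulting log record of step S106.
from collections import deque
from datetime import datetime, timezone
import hashlib

# Constructed sample characteristic information (in practice loaded from a database/server).
SAMPLE_FEATURES = ["eval(base64_decode(", "@eval($_POST[", "php://input"]

# Constructed captured packets: an ordinary page request and one carrying a webshell command.
BENIGN_REQUEST = (b"GET /index.php?page=home HTTP/1.1\r\nHost: example.test\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")
ABNORMAL_REQUEST = (b"POST /uploads/img.php HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"a=@eval($_POST['x']);")


class ACAutomaton:
    """Multi-pattern matcher: sample strings stored in a trie with failure links."""

    def __init__(self, patterns):
        self.goto = [{}]  # per node: next character -> child node
        self.fail = [0]   # per node: longest proper suffix that is also a trie path
        self.out = [[]]   # per node: patterns that end at this node
        for p in patterns:
            self._insert(p)
        self._build_fail_links()

    def _insert(self, pattern):
        node = 0
        for ch in pattern:
            if ch not in self.goto[node]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[node][ch] = len(self.goto) - 1
            node = self.goto[node][ch]
        self.out[node].append(pattern)

    def _build_fail_links(self):
        queue = deque(self.goto[0].values())  # depth-1 nodes keep fail = root
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                # a node also emits every pattern its failure target emits
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, text):
        """Return (offset, pattern) for every occurrence of any pattern in text."""
        node, hits = 0, []
        for i, ch in enumerate(text):
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            hits.extend((i - len(p) + 1, p) for p in self.out[node])
        return hits


def parse_http_request(raw):
    """Parse only when the preset string 'HTTP/1.' identifies the target protocol; else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"url": parts[1].decode(errors="replace"), "headers": headers,
            "body": body.decode(errors="replace")}


def extract_features(request):
    """Transmission characteristic information: the fields the sample strings are matched against."""
    return {"url": request["url"],
            "user-agent": request["headers"].get("user-agent", ""),
            "body": request["body"]}


def detect(raw, automaton):
    """Parse, extract, match and build the log record for one captured packet."""
    request = parse_http_request(raw)
    if request is None:
        return None  # not the target protocol: nothing to inspect
    details = [{"field": field, "offset": off, "pattern": pat}
               for field, text in extract_features(request).items()
               for off, pat in automaton.search(text)]
    return {"data_id": hashlib.sha256(raw).hexdigest()[:16],  # uniquely identifies the flow data
            "detection_time": datetime.now(timezone.utc).isoformat(),
            "url": request["url"], "details": details,
            "result": "abnormal_script" if details else "normal"}


AUTOMATON = ACAutomaton(SAMPLE_FEATURES)
```

Calling `detect(ABNORMAL_REQUEST, AUTOMATON)` yields a record whose `details` name the matched field, offset and sample string, which is the detail information the log file and the later alarm are built from.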
For convenience of subsequently obtaining and displaying detection results of the traffic data according to actual demand, the data may be collected in the background. For example, as shown in fig. 10, when it is determined that an abnormal script exists in the traffic data, the traffic data may be collected by the lightweight log analysis module Filebeat, queued in the message middleware Kafka, processed in real time by the real-time processing service Flash/Spark, and stored respectively in a database DB and in the database of the distributed search service Elasticsearch. When related information of the traffic data needs to be displayed, the traffic data may be read from the database DB and analyzed to produce a time consumption distribution graph, a request quantity trend graph (i.e. the request quantity trend of the network port), a time consumption comparison graph, a time delay graph, queries per second (QPS), a multi-day time consumption comparison graph and other information; traffic data and related information may also be obtained from Elasticsearch and sent to data consumers such as technicians, operation and maintenance personnel, operators and merchants.
In one embodiment, the abnormality detection method may further include: generating alarm information corresponding to the abnormal script of the flow data based on the log file; and outputting alarm information.
In order to enable related personnel to know that the flow data has the abnormal script in time and take corresponding measures in time, after the flow data is determined to have the abnormal script, alarm information corresponding to the abnormal script of the flow data can be generated and output, for example, the alarm information corresponding to the abnormal script of the flow data can be generated based on information recorded in a log file, the form, specific content, output mode and the like of the alarm information can be flexibly set according to actual needs, for example, the alarm information can be displayed in a monitoring interface of the flow data, or the alarm information can be indicated through a buzzer, voice broadcast, indicator light flashing and other modes.
In one embodiment, outputting the alarm information may include: displaying a monitoring interface, wherein the monitoring interface comprises an information display area and a display control; and responding to the selection operation aiming at the display control, and displaying the alarm information in the information display area.
In order to improve the flexibility of outputting the alarm information, the alarm information may be displayed through a monitoring interface, for example, as shown in fig. 11, a monitoring interface may be displayed, the monitoring interface may include an information display area and a display control, and then the alarm information may be displayed in the information display area in response to a selection operation of the display control for the flow data that needs to be queried. The type of the display control can be flexibly set according to actual needs, for example, relevant information such as a detection time consumption distribution diagram, a request quantity trend diagram, a time consumption comparison diagram, a QPS and the like of flow data which needs to be inquired can be selected, an inquiry button (namely, the display control) is clicked, and alarm information is displayed in an information display area.
In the embodiment of the present application, configuration information of the network port of a preset network card can be obtained, and flow data generated by script operation at the network port can be obtained based on the configuration information; the flow data is then parsed to obtain flow information, and the transmission characteristic information of the flow data is extracted from the flow information. The transmission characteristic information is then matched with the sample characteristic information of the preset abnormal sample, and when sample characteristic information successfully matched with the transmission characteristic information exists, it is determined that an abnormal script exists in the flow data and a log file corresponding to the abnormal script is generated. In this scheme the flow data is accurately acquired through the configuration information, and whether an abnormal script exists is quickly determined from the matching result of the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample, so that the accuracy and timeliness of the abnormality detection are improved.
In order to better implement the abnormality detection method provided by the embodiment of the present application, the embodiment of the present application further provides a device based on the abnormality detection method. The terms are the same as those in the above-described abnormality detection method, and details of implementation may refer to the description in the method embodiment.
Referring to fig. 12, fig. 12 is a schematic structural diagram of an abnormality detection apparatus according to an embodiment of the present disclosure, where the abnormality detection apparatus may include a first obtaining unit 301, a second obtaining unit 302, an analyzing unit 303, an extracting unit 304, a matching unit 305, a determining unit 306, and the like.
The first obtaining unit 301 is configured to obtain configuration information of a network port of a preset network card.
A second obtaining unit 302, configured to obtain, based on the configuration information, traffic data generated based on script operation via the network port.
An analyzing unit 303 is configured to analyze the traffic data to obtain traffic information.
An extracting unit 304, configured to extract transmission characteristic information of the traffic data from the traffic information.
A matching unit 305, configured to match the transmission characteristic information with sample characteristic information of a preset abnormal sample.
And the determining unit 306 is configured to determine that an abnormal script exists in the flow data when sample feature information successfully matched with the transmission feature information exists, and generate a log file corresponding to the abnormal script in the flow data.
In one embodiment, the abnormality detection apparatus may further include:
a construction unit, configured to construct a tree structure, the tree structure comprising at least one layer of storage space;
and a loading unit, configured to acquire sample characteristic information of a preset abnormal sample and load the sample characteristic information into a storage space of the tree structure.
In an embodiment, the matching unit 305 may specifically be configured to: and matching the transmission characteristic information with sample characteristic information of preset abnormal samples of the storage space in the tree structure based on the preset hierarchical sequence.
The determining unit 306 may specifically be configured to: when sample characteristic information successfully matched with the transmission characteristic information exists in the storage space of the tree structure, determine that an abnormal script exists in the flow data.
In an embodiment, the parsing unit 303 may specifically be configured to: extracting a preset character string from the flow data; and when the transmission protocol of the flow data is determined to be the target protocol based on the preset character string, analyzing the flow data according to the protocol format of the target protocol to obtain the flow information.
In one embodiment, the abnormality detection apparatus may further include:
the first display unit is used for displaying a configuration interface, and the configuration interface comprises an information input area and a confirmation control;
the response unit is used for receiving the configuration information of the network port input in the information input area, responding to the trigger operation aiming at the confirmation control and storing the configuration information of the network port into a configuration file; or responding to the selection operation input in the information input area, displaying the information list, selecting the configuration information of the network port from the information list, and storing the configuration information of the network port into the configuration file. The first obtaining unit 301 may specifically be configured to: and extracting configuration information of the network port from the configuration file.
In one embodiment, the abnormality detection apparatus may further include:
the generating unit is used for generating alarm information corresponding to the abnormal script of the flow data based on the log file;
and the output unit is used for outputting the alarm information.
In an embodiment, the output unit may be specifically configured to: displaying a monitoring interface, wherein the monitoring interface comprises an information display area and a display control; and responding to the selection operation aiming at the display control, and displaying the alarm information in the information display area.
In the embodiment of the application, the first obtaining unit 301 may obtain the configuration information of the network port of the preset network card, and the second obtaining unit 302 may obtain the flow data generated by the network port based on the script operation based on the configuration information; the traffic data may then be parsed by the parsing unit 303 to obtain traffic information, and the transmission characteristic information of the traffic data may be extracted from the traffic information by the extracting unit 304. At this time, the matching unit 305 may match the transmission characteristic information with the sample characteristic information of the preset abnormal sample, and when there is sample characteristic information successfully matched with the transmission characteristic information, the determining unit 306 may determine that an abnormal script exists in the flow data, and generate a log file corresponding to the abnormal script. According to the scheme, the flow data is accurately acquired through the configuration information, and whether the abnormal script exists or not is quickly determined based on the matching result of the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample, so that the accuracy and timeliness of the abnormal detection are improved.
An embodiment of the present application further provides a computer device. Fig. 13 shows a schematic structural diagram of the computer device according to the embodiment of the present application; specifically:
the computer device may include components such as a processor 401 of one or more processing cores, memory 402 of one or more computer-readable storage media, a power supply 403, and an input unit 404. Those skilled in the art will appreciate that the computer device configuration illustrated in FIG. 13 is not meant to be limiting of the computer device, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 401 is the control center of the computer device: it connects the various parts of the entire computer device through various interfaces and lines, and performs the various functions of the computer device and processes data by running or executing software programs and/or modules stored in the memory 402 and calling data stored in the memory 402, thereby monitoring the computer device as a whole. Optionally, processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor, which mainly handles the operating system, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may also not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by running the software programs and modules stored in the memory 402. The memory 402 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like, and the data storage area may store data created according to use of the computer device, and the like. Further, the memory 402 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 with access to the memory 402.
The computer device further comprises a power supply 403 for supplying power to the various components, and preferably, the power supply 403 is logically connected to the processor 401 via a power management system, so that functions of managing charging, discharging, and power consumption are implemented via the power management system. The power supply 403 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
The computer device may also include an input unit 404, the input unit 404 being operable to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the computer device may further include a display unit and the like, which are not described in detail herein. Specifically, in this embodiment, the processor 401 in the computer device loads the executable file corresponding to the process of one or more application programs into the memory 402 according to the following instructions, and the processor 401 runs the application programs stored in the memory 402, thereby implementing various functions as follows:
acquiring configuration information of a network port of a preset network card; acquiring flow data generated by a network port based on script operation based on the configuration information; analyzing the flow data to obtain flow information; extracting transmission characteristic information of flow data from the flow information; matching the transmission characteristic information with sample characteristic information of a preset abnormal sample; and when sample characteristic information successfully matched with the transmission characteristic information exists, determining that an abnormal script exists in the flow data, and generating a log file corresponding to the abnormal script existing in the flow data.
In one embodiment, the processor 401 may be configured to perform: constructing a tree structure, wherein the tree structure comprises at least one layer of storage space; and acquiring sample characteristic information of a preset abnormal sample, and loading the sample characteristic information into a storage space of a tree structure.
In an embodiment, when matching the transmission characteristic information with sample characteristic information of a preset abnormal sample and, when sample characteristic information successfully matched with the transmission characteristic information exists, determining that an abnormal script exists in the flow data, the processor 401 may be configured to: match the transmission characteristic information with the sample characteristic information of the preset abnormal sample in the storage space of the tree structure based on a preset hierarchical order; and when sample characteristic information successfully matched with the transmission characteristic information exists in the storage space of the tree structure, determine that an abnormal script exists in the flow data.
In an embodiment, when analyzing the traffic data to obtain the traffic information, the processor 401 may be configured to perform: extracting a preset character string from the flow data; and when the transmission protocol of the flow data is determined to be the target protocol based on the preset character string, analyzing the flow data according to the protocol format of the target protocol to obtain the flow information.
In one embodiment, the processor 401 may be configured to perform: displaying a configuration interface, wherein the configuration interface comprises an information input area and a confirmation control; receiving configuration information of the network port input in the information input area, responding to the trigger operation aiming at the confirmation control, and storing the configuration information of the network port into a configuration file; or responding to the selection operation input in the information input area, displaying an information list, selecting the configuration information of the network port from the information list, and storing the configuration information of the network port into a configuration file; when obtaining the configuration information of the network port of the preset network card, the processor 401 may be configured to: and extracting configuration information of the network port from the configuration file.
In one embodiment, the processor 401 may be configured to perform: generating alarm information corresponding to the abnormal script of the flow data based on the log file; and outputting alarm information.
In one embodiment, when outputting the alarm information, the processor 401 may be configured to perform: displaying a monitoring interface, wherein the monitoring interface comprises an information display area and a display control; and responding to the selection operation aiming at the display control, and displaying the alarm information in the information display area.
In the above embodiments, the descriptions of the embodiments have respective emphasis, and parts that are not described in detail in a certain embodiment may refer to the above detailed description of the abnormality detection method, and are not described herein again.
In the embodiment of the present application, configuration information of the network port of a preset network card can be obtained, and flow data generated by script operation at the network port can be obtained based on the configuration information; the flow data is then parsed to obtain flow information, and the transmission characteristic information of the flow data is extracted from the flow information. The transmission characteristic information is then matched with the sample characteristic information of the preset abnormal sample, and when sample characteristic information successfully matched with the transmission characteristic information exists, it is determined that an abnormal script exists in the flow data and a log file corresponding to the abnormal script existing in the flow data is generated. In this scheme the flow data is accurately acquired through the configuration information, and whether an abnormal script exists is quickly determined from the matching result of the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample, so that the accuracy and timeliness of the abnormality detection are improved.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations of the above embodiments.
It will be understood by those skilled in the art that all or part of the steps of the methods of the embodiments described above may be performed by computer instructions, or by computer instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor. To this end, the present application provides a storage medium, in which a computer program is stored, where the computer program may include computer instructions, and the computer program can be loaded by a processor to execute any one of the abnormality detection methods provided by the present application.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
Wherein the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium can execute the steps in any of the abnormality detection methods provided in the embodiments of the present application, the beneficial effects that can be achieved by any of the abnormality detection methods provided in the embodiments of the present application can be achieved, which are detailed in the foregoing embodiments and will not be described again here.
The foregoing describes in detail an anomaly detection method, an anomaly detection apparatus, a computer device, and a storage medium provided in the embodiments of the present application, and specific examples are applied herein to explain the principles and implementations of the present application, and the descriptions of the foregoing embodiments are only used to help understand the methods and core ideas of the present application; meanwhile, for those skilled in the art, according to the idea of the present application, the specific implementation manner and the application scope may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. An abnormality detection method characterized by comprising:
acquiring configuration information of a network port of a preset network card;
acquiring flow data generated by the network port based on script operation based on the configuration information;
analyzing the flow data to obtain flow information;
extracting transmission characteristic information of the traffic data from the traffic information;
matching the transmission characteristic information with sample characteristic information of a preset abnormal sample;
and when sample characteristic information successfully matched with the transmission characteristic information exists, determining that an abnormal script exists in the flow data, and generating a log file corresponding to the abnormal script existing in the flow data.
2. The abnormality detection method according to claim 1, characterized in that the abnormality detection method further comprises:
constructing a tree structure, wherein the tree structure comprises at least one layer of storage space;
and acquiring sample characteristic information of a preset abnormal sample, and loading the sample characteristic information into a storage space of the tree structure.
3. The anomaly detection method according to claim 2, wherein the matching of the transmission characteristic information with sample characteristic information of a preset anomaly sample, and when there is sample characteristic information successfully matched with the transmission characteristic information, the determining that the traffic data has an anomaly script comprises:
matching the transmission characteristic information with sample characteristic information of a preset abnormal sample of a storage space in the tree structure based on a preset hierarchical sequence;
and when sample characteristic information successfully matched with the transmission characteristic information exists in a storage space in the tree structure, determining that an abnormal script exists in the flow data.
4. The anomaly detection method according to claim 1, wherein said analyzing said traffic data to obtain traffic information comprises:
extracting a preset character string from the flow data;
and when the transmission protocol of the flow data is determined to be a target protocol based on the preset character string, analyzing the flow data according to the protocol format of the target protocol to obtain flow information.
5. The abnormality detection method according to claim 1, characterized in that the abnormality detection method further comprises:
displaying a configuration interface, wherein the configuration interface comprises an information input area and a confirmation control;
receiving configuration information of the network port input in the information input area, responding to the trigger operation aiming at the confirmation control, and storing the configuration information of the network port into a configuration file; or,
responding to the selection operation input in the information input area, displaying an information list, selecting the configuration information of the network port from the information list, and storing the configuration information of the network port into a configuration file;
the acquiring configuration information of the network port of the preset network card includes: and extracting the configuration information of the network port from the configuration file.
6. The abnormality detection method according to any one of claims 1 to 5, characterized in that the abnormality detection method further comprises:
generating alarm information corresponding to the abnormal script of the flow data based on the log file;
and outputting the alarm information.
7. The abnormality detection method according to claim 6, wherein said outputting the alarm information includes:
displaying a monitoring interface, wherein the monitoring interface comprises an information display area and a display control;
and responding to the selection operation aiming at the display control, and displaying the alarm information in the information display area.
8. An anomaly detection device, comprising:
a first acquisition unit, configured to acquire configuration information of a network port of a preset network card;
a second acquisition unit, configured to acquire, based on the configuration information, traffic data that flows through the network port and is generated by script operation;
an analysis unit, configured to parse the traffic data to obtain traffic information;
an extraction unit, configured to extract transmission characteristic information of the traffic data from the traffic information;
a matching unit, configured to match the transmission characteristic information against sample characteristic information of preset abnormal samples; and
a determining unit, configured to determine that an abnormal script exists in the traffic data when sample characteristic information that successfully matches the transmission characteristic information exists, and to generate a log file corresponding to the abnormal script in the traffic data.
9. A computer device comprising a processor and a memory, the memory storing a computer program, wherein the processor, when calling the computer program in the memory, executes the anomaly detection method of any one of claims 1 to 7.
10. A storage medium storing a computer program which, when loaded by a processor, performs the anomaly detection method of any one of claims 1 to 7.
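The pipeline that claims 1 to 8 describe (read port configuration from a configuration file, recognise the target protocol from a preset string, parse the traffic, extract transmission characteristics, match them against sample characteristics of abnormal samples, emit a log record and an alarm), as an added worked example that is not the patent's code or Tencent's implementation. Everything concrete here is an assumption: the JSON layout of the configuration file, HTTP/1.x as the target protocol with "HTTP/1." as the preset string, the three webshell-style signatures standing in for the patent's unpublished abnormal-sample set, and the two constructed requests.

```python
# Added example in the shape of claims 1-8 of CN114465741A. Not the patent's code;
# config layout, protocol marker, feature names and signatures are all assumptions.
import json
import re
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

# Claim 5: the configuration file holding the network port configuration
# (hypothetical JSON layout, constructed for this example).
CONFIG_FILE_TEXT = json.dumps({"network_card": "eth0", "port": 8080})

# Claim 4: preset character string that identifies the target protocol.
# Assumption: target protocol is HTTP/1.x, recognised by the version token.
TARGET_PROTOCOL_MARKER = b"HTTP/1."

# Claims 1/8: sample characteristic information of preset abnormal samples.
# Constructed webshell-style signatures; the patent does not publish its own.
ABNORMAL_SAMPLES = (
    {"name": "php-eval-base64", "field": "body",
     "pattern": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)},
    {"name": "chopper-style-eval-param", "field": "body",
     "pattern": re.compile(r"(?:^|&)[A-Za-z0-9_]{1,20}=@?eval\(", re.I)},
    {"name": "cmd-query-parameter", "field": "query",
     "pattern": re.compile(r"(?:^|&)cmd=", re.I)},
)


def load_port_config(config_text: str) -> dict:
    """First acquisition unit: extract the port configuration from the config file."""
    cfg = json.loads(config_text)
    return {"network_card": cfg["network_card"], "port": int(cfg["port"])}


def is_target_protocol(raw: bytes) -> bool:
    """Claim 4: decide the protocol from the preset string in the request line."""
    request_line = raw.split(b"\r\n", 1)[0]
    return TARGET_PROTOCOL_MARKER in request_line


def parse_http(raw: bytes) -> dict:
    """Analysis unit: parse the raw bytes by the HTTP request format into traffic information."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode("latin-1")}


def extract_features(traffic_info: dict) -> dict:
    """Extraction unit: transmission characteristic information used for matching.
    Query and body are URL-decoded so percent-encoded payloads cannot dodge the signatures."""
    parts = urlsplit(traffic_info["target"])
    return {"method": traffic_info["method"], "path": parts.path,
            "query": unquote_plus(parts.query), "body": unquote_plus(traffic_info["body"]),
            "user_agent": traffic_info["headers"].get("user-agent", "")}


def match_samples(features: dict) -> list:
    """Matching unit: names of the abnormal samples whose characteristic info matches."""
    return [s["name"] for s in ABNORMAL_SAMPLES
            if s["pattern"].search(features.get(s["field"], ""))]


def detect(raw: bytes, port_config: dict) -> Optional[dict]:
    """Determining unit: a log record when an abnormal script is present, else None."""
    if not is_target_protocol(raw):
        return None  # not the target protocol: the claim parses only the target format
    features = extract_features(parse_http(raw))
    matched = match_samples(features)
    if not matched:
        return None
    return {"network_card": port_config["network_card"], "port": port_config["port"],
            "method": features["method"], "path": features["path"], "matched": matched}


def build_alarm(log_record: dict) -> str:
    """Claim 6: alarm information generated from the log record."""
    return (f"ALERT abnormal script on {log_record['network_card']}:{log_record['port']} "
            f"{log_record['method']} {log_record['path']} "
            f"matched={','.join(log_record['matched'])}")


# Constructed sample traffic: a China-Chopper-style POST and a benign GET.
WEBSHELL_REQUEST = (
    b"POST /upload/img.php HTTP/1.1\r\nHost: victim.example\r\n"
    b"User-Agent: Mozilla/5.0\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 70\r\n\r\n"
    b"pass=%40eval%28base64_decode%28%22c3lzdGVtKCdpZCcpOw%3D%3D%22%29%29%3B"
)
BENIGN_REQUEST = (b"GET /index.html?page=2 HTTP/1.1\r\nHost: victim.example\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    cfg = load_port_config(CONFIG_FILE_TEXT)
    for raw in (BENIGN_REQUEST, WEBSHELL_REQUEST):
        record = detect(raw, cfg)
        print(build_alarm(record) if record else "no abnormal script")
```

Two caveats a practitioner would add before deploying anything of this shape: signature matching on decoded fields only catches payload forms already in the sample set (a webshell that ships its code in a cookie, a multipart part, or under a further layer of encoding needs its own sample), and the capture point has to see plaintext, so traffic behind TLS must be inspected at the server or a terminating proxy rather than on the wire.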
CN202011237341.2A 2020-11-09 2020-11-09 Abnormality detection method, abnormality detection device, computer equipment and storage medium Active CN114465741B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011237341.2A CN114465741B (en) 2020-11-09 2020-11-09 Abnormality detection method, abnormality detection device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011237341.2A CN114465741B (en) 2020-11-09 2020-11-09 Abnormality detection method, abnormality detection device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114465741A (en) 2022-05-10
CN114465741B (en) 2023-09-26

Family

ID=81403793

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011237341.2A Active CN114465741B (en) 2020-11-09 2020-11-09 Abnormality detection method, abnormality detection device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114465741B (en)

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547207A (en) * 2009-05-07 2009-09-30 杭州迪普科技有限公司 Protocol identification control method and equipment based on application behavior mode
CN102567419A (en) * 2010-12-31 2012-07-11 中国银联股份有限公司 Mass data storage device and method based on tree structure
CN103188112A (en) * 2011-12-28 2013-07-03 阿里巴巴集团控股有限公司 Network flow detection method and network flow detection device
CN105812196A (en) * 2014-12-30 2016-07-27 中国移动通信集团公司 WebShell detection method and electronic device
CN106453438A (en) * 2016-12-23 2017-02-22 北京奇虎科技有限公司 Network attack identification method and apparatus
CN107294982A (en) * 2017-06-29 2017-10-24 深信服科技股份有限公司 Webpage back door detection method, device and computer-readable recording medium
CN107634931A (en) * 2016-07-18 2018-01-26 深圳市深信服电子科技有限公司 Processing method, cloud server, gateway and the terminal of abnormal data
CN107689940A (en) * 2016-08-04 2018-02-13 深圳市深信服电子科技有限公司 WebShell detection method and device
CN108040036A (en) * 2017-11-22 2018-05-15 江苏翼企云通信科技有限公司 A kind of industry cloud Webshell safety protecting methods
CN108206802A (en) * 2016-12-16 2018-06-26 华为技术有限公司 The method and apparatus for detecting webpage back door
CN109309591A (en) * 2018-10-31 2019-02-05 掌阅科技股份有限公司 Data on flows statistical method, electronic equipment and storage medium
CN109450842A (en) * 2018-09-06 2019-03-08 南京聚铭网络科技有限公司 A kind of network malicious act recognition methods neural network based
CN109495521A (en) * 2019-01-18 2019-03-19 新华三信息安全技术有限公司 A kind of anomalous traffic detection method and device
CN109525558A (en) * 2018-10-22 2019-03-26 深信服科技股份有限公司 Leaking data detection method, system, device and storage medium
CN110096872A (en) * 2018-01-30 2019-08-06 中国移动通信有限公司研究院 The detection method and server of homepage invasion script attack tool
CN110855661A (en) * 2019-11-11 2020-02-28 杭州安恒信息技术股份有限公司 WebShell detection method, device, equipment and medium
CN110868431A (en) * 2019-12-24 2020-03-06 华北电力大学 Network flow abnormity detection method
US20200089877A1 (en) * 2016-06-16 2020-03-19 Nippon Telegraph And Telephone Corporation Malicious event detection device, malicious event detection method, and malicious event detection program
CN111884876A (en) * 2020-07-22 2020-11-03 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for detecting protocol type of network protocol

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116170352A (en) * 2023-02-01 2023-05-26 北京首都在线科技股份有限公司 Network traffic processing method and device, electronic equipment and storage medium
CN116366346A (en) * 2023-04-04 2023-06-30 中国华能集团有限公司北京招标分公司 DNS traffic reduction method
CN116366346B (en) * 2023-04-04 2024-03-22 中国华能集团有限公司北京招标分公司 DNS traffic reduction method

Also Published As

Publication number Publication date
CN114465741B (en) 2023-09-26

Similar Documents

Publication Publication Date Title
US20200052983A1 (en) Data leakage protection in cloud applications
CN101605074B (en) Method and system for monitoring Trojan Horse based on network communication behavior characteristic
US9208309B2 (en) Dynamically scanning a web application through use of web traffic information
CN112383546A (en) Method for processing network attack behavior, related device and storage medium
CN111400722B (en) Method, apparatus, computer device and storage medium for scanning small program
CN111221625B (en) File detection method, device and equipment
CN105376251A (en) Intrusion detection method and intrusion detection system based on cloud computing
CN103593613A (en) Method, terminal, server and system for computer virus detection
CN111338893A (en) Process log processing method and device, computer equipment and storage medium
CN114465741B (en) Abnormality detection method, abnormality detection device, computer equipment and storage medium
CN107168844B (en) Performance monitoring method and device
CN111787030A (en) Network security inspection method, device, equipment and storage medium
CN111404937B (en) Method and device for detecting server vulnerability
CN113810408A (en) Network attack organization detection method, device, equipment and readable storage medium
CN104539449B (en) A kind of failure information processing method and relevant apparatus
CN111177623A (en) Information processing method and device
CN103036895B (en) A kind of status tracking method and system
CN113778709B (en) Interface calling method, device, server and storage medium
CN115484326A (en) Method, system and storage medium for processing data
CN103457771A (en) Method and device for HA virtual machine cluster management
CN111385293B (en) Network risk detection method and device
CN111176782B (en) Online experiment method and device
CN116074280A (en) Application intrusion prevention system identification method, device, equipment and storage medium
CN110837612B (en) Uniform Resource Identifier (URI) data acquisition method and device and storage medium
Sharma et al. A Graph Database-Based Method for Network Log File Analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant