CN114500038A - Network security detection method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number
CN114500038A
Application number
CN202210081681.3A
Authority
CN (China)
Legal status
Pending
Other languages
Chinese (zh)
Prior art keywords
detection, network security, task, detected, data
Inventors
黄磊, 李达, 薛聪明, 段彦忠, 刘涛, 罗玉超, 罗港辉, 王运, 庄驰
Current assignee
Sangfor Technologies Co Ltd
Original assignee
Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application discloses a network security detection method, a network security detection apparatus, an electronic device and a computer-readable storage medium. The method comprises the following steps: acquiring a plurality of preset detection rules; acquiring a rule selection instruction and determining a target detection rule among the preset detection rules according to that instruction; acquiring data to be detected; and performing security detection on the data to be detected based on the target detection rule to obtain a network security detection result. By presetting a plurality of detection rules and selecting the rule actually used according to a rule selection instruction, the method can flexibly and quickly change the network security detection rule in use and respond in time to a variety of attack patterns.

Description

Network security detection method and device, electronic equipment and readable storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a network security detection method, a network security detection apparatus, an electronic device, and a computer-readable storage medium.
Background
With the spread of internet technology and the growth of enterprises, enterprise network environments keep expanding and the problem of network security becomes ever more prominent. In the conventional approach to network attack detection, security researchers first analyze the characteristics of a network attack and write a network security detection model (that is, a detection rule); the model is then handed to software developers to be coded; finally, attack detection is realized by having the software delivery team deploy the program. This process requires the cooperation of several kinds of personnel, is complex, and gives a new network attack detection rule a long rollout cycle; it cannot modify the network security detection rules flexibly, and so cannot respond in time to an intruder's continually changing attack patterns.
Disclosure of Invention
In view of the above, an object of the present application is to provide a network security detection method, a network security detection apparatus, an electronic device and a computer-readable storage medium, which can flexibly and quickly modify a network security detection rule to be used.
In order to solve the above technical problem, the present application provides a network security detection method, including:
acquiring a plurality of preset detection rules;
acquiring a rule selection instruction, and determining a target detection rule in the preset detection rules according to the rule selection instruction;
acquiring data to be detected;
and carrying out security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
Optionally, the obtaining rule selection instruction includes:
and monitoring in real time a data interaction channel with the terminal, and acquiring the rule selection instruction sent by the terminal from the data interaction channel.
Optionally, the performing security detection on the data to be detected based on the target detection rule to obtain a network security detection result includes:
performing feature extraction processing on the data to be detected to obtain features to be detected;
and generating a detection task based on the target detection rule, and executing the detection task by using the to-be-detected features to obtain the network security detection result.
Optionally, the detection task includes an initial detection task and an associated analysis task;
the executing the detection task by using the feature to be detected to obtain the network security detection result includes:
determining corresponding target characteristics to be detected based on each initial detection task respectively;
respectively executing each initial detection task by using the target characteristics to be detected to obtain a first detection result;
and executing the correlation analysis task by using the first detection result to obtain the network security detection result.
Optionally, the detection task includes an initial detection task and an alarm elimination task;
the executing the detection task by using the feature to be detected to obtain the network security detection result includes:
executing the initial detection task by using the features to be detected to obtain a second detection result;
executing the alarm elimination task by using the second detection result to obtain an elimination detection result;
if the elimination detection result is hit, determining that the network security detection result is secure;
and if the elimination detection result is not hit, determining that the network security detection result is the second detection result.
Optionally, the detection task includes an initial detection task and a history association task;
the executing the detection task by using the feature to be detected to obtain the network security detection result includes:
executing the initial detection task by using the features to be detected to obtain a third detection result;
acquiring a historical detection result corresponding to the historical data; the historical data is context data of the data to be detected;
and executing the historical associated task by using the third detection result and the historical detection result to obtain the network security detection result.
Optionally, the method further comprises:
acquiring a code packet sent by a terminal, and generating a custom security detection task by using the code packet;
and executing the custom security detection task by using the data to be detected to obtain a custom network security detection result.
The application also provides a network security detection device, including:
the rule acquisition module is used for acquiring a plurality of preset detection rules;
the target determination module is used for acquiring a rule selection instruction and determining a target detection rule in the preset detection rules according to the rule selection instruction;
the data acquisition module is used for acquiring data to be detected;
and the security detection module is used for carrying out security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
The present application further provides an electronic device comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the network security detection method.
The present application also provides a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the network security detection method described above.
The network security detection method provided by the application obtains a plurality of preset detection rules; acquiring a rule selection instruction, and determining a target detection rule in preset detection rules according to the rule selection instruction; acquiring data to be detected; and carrying out safety detection on the data to be detected based on the target detection rule to obtain a network safety detection result.
Thus the method has a plurality of detection rules preset in advance, and different detection rules differ in detection mode, detection angle and other factors relevant to network security. By acquiring the rule selection instruction, the target detection rule can be determined, and the target detection rule is then used to perform security detection on the data to be detected, so that a network security detection result is obtained. By presetting a plurality of detection rules and selecting the rule actually used according to the rule selection instruction, the network security detection rule in use can be modified flexibly and quickly, and various attack patterns can be dealt with in time.
In addition, the application also provides a network security detection apparatus, an electronic device and a computer-readable storage medium, which have the same beneficial effects.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments or related technologies of the present application, the drawings needed to be used in the description of the embodiments or related technologies are briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a network security detection method according to an embodiment of the present disclosure;
fig. 2 is a flowchart of a specific network security detection method according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a network security detection apparatus according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a network security detection method according to an embodiment of the present disclosure.
The method comprises the following steps:
S101: acquiring a plurality of preset detection rules.
It should be noted that, in the present application, each step may be executed by a specific electronic device, for example a server with strong computing power; the number of devices is not limited: the steps may be executed by one electronic device alone, or completed cooperatively by multiple electronic devices, that is, different electronic devices execute different steps, so that between them all steps are executed.
The preset detection rule may be referred to as a network security detection model, and refers to a preset rule for detecting data to be detected to determine whether a network attack exists, and a specific form is not limited. In the application, in order to timely and flexibly replace the applicable detection rules, a plurality of preset detection rules can be obtained in advance and stored, the advance deployment of the preset detection rules is completed, and the rules can be directly called when needed, so that the flexible configuration and management of the rules can be realized.
The embodiment does not limit the specific obtaining manner of the preset detection rule, for example, the preset detection rule may be obtained by performing data interaction with a designated electronic device, where the designated electronic device may be a device that a user logs in, or may be an electronic device with a designated network address or a designated physical address.
It should be noted that this step may be performed once or more, for example, once during initialization of the server, or may be performed again during operation, so as to supplement or modify the preset detection rule.
S102: acquiring a rule selection instruction, and determining a target detection rule among the preset detection rules according to the rule selection instruction.
The rule selection instruction is an instruction for determining a currently used target detection rule from preset detection rules. Specifically, the rule selection instruction may include unique identification information of the target detection rule, and the unique identification information may be used to indicate the identity of the target detection rule, and may specifically be in the form of a serial number, a name, or the like. In general, the number of target detection rules is one, and may be more than one in a special scenario.
The rule selection instruction may be sent to the electronic device as the execution subject by a device such as a terminal operated by a user, and a generation process of the rule selection instruction is not limited, for example, the user may perform human-computer interaction with the device such as the terminal through an interaction component of the device such as the terminal, and the device such as the terminal obtains the unique identification information of the target detection rule through human-computer interaction, and encapsulates the unique identification information according to a preset message format to obtain the rule selection instruction.
By acquiring the rule selection instruction, the target detection rule can be selected flexibly and quickly, hot loading of the target detection rule is realized, no redeployment is needed when the rule changes, and an intruder's changing attack patterns can be responded to in time. In one embodiment, in order to speed up replacement of the target detection rule, a data interaction channel with the terminal may be monitored in real time, and the rule selection instruction sent by the terminal may be acquired from that channel. The terminal is the terminal operated by the user.
S103: acquiring data to be detected.
The data to be detected is the data that needs to be examined by the target detection rule; its specific type is not limited and may be, for example, network data, operating state data, log data and the like. The data to be detected may be obtained locally or from other electronic devices, for example from the terminal described above.
It should be noted that the execution timing of step S103 is not limited, and for example, the execution timing may be executed in parallel with step S101, or may be executed after step S102 is executed, and may be specifically set as needed.
S104: carrying out security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
After the target detection rule is determined, security detection is carried out on the data to be detected using the target detection rule, and the detection result obtained is the network security detection result. It can be understood that the security detection process may differ according to the target detection rule, and the type and content of the resulting network security detection result may differ accordingly. Specifically, the data to be detected is subjected to feature extraction to obtain the features to be detected; the specific feature extraction process is not limited and may be, for example, statistical feature extraction, data format encapsulation, invalid data filtering and the like. A detection task is then generated based on the target detection rule, and the detection task is executed using the features to be detected to obtain the network security detection result. Security detection of the data to be detected is completed by executing the detection task; a task may consist of numerical judgements, condition matching and the like, and the number of tasks and the priority relationships between them are not limited. The generation of detection tasks may follow the related art.
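The following is an added example, not code from the patent or from Sangfor, showing steps S101 to S104 as one small in-process pipeline: a store of preset rules keyed by a unique identifier, a rule selection instruction that is resolved against that store (unknown identifiers are rejected rather than silently ignored), statistical feature extraction over log lines, and a detection task generated from the selected rule. The rule identifiers, the log lines, the thresholds and the key=value log format are all constructed for the example.

```python
# Added example (not from the patent): S101-S104 as a small in-process pipeline.
# Rule ids, log lines and thresholds are constructed for illustration.
from collections import Counter

# S101: preset detection rules, stored ahead of time under unique identifiers.
PRESET_RULES = {
    "R-001": {"name": "ssh-bruteforce", "feature": "failed_logins_per_src",
              "op": ">=", "threshold": 3, "severity": "high"},
    "R-002": {"name": "port-sweep", "feature": "distinct_ports_per_src",
              "op": ">=", "threshold": 4, "severity": "medium"},
}

# Constructed "data to be detected": one key=value log line per event.
SAMPLE_LOGS = """\
src=10.0.0.5 dst=10.0.1.2 port=22 action=login_failed
src=10.0.0.5 dst=10.0.1.2 port=22 action=login_failed
src=10.0.0.5 dst=10.0.1.2 port=22 action=login_failed
src=10.0.0.9 dst=10.0.1.2 port=22 action=login_ok
src=10.0.0.7 dst=10.0.1.3 port=22 action=connect
src=10.0.0.7 dst=10.0.1.3 port=80 action=connect
src=10.0.0.7 dst=10.0.1.3 port=443 action=connect
src=10.0.0.7 dst=10.0.1.3 port=3389 action=connect
garbage line without fields
""".splitlines()

def select_rule(instruction: dict) -> dict:
    """S102: resolve a rule selection instruction, which carries the rule's unique
    id, against the preset rules. An unknown id raises instead of falling back,
    so a typo in an instruction cannot quietly disable detection."""
    rule_id = instruction.get("rule_id")
    if rule_id not in PRESET_RULES:
        raise KeyError(f"unknown detection rule id: {rule_id!r}")
    return {"id": rule_id, **PRESET_RULES[rule_id]}

def parse_line(line: str) -> dict:
    """Parse a 'k=v k=v' line; tokens without '=' are dropped (invalid data filtering)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields

def extract_features(lines: list) -> dict:
    """S104, feature extraction: statistical features keyed by source address."""
    failed = Counter()
    ports = {}
    for event in map(parse_line, lines):
        if "src" not in event:
            continue                      # no source: nothing to attribute
        if event.get("action") == "login_failed":
            failed[event["src"]] += 1
        ports.setdefault(event["src"], set()).add(event.get("port"))
    return {
        "failed_logins_per_src": dict(failed),
        "distinct_ports_per_src": {src: len(p) for src, p in ports.items()},
    }

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "==": lambda a, b: a == b}

def build_task(rule: dict):
    """S104, task generation: turn the rule into an executable numeric judgement."""
    compare = OPS[rule["op"]]
    def task(features: dict) -> list:
        per_src = features.get(rule["feature"], {})
        return [
            {"rule_id": rule["id"], "name": rule["name"], "severity": rule["severity"],
             "src": src, "value": value}
            for src, value in sorted(per_src.items())
            if compare(value, rule["threshold"])
        ]
    return task

def detect(instruction: dict, lines: list) -> list:
    """S102 to S104 in order: select the rule, extract features, run the generated task."""
    rule = select_rule(instruction)
    return build_task(rule)(extract_features(lines))

if __name__ == "__main__":
    print(detect({"rule_id": "R-001"}, SAMPLE_LOGS))
    # Switching rules is just a new instruction; nothing is redeployed.
    print(detect({"rule_id": "R-002"}, SAMPLE_LOGS))
```

Switching from R-001 to R-002 requires only a second instruction, which is the hot-loading property the text describes; the rule store and the feature extractor stay in place.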
In a first embodiment, the detection tasks include a plurality of initial detection tasks and associated analysis tasks. In this case, the corresponding target feature to be detected may be determined based on each initial detection task, where the target feature to be detected is a feature to be detected corresponding to the initial detection task, and each initial detection task is executed by using the target feature to be detected, so as to obtain first detection results, where each initial detection task corresponds to one first detection result, and the form and content of each first detection result may be different according to the type of the initial detection task. In this embodiment, the correlation analysis task may be executed by using the first detection result to obtain a network security detection result. Specifically, each initial detection task has an association relationship, the association relationship may be a priority relationship or other logical relationship, and when performing security detection, the association relationship is used to process the first detection result, so that each first detection result can be synthesized to perform overall evaluation on network security, and the accuracy and reliability of the network security detection result are improved.
In the second embodiment, anomalies that have already been detected a sufficient number of times, or that are recorded in a whitelist, need not be alarmed or recorded again, which raises the proportion of useful information in the alarms or records. Specifically, the detection task may include an initial detection task and an alarm elimination task. In this case the initial detection task is executed with the features to be detected to obtain a second detection result; the second detection result may be the first detection result of the first embodiment, or the network security detection result of the first embodiment. The alarm elimination task is then executed with the second detection result to obtain an elimination detection result. The alarm elimination task judges whether an anomaly should be ignored: when the second detection result indicates an anomaly, it may judge whether the same type of anomaly has already been detected, or alarmed after detection, a sufficient number of times, or whether that type of anomaly is recorded in a whitelist. If the elimination detection result is a hit, the anomaly is to be ignored, so the network security detection result is determined to be secure; if the elimination detection result is a miss, either no anomaly was detected or the anomaly does not need to be ignored, so the network security detection result is determined to be the second detection result.
In the third embodiment, in order to improve the accuracy and reliability of the network security detection result, the current detection and the previous detection result may be correlated to determine whether there is an abnormality from a large detection dimension. Specifically, the detection task may include an initial detection task and a history association task. And executing an initial detection task by using the characteristics to be detected to obtain a third detection result. And acquiring a historical detection result corresponding to the historical data, wherein the historical data is context data of the data to be detected, and therefore the historical association task can also be called a context association task. And executing the historical associated task by using the third detection result and the historical detection result to obtain a network security detection result.
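The three task combinations of the first, second and third embodiments above, as an added example that is not part of the patent: a correlation analysis task that synthesises the first results of several initial tasks using an ordering relation between them, an alarm elimination task backed by a whitelist and an alarm cap, and a history association task that attaches the earlier results for the same source. The task names, timestamps, whitelist entries, alarm cap and history records are constructed; the first results are taken as given rather than re-derived from logs.

```python
# Added example (not from the patent): correlation analysis, alarm elimination and
# history association over constructed first-level results.
from collections import Counter, defaultdict

# Constructed first detection results, one per (initial task, event); 't' is seconds.
FIRST_RESULTS = [
    {"task": "port_scan",   "src": "10.0.0.7", "t": 100, "hit": True},
    {"task": "exploit_sig", "src": "10.0.0.7", "t": 160, "hit": True},
    {"task": "exploit_sig", "src": "10.0.0.8", "t": 200, "hit": True},
    {"task": "port_scan",   "src": "10.0.0.8", "t": 260, "hit": True},  # wrong order: no chain
    {"task": "port_scan",   "src": "10.0.0.9", "t": 300, "hit": True},
    {"task": "exploit_sig", "src": "10.0.0.9", "t": 320, "hit": True},
]

# Association relationship between initial tasks: an ordered chain inside a time window.
CORRELATION_RULES = [
    {"name": "scan_then_exploit", "chain": ["port_scan", "exploit_sig"],
     "window": 120, "severity": "critical"},
]

WHITELIST = {("scan_then_exploit", "10.0.0.9")}   # constructed: an authorised scanner
MAX_ALARMS_PER_KEY = 2                            # after this many alarms, stop repeating

# Constructed historical detection results per source (the context data of embodiment 3).
HISTORY = {"10.0.0.7": [{"alert": "beacon_period", "t": 40}]}

def correlate(first_results, rules=CORRELATION_RULES):
    """Embodiment 1, correlation analysis task: a chain fires when its tasks hit for
    the same source, in order, each within the window of the previous hit."""
    by_src = defaultdict(list)
    for r in first_results:
        if r["hit"]:
            by_src[r["src"]].append(r)
    alerts = []
    for rule in rules:
        for src, results in sorted(by_src.items()):
            pos, last_t = 0, None
            for r in sorted(results, key=lambda x: x["t"]):
                in_window = last_t is None or r["t"] - last_t <= rule["window"]
                if r["task"] == rule["chain"][pos] and in_window:
                    pos, last_t = pos + 1, r["t"]
                    if pos == len(rule["chain"]):
                        alerts.append({"alert": rule["name"], "src": src,
                                       "t": r["t"], "severity": rule["severity"]})
                        break
    return alerts

def eliminate(second_result, counts, whitelist=WHITELIST, cap=MAX_ALARMS_PER_KEY):
    """Embodiment 2, alarm elimination task: a hit (whitelisted, or already alarmed
    'cap' times) yields 'secure'; a miss returns the second result unchanged.
    'counts' is the caller-owned alarm counter, so state is explicit."""
    key = (second_result["alert"], second_result["src"])
    if key in whitelist or counts[key] >= cap:
        return "secure"
    counts[key] += 1
    return second_result

def associate_history(third_result, history=HISTORY):
    """Embodiment 3, history association task: attach earlier results for the same
    source and mark the alert confirmed when that source was flagged before."""
    prior = history.get(third_result["src"], [])
    return dict(third_result, context=[p["alert"] for p in prior],
                stage="confirmed" if prior else "suspected")

def run(first_results, counts=None):
    """Chain the three tasks: correlate -> eliminate -> associate with history."""
    counts = Counter() if counts is None else counts
    final = []
    for second in correlate(first_results):
        kept = eliminate(second, counts)
        if kept == "secure":
            final.append({"src": second["src"], "result": "secure"})
        else:
            final.append(associate_history(kept))
    return final

if __name__ == "__main__":
    counts = Counter()
    for _ in range(3):          # the third run is suppressed by the alarm cap
        print(run(FIRST_RESULTS, counts))
```

The alarm counter is passed in rather than kept as module state so that the elimination task's behaviour across repeated runs is visible and testable; in a stream system the same counter would live in the engine's state store.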
In another embodiment, in order to further improve the flexibility of selecting security detection, a code packet sent by a terminal may be acquired, and a custom security detection task may be generated by using the code packet. The code packet comprises a self-defined detection rule, the self-defined detection rule is processed according to a preset task generation mode, a self-defined safety detection task can be obtained, and the specific type of the self-defined safety detection task is not limited. And executing the self-defined safety detection task by using the data to be detected to obtain a self-defined network safety detection result. By means of uploading the code packet, a user is allowed to self-define the detection rule, and the flexibility degree of safety detection is improved.
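An added example of turning an uploaded code packet into a custom security detection task; it is not the patent's or Sangfor's code. The packet format (a name plus Python source), the approval check against a digest allowlist, the required detect(features) entry point, and the in-process loading are all assumptions made for this example. Its point is the contract a practitioner would want around user-supplied detection code: verify the packet before it is loaded, reject a packet that does not expose the expected entry point, and isolate a failing packet so that it produces an error result instead of stopping the pipeline.

```python
# Added example (not from the patent): loading a user-supplied code packet as a
# custom detection task. Packet format, digest allowlist and the detect(features)
# entry-point contract are assumptions for this example.
import hashlib

# Constructed code packet, as a terminal might upload it.
CODE_PACKET = {
    "name": "custom_dns_label_length",
    "source": (
        "def detect(features):\n"
        "    # custom rule: sources whose average DNS label length exceeds 30 chars\n"
        "    hits = []\n"
        "    for src, avg in features.get('avg_dns_label_len', {}).items():\n"
        "        if avg > 30:\n"
        "            hits.append({'src': src, 'value': avg})\n"
        "    return hits\n"
    ),
}
# A constructed packet that fails at run time; the pipeline must survive it.
BROKEN_PACKET = {"name": "broken", "source": "def detect(features):\n    return 1 / 0\n"}

def digest(packet: dict) -> str:
    """Content digest of the packet source; the approval list is keyed on this."""
    return hashlib.sha256(packet["source"].encode("utf-8")).hexdigest()

# Digests an operator approved via the configuration interface (constructed here).
APPROVED = {digest(CODE_PACKET), digest(BROKEN_PACKET)}

def build_custom_task(packet: dict, approved=APPROVED):
    """Translate a code packet into a detection task. Load-time checks, in order:
    the packet is approved (content unchanged since approval), it compiles, and it
    defines a callable detect(features). Load-time failures raise, so a bad upload
    never reaches the stream."""
    if digest(packet) not in approved:
        raise PermissionError(f"code packet {packet['name']!r} is not approved")
    namespace = {}
    code = compile(packet["source"], f"<packet:{packet['name']}>", "exec")
    exec(code, namespace)  # assumption: a deployment would run packets in an isolated worker
    fn = namespace.get("detect")
    if not callable(fn):
        raise ValueError(f"code packet {packet['name']!r} must define detect(features)")

    def task(features: dict) -> dict:
        """Run the custom rule, isolating its failures and validating its output shape."""
        try:
            hits = fn(features)
        except Exception as exc:
            return {"rule": packet["name"], "status": "error", "reason": repr(exc), "hits": []}
        if not isinstance(hits, list) or not all(isinstance(h, dict) for h in hits):
            return {"rule": packet["name"], "status": "error",
                    "reason": "detect() must return a list of dicts", "hits": []}
        return {"rule": packet["name"], "status": "ok", "hits": hits}
    return task

# Constructed features to be detected.
FEATURES = {"avg_dns_label_len": {"10.0.0.5": 41.2, "10.0.0.6": 9.8}}

def run_custom(packets: list, features: dict = FEATURES) -> list:
    """Load every packet and execute it over the features; one result per packet."""
    return [build_custom_task(p)(features) for p in packets]

if __name__ == "__main__":
    for result in run_custom([CODE_PACKET, BROKEN_PACKET]):
        print(result)
```

A packet whose source differs from the approved content by even a comment fails the digest check, which is what makes the approval step meaningful; the error result for the broken packet carries the exception text so the operator can see why a custom rule produced nothing.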
After the network security detection result is obtained or the user-defined network security detection result is obtained, the network security detection result can be output, and the data can be in the form of alarm or log record generation and the like.
Referring to fig. 2, fig. 2 is a flowchart illustrating a specific network security detection method according to an embodiment of the present disclosure. It shows a network security detection system based on stream processing, comprising a network security detection model configuration and display subsystem, a translation subsystem, a data access subsystem, a streaming computing subsystem, a secondary detection subsystem, a correlation analysis subsystem, a result confirmation subsystem, an alarm reduction subsystem, a context association subsystem, an alarm output subsystem and a monitoring subsystem. The network security detection model configuration and display subsystem persistently stores the network security detection models (namely the preset detection rules) that the user configures on a web page; the translation subsystem, by monitoring the persistent storage and a specified file directory, translates a network security detection model into a task executable by the streaming computing subsystem, or packages user-defined code (namely a code packet) into such a task, and registers it with the streaming computing subsystem; the data access subsystem reads, in real time and in order, the original logs and the alarm logs submitted by the secondary detection subsystem, preprocesses them, converts them into events (namely data to be detected) and sends the events to the streaming computing subsystem; the streaming computing subsystem loads the tasks and code packets submitted by the translation subsystem, computes over the data submitted by the data access subsystem, and sends the detection result (the primary result) to the secondary detection subsystem and the correlation analysis subsystem; the secondary detection subsystem packages the primary result of the streaming computing subsystem into an alarm log and sends it to the data access subsystem;
the correlation analysis subsystem performs correlation analysis on the primary result according to the correlation analysis configuration of the network security detection model, generates a secondary result and sends it to the result confirmation subsystem; the result confirmation subsystem judges the attack effect of the secondary result according to the result analysis configuration of the model and generates a tertiary result; the alarm reduction subsystem reduces the tertiary result according to the alarm reduction configuration and the whitelist configuration of the model and generates a fourth-level result; the context association subsystem fills the fourth-level result with context information according to the alarm description configuration of the model and generates a fifth-level result; the alarm output subsystem packages the fifth-level result into an alarm and outputs it; the monitoring subsystem monitors in real time the running state of the translation, data access, streaming computing, secondary detection, correlation analysis, result confirmation, alarm reduction, context association and alarm output subsystems, and regulates task submission by the translation subsystem and log reading by the data access subsystem.
Specifically, the network security detection model configuration and display subsystem comprises a model display module, a model configuration module and a model storage module. The model display module comprises a set of operation interfaces for displaying the network security detection models set by the user, the operation records of those models, and the built-in data filtering operators and operator sets. Further, a network security detection model includes a correlation analysis configuration, a result analysis configuration, an alarm reduction configuration, a whitelist configuration, an alarm description configuration and a detection rule configuration. Further, the operation records of a network security detection model include, but are not limited to, record number, action, operator and time. Further, the built-in data filtering operators include, but are not limited to, a number operator, a string operator, a boolean operator, a set operator, an IP operator, an asset operator, a certificate operator, a machine learning operator, a deep learning operator, a new-occurrence operator and a rarity operator, and the set of built-in data filtering operators can be extended. Further, an operator set is a preset combination of built-in data filtering operators commonly used when configuring the detection rules of a network security detection model. The model configuration module implements addition, modification, deletion and recovery of deleted network security detection models. The model storage module persistently stores the network security detection models set by the user. Further, the persistent storage includes, but is not limited to, a file system, a database and network storage.
Based on the network security detection rule configuration and display subsystem, a user can configure a network security detection model in an operation interface, namely, a rule selection instruction is initiated to select a target detection rule (or called a target network security detection model), and the network security detection model configuration in a code-free mode is realized.
The translation subsystem comprises a model acquisition module, a semantic conversion module, a translation extension module and a task submission module. The model acquisition module obtains the network security detection model that needs translation; the ways of obtaining it include, but are not limited to, reading a persistently stored network security detection model from the model storage module of the network security detection model configuration and display subsystem, and reading a network security detection model from a preset file directory. The model acquisition module monitors in real time, in a listening mode, the change instructions (namely rule selection instructions) that select a network security detection model in the persistent storage or the file directory, and submits the network security detection model specified by the change instruction to the semantic conversion module in real time, thereby realizing hot loading of the network security detection model. The semantic conversion module translates the network security detection model into a semantic format that the streaming computing subsystem can recognize, and sends the translated model to the task submission module. The translation extension module lets user-defined code implement the computation logic of the streaming computing subsystem: it packages the user-defined code into a code packet that the streaming computing subsystem can recognize and sends it to the task submission module, realizing low-code configuration of the network security detection model.
The task submission module receives the translated network security detection model and the code packet submitted by the semantic conversion module and the translation extension module, packages them into tasks, and submits the tasks to the streaming computing subsystem.
The data access subsystem comprises a connection module, a data reading module, a data preprocessing module and a data sending module. The connection module establishes connections with data sources and can access the logs of several data sources at once; the data sources include, but are not limited to, Kafka, Elasticsearch, MongoDB, a file system and the secondary detection subsystem, and data source access is configurable and pluggable. The data reading module reads raw logs and alarm logs from the data sources in real time and sends them to the data preprocessing module. The raw logs include, but are not limited to, network flow logs, terminal operation logs and security logs. The data preprocessing module parses and enriches the logs to generate events, and supports user-defined code so that the raw-log parsing and enrichment logic can be customized. The data sending module packages the events generated by the data preprocessing module and sends them to the streaming computing subsystem.
The streaming computing subsystem comprises a streaming computing engine module and a result collection module. The streaming computing engine module loads the tasks submitted by the translation subsystem, computes over the events submitted by the data access subsystem and generates primary results. The streaming computing engine includes, but is not limited to, Siddhi, Flink, Storm, Spark Streaming and Esper, and engines can be plugged in and out. The result collection module collects the results computed by the streaming computing engine module and sends the primary results to the secondary detection subsystem and the association analysis subsystem.
The secondary detection subsystem receives the primary results of the streaming computing subsystem, stores them, packages them into alarm logs and sends the alarm logs to the data access subsystem, where they are read back as an alarm-log data source.
The association analysis subsystem parses the association analysis configuration of the network security detection model into association rules, each consisting of an association relation, association fields and a time limit. The association relations include, but are not limited to, any, sequence, scoring and all; the association fields include, but are not limited to, domain name, IP address, user name and asset ID. Within the time limit of an association rule, the subsystem correlates the primary results according to the association relation and the association fields, and sends the resulting secondary results to the result confirmation subsystem.
The result confirmation subsystem further judges and labels the credibility, attack stage and attack state of the secondary results according to the result analysis configuration of the network security detection model, generates tertiary results and sends them to the alarm reduction subsystem.
The alarm reduction subsystem reduces and filters the tertiary results according to the alarm reduction configuration and the whitelist configuration of the network security detection model. Alarm reduction strategies and alarm update rules can be set in the alarm reduction configuration. Whitelists for which no alarm is generated can be set in the whitelist configuration; whitelist entries include, but are not limited to, domain names, IP addresses, user names and asset IDs.
The context association subsystem analyzes the fourth-level results generated by the alarm reduction subsystem according to the alarm description configuration of the network security detection model and attaches evidence information and related-alarm information to them.
The alarm output subsystem comprises an alarm post-processing module and an output source connection module. The alarm post-processing module receives the fifth-level results generated by the context association subsystem and packages them into alarms in the alarm format configured by the user. The output source connection module establishes connections with external middleware and outputs the alarms. The external middleware includes, but is not limited to, RabbitMQ, Elasticsearch, MySQL and a file system.
The monitoring subsystem monitors, in real time, the detailed operating state of the translation subsystem, the data access subsystem, the streaming computing subsystem, the secondary detection subsystem, the association analysis subsystem, the result confirmation subsystem, the alarm reduction subsystem, the context association subsystem and the alarm output subsystem. It can count, in real time, the detection state of each network security detection model, the data distribution and data volume of raw logs and alarm logs, and the CPU and memory usage of each subsystem; it can compute the back pressure on each subsystem in real time according to the user configuration, and regulates the task submission of the translation subsystem and the log reading of the data access subsystem accordingly, so that every subsystem keeps running stably.
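The stages described above, from feature extraction through primary detection, association analysis and whitelist elimination to result confirmation, as an added Python example. It is not the patent's or Sangfor's code: the detection model, the four association relations (any, all, sequence, scoring), the field names and the log lines are all constructed for the example, and the streaming engine is replaced by a plain in-process loop so that it runs offline.

```python
"""Primary detection, association analysis, whitelist elimination and confirmation over
constructed log lines. Added illustration of the stages in the text, not the patent's code."""
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Preset detection models, keyed by the name a rule selection instruction would carry (assumed).
MODELS = {
    "brute_force_then_lateral": {
        "primary": [  # initial detection tasks: N matching events per key inside a window
            {"name": "ssh_fail_burst", "match": {"type": "auth", "result": "fail"},
             "key": "src", "threshold": 3, "window": 60},
            {"name": "smb_connect", "match": {"type": "net", "dport": "445"},
             "key": "src", "threshold": 1, "window": 60},
        ],
        "association": {"relation": "sequence", "field": "src", "time_limit": 300,  # seconds
                        "members": ["ssh_fail_burst", "smb_connect"]},
        "confirm": {"credibility": "high", "stage": "lateral-movement"},
    },
}
WHITELIST = {"src": {"10.0.0.5"}}  # constructed: an authorised vulnerability scanner
SAMPLE_LOGS = [  # constructed raw log lines: "<time> <type> k=v k=v ..."
    "2024-01-01T10:00:01Z auth src=10.1.1.7 user=bob result=fail",
    "2024-01-01T10:00:05Z auth src=10.1.1.7 user=bob result=fail",
    "2024-01-01T10:00:09Z auth src=10.1.1.7 user=bob result=fail",
    "2024-01-01T10:00:40Z net src=10.1.1.7 dst=10.1.2.9 dport=445",
    "2024-01-01T10:01:00Z net src=10.1.1.8 dst=10.1.2.9 dport=445",  # SMB before the failures
    "2024-01-01T10:01:10Z auth src=10.1.1.8 user=eve result=fail",
    "2024-01-01T10:01:12Z auth src=10.1.1.8 user=eve result=fail",
    "2024-01-01T10:01:14Z auth src=10.1.1.8 user=eve result=fail",
    "2024-01-01T10:02:01Z auth src=10.0.0.5 user=svc result=fail",  # whitelisted source
    "2024-01-01T10:02:02Z auth src=10.0.0.5 user=svc result=fail",
    "2024-01-01T10:02:03Z auth src=10.0.0.5 user=svc result=fail",
    "2024-01-01T10:02:30Z net src=10.0.0.5 dst=10.1.2.9 dport=445",
]

def extract_features(line: str) -> dict:
    """Data preprocessing: turn one raw line into the event fields the rules consume."""
    stamp, kind, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["type"] = kind
    ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return ev

class PrimaryTask:
    """Initial detection: fire when `threshold` matching events for one key fall inside `window`."""
    def __init__(self, spec: dict):
        self.spec, self.hits = spec, defaultdict(deque)  # key value -> timestamps in window
    def feed(self, ev: dict) -> Optional[dict]:
        s = self.spec
        if s["key"] not in ev or any(ev.get(k) != v for k, v in s["match"].items()):
            return None
        q = self.hits[ev[s["key"]]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > s["window"]:  # drop events that left the sliding window
            q.popleft()
        if len(q) < s["threshold"]:
            return None
        q.clear()  # report each burst once
        return {"rule": s["name"], "field": s["key"], "value": ev[s["key"]], "ts": ev["ts"]}

class AssociationTask:
    """Correlate primary results sharing an association field value within the time limit."""
    def __init__(self, spec: dict):
        self.spec, self.seen = spec, defaultdict(list)  # field value -> [(ts, rule)]
    def feed(self, pr: dict) -> Optional[dict]:
        s = self.spec
        if pr["field"] != s["field"] or pr["rule"] not in s["members"]:
            return None
        hist = self.seen[pr["value"]]
        hist.append((pr["ts"], pr["rule"]))
        hist[:] = [(t, r) for t, r in hist if pr["ts"] - t <= s["time_limit"]]  # expire old hits
        rules = [r for _, r in sorted(hist)]  # member rules in time order
        fired = {
            "any": lambda: True,
            "all": lambda: set(s["members"]) <= set(rules),
            "sequence": lambda: all(m in (it := iter(rules)) if False else m in it for m in s["members"]),
            "scoring": lambda: sum(s["weights"][r] for r in set(rules)) >= s["min_score"],
        }[s["relation"]]() if s["relation"] != "sequence" else _in_order(s["members"], rules)
        return {"field": s["field"], "value": pr["value"], "chain": rules, "ts": pr["ts"]} if fired else None

def _in_order(members: List[str], rules: List[str]) -> bool:
    """Sequence relation: every member appears, in the listed order (other rules may interleave)."""
    it = iter(rules)
    return all(m in it for m in members)

def whitelisted(result: dict, whitelist: Dict[str, set]) -> bool:
    return result["value"] in whitelist.get(result["field"], set())  # hit means judged safe

def run(model_name: str, lines: List[str], whitelist: Dict[str, set]) -> List[dict]:
    """Select the target rule by name, then stream every event through the stages."""
    model = MODELS[model_name]
    primaries = [PrimaryTask(p) for p in model["primary"]]
    assoc = AssociationTask(model["association"])
    alerts = []
    for ev in map(extract_features, lines):
        for task in primaries:
            pr = task.feed(ev)
            sec = assoc.feed(pr) if pr else None
            if sec and not whitelisted(sec, whitelist):
                alerts.append({**sec, **model["confirm"], "model": model_name})  # confirmation labels
    return alerts
```

run("brute_force_then_lateral", SAMPLE_LOGS, WHITELIST) yields one alert, for 10.1.1.7. Host 10.1.1.8 produces the same two primary results but in the wrong order, so the sequence relation does not fire; 10.0.0.5 fires but the whitelist hit eliminates it, and passing an empty whitelist returns two alerts. Note that the time limit is enforced by expiring history on every new primary result, so a slow attacker who spaces the two stages more than 300 s apart is not correlated by this rule.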
By applying the network security detection method provided by the embodiment of the application, a plurality of detection rules are preset in advance, and different detection rules differ in the mode and angle from which they detect network security threats. A target detection rule is determined from the rule selection instruction, and security detection is then performed on the data to be detected with that target detection rule to obtain a network security detection result. Because several detection rules are preset and the one actually used is chosen by the rule selection instruction, the network security detection rule in use can be changed flexibly and quickly, so that new attack modes can be dealt with in time.
In the following, the network security detection apparatus provided in the embodiment of the present application is introduced, and the network security detection apparatus described below and the network security detection method described above may be referred to correspondingly.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a network security detection apparatus according to an embodiment of the present application, including:
a rule obtaining module 110, configured to obtain a plurality of preset detection rules;
a target determining module 120, configured to obtain a rule selection instruction, and determine a target detection rule in preset detection rules according to the rule selection instruction;
a data obtaining module 130, configured to obtain data to be detected;
and a security detection module 140, configured to perform security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
Optionally, the target determining module 120 includes:
a real-time monitoring unit, configured to monitor in real time a data interaction channel with the terminal and to obtain from that channel the rule selection instruction sent by the terminal.
Optionally, the security detection module 140 includes:
the characteristic extraction unit is used for carrying out characteristic extraction processing on the data to be detected to obtain the characteristics to be detected;
and the detection unit is used for generating a detection task based on the target detection rule and executing the detection task by using the characteristics to be detected to obtain a network security detection result.
Optionally, the detection task includes an initial detection task and an associated analysis task;
a detection unit comprising:
the target data determining subunit is used for determining corresponding target characteristics to be detected based on each initial detection task;
the first initial detection subunit is used for respectively executing each initial detection task by using the target to-be-detected feature to obtain a first detection result;
and the association detection subunit is used for executing an association analysis task by using the first detection result to obtain a network security detection result.
Optionally, the detection task includes an initial detection task and an alarm elimination task;
a detection unit comprising:
the second initial detection subunit is used for executing an initial detection task by using the feature to be detected to obtain a second detection result;
the elimination detection subunit is used for executing the alarm elimination task by utilizing the second detection result to obtain an elimination detection result;
the first result determining subunit is used for determining that the network security detection result is safe if the elimination detection result is hit;
and the second result determining subunit is configured to determine that the network security detection result is the second detection result if the elimination detection result is a miss.
Optionally, the detection task includes an initial detection task and a history association task;
a detection unit comprising:
the third initial detection subunit is used for executing an initial detection task by using the feature to be detected to obtain a third detection result;
the history acquisition subunit is used for acquiring a history detection result corresponding to the history data; the historical data is context data of the data to be detected;
and the historical association detection subunit is used for executing the historical association task by using the third detection result and the historical detection result to obtain a network security detection result.
Optionally, the apparatus further comprises:
a custom task generating module, configured to obtain a code packet sent by the terminal and generate a custom security detection task from the code packet;
and a custom detection module, configured to execute the custom security detection task on the data to be detected to obtain a custom network security detection result.
In the following, the electronic device provided by the embodiment of the present application is introduced, and the electronic device described below and the network security detection method described above may be referred to correspondingly.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. Wherein the electronic device 100 may include a processor 101 and a memory 102, and may further include one or more of a multimedia component 103, an information input/information output (I/O) interface 104, and a communication component 105.
The processor 101 controls the overall operation of the electronic device 100 so as to complete all or part of the steps of the network security detection method; the memory 102 stores the various types of data that support operation of the electronic device 100, such as instructions for any application or method operating on the electronic device 100 and application-related data. The memory 102 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as one or more of static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
The multimedia component 103 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component outputs and/or inputs audio signals. For example, the audio component may include a microphone for receiving external audio signals; the received audio signal may further be stored in the memory 102 or transmitted through the communication component 105. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 104 provides an interface between the processor 101 and other interface modules such as a keyboard, mouse or buttons, where the buttons may be virtual or physical. The communication component 105 is used for wired or wireless communication between the electronic device 100 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, near field communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so the corresponding communication component 105 may include a Wi-Fi part, a Bluetooth part and an NFC part.
The electronic device 100 may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components, and is configured to perform the network security detection method of the above embodiments.
In the following, a computer-readable storage medium provided in an embodiment of the present application is introduced, and the computer-readable storage medium described below and the network security detection method described above may be referred to correspondingly.
The present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the network security detection method described above.
The computer-readable storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that relational terms such as first and second are used herein only to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Likewise, the terms "comprise", "include" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that includes a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article or apparatus.
The principle and the implementation of the present application are explained herein by applying specific examples, and the above description of the embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A network security detection method is characterized by comprising the following steps:
acquiring a plurality of preset detection rules;
acquiring a rule selection instruction, and determining a target detection rule in the preset detection rules according to the rule selection instruction;
acquiring data to be detected;
and carrying out security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
2. The network security detection method of claim 1, wherein the obtaining a rule selection instruction comprises:
monitoring, in real time, a data interaction channel with a terminal, and obtaining from the data interaction channel the rule selection instruction sent by the terminal.
3. The network security detection method according to claim 1, wherein the performing security detection on the data to be detected based on the target detection rule to obtain a network security detection result includes:
performing feature extraction processing on the data to be detected to obtain features to be detected;
and generating a detection task based on the target detection rule, and executing the detection task by using the features to be detected to obtain the network security detection result.
4. The network security detection method of claim 3, wherein the detection tasks include an initial detection task and an association analysis task;
the executing the detection task by using the feature to be detected to obtain the network security detection result includes:
determining corresponding target characteristics to be detected based on each initial detection task respectively;
respectively executing each initial detection task by using the target characteristics to be detected to obtain a first detection result;
and executing the correlation analysis task by using the first detection result to obtain the network security detection result.
5. The network security detection method according to claim 3, wherein the detection tasks include an initial detection task and an alarm elimination task;
the executing the detection task by using the feature to be detected to obtain the network security detection result includes:
executing the initial detection task by using the features to be detected to obtain a second detection result;
executing the alarm elimination task by using the second detection result to obtain an elimination detection result;
if the elimination detection result is hit, determining that the network security detection result is secure;
and if the elimination detection result is not hit, determining that the network security detection result is the second detection result.
6. The network security detection method according to claim 3, wherein the detection task includes an initial detection task and a history association task;
the executing the detection task by using the feature to be detected to obtain the network security detection result includes:
executing the initial detection task by using the features to be detected to obtain a third detection result;
obtaining a historical detection result corresponding to the historical data; the historical data is context data of the data to be detected;
and executing the historical associated task by using the third detection result and the historical detection result to obtain the network security detection result.
7. The network security detection method of claim 1, further comprising:
acquiring a code packet sent by a terminal, and generating a custom security detection task from the code packet;
and executing the custom security detection task on the data to be detected to obtain a custom network security detection result.
8. A network security detection apparatus, comprising:
the rule acquisition module is used for acquiring a plurality of preset detection rules;
the target determination module is used for acquiring a rule selection instruction and determining a target detection rule in the preset detection rules according to the rule selection instruction;
the data acquisition module is used for acquiring data to be detected;
and the security detection module is used for performing security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
9. An electronic device comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the network security detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the network security detection method according to any one of claims 1 to 7.
Priority, publication and family

Application CN202210081681.3A, priority date 2022-01-24, filing date 2022-01-24: Network security detection method and device, electronic equipment and readable storage medium. Published as CN114500038A (en) on 2022-05-13; legal status Pending. Family ID 81473776; country: CN.

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7408458B1 (en) * 2005-12-29 2008-08-05 At&T Corp. Method and apparatus for suppressing duplicate alarms
JP2009140455A (en) * 2007-12-11 2009-06-25 Yazaki Corp Operation history collection device, and abnormality cause analysis support system
CN105376245A (en) * 2015-11-27 2016-03-02 杭州安恒信息技术有限公司 Rule-based detection method of ATP attack behavior
CN105871571A (en) * 2015-01-20 2016-08-17 中国科学院上海高等研究院 Method and system for managing sensor network
CN108765362A (en) * 2017-04-20 2018-11-06 优信数享(北京)信息技术有限公司 A kind of vehicle checking method and device
US20190020669A1 (en) * 2017-07-11 2019-01-17 The Boeing Company Cyber security system with adaptive machine learning features
CN110334119A (en) * 2019-06-21 2019-10-15 腾讯科技(深圳)有限公司 A kind of data correlation processing method, device, equipment and medium
CN111414619A (en) * 2020-03-17 2020-07-14 深信服科技股份有限公司 Data security detection method, device, equipment and readable storage medium
US20200311261A1 (en) * 2019-03-27 2020-10-01 Webroot Inc. Behavioral threat detection virtual machine
US20200320986A1 (en) * 2017-11-27 2020-10-08 Xi'an Zhongxing New Software Co. Ltd. Smart control implementation method, device, and computer readable storage medium
WO2021120775A1 (en) * 2019-12-19 2021-06-24 中国银联股份有限公司 Method and device for detecting data abnormality
CN113179271A (en) * 2021-04-28 2021-07-27 深圳前海微众银行股份有限公司 Intranet security policy detection method and device
CN113343228A (en) * 2021-06-30 2021-09-03 北京天融信网络安全技术有限公司 Event credibility analysis method and device, electronic equipment and readable storage medium

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination