CN114598615B - Firewall abnormality monitoring method, device, equipment and medium - Google Patents


Info

Publication number
CN114598615B
Authority
CN
China
Prior art keywords
firewall
data packets
refused
accessed
abnormal
Legal status
Active
Application number
CN202210223961.3A
Other languages
Chinese (zh)
Other versions
CN114598615A (en)
Inventor
魏坤
张博文
谢诗阳
秦建华
曾祥坤
王尹哲
邹进
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Application filed by Agricultural Bank of China
Priority to CN202210223961.3A
Publication of CN114598615A
Application granted
Publication of CN114598615B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/14 Arrangements for monitoring or testing data switching networks using software, i.e. software packages
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a firewall anomaly monitoring method. The method obtains the number of data packets received by the firewall within a preset time and the number of data packets the firewall refused access within that time, calculates the ratio of refused packets to received packets, and, when both the number of refused packets and the ratio exceed preset thresholds, performs abnormal point detection by a machine learning method; whether the firewall is abnormal is then determined from the abnormal point detection result. Monitoring of firewall abnormality is thereby realized, and because abnormal point detection is run as soon as the ratio exceeds the preset threshold, the abnormality is handled as early as possible and the loss it causes is prevented from growing.

Description

Firewall abnormality monitoring method, device, equipment and medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a computer readable storage medium for monitoring firewall anomalies.
Background
A firewall is a network security device in a network system that isolates two network domains and may act as a protective barrier between an intranet and an extranet, or between different network partitions. When the firewall is abnormal, normal access between the internal and external networks or between different network partitions may be interrupted, and the firewall can no longer isolate them, so that services become abnormal.
Conventionally, firewall abnormality is addressed by checking the script of a configuration change before it is applied and predicting whether the change will cause an abnormality; in practice, however, many problems cannot be predicted this way, so a firewall abnormality is not detected in time.
Therefore, there is a need for a method for monitoring the abnormality of a firewall.
Disclosure of Invention
The application provides an anomaly monitoring method for a firewall. The method monitors the firewall state and finds abnormal conditions in time so that they can be handled. The application also provides a device, equipment and a medium corresponding to the method.
In a first aspect, the present application provides a method for monitoring firewall anomalies, the method including:
acquiring the number of data packets received by the firewall in a preset time and the number of data packets refused access by the firewall in the preset time, where the number of data packets received by the firewall includes the number of data packets refused access by the firewall;
calculating, from the number of data packets received by the firewall and the number of data packets refused access by the firewall, the ratio of the number of data packets refused access to the number of data packets received by the firewall;
when the number of data packets refused access and the ratio exceed preset thresholds, detecting abnormal points by a machine learning method;
and determining whether the firewall is abnormal according to the abnormal point detection result.
In some possible implementations, the abnormal point detection result is used to determine whether a connectivity configuration change error of the firewall has occurred, or specifically which firewall has a connectivity configuration change error.
In some possible implementations, the method includes:
when the abnormal point detection result indicates that the firewall is abnormal, sending the abnormal point detection result to an alarm system.
In some possible implementations, the method includes:
when the abnormal point detection result indicates that the firewall is abnormal, carrying out automatic configuration rollback.
In some possible implementations, detecting abnormal points by a machine learning method when the number of data packets refused access and the ratio exceed the preset thresholds includes:
when the number of data packets refused access and the ratio exceed the preset thresholds, detecting abnormal points by a machine learning method based on the number of data packets received by the firewall, the number of data packets refused access by the firewall and a configuration change issuing record, where the abnormal point detection result is used to determine whether the connectivity configuration of the firewall has been changed in error, or specifically which firewall has had its connectivity configuration changed in error.
In some possible implementations, obtaining the number of data packets received by the firewall in the preset time and the number of data packets refused access by the firewall in the preset time includes:
acquiring the number of data packets received by the firewall in unit time and the number of data packets refused access by the firewall in unit time.
In a second aspect, the present application provides a device for monitoring firewall anomalies, including:
an obtaining module, used to obtain the number of data packets received by the firewall in a preset time and the number of data packets refused access by the firewall in the preset time, where the number of data packets received by the firewall includes the number of data packets refused access by the firewall;
a calculation module, used to calculate, from the number of data packets received by the firewall and the number of data packets refused access by the firewall, the ratio of the number of data packets refused access to the number of data packets received by the firewall;
a detection module, used to detect abnormal points by a machine learning method when the number of data packets refused access and the ratio exceed preset thresholds;
and a judging module, used to determine whether the firewall is abnormal according to the abnormal point detection result.
In some possible implementations, the abnormal point detection result is used to determine whether a connectivity configuration change error of the firewall has occurred, or specifically which firewall has a connectivity configuration change error.
In some possible implementations, the apparatus further includes an alert module for:
when the abnormal point detection result indicates that the firewall is abnormal, sending the abnormal point detection result to an alarm system.
In some possible implementations, the apparatus further includes a rollback module for:
when the abnormal point detection result indicates that the firewall is abnormal, carrying out automatic configuration rollback.
In some possible implementations, the detection module is specifically configured to:
when the number of data packets refused access and the ratio exceed the preset thresholds, detect abnormal points by a machine learning method based on the number of data packets received by the firewall, the number of data packets refused access by the firewall and a configuration change issuing record, where the abnormal point detection result is used to determine whether the connectivity configuration of the firewall has been changed in error, or specifically which firewall has had its connectivity configuration changed in error.
In some possible implementations, the obtaining module is specifically configured to:
acquire the number of data packets received by the firewall in unit time and the number of data packets refused access by the firewall in unit time.
In a third aspect, the present application provides an apparatus comprising a processor and a memory. The processor and the memory communicate with each other. The processor is configured to execute instructions stored in the memory to cause the apparatus to perform a method of monitoring for firewall anomalies as in the first aspect or any implementation of the first aspect.
In a fourth aspect, the present application provides a computer readable storage medium, where instructions are stored to instruct a device to execute the method for monitoring firewall anomalies according to the first aspect or any implementation manner of the first aspect.
In a fifth aspect, the present application provides a computer program product comprising instructions which, when run on a device, cause the device to perform the method of monitoring for firewall anomalies described in the first aspect or any implementation of the first aspect.
Further combinations of the present application may be made to provide further implementations based on the implementations provided in the above aspects.
From the above technical solutions, the embodiments of the present application have the following advantages:
the application provides a firewall anomaly monitoring method which obtains the number of data packets received by a firewall in a preset time and the number of data packets refused access, calculates from these the ratio of the number of refused data packets to the total number of data packets received by the firewall, performs anomaly point detection by a machine learning method when the number of refused data packets and the ratio exceed preset thresholds, and determines whether the firewall is abnormal according to the anomaly point detection result.
Therefore, the electronic device can determine the ratio from the number of data packets received by the firewall and the number of data packets refused access in the preset time, and decide from that ratio whether to start abnormal point detection, so that the firewall function is monitored. Because the electronic device detects abnormal points by a machine learning method, it can quickly determine whether the firewall is abnormal and what type of abnormality is present, execute the corresponding function, and so recover from the abnormality quickly.
Drawings
In order to more clearly illustrate the technical method of the embodiments of the present application, the drawings required for the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
Fig. 1 is a flow chart of a method for monitoring firewall anomalies according to an embodiment of the present application;
Fig. 2 is a line graph of the density amount per unit time and the density ratio per unit time according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a method for monitoring firewall anomalies according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a firewall anomaly monitoring device according to an embodiment of the present application.
Detailed Description
The embodiments of the present application will be described below with reference to the drawings.
The terms "first", "second" in embodiments of the application are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature.
Some technical terms related to the embodiments of the present application will be described first.
A firewall is a network security device in a network system that isolates two network domains and may act as a protective barrier between an intranet and an extranet, or between different network partitions. The firewall's functions rely on its connectivity policy configuration: the isolation function depends on the configured connectivity policies, a single firewall needs a large number of them, and an incorrect configuration may interrupt normal service access between an intranet and an extranet or between different network partitions, resulting in abnormal service.
Conventionally, before a configuration is changed, the script of the configuration change can be checked to predict whether the change will cause an abnormality; in practice, however, many problems exist that cannot be predicted, so a firewall abnormality cannot be detected in time.
In view of this, the present application provides a method for monitoring firewall anomalies, which can be performed by an electronic device. The electronic device refers to a device having data processing capabilities, and may be, for example, a server, or a terminal. The terminal includes, but is not limited to, an identification system, a smart phone, a tablet computer, a notebook computer, a personal digital assistant (personal digital assistant, PDA), etc. The server may be a cloud server, for example, a central server in a central cloud computing cluster, or an edge server in an edge cloud computing cluster. Of course, the server may also be a server in a local data center. The local data center refers to a data center directly controlled by a user.
Specifically, the electronic device obtains the number of data packets received by the firewall in a preset time and the number of data packets refused access, calculates from these the ratio of the number of refused data packets to the total number of data packets received by the firewall, performs outlier detection by a machine learning method when the number of refused data packets and the ratio exceed preset thresholds, and determines whether the firewall is abnormal according to the outlier detection result.
Therefore, the electronic device can determine the ratio from the number of data packets received by the firewall and the number of data packets refused access in the preset time, and decide from that ratio whether to start abnormal point detection, so that the firewall function is monitored.
Because the electronic device detects abnormal points by a machine learning method, it can quickly determine whether the firewall is abnormal and what type of abnormality is present, execute the corresponding function, and so recover from the abnormality quickly.
In order to facilitate understanding, a method for monitoring firewall anomalies provided by the embodiment of the application is specifically described below with reference to the accompanying drawings.
Referring to the flowchart of a method for monitoring firewall anomalies shown in Fig. 1, the method comprises:
S102: the electronic device acquires the number of data packets received by the firewall in a preset time and the number of data packets refused access by the firewall in the preset time.
The number of packets received by the firewall includes the number of packets that the firewall denies access to.
In normal firewall operation, the data received by the firewall is generally of two types: traffic that conforms to the pass policy, which the firewall passes; and traffic that does not conform to the pass policy, which the firewall refuses. A network access is typically described by five elements: source IP, destination IP, source port, destination port and protocol. When working normally, the firewall matches this five-tuple against the configured access policy to decide whether the access is allowed through.
The inventors have found that the accesses a firewall allows and denies show regularity over a period. Specifically, the number of data packets the firewall refuses within a preset time, and the ratio of that number to the total number of received data packets, are regular. Taking the preset time as the unit time, which is usually one week or one day, the number of data packets refused access by the firewall in unit time is recorded as the density amount in unit time, and the share of that number in the number of data packets received by the firewall in the same unit time is the density ratio in unit time; the density amount in unit time is thus obtained and the density ratio in unit time calculated.
S104: the electronic device calculates, from the number of data packets received by the firewall and the number of data packets refused access by the firewall, the ratio of the number of refused data packets to the number of received data packets.
Within the preset time, the ratio of the number of data packets refused access by the firewall to the number of data packets received is regular under normal conditions, so this ratio can be calculated from the two counts and used for a preliminary judgement.
Specifically, the density amount in unit time and the number of data packets received by the firewall in unit time are obtained, and the density ratio in unit time is calculated. In some possible implementations, the electronic device may periodically log in to the monitored firewall, query the data amounts, and so obtain the number of data packets received by the firewall in the preset time and the number of data packets the firewall refused access in the preset time. In other possible implementations, the electronic device may obtain these two numbers from another device.
The electronic device periodically logs in to the firewall, sends it a query for the number of data packets received in the preset time and the number of data packets refused access, and then calculates the ratio of the number of data packets refused access to the number of data packets received by the firewall.
S106: when the number of data packets refused access and the ratio exceed the preset thresholds, the electronic device detects abnormal points by a machine learning method.
In some possible implementations, the electronic device may also plot a line graph of the density amount per unit time and the density ratio per unit time, as shown in Fig. 2, from which the preset thresholds for the number of denied data packets and for the density ratio are obtained, and on which abnormal situations can be discovered visually.
When the number of data packets refused access and the ratio exceed the preset thresholds, the electronic device can detect abnormal points by a machine learning method based on the number of data packets received by the firewall, the number of data packets refused access by the firewall and the configuration change issuing record.
The number of data packets, the ratio and the configuration change issuing record of the firewall under normal working conditions can be used as samples with a normal label, and the same quantities under abnormal working conditions as samples with an abnormal label, for training, so that an abnormal point detection model is obtained. Given the number of data packets refused access, the ratio and the configuration change issuing record as input, the abnormal point detection model can judge which abnormal condition is present, for example whether the connectivity configuration of the firewall has been changed in error, or which firewall has had its connectivity configuration changed in error.
S108: the electronic device determines whether the firewall is abnormal according to the abnormal point detection result.
The abnormal point detection result is used to determine whether the connectivity configuration of the firewall has been changed in error, and specifically which firewall was changed in error. Specifically, the electronic device can combine the line graph of the density amount and density ratio in unit time, the abnormality alarm and the configuration change issuing record to quickly judge whether the abnormality was caused by an abnormal firewall policy configuration and to quickly locate the firewall on which the abnormality occurred.
S110: when the abnormal point detection result indicates that the firewall is abnormal, the electronic device sends the abnormal point detection result to the alarm system.
In some possible implementations, when the abnormal point detection result indicates that the firewall is abnormal, the electronic device may send the result to the alarm system to report the firewall abnormality, so as to avoid greater loss.
S112: when the abnormal point detection result indicates that the firewall is abnormal, the electronic device performs automatic configuration rollback.
In other possible implementations, when the abnormal point detection result indicates that the firewall is abnormal, the electronic device performs automatic configuration rollback to realize automatic recovery. The electronic device can trigger automatic rollback of the configuration in a one-key emergency mode, or bypass the firewall, to complete rapid recovery from the fault.
S110 and S112 are optional steps: when an abnormality is determined, the electronic device may alarm or roll back to solve the problem. The electronic device may also execute S110 and S112 together, triggering automatic rollback of the configuration while alerting, so that the abnormality is recovered as soon as possible.
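The following is an added worked example of the S102 to S112 pipeline described above; it is not code from the patent or from the assignee. It assumes a median/MAD outlier score in place of the unspecified trained model, that the counters are read per unit-time window, and constructed firewall names, counters and change identifiers.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Sample:
    firewall: str   # which firewall the counters were read from (constructed names below)
    period: int     # index of the unit-time window, e.g. the day number
    received: int   # packets the firewall received in the window
    denied: int     # packets the firewall refused in the window; a subset of received


@dataclass(frozen=True)
class ConfigChange:
    firewall: str   # firewall the change was issued to
    period: int     # window in which the change was issued
    change_id: str  # identifier of the change in the issuing record (constructed)


def denied_ratio(s: Sample) -> float:
    """Share of received packets the firewall refused (the 'ratio' of the description)."""
    if s.received <= 0 or s.denied < 0 or s.denied > s.received:
        raise ValueError(f"inconsistent counters for {s.firewall}: {s}")
    return s.denied / s.received


def exceeds_thresholds(s: Sample, max_denied: int, max_ratio: float) -> bool:
    """Stage 1 gate (S106): both the denied count and the ratio must exceed their thresholds."""
    return s.denied > max_denied and denied_ratio(s) > max_ratio


def robust_z(value: float, history: List[float]) -> float:
    """Median/MAD score, used here as a stand-in for the unspecified trained model (assumption)."""
    if len(history) < 3:
        raise ValueError("need at least 3 baseline windows")
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0.0:
        # flat baseline: any deviation at all is treated as an outlier
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad   # scaled to be comparable with a Gaussian z-score


def detect_outlier(current: Sample, baseline: List[Sample],
                   changes: List[ConfigChange], z_limit: float = 3.5) -> Dict[str, object]:
    """Stage 2: score the denied count and ratio against this firewall's own history and
    correlate an outlier with the configuration change issuing record (S106/S108)."""
    own = [b for b in baseline if b.firewall == current.firewall]
    z_denied = robust_z(float(current.denied), [float(b.denied) for b in own])
    z_ratio = robust_z(denied_ratio(current), [denied_ratio(b) for b in own])
    is_outlier = z_denied > z_limit and z_ratio > z_limit
    # A change issued to this firewall in the same or the preceding window is the suspect.
    suspects = [c.change_id for c in changes
                if c.firewall == current.firewall
                and current.period - 1 <= c.period <= current.period]
    return {
        "firewall": current.firewall,
        "period": current.period,
        "outlier": is_outlier,
        "z_denied": z_denied,
        "z_ratio": z_ratio,
        "config_change_error": is_outlier and bool(suspects),
        "suspect_changes": suspects if is_outlier else [],
    }


def monitor(current: Sample, baseline: List[Sample], changes: List[ConfigChange],
            max_denied: int, max_ratio: float) -> Dict[str, object]:
    """Whole pipeline: gate (S106), outlier detection (S108), then the actions of S110/S112."""
    if not exceeds_thresholds(current, max_denied, max_ratio):
        return {"firewall": current.firewall, "period": current.period,
                "outlier": False, "config_change_error": False,
                "suspect_changes": [], "actions": []}
    result = detect_outlier(current, baseline, changes)
    actions: List[str] = []
    if result["outlier"]:
        actions.append("alarm")                      # S110: notify the alarm system
        if result["config_change_error"]:            # S112: roll back the suspect change
            actions.append("rollback:" + ",".join(result["suspect_changes"]))
    result["actions"] = actions
    return result


# Constructed sample data (not from the patent): 14 ordinary daily windows for one
# firewall, a bad day on which about 30% of traffic is refused instead of about 2%,
# and the change-issuing record for that day.
BASELINE = [Sample("fw-a", d, 1_000_000 + 5_000 * (d % 3), 20_000 + 400 * (d % 4))
            for d in range(1, 15)]
BAD_DAY = Sample("fw-a", 15, 1_010_000, 303_000)
QUIET_DAY = Sample("fw-a", 15, 1_010_000, 21_000)
CHANGES = [ConfigChange("fw-a", 15, "CHG-0042"), ConfigChange("fw-b", 15, "CHG-0043")]
MAX_DENIED, MAX_RATIO = 50_000, 0.05   # preset thresholds, chosen for the sample data

if __name__ == "__main__":
    print(monitor(BAD_DAY, BASELINE, CHANGES, MAX_DENIED, MAX_RATIO))
    print(monitor(QUIET_DAY, BASELINE, CHANGES, MAX_DENIED, MAX_RATIO))
```

The baseline window must hold samples from the same firewall only; scoring against a pooled history would hide a single device whose normal ratio differs from its neighbours.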
Based on the above description, the present application provides a method for monitoring firewall anomalies as shown in Fig. 3: an electronic device may periodically query the density amount of a monitored network device (firewall) through a device interaction module and return the queried data to a result processing module; meanwhile, a total packet number collector queries the total number of data packets received by the firewall, and the density amount and the total received data are returned to an index calculator.
Therefore, the electronic device can determine the ratio from the number of data packets received by the firewall and the number of data packets refused access in the preset time, and decide from that ratio whether to start abnormal point detection, so that the firewall function is monitored. Because the electronic device detects abnormal points by a machine learning method, it can quickly determine whether the firewall is abnormal and what type of abnormality is present, execute the corresponding function, and so recover from the abnormality quickly.
Corresponding to the above method embodiment, the present application further provides an abnormality monitoring device for a firewall, as shown in Fig. 4, where the device 400 includes: an acquisition module 402, a calculation module 404, a detection module 406 and a determination module 408.
The obtaining module is used to obtain the number of data packets received by the firewall in a preset time and the number of data packets refused access by the firewall in the preset time, where the number of data packets received by the firewall includes the number of data packets refused access by the firewall;
the calculation module is used to calculate, from the number of data packets received by the firewall and the number of data packets refused access by the firewall, the ratio of the number of data packets refused access to the number of data packets received by the firewall;
the detection module is used to detect abnormal points by a machine learning method when the number of data packets refused access and the ratio exceed preset thresholds;
and the judging module is used to determine whether the firewall is abnormal according to the abnormal point detection result.
In some possible implementations, the abnormal point detection result is used to determine whether a connectivity configuration change error of the firewall has occurred, or specifically which firewall has a connectivity configuration change error.
In some possible implementations, the apparatus further includes an alert module for:
when the abnormal point detection result indicates that the firewall is abnormal, sending the abnormal point detection result to an alarm system.
In some possible implementations, the apparatus further includes a rollback module for:
when the abnormal point detection result indicates that the firewall is abnormal, carrying out automatic configuration rollback.
In some possible implementations, the detection module is specifically configured to:
when the number of data packets refused access and the ratio exceed the preset thresholds, detect abnormal points by a machine learning method based on the number of data packets received by the firewall, the number of data packets refused access by the firewall and a configuration change issuing record, where the abnormal point detection result is used to determine whether the connectivity configuration of the firewall has been changed in error, or specifically which firewall has had its connectivity configuration changed in error.
In some possible implementations, the obtaining module is specifically configured to:
acquire the number of data packets received by the firewall in unit time and the number of data packets refused access by the firewall in unit time.
The application provides equipment for realizing a firewall anomaly monitoring method. The apparatus includes a processor and a memory. The processor and the memory communicate with each other. The processor is configured to execute the instructions stored in the memory, so that the device executes a method for monitoring firewall anomalies.
The present application provides a computer readable storage medium having instructions stored therein that, when executed on a device, cause the device to perform the method of monitoring for firewall anomalies described above.
The present application provides a computer program product comprising instructions which, when run on a device, cause the device to perform the method of monitoring for firewall anomalies described above.
It should be further noted that the above-described apparatus embodiments are merely illustrative: the units described as separate may or may not be physically separate, and the units shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the device embodiments provided by the application, a connection between modules indicates that the modules have a communication connection, which may be implemented as one or more communication buses or signal lines.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented by software plus the necessary general purpose hardware, or of course by special purpose hardware including application specific integrated circuits, special purpose CPUs, special purpose memories, special purpose components, etc. Generally, functions performed by computer programs can easily be implemented by corresponding hardware, and the specific hardware structure implementing the same function can vary, e.g. analog circuits, digital circuits or dedicated circuits. However, a software implementation is the preferred embodiment in most cases of the present application. Based on such understanding, the technical solution of the present application, or the part of it contributing to the prior art, may be embodied in the form of a software product stored in a readable storage medium, such as a floppy disk, a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk of a computer, comprising several instructions for causing a computer device (which may be a personal computer, a training device, a network device, etc.) to perform the method according to the embodiments of the present application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions which, when loaded and executed on a computer, produce in whole or in part a flow or function in accordance with the embodiments of the present application. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, training device or data center to another website, computer, training device or data center by wired means (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g. infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a training device or data center that integrates one or more available media. The usable medium may be a magnetic medium (e.g. a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g. a DVD), or a semiconductor medium (e.g. a solid state disk (SSD)), or the like.

Claims (7)

1. A method for monitoring firewall anomalies, the method comprising:
acquiring the number of data packets received by the firewall within a preset time and the number of data packets refused access by the firewall within the preset time, wherein the number of data packets received by the firewall includes the number of data packets refused access by the firewall;
calculating, from the number of data packets received by the firewall and the number of data packets refused access by the firewall, the proportion of the number of data packets refused access by the firewall to the number of data packets received by the firewall;
when both the number of data packets refused access and the proportion exceed a preset threshold, performing outlier detection by a machine learning method based on the number of data packets received by the firewall, the number of data packets refused access by the firewall and a configuration change issuing record, wherein the outlier detection result is used to determine whether a connectivity configuration of the firewall has been changed in error and, when it has, which specific firewall had its connectivity configuration changed;
and determining whether the firewall is abnormal according to the outlier detection result.
2. The method according to claim 1, wherein the method further comprises:
when the outlier detection result indicates that the firewall is abnormal, sending the outlier detection result to an alarm system.
3. The method according to claim 1, wherein the method further comprises:
when the outlier detection result indicates that the firewall is abnormal, performing an automatic configuration rollback.
4. The method according to claim 1, wherein acquiring the number of data packets received by the firewall within the preset time and the number of data packets refused access by the firewall within the preset time comprises:
acquiring the number of data packets received by the firewall per unit time and the number of data packets refused access by the firewall per unit time.
5. A firewall anomaly monitoring device, the device comprising:
an acquisition module, configured to acquire the number of data packets received by the firewall within a preset time and the number of data packets refused access by the firewall within the preset time, wherein the number of data packets received by the firewall includes the number of data packets refused access by the firewall;
a calculation module, configured to calculate, from the number of data packets received by the firewall and the number of data packets refused access by the firewall, the proportion of the number of data packets refused access by the firewall to the number of data packets received by the firewall;
a detection module, configured to perform outlier detection, when both the number of data packets refused access by the firewall and the proportion exceed a preset threshold, based on the number of data packets received by the firewall, the number of data packets refused access by the firewall and the configuration change issuing record, wherein the outlier detection result is used to determine whether a connectivity configuration of the firewall has been changed in error and, when it has, which specific firewall had its connectivity configuration changed;
and a judging module, configured to determine whether the firewall is abnormal according to the outlier detection result.
6. An apparatus comprising a processor and a memory;
the processor is configured to execute instructions stored in the memory to cause the apparatus to perform the method of any one of claims 1 to 4.
7. A computer readable storage medium comprising instructions that instruct a device to perform the method of any one of claims 1 to 4.
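The pipeline that claims 1 to 5 describe (per-window refused/received counts, a refused proportion, a threshold gate on both the count and the proportion, outlier detection, then correlation with the configuration change issuing record to name the firewall whose connectivity configuration was changed in error) is easier to reason about as running code. The block below is an added example written for this page; it is not code from the patent or from its assignee. The patent does not specify the "machine learning method", so a median-absolute-deviation (modified z-score) outlier check stands in for it here; the firewall names, thresholds, look-back window and counter values are all constructed assumptions.

```python
from statistics import median
from typing import Dict, List, NamedTuple, Optional


class Window(NamedTuple):
    """Counters for one firewall over one preset time window (here, one minute)."""
    firewall: str   # hypothetical device name
    minute: int     # window start, minutes since an arbitrary epoch
    received: int   # data packets received by the firewall in the window
    denied: int     # data packets refused access; always a subset of received


class ConfigChange(NamedTuple):
    """One entry of the configuration change issuing record."""
    firewall: str
    minute: int     # when the change was issued
    change_id: str  # hypothetical change-ticket identifier


class Finding(NamedTuple):
    firewall: str
    anomalous_minutes: List[int]
    suspect_change: Optional[str]  # change issued shortly before the first anomalous window


# Assumed thresholds; the patent leaves the actual values to the operator.
DENIED_COUNT_THRESHOLD = 1_000
DENIED_RATIO_THRESHOLD = 0.5
CHANGE_LOOKBACK_MINUTES = 5

# Constructed sample input (not from the patent). fw-a receives a bad connectivity
# change at minute 7 and starts refusing almost everything; fw-b stays normal even
# though a change was issued to it at minute 2.
_FW_A_NORMAL_DENIED = [180, 210, 195, 220, 205, 190, 215]
SAMPLE_WINDOWS: List[Window] = (
    [Window("fw-a", m, 10_000, d) for m, d in enumerate(_FW_A_NORMAL_DENIED)]
    + [Window("fw-a", m, 10_000, 9_500) for m in range(7, 10)]
    + [Window("fw-b", m, 8_000, 150 + (m % 3) * 5) for m in range(10)]
)
SAMPLE_CHANGES: List[ConfigChange] = [
    ConfigChange("fw-b", 2, "CHG-0002"),
    ConfigChange("fw-a", 7, "CHG-0001"),
]


def denied_ratio(received: int, denied: int) -> float:
    """Proportion of received packets that were refused access (0.0 for an empty window)."""
    if denied > received:
        raise ValueError("refused packets cannot exceed received packets")
    return denied / received if received else 0.0


def exceeds_thresholds(w: Window) -> bool:
    """Claim-1 gate: both the refused count and the refused proportion must exceed their thresholds."""
    return w.denied > DENIED_COUNT_THRESHOLD and denied_ratio(w.received, w.denied) > DENIED_RATIO_THRESHOLD


def robust_outliers(values: List[float], cutoff: float = 3.5) -> List[int]:
    """Indices whose modified z-score (median absolute deviation based) exceeds cutoff.

    Stand-in for the claim's unspecified 'machine learning method': unlike a mean/std
    z-score, the median and MAD are not inflated by the anomalous windows themselves.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0.0:
        # Degenerate baseline (nearly all windows identical): anything off the median stands out.
        return [i for i, v in enumerate(values) if v != med]
    return [i for i, v in enumerate(values) if abs(0.6745 * (v - med) / mad) > cutoff]


def detect(windows: List[Window], changes: List[ConfigChange]) -> List[Finding]:
    """Per firewall: threshold gate, then outlier detection on the refused proportion,
    then correlation of anomalous windows with the configuration change issuing record."""
    by_fw: Dict[str, List[Window]] = {}
    for w in windows:
        by_fw.setdefault(w.firewall, []).append(w)

    findings: List[Finding] = []
    for fw, ws in sorted(by_fw.items()):
        ws.sort(key=lambda w: w.minute)
        if not any(exceeds_thresholds(w) for w in ws):
            continue  # thresholds never exceeded: the claim runs no outlier detection
        ratios = [denied_ratio(w.received, w.denied) for w in ws]
        outliers = set(robust_outliers(ratios))
        anomalous = [w.minute for i, w in enumerate(ws) if i in outliers and exceeds_thresholds(w)]
        if not anomalous:
            continue
        first = anomalous[0]
        recent = [c for c in changes
                  if c.firewall == fw and first - CHANGE_LOOKBACK_MINUTES <= c.minute <= first]
        suspect = max(recent, key=lambda c: c.minute).change_id if recent else None
        findings.append(Finding(fw, anomalous, suspect))
    return findings


def firewall_is_abnormal(findings: List[Finding], firewall: str) -> bool:
    """Final decision of the claim: abnormal if outlier detection produced a finding for it."""
    return any(f.firewall == firewall for f in findings)


if __name__ == "__main__":
    for f in detect(SAMPLE_WINDOWS, SAMPLE_CHANGES):
        print(f"{f.firewall}: anomalous windows {f.anomalous_minutes}, suspect change {f.suspect_change}")
```

Running the block reports fw-a with anomalous windows 7 to 9 and CHG-0001 as the suspect change, while fw-b, whose change at minute 2 was followed by no rise in refusals, produces no finding. The threshold gate matters operationally: a firewall that refuses a large proportion of a tiny packet count (a quiet interface during maintenance) never reaches the outlier stage, and a change record is only blamed if it was issued inside the look-back window before the first anomalous window, which is the practical reason the claim feeds the change issuing record into the detection rather than alerting on counters alone.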

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210223961.3A CN114598615B (en) 2022-03-07 2022-03-07 Firewall abnormality monitoring method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN114598615A CN114598615A (en) 2022-06-07
CN114598615B true CN114598615B (en) 2023-10-13

Family

ID=81814714

Country Status (1)

Country Link
CN (1) CN114598615B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112114993A (en) * 2020-09-28 2020-12-22 China Construction Bank Corporation (中国建设银行股份有限公司) Configuration information processing method and device of application system
CN112787883A (en) * 2020-12-26 2021-05-11 Agricultural Bank of China Co., Ltd. (中国农业银行股份有限公司) Method, device and equipment for detecting NAT (network address translation) fault of equipment
CN113660215A (en) * 2021-07-26 2021-11-16 Hangzhou DBAPPSecurity Co., Ltd. (杭州安恒信息技术股份有限公司) Attack behavior detection method and device based on Web application firewall

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11258816B2 (en) * 2019-07-23 2022-02-22 Vmware, Inc. Managing firewall rules based on triggering statistics
US11831606B2 (en) * 2020-04-29 2023-11-28 Kyndryl, Inc. Dynamically managing firewall ports of an enterprise network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A time-based policy audit scheme for multi-layer firewall access control lists; Wang Xudong; Chen Qingping; Li Wen; Zhang Xinming; Journal of Computer Applications (计算机应用), issue 01; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant