CN114884707A - Intelligent security monitoring and networking alarm method and system for large-scale network attack - Google Patents


Publication number: CN114884707A
Application number: CN202210435854.7A
Authority: CN (China)
Prior art keywords: network, attack, blocking, detecting, bypass
Legal status: Pending (the legal status is an assumption by Google and is not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张玉祺, 杨晓英, 林明, 鲁星星, 周思彤, 齐文宇, 张浩波, 明有为
Current assignee: Jinqi Chuang Beijing Technology Co ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Jinqi Chuang Beijing Technology Co ltd
Priority date: 2022-04-24 (the priority date is an assumption by Google and is not a legal conclusion)
Filing date: 2022-04-24

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an intelligent security monitoring and networking alarm method and system for large-scale network attacks. The method comprises network attack detection, a bypass blocking device, blocking of specific network traffic and internet access behavior management. Network attack detection is fine-grained and supports correlation analysis with network assets. The system is deployed in bypass mode with zero added latency and zero failure risk: it attaches to a switch out of band, no service interruption is needed to connect it, it adds no latency or interruption to the network while running, and its reliability meets the carrier-grade requirement of 99.99%. It offers high-bandwidth processing capacity: a single appliance handles up to 10 Gbps and supports fine-grained inspection and precise blocking of network packets. The system recognizes more than 30 protocols, detects 13 file types and 3000 malicious-code samples, and supports custom detection rules.

Description

Intelligent security monitoring and networking alarm method and system for large-scale network attack
Technical Field
The invention relates to the technical field of network security, in particular to an intelligent security monitoring and networking alarm method and system for large-scale network attack.
Background
With the continuous development of computer technology, network security has received more and more attention, and information networks and security systems have become the foundation and guarantee of healthy informatization. Today operating systems, application software, network equipment and business systems alike generally contain unknown vulnerabilities. Against the background of cyber weapons becoming available to civilians and network attacks becoming organized, network security faces more serious challenges, and higher requirements are placed on network security monitoring.
The security of a network in use has always been a public concern. Traditional network security establishes a security protection system installed on a computer or a back-end server; when malicious network attack behavior occurs, the protection system blocks it. However, while the computer runs, the protection system cannot perform intelligent self-test and analysis, so network stability cannot be well maintained, and when the protection system blocks malicious attack behavior it occupies a large amount of network resources, so that users experience slow upload and download speeds. For these reasons, the intelligent security monitoring and networking alarm method and system for large-scale network attacks are proposed.
Disclosure of Invention
(I) Technical problem to be solved
To address the shortcomings of the prior art, the invention provides an intelligent security monitoring and networking alarm method and system for large-scale network attacks, aiming at solving the problems described in the background.
(II) Technical solution
To achieve this, the invention provides the following technical solution: an intelligent security monitoring and networking alarm method for large-scale network attacks comprises network attack detection, a bypass blocking device, blocking of specific network traffic and internet access behavior management;
the network attack detection is fine-grained and supports correlation analysis with network assets, and comprises the following steps:
S01, inspecting every piece of information in the full traffic, including domain names, URLs, Referer headers, POST bodies, Cookies and request parameters;
S02, detecting abnormal IPs communicating with the assets;
S03, detecting abnormal domain names communicating with the assets;
S04, detecting abnormal mail exchanged with the assets;
S05, detecting malicious files in the assets' communication traffic, including PDF files, PE files and Office macro viruses;
S06, detecting probing of the network assets, including Nessus and Nikto scans and port scans;
S07, detecting attacks related to asset information (asset INFO), including backdoors and Trojans;
S08, detecting web-related attacks;
S09, detecting communication between an asset infected with a targeted Trojan and its C&C server;
S10, detecting other abnormal behavior related to the assets, including worms and shellcode.
Preferably, for the abnormal IPs of step S02, the following two steps are included:
① before detection: classifying specific IPs into a black list, a white list and a grey list according to the user's requirements;
② during detection: monitoring and giving early warning on the access behavior of abnormal IPs against the specific black-, white- and grey-list IP lists, including early warning on access by unauthorized users.
Preferably, for step S03, the categories of abnormal domain name detected include the following:
① malicious domain names;
② DGA (domain generation algorithm) domains;
③ random-subdomain DDoS attacks;
④ DNS reflection amplification attacks.
Preferably, the categories of abnormal mail risk behavior detected in step S04 include the following:
① Trojan mail;
② phishing mail;
③ cross-site mail;
④ compromised (attacker-controlled) mailboxes.
Preferably, for step S08, the categories of web-related attack detected include the following:
① XSS (cross-site scripting) detection;
② abnormally structured (obfuscated) XSS detection;
③ WebShell detection;
④ SQL injection detection;
⑤ web behavior analysis.
Preferably, the bypass blocking device, the blocking of specific network traffic and the internet access behavior management proposed in the method are detailed as follows:
bypass blocking device: the product attaches to the switch in bypass (out-of-band) mode and blocks detected network attacks in real time and precisely without affecting stable operation of the network;
specific network traffic blocking: fine-grained protective blocking rules can be set, including a specified source IP, source port, destination IP, destination port and protocol, to intercept specific network traffic precisely;
internet access behavior management: sensitive or forbidden websites, URLs and particular applications can be configured, and internet access behavior reaching such targets is monitored, warned about or blocked.
Preferably, the intelligent security monitoring and networking alarm system for large-scale network attacks comprises an asset attack bypass blocking system whose functions include the following:
1) blocking IP addresses and ports: the asset attack bypass blocking system supports fine-grained protection rules for precise interception, and the product supports blocking of specified IP addresses and ports;
2) blocking specified domain names and URLs: for application and internet access behavior passing through the application layer, access to the configured domain names and URLs is blocked;
3) blocking specified TCP segments: TCP segments are blocked so that the corresponding application-layer communication flow and data are interrupted;
the asset attack bypass blocking system, once installed and in use, introduces no latency or interruption into the network;
4) highly customizable security rules: the asset attack bypass blocking system provides a flexible custom-rule function that supports rule sets on the order of ten million rules, keyword filtering and parameter-binding filtering, and allows file path keywords, parameter names, parameter types and parameter lengths to be configured.
Preferably, the deployment of the asset attack bypass blocking system includes the following two points:
① the asset attack bypass blocking system supports a mirror-port interception mode: it is connected to a mirror (SPAN) port of the switch and protects the network by injecting packets out of band;
② the asset attack bypass blocking system is deployed at the switch facing the external network (the internet egress) for interception.
(III) Advantageous effects
Compared with the prior art, the invention provides an intelligent security monitoring and networking alarm method and system for large-scale network attacks with the following beneficial effects:
1. bypass deployment, zero added latency, zero failure risk: the system attaches to the switch in bypass mode, no service interruption is needed to connect it, it adds no latency or interruption to the network while running, and its reliability meets the carrier-grade requirement of 99.99%;
2. high-bandwidth processing capacity: a single appliance handles up to 10 Gbps and supports fine-grained inspection and precise blocking of network packets;
3. the system recognizes more than 30 protocols, detects 13 file types and 3000 malicious-code samples, and supports custom detection rules;
4. no service interruption on connection: because bypass-deployed equipment adds no latency or interruption to the network, multi-core computing, DPI (deep packet inspection), multi-session correlation analysis and similar techniques can be used to their full extent to achieve precise protection;
5. second-level (seconds-scale) blocking response, zero failure risk: the asset attack bypass blocking system addresses the high latency, high downtime risk, high false-positive rate and inability to reassemble Layer 7 sessions of traditional protective equipment; it can be linked with WebIDS, NIDS, APT-detection and similar products, and is an effective complement to traditional IDS/IPS and other network security products;
6. single-appliance throughput of 10 Gbps, with reliability exceeding the carrier-grade requirement of 99.99%.
The asset attack bypass blocking system is a precision protection system deployed in the network in bypass mode that detects, analyzes, identifies and blocks network attack traffic, achieving management of users' internet access behavior and effective detection and precise blocking of network attack behavior without affecting the user's network.
Drawings
FIG. 1 is a diagram illustrating the steps of the network attack detection method of the present invention;
FIG. 2 is a schematic diagram of the deployment mode of the asset attack bypass blocking system according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a technical solution, as shown in FIG. 1 and FIG. 2: an intelligent security monitoring and networking alarm method for large-scale network attacks comprises network attack detection, a bypass blocking device, blocking of specific network traffic and internet access behavior management;
the network attack detection is fine-grained and supports correlation analysis with network assets, and comprises the following steps:
S01, inspecting every piece of information in the full traffic, including domain names, URLs, Referer headers, POST bodies, Cookies and request parameters;
S02, detecting abnormal IPs communicating with the assets;
S03, detecting abnormal domain names communicating with the assets;
S04, detecting abnormal mail exchanged with the assets;
S05, detecting malicious files in the assets' communication traffic, including PDF files, PE files and Office macro viruses;
S06, detecting probing of the network assets, including Nessus and Nikto scans and port scans;
S07, detecting attacks related to asset information (asset INFO), including backdoors and Trojans;
S08, detecting web-related attacks;
S09, detecting communication between an asset infected with a targeted Trojan and its C&C server;
S10, detecting other abnormal behavior related to the assets, including worms and shellcode.
Specifically, for the abnormal IPs of step S02, the method includes the following two steps:
① before detection: classifying specific IPs into a black list, a white list and a grey list according to the user's requirements;
② during detection: monitoring and giving early warning on the access behavior of abnormal IPs against the specific black-, white- and grey-list IP lists, including early warning on access by unauthorized users.
Specifically, for step S03, detection of abnormal domain names covers the following:
① malicious domain names;
② DGA (domain generation algorithm) domains;
③ random-subdomain DDoS attacks;
④ DNS reflection amplification attacks.
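The list handling of step S02 and the four domain categories of step S03, as an added worked example that is not part of the patent. The list contents, the detection thresholds, the two-label zone split and all sample traffic are constructed assumptions for the demo; a production sensor would use the public suffix list and tune the thresholds to its own traffic.

```python
"""Added example (not from the patent): step S02 IP lists with unauthorized-access
warning, and the step S03 categories (malicious domain, DGA, random-subdomain DDoS,
DNS reflection amplification) over constructed sample data."""
import math
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# S02, before detection: user-supplied black / white / grey lists (constructed).
IP_LISTS = {
    "black": [ip_network("203.0.113.0/24")],
    "white": [ip_network("10.0.0.0/8")],
    "grey": [ip_network("198.51.100.7/32")],
}
MALICIOUS_DOMAINS = {"bad-cdn.example"}  # constructed threat-intel list


def classify_ip(ip):
    """Return 'black', 'white', 'grey' or 'unlisted' for one IP address."""
    addr = ip_address(ip)
    for name, nets in IP_LISTS.items():
        if any(addr in net for net in nets):
            return name
    return "unlisted"


def ip_alerts(flows):
    """S02, during detection. flows: iterable of (source_ip, asset_ip).
    White-listed sources are silent, black-listed ones are blocked, grey-listed
    ones get a warning, and unlisted sources raise the unauthorized-access warning."""
    level = {"black": "block", "grey": "warn", "unlisted": "unauthorized"}
    alerts = []
    for src, asset in flows:
        cls = classify_ip(src)
        if cls != "white":
            alerts.append((level[cls], src, asset))
    return alerts


def split_name(name):
    """'a.b.victim.example' -> ('victim.example', ['a', 'b']). Two-label zones are
    an assumption; real code would consult the public suffix list."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def shannon_entropy(text):
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def is_malicious_domain(name):
    return split_name(name)[0] in MALICIOUS_DOMAINS


def looks_dga(name):
    """DGA heuristic: long registrable label, high character entropy, few vowels."""
    label = split_name(name)[0].split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.2 and vowel_ratio < 0.3


def random_subdomain_flood(qnames, min_distinct=50, min_ratio=0.9):
    """Random-subdomain DDoS: one zone receives many distinct, never-repeated labels."""
    per_zone = defaultdict(list)
    for qname in qnames:
        zone, labels = split_name(qname)
        if labels:
            per_zone[zone].append(".".join(labels))
    return sorted(zone for zone, seen in per_zone.items()
                  if len(set(seen)) >= min_distinct
                  and len(set(seen)) / len(seen) >= min_ratio)


def reflection_victims(records, assets, min_unsolicited=5, min_avg_size=1000):
    """DNS reflection amplification: an asset receives large responses to queries it
    never sent (its address was spoofed). records: dicts with src, dst, qname,
    is_response, size, in capture order."""
    outstanding, unsolicited = set(), defaultdict(list)
    for r in records:
        if not r["is_response"]:
            outstanding.add((r["src"], r["qname"]))
        elif (r["dst"], r["qname"]) in outstanding:
            outstanding.discard((r["dst"], r["qname"]))
        elif r["dst"] in assets:
            unsolicited[r["dst"]].append(r["size"])
    return sorted(a for a, sizes in unsolicited.items()
                  if len(sizes) >= min_unsolicited
                  and sum(sizes) / len(sizes) >= min_avg_size)


def domain_alerts(qnames):
    """S03 over a list of query names: categories ① to ③ (④ needs response sizes)."""
    out = []
    for q in qnames:
        if is_malicious_domain(q):
            out.append(("malicious_domain", q))
        if looks_dga(q):
            out.append(("dga", q))
    return out + [("random_subdomain_ddos", z) for z in random_subdomain_flood(qnames)]


# Constructed sample traffic.
SAMPLE_FLOWS = [("10.1.2.3", "10.0.0.5"), ("203.0.113.9", "10.0.0.5"),
                ("198.51.100.7", "10.0.0.5"), ("192.0.2.1", "10.0.0.5")]
SAMPLE_QNAMES = (["www.example", "xk3j9qz0vplw2m.com", "cdn.bad-cdn.example"]
                 + [f"{i:08x}.victim.example" for i in range(60)])
SAMPLE_DNS = ([{"src": "10.0.0.5", "dst": "10.0.0.53", "qname": "www.example",
                "is_response": False, "size": 60},
               {"src": "10.0.0.53", "dst": "10.0.0.5", "qname": "www.example",
                "is_response": True, "size": 120}]
              + [{"src": f"192.0.2.{n}", "dst": "10.0.0.5", "qname": "big-record.example",
                  "is_response": True, "size": 3000} for n in range(10, 16)])

if __name__ == "__main__":
    print(ip_alerts(SAMPLE_FLOWS))
    print(domain_alerts(SAMPLE_QNAMES))
    print(reflection_victims(SAMPLE_DNS, {"10.0.0.5"}))
```

The reflection check keys on (asset, qname) so that the asset's own legitimate lookups are not counted; only responses with no matching outbound query are treated as unsolicited, which is the signature of the asset being the spoofed victim rather than the reflector.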
Specifically, the categories of abnormal mail risk behavior detected in step S04 include the following:
① Trojan mail;
② phishing mail;
③ cross-site mail;
④ compromised (attacker-controlled) mailboxes.
Specifically, for step S08, the categories of web-related attack detected include the following:
① XSS (cross-site scripting) detection;
② abnormally structured (obfuscated) XSS detection;
③ WebShell detection;
④ SQL injection detection;
⑤ web behavior analysis.
Specifically, the bypass blocking device, the blocking of specific network traffic and the internet access behavior management provided in the method are detailed as follows:
bypass blocking device: the product attaches to the switch in bypass (out-of-band) mode and blocks detected network attacks in real time and precisely without affecting stable operation of the network;
specific network traffic blocking: fine-grained protective blocking rules can be set, including a specified source IP, source port, destination IP, destination port and protocol, to intercept specific network traffic precisely;
internet access behavior management: sensitive or forbidden websites, URLs and particular applications can be configured, and internet access behavior reaching such targets is monitored, warned about or blocked.
Specifically, the intelligent security monitoring and networking alarm system for large-scale network attacks comprises an asset attack bypass blocking system whose functions include the following:
1) blocking IP addresses and ports: the asset attack bypass blocking system supports fine-grained protection rules for precise interception, and the product supports blocking of specified IP addresses and ports;
2) blocking specified domain names and URLs: for application and internet access behavior passing through the application layer, access to the configured domain names and URLs is blocked;
3) blocking specified TCP segments: TCP segments are blocked so that the corresponding application-layer communication flow and data are interrupted;
the asset attack bypass blocking system, once installed and in use, introduces no latency or interruption into the network;
4) highly customizable security rules: the asset attack bypass blocking system provides a flexible custom-rule function that supports rule sets on the order of ten million rules, keyword filtering and parameter-binding filtering, and allows file path keywords, parameter names, parameter types and parameter lengths to be configured.
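The web-attack categories of step S08 (XSS, abnormally structured XSS, WebShell, SQL injection) and the parameter-binding custom rules of function 4) (path keyword, parameter name, type and length), as one added worked example that is not the patent's own detection engine. The regular expressions, the rule format, the request parser and every sample request are constructed assumptions; category ⑤, web behavior analysis, is not covered.

```python
"""Added example (not from the patent): signature checks for step S08 plus the
parameter-binding custom rules of function 4), run over constructed HTTP requests."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed signatures: a starting point, not a complete rule set.
SQLI = re.compile(r"(?i)(\bunion\b[\s\S]+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+"
                  r"|;\s*(drop|insert|update)\b|--\s*$)")
XSS = re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b)")
NESTED_TAG = re.compile(r"(?i)<[a-z]*<[a-z]+>")  # e.g. <scr<script>ipt>
WEBSHELL_CALL = re.compile(r"(?i)\b(eval|assert|system|passthru|shell_exec|exec)\s*\("
                           r"|base64_decode\s*\(")
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".asp", ".aspx")


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: method, decoded path, (name, value) pairs
    from the query string and a form-encoded body, and the raw body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target, _ = head.split("\n")[0].split(" ", 2)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if body.strip():
        params += parse_qsl(body.strip(), keep_blank_values=True)
    return {"method": method, "path": unquote_plus(url.path), "params": params, "body": body}


def signature_findings(req):
    """Categories ① to ④ of step S08 over the parsed request."""
    findings = []
    for name, value in req["params"]:
        if SQLI.search(value):
            findings.append(f"sql_injection:{name}")
        if XSS.search(value):
            findings.append(f"xss:{name}")
        # Abnormal structure: split/nested tags, or a payload that only becomes
        # XSS after a second decoding pass (double percent-encoding).
        twice = unquote_plus(value)
        if NESTED_TAG.search(value) or (twice != value and XSS.search(twice)
                                        and not XSS.search(value)):
            findings.append(f"xss_abnormal_structure:{name}")
    if (req["method"] == "POST" and req["path"].lower().endswith(SCRIPT_EXT)
            and WEBSHELL_CALL.search(unquote_plus(req["body"]))):
        findings.append(f"webshell:{req['path']}")
    return findings


TYPE_CHECKS = {"int": str.isdigit, "alnum": str.isalnum, "any": lambda s: True}


def custom_rule_findings(req, rules):
    """Parameter-binding rules: when the path contains the keyword, the named
    parameter must satisfy the declared type and maximum length."""
    findings = []
    for rule in rules:
        if rule["path_keyword"] not in req["path"]:
            continue
        for name, value in req["params"]:
            if name != rule["param"]:
                continue
            if not TYPE_CHECKS[rule["type"]](value):
                findings.append(f"param_type:{name}")
            if len(value) > rule["max_len"]:
                findings.append(f"param_length:{name}")
    return findings


def inspect_request(raw, rules=()):
    req = parse_request(raw)
    return signature_findings(req) + custom_rule_findings(req, rules)


# Constructed sample rule and requests.
RULES = [{"path_keyword": "/admin/", "param": "uid", "type": "int", "max_len": 6}]
REQ_SQLI = "GET /search?q=1%27+OR+%271%27%3D%271 HTTP/1.1\nHost: www.example\n\n"
REQ_XSS = "GET /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\nHost: www.example\n\n"
REQ_XSS_DOUBLE = "GET /comment?text=%253Cscript%253Ealert(1) HTTP/1.1\nHost: www.example\n\n"
REQ_SHELL = ("POST /uploads/avatar.php HTTP/1.1\nHost: www.example\n"
             "Content-Type: application/x-www-form-urlencoded\n\n"
             "z0=%40eval%28base64_decode%28%24_POST%5Bx%5D%29%29")
REQ_ADMIN = "GET /admin/user?uid=12abc HTTP/1.1\nHost: www.example\n\n"
REQ_OK = "GET /index.html?page=2 HTTP/1.1\nHost: www.example\n\n"

if __name__ == "__main__":
    for req in (REQ_SQLI, REQ_XSS, REQ_XSS_DOUBLE, REQ_SHELL, REQ_ADMIN, REQ_OK):
        print(req.split("\n")[0], "->", inspect_request(req, RULES))
```

The double-decoding check is what turns an ordinary XSS signature into the "abnormally structured" category: the raw parameter value carries no `<` at all, so a single-pass signature engine passes it, while the application that decodes twice would execute it. Signature rules of this kind produce false positives on legitimate content (a comment containing the word "onload=" would match), which is why the patent pairs them with asset correlation and behavior analysis rather than relying on them alone.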
Specifically, the deployment of the asset attack bypass blocking system includes the following two points:
① the asset attack bypass blocking system supports a mirror-port interception mode: it is connected to a mirror (SPAN) port of the switch and protects the network by injecting packets out of band;
② the asset attack bypass blocking system is deployed at the switch facing the external network (the internet egress) for interception.
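The five-tuple blocking rules of "specific network traffic blocking" and the mirror-port injection mechanism of deployment mode ①, as one added worked example that is not the patent's implementation. A sensor on a SPAN port cannot drop packets, so the only way it can block a TCP connection is to forge a RST toward each endpoint with sequence numbers taken from the last segment it saw; the rule format, the packet-field names and the sample flow below are constructed assumptions.

```python
"""Added example (not from the patent): 5-tuple blocking rules and out-of-band
blocking by forged TCP RST, as a mirror-port sensor would do it."""
import socket
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class BlockRule:
    """Fine-grained blocking rule: source/destination IP (CIDR), ports, protocol.
    A port of None means any port."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: str = "tcp"

    def matches(self, pkt):
        return (pkt["proto"] == self.proto
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.sport in (None, pkt["sport"])
                and self.dport in (None, pkt["dport"]))


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq, ack, ttl=64):
    """Forge an IPv4 + TCP RST|ACK segment (40 bytes) with valid checksums."""
    src, dst = ip_address(src_ip).packed, ip_address(dst_ip).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, 0x14, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def reset_pair(pkt):
    """From the last observed segment of a flow (what the mirror port shows), forge
    one RST per side: toward the receiver it continues the sender's sequence space,
    toward the sender it uses the sender's ACK number as its sequence number."""
    next_seq = (pkt["seq"] + pkt["payload_len"]) & 0xFFFFFFFF
    to_receiver = build_rst(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                            seq=next_seq, ack=pkt["ack"])
    to_sender = build_rst(pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"],
                          seq=pkt["ack"], ack=next_seq)
    return to_receiver, to_sender


def block_flow(rules, pkt):
    """Return the RST pair when any rule matches the observed packet, else ()."""
    return reset_pair(pkt) if any(r.matches(pkt) for r in rules) else ()


def parse_segment(packet):
    """Decode a forged packet so its fields and checksums can be verified."""
    ip_hdr, tcp = packet[:20], packet[20:40]
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return {"src": str(ip_address(ip_hdr[12:16])), "dst": str(ip_address(ip_hdr[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "checksums_ok": checksum(ip_hdr) == 0 and checksum(pseudo + tcp) == 0}


def send_raw(packet):
    """Inject via a raw socket (needs CAP_NET_RAW; IPPROTO_RAW implies IP_HDRINCL).
    Not called in this offline example."""
    dst = str(ip_address(packet[16:20]))
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst, 0))


# Constructed sample: an internal client talking to a blocked external host.
RULES = [BlockRule(dst="203.0.113.0/24", dport=443)]
OBSERVED = {"proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.7",
            "sport": 51000, "dport": 443, "seq": 1000, "ack": 5000, "payload_len": 100}

if __name__ == "__main__":
    for segment in block_flow(RULES, OBSERVED):
        print(parse_segment(segment))
```

Two caveats a practitioner should keep in mind with this mechanism. First, the sensor only sees a segment after the switch has already forwarded it, so the forged RST races the next real segment; the connection is torn down within a round trip or so, but the packet that triggered the rule has already been delivered, which is why the page's own "zero delay" claim refers to forwarding latency while blocking is described as second-level. Second, an endpoint accepts a RST only if its sequence number falls inside the receive window, so the sensor must track sequence numbers per flow; a RST built from stale state is silently dropped and the block fails open.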
The working principle is as follows. Network attack detection performs the following:
(1) inspecting domain names, URLs, Referer headers, POST bodies, Cookies, parameters and other information in the full traffic, and detecting exploitation of vulnerabilities in the assets;
detecting abnormal IPs communicating with the assets: monitoring and giving early warning on the access behavior of abnormal IPs against the specific black-, white- and grey-list IP lists, including early warning on access by unauthorized users;
detecting abnormal domain names communicating with the assets: malicious domain names, DGA domains, random-subdomain DDoS attacks and DNS reflection amplification attacks;
detecting abnormal mail exchanged with the assets: Trojan mail, phishing mail, cross-site mail, compromised mailboxes and other risk behavior;
detecting malicious files in the assets' communication traffic: PDF files, PE files, Office macro viruses and the like;
detecting probing of the network assets: Nessus, Nikto, port scanning and the like;
detecting attacks related to asset information (asset INFO): backdoors, Trojans and the like;
detecting web-related attacks: XSS detection, abnormally structured XSS detection, WebShell detection, SQL injection detection, web behavior analysis and the like;
detecting communication between an asset infected with a targeted Trojan and its C&C server;
detecting other abnormal behavior related to the assets: worms, shellcode and the like;
(2) bypass blocking: the product attaches to the switch in bypass mode, so detected network attacks can be blocked precisely and in real time without affecting stable operation of the network;
(3) specific network traffic blocking: fine-grained protective blocking rules can be set, including a specified source IP, source port, destination IP, destination port and protocol, to intercept specific network traffic precisely;
(4) internet access behavior management: sensitive or forbidden websites, URLs and particular applications can be configured, and internet access behavior reaching such targets is monitored, warned about or blocked.
The asset attack bypass blocking system is a precision protection system deployed in the network in bypass mode that detects, analyzes, identifies and blocks network attack traffic, achieving management of users' internet access behavior and effective detection and precise blocking of network attack behavior without affecting the user's network. It supports a mirror-port interception mode: it can be connected to a mirror (SPAN) port of the switch and protects the network by injecting packets out of band.
The system's functions are divided into the following four points:
① blocking IP addresses and ports: the asset attack bypass blocking system supports fine-grained protection rules for precise interception, and the product supports blocking of specified IP addresses and ports;
② blocking specified domain names and URLs: for application and internet access behavior passing through the application layer, access to the configured domain names and URLs is blocked effectively;
③ blocking specified TCP segments: TCP segments are blocked effectively, so that the corresponding application-layer communication flow and data are interrupted;
the asset attack bypass blocking system, once installed and in use, introduces no latency or interruption into the network;
④ highly customizable security rules: the asset attack bypass blocking system provides a flexible custom-rule function that supports rule sets on the order of ten million rules, keyword filtering and parameter-binding filtering, and allows file path keywords, parameter names, parameter types and parameter lengths to be configured.
The system's performance comprises the following three points:
① no service interruption on connection: because bypass-deployed equipment adds no latency or interruption to the network, multi-core computing, DPI (deep packet inspection), multi-session correlation analysis and similar techniques can be used to their full extent to achieve precise protection;
② second-level (seconds-scale) blocking response, zero failure risk: the asset attack bypass blocking system addresses the high latency, high downtime risk, high false-positive rate and inability to reassemble Layer 7 sessions of traditional protective equipment; it can be linked with WebIDS, NIDS, APT-detection and similar products, and is an effective complement to traditional IDS/IPS and other network security products;
③ single-appliance throughput of 10 Gbps, with reliability exceeding the carrier-grade requirement of 99.99%.
The asset attack bypass blocking system is deployed at the switch closest to the external network (the internet egress), where interception is most efficient.
Bypass deployment, zero added latency, zero failure risk: the system attaches to the switch in bypass mode, no service interruption is needed to connect it, it adds no latency or interruption to the network while running, and its reliability meets the carrier-grade requirement of 99.99%.
High-bandwidth processing capacity: a single appliance handles up to 10 Gbps and supports fine-grained inspection and precise blocking of network packets.
The system recognizes more than 30 protocols, detects 13 file types and 3000 malicious-code samples, and supports custom detection rules.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. An intelligent security monitoring and networking alarm method for large-scale network attacks, characterized in that the method comprises network attack detection, a bypass blocking device, blocking of specific network traffic and internet access behavior management;
the network attack detection is fine-grained and supports correlation analysis with network assets, and comprises the following steps:
S01, inspecting every piece of information in the full traffic, including domain names, URLs, Referer headers, POST bodies, Cookies and request parameters;
S02, detecting abnormal IPs communicating with the assets;
S03, detecting abnormal domain names communicating with the assets;
S04, detecting abnormal mail exchanged with the assets;
S05, detecting malicious files in the assets' communication traffic, including PDF files, PE files and Office macro viruses;
S06, detecting probing of the network assets, including Nessus and Nikto scans and port scans;
S07, detecting attacks related to asset information (asset INFO), including backdoors and Trojans;
S08, detecting web-related attacks;
S09, detecting communication between an asset infected with a targeted Trojan and its C&C server;
S10, detecting other abnormal behavior related to the assets, including worms and shellcode.
2. The intelligent security monitoring and networking alarm method for large-scale network attacks according to claim 1, characterized in that, for the abnormal IPs of step S02, the following two steps are included:
① before detection: classifying specific IPs into a black list, a white list and a grey list according to the user's requirements;
② during detection: monitoring and giving early warning on the access behavior of abnormal IPs against the specific black-, white- and grey-list IP lists, including early warning on access by unauthorized users.
3. The intelligent security monitoring and networking alarm method for large-scale network attacks according to claim 1, characterized in that, for step S03, the categories of abnormal domain name detected include the following:
① malicious domain names;
② DGA (domain generation algorithm) domains;
③ random-subdomain DDoS attacks;
④ DNS reflection amplification attacks.
4. The intelligent security monitoring and networking alarm method and system for large-scale network attacks according to claim 1, characterized in that the categories of abnormal mail risk behavior detected in step S04 include the following:
① Trojan mail;
② phishing mail;
③ cross-site mail;
④ compromised (attacker-controlled) mailboxes.
5. The intelligent security monitoring and networking alarm method for large-scale network attacks according to claim 1, characterized in that, for step S08, the categories of web-related attack detected include the following:
① XSS (cross-site scripting) detection;
② abnormally structured (obfuscated) XSS detection;
③ WebShell detection;
④ SQL injection detection;
⑤ web behavior analysis.
6. The intelligent security monitoring and networking alarm method for large-scale network attacks according to claim 1, characterized in that the bypass blocking device, the blocking of specific network traffic and the internet access behavior management provided by the method are detailed as follows:
bypass blocking device: the product attaches to the switch in bypass (out-of-band) mode and blocks detected network attacks in real time and precisely without affecting stable operation of the network;
specific network traffic blocking: fine-grained protective blocking rules can be set, including a specified source IP, source port, destination IP, destination port and protocol, to intercept specific network traffic precisely;
internet access behavior management: sensitive or forbidden websites, URLs and particular applications can be configured, and internet access behavior reaching such targets is monitored, warned about or blocked.
7. The intelligent security monitoring and networking alarm system for large-scale network attack according to claim 1, wherein: the system comprises an asset attack bypass blocking system whose functions comprise the following:
1) blocking IP addresses and ports: the asset attack bypass blocking system supports fine-grained protection rules for accurate interception, and the product supports blocking of specified IP addresses and ports;
2) blocking specified domain names and URLs: for application and internet access behavior passing through the application layer, access to the configured domain names and URLs is blocked;
3) blocking specified TCP messages: TCP communication messages are blocked, thereby interrupting the corresponding application-layer network communication flow and data;
installing and using the asset attack bypass blocking system introduces no delay or interruption to the network;
4) highly customizable security rules: the asset attack bypass blocking system provides a flexible 'custom rule' function that supports custom rules on the order of ten million, keyword filtering and parameter binding filtering, with configurable file path keywords, parameter names, parameter types and parameter lengths.
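The rule types named in claims 6 and 7 (five-tuple traffic rules; blocked domains and URLs; path-keyword and parameter-binding custom rules) can be illustrated with a small rule engine. The following is an added example written for this page, not code from the patent or its assignee. The event field names (src_ip, dst_port, url, ...), the rule semantics (a keyword-scoped rule fires when a bound parameter breaks its declared type or length), and the sample rules and mirrored events are all assumptions constructed for the illustration.

```python
# Added example: rule engine for the bypass-blocking rule types in claims 6 and 7.
# Not the patent's own code. Field names, rule semantics, sample rules and sample
# events are assumptions constructed for this illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class FlowRule:
    """Five-tuple blocking rule (claim 6). A field left as None means 'any'."""
    src_ip: Optional[str] = None      # single address or CIDR
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None       # "tcp" / "udp"

    def matches(self, flow: dict) -> bool:
        if self.src_ip and ip_address(flow["src_ip"]) not in ip_network(self.src_ip, strict=False):
            return False
        if self.dst_ip and ip_address(flow["dst_ip"]) not in ip_network(self.dst_ip, strict=False):
            return False
        if self.src_port is not None and flow["src_port"] != self.src_port:
            return False
        if self.dst_port is not None and flow["dst_port"] != self.dst_port:
            return False
        if self.proto and flow["proto"].lower() != self.proto.lower():
            return False
        return True


@dataclass
class ParamBinding:
    """Declared shape of one request parameter (claim 7, item 4): name, type, max length."""
    name: str
    ptype: str = "str"          # "int" or "str"
    max_len: Optional[int] = None

    def violated_by(self, value: str) -> bool:
        if self.ptype == "int" and not value.lstrip("-").isdigit():
            return True
        return self.max_len is not None and len(value) > self.max_len


@dataclass
class WebRule:
    """Application-layer rule: blocked hosts / URL prefixes (claim 7, item 2) plus
    file-path keyword and parameter-binding filters (claim 7, item 4)."""
    blocked_hosts: set = field(default_factory=set)
    blocked_url_prefixes: list = field(default_factory=list)
    path_keywords: list = field(default_factory=list)
    bindings: list = field(default_factory=list)

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in self.blocked_hosts or any(url.startswith(p) for p in self.blocked_url_prefixes):
            return True
        # Keyword filter: the rule is scoped to paths containing a configured keyword.
        if self.path_keywords and not any(k in parts.path for k in self.path_keywords):
            return False
        if not self.bindings:
            return bool(self.path_keywords)   # a keyword hit alone is a match
        params = parse_qs(parts.query, keep_blank_values=True)
        # Binding filter: intercept when any bound parameter breaks its declared shape.
        return any(b.violated_by(v) for b in self.bindings for v in params.get(b.name, []))


def decide(flow_rules, web_rules, event: dict) -> str:
    """Return 'block' or 'pass' for one mirrored event.
    event is {'kind': 'flow', <five-tuple fields>} or {'kind': 'http', 'url': ...}."""
    if event["kind"] == "flow":
        return "block" if any(r.matches(event) for r in flow_rules) else "pass"
    return "block" if any(r.matches(event["url"]) for r in web_rules) else "pass"


# Constructed sample rule set and mirrored events (not from the patent).
FLOW_RULES = [
    FlowRule(src_ip="198.51.100.0/24", dst_port=22, proto="tcp"),   # block SSH from one /24
    FlowRule(dst_ip="203.0.113.7", dst_port=3306),                   # block DB access to one host
]
WEB_RULES = [
    WebRule(blocked_hosts={"forbidden.example"}, blocked_url_prefixes=["http://intranet.example/admin/"]),
    WebRule(path_keywords=["/api/user"],
            bindings=[ParamBinding("id", "int"), ParamBinding("name", "str", max_len=32)]),
]
EVENTS = [
    {"kind": "flow", "src_ip": "198.51.100.9", "src_port": 40000, "dst_ip": "10.0.0.5", "dst_port": 22, "proto": "tcp"},
    {"kind": "flow", "src_ip": "10.0.0.8", "src_port": 40001, "dst_ip": "10.0.0.5", "dst_port": 22, "proto": "tcp"},
    {"kind": "flow", "src_ip": "10.0.0.8", "src_port": 40002, "dst_ip": "203.0.113.7", "dst_port": 3306, "proto": "tcp"},
    {"kind": "http", "url": "http://forbidden.example/index.html"},
    {"kind": "http", "url": "http://app.example/api/user?id=42&name=alice"},
    {"kind": "http", "url": "http://app.example/api/user?id=42%20OR%201%3D1&name=alice"},
    {"kind": "http", "url": "http://app.example/status?id=notanumber"},
]


def run(events=EVENTS) -> list:
    """Evaluate every sample event against the sample rule set."""
    return [decide(FLOW_RULES, WEB_RULES, e) for e in events]


if __name__ == "__main__":
    for e, d in zip(EVENTS, run()):
        print(d, e.get("url") or f'{e["src_ip"]}:{e["src_port"]} -> {e["dst_ip"]}:{e["dst_port"]}/{e["proto"]}')
```

The decision function only returns a verdict; in a bypass deployment the "block" verdict is what the device would act on by injecting messages toward the endpoints, which this example does not model. Note that the last HTTP event passes even though its id parameter is not numeric, because the binding rule is scoped to paths containing "/api/user"; a practitioner would want to check rule scope as carefully as rule content.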
8. The intelligent security monitoring and networking alarm system for large-scale network attack according to claim 7, wherein: the asset attack bypass blocking system is deployed in one of the following two ways:
first, the asset attack bypass blocking system supports a mirror interception mode: it is connected to a mirror port of the switch and performs network protection by injecting messages in bypass;
second, the asset attack bypass blocking system is deployed at the switch facing the external network (the internet gateway) for interception.
CN202210435854.7A 2022-04-24 2022-04-24 Intelligent security monitoring and networking alarm method and system for large-scale network attack Pending CN114884707A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210435854.7A CN114884707A (en) 2022-04-24 2022-04-24 Intelligent security monitoring and networking alarm method and system for large-scale network attack

Publications (1)

Publication Number Publication Date
CN114884707A true CN114884707A (en) 2022-08-09

Family

ID=82672137

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210435854.7A Pending CN114884707A (en) 2022-04-24 2022-04-24 Intelligent security monitoring and networking alarm method and system for large-scale network attack

Country Status (1)

Country Link
CN (1) CN114884707A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656922A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Flow analysis based protective method and device against network attack
CN110149350A (en) * 2019-06-24 2019-08-20 国网安徽省电力有限公司信息通信分公司 Alarm-log-based correlated attack analysis method and device
CN111711599A (en) * 2020-04-23 2020-09-25 北京凌云信安科技有限公司 Safety situation perception system based on multivariate mass data fusion association analysis
CN112350939A (en) * 2020-10-29 2021-02-09 腾讯科技(深圳)有限公司 Bypass blocking method, system, device, computer equipment and storage medium
CN113422771A (en) * 2021-06-22 2021-09-21 北京华圣龙源科技有限公司 Threat early warning method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孔睿; 何韶军: "Research on the classification of network attacks based on effect and empirical terms" *
陈兴蜀; 曾雪梅; 王文贤; 邵国林: "Network security and intelligence analysis based on big data" *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116633656A (en) * 2023-06-09 2023-08-22 北京源堡科技有限公司 Application network traffic blocking method and device, computer equipment and storage medium
CN117294538A (en) * 2023-11-27 2023-12-26 华信咨询设计研究院有限公司 Bypass detection and blocking method and system for data security risk behaviors
CN117294538B (en) * 2023-11-27 2024-04-02 华信咨询设计研究院有限公司 Bypass detection and blocking method and system for data security risk behaviors

Similar Documents

Publication Publication Date Title
Dayal et al. Research trends in security and DDoS in SDN
Srivastava et al. A recent survey on DDoS attacks and defense mechanisms
US8230505B1 (en) Method for cooperative intrusion prevention through collaborative inference
US7234168B2 (en) Hierarchy-based method and apparatus for detecting attacks on a computer system
US20030188189A1 (en) Multi-level and multi-platform intrusion detection and response system
Bulajoul et al. Network intrusion detection systems in high-speed traffic in computer networks
Haris et al. Detecting TCP SYN flood attack based on anomaly detection
Gao et al. A dos resilient flow-level intrusion detection approach for high-speed networks
GB2422224A (en) An anti-phishing system for enhancing network security
CN114884707A (en) Intelligent security monitoring and networking alarm method and system for large-scale network attack
EP1595193B1 (en) Detecting and protecting against worm traffic on a network
CN112583845A (en) Access detection method and device, electronic equipment and computer storage medium
Alparslan et al. BotNet detection: Enhancing analysis by using data mining techniques
Yan et al. Unwanted traffic control via hybrid trust management
Alhasan et al. Evaluation of Data Center Network Security based on Next-Generation Firewall
Dzurenda et al. Network protection against DDoS attacks
Behal et al. Signature-based botnet detection and prevention
Qinquan et al. Research on network attack and detection methods
Gaylah et al. Mitigation and prevention methods for distributed denial-of-service attacks on network servers
Rm et al. A comprehensive approach for network security
Kunhare et al. Network packet analysis in real time traffic and study of snort IDS during the variants of DoS attacks
Prabhu et al. Network intrusion detection system
Zamil et al. A behavior based algorithm to detect spam bots
Pandey et al. IDS CRITERIA FOR ENHANCED SECURITY OVER CLOUD.
Alaidaros et al. From Packet-based Towards Hybrid Packet-based and Flow-based Monitoring for Efficient Intrusion Detection: An overview

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination