CN114884748A - Network attack monitoring method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114884748A
Authority: CN (China)
Prior art keywords: preset, network, message, attribute, network attack
Legal status: Pending
Application number: CN202210694259.5A
Other languages: Chinese (zh)
Inventors: 王佳音, 蒋晓晶
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Priority application: CN202210694259.5A
Publication: CN114884748A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The present disclosure provides a network attack monitoring method, which can be applied to the technical field of information security. The network attack monitoring method comprises the following steps: acquiring a suspicious network attack log; determining a network protocol corresponding to the suspicious network attack log according to the suspicious network attack log; extracting attribute content corresponding to a preset attribute from the suspicious network attack log according to the preset attribute corresponding to the network protocol and the message format of the network protocol; analyzing the attribute content according to a preset monitoring strategy corresponding to the network protocol to obtain an analysis result; and generating alarm information when the analysis result indicates that the suspicious network attack log represents a network attack. The disclosure also provides a monitoring device, equipment and storage medium for network attacks.

Description

Network attack monitoring method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of information security, and more particularly, to a method, an apparatus, a device, a medium, and a program product for monitoring a network attack.
Background
As network applications develop, more and more services are transferred from offline to online, and service systems also bear more access requirements. Meanwhile, network attacks are endless, and some important network nodes in particular face various threats of network attack. At present, network attack protection equipment is generally used for protection, and network attacks are monitored by periodically analyzing the network attack logs generated by the network attack protection equipment, so that alarm information is generated to remind a manager to improve network protection.
In carrying out the inventive concept of the present disclosure, the inventors found that at least the following problems exist in the related art: the existing network attack monitoring method has the technical problem that the real network attack is difficult to accurately identify, so that the accuracy rate of alarm information is low.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a method, an apparatus, a device, a medium, and a program product for monitoring a network attack.
According to an aspect of the present disclosure, there is provided a network attack monitoring method, including:
acquiring a suspicious network attack log;
determining a network protocol corresponding to the suspicious network attack log according to the suspicious network attack log;
extracting attribute content corresponding to the preset attribute from the suspicious network attack log according to the preset attribute corresponding to the network protocol and the message format of the network protocol;
analyzing the attribute content according to a preset monitoring strategy corresponding to the network protocol to obtain an analysis result; and
and generating alarm information under the condition that the suspicious network attack log representation has network attack according to the analysis result.
According to the embodiment of the disclosure, the network protocol includes n preset attributes, wherein n is greater than or equal to 1;
the analyzing the attribute content according to the preset monitoring policy corresponding to the network protocol to obtain an analysis result includes:
according to a preset arrangement sequence of n preset attributes, sequentially analyzing attribute contents corresponding to the preset attributes to obtain sub-analysis results corresponding to the preset attributes;
and determining the analysis result according to the sub-analysis result.
According to an embodiment of the present disclosure, each of the preset attributes has a corresponding preset condition;
the analyzing the attribute content corresponding to the preset attribute in sequence according to the preset arrangement sequence of the n preset attributes to obtain the sub-analysis result corresponding to the preset attribute comprises:
S1, for the i-th preset attribute among the n preset attributes, analyzing the i-th attribute content corresponding to the i-th preset attribute according to the i-th preset condition corresponding to the i-th preset attribute, to obtain an i-th sub-analysis result corresponding to the i-th preset attribute;
S2, when the i-th sub-analysis result shows that the i-th attribute content does not meet the i-th preset condition, stopping the analysis of the subsequent preset attributes, so that i sub-analysis results are obtained, wherein the subsequent preset attributes comprise the preset attributes after the i-th preset attribute in the preset arrangement sequence, and i is greater than or equal to 1;
S3, when the i-th sub-analysis result indicates that the i-th attribute content satisfies the i-th preset condition, analyzing the (i+1)-th attribute content corresponding to the (i+1)-th preset attribute;
and sequentially executing steps S1 to S3 on the n preset attributes to finally obtain m sub-analysis results, wherein m is greater than or equal to 1 and less than or equal to n.
According to an embodiment of the present disclosure, the determining the analysis result according to the sub-analysis result includes:
when m is less than n, determining, according to the m sub-analysis results, that the analysis result indicates that the suspicious network attack log has a network attack;
when m is equal to n, judging whether the m sub-analysis results include a sub-analysis result whose attribute content does not meet the corresponding preset condition;
when the m sub-analysis results include a sub-analysis result whose attribute content does not meet the corresponding preset condition, determining that the analysis result indicates that the suspicious network attack log has a network attack;
and when the m sub-analysis results do not include a sub-analysis result whose attribute content does not meet the corresponding preset condition, determining that the analysis result indicates that the suspicious network attack log does not have a network attack.
According to an embodiment of the present disclosure, the network protocol includes one of: network layer protocol, transport layer protocol, application layer protocol.
According to an embodiment of the present disclosure, the preset attribute corresponding to the network layer protocol includes: message length, message identification information and message survival time;
the preset attributes corresponding to the transport layer protocol include: message serial number, message confirmation number, message checksum, message synchronization flag bit, message confirmation flag bit and message reset flag bit;
the preset attributes corresponding to the application layer protocol include: a request method and a user agent, wherein the request method comprises the communication method actually used by the message, and the user agent comprises the user information contained in the message.
According to an embodiment of the present disclosure, the preset monitoring policy corresponding to the network layer protocol includes: whether the length of the message meets a preset value or not and whether the message identification information in the same communication session is the same or not are judged, and whether the message is an effective message or not is judged according to the survival time of the message;
the preset monitoring strategy corresponding to the transport layer protocol comprises the following steps: whether the message confirmation number is the same as the message serial number or not, whether the numerical value obtained by adopting a preset calculation mode is the same as the message checksum or not, and whether the synchronous flag bit of the message, the confirmation flag bit of the message and the reset flag bit of the message are all 1 or not;
the preset monitoring strategy corresponding to the application layer protocol comprises the following steps: whether a communication method actually used by the message is included in a preset communication method or not, and whether the user information included in the message is included in the preset user information base or not.
Another aspect of the present disclosure provides a network attack monitoring apparatus, including:
the acquisition module is used for acquiring the suspicious network attack log;
a determining module, configured to determine, according to the suspicious network attack log, a network protocol corresponding to the suspicious network attack log;
an extracting module, configured to extract, according to a preset attribute corresponding to the network protocol and a packet format of the network protocol, attribute content corresponding to the preset attribute from the suspicious network attack log;
the analysis module is used for analyzing the attribute content according to a preset monitoring strategy corresponding to the network protocol to obtain an analysis result; and
and the generating module is used for generating alarm information under the condition that the analysis result shows that the suspicious network attack log is characterized by having network attacks.
Another aspect of the present disclosure provides an electronic device including: one or more processors; and a memory for storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors are caused to perform the method for monitoring network attacks.
Another aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions, which when executed by a processor, cause the processor to perform the above network attack monitoring method.
Another aspect of the present disclosure also provides a computer program product including a computer program, which when executed by a processor, implements the network attack monitoring method described above.
According to the embodiment of the disclosure, because the network protocol corresponding to the suspicious network attack log is determined according to the suspicious network attack log, and then the attribute content corresponding to the preset attribute is extracted from the suspicious network attack log according to the preset attribute corresponding to the network protocol and the message format of the network protocol, and further the attribute content is analyzed according to the preset monitoring strategy, and the alarm information is generated according to the analysis result, the technical problem that the accuracy of the alarm information is low due to the fact that the real network attack is difficult to accurately identify by the existing network attack monitoring method is at least partially overcome, and the technical effect that the accuracy of the alarm information is improved by accurately identifying the real network attack through accurate and precise attack identification is achieved.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, taken in conjunction with the accompanying drawings of which:
fig. 1 schematically illustrates an application scenario diagram of a method, apparatus, device, medium, and program product for monitoring network attacks according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of monitoring for network attacks in accordance with an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a method of attributed content analysis according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a method of monitoring for network attacks according to another embodiment of the present disclosure;
fig. 5 is a block diagram schematically illustrating a network attack monitoring apparatus according to an embodiment of the present disclosure; and
fig. 6 schematically shows a block diagram of an electronic device adapted to implement a monitoring method of network attacks according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
As network applications develop, more and more services are transferred from offline to online, and service systems also bear more access requirements. Meanwhile, network attacks are endless, and some important network nodes in particular face various threats of network attack. At present, network attacks are generally protected against by using network attack protection equipment, and network attacks are monitored by periodically analyzing the network attack logs generated by the network attack protection equipment, so that alarm information is generated to remind a manager to improve network protection.
In carrying out the inventive concept of the present disclosure, the inventors found that at least the following problems exist in the related art: the existing network attack monitoring method generally judges based on conventional characteristics, such as attack source address, attack destination address, source port, target port and the like, so that the real network attack is difficult to accurately identify, and the accuracy of alarm information is low.
In view of the above, the present disclosure provides an analysis result by formulating a corresponding preset attribute and a monitoring policy according to a network protocol, extracting attribute content corresponding to the preset attribute from a suspected network attack log based on a message format of the network protocol, and analyzing the attribute content by using the monitoring policy. The method can provide more accurate and precise attack identification degree, so that real network attacks can be accurately identified, and the accuracy of alarm information is further improved.
Specifically, an embodiment of the present disclosure provides a method for monitoring a network attack, including: acquiring a suspicious network attack log; determining a network protocol corresponding to the suspicious network attack log according to the suspicious network attack log; extracting attribute content corresponding to the preset attribute from the suspicious network attack log according to the preset attribute corresponding to the network protocol and the message format of the network protocol; analyzing the attribute content according to a preset monitoring strategy corresponding to the network protocol to obtain an analysis result; and generating alarm information under the condition that the analysis result shows that the suspicious network attack log representation has network attacks.
It should be noted that the network attack monitoring method and apparatus provided by the embodiments of the present disclosure may be used in the field of information security. The network attack monitoring method and device provided by the embodiment of the disclosure can also be used in any fields except the field of information security, such as the financial field. The application fields of the network attack monitoring method and the network attack monitoring device provided by the embodiment of the disclosure are not limited.
In the technical scheme of the disclosure, before the personal information of the user is acquired or collected, the authorization or the consent of the user is acquired.
In the technical scheme of the disclosure, the data acquisition, collection, storage, use, processing, transmission, provision, disclosure, application and other processing are all in accordance with the regulations of relevant laws and regulations, necessary security measures are taken, and the public order and good custom are not violated.
Fig. 1 schematically shows an application scenario diagram of a network attack monitoring method, apparatus, device, medium, and program product according to an embodiment of the present disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include a network, a network attack prevention device, and a server. Network 102 is used to provide a medium for a communication link between network attack protection device 101 and server 103. Network 102 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The network attack protection device 101 may be an intrusion prevention device, a network application firewall, or a network traffic capture device; it may generate a large number of network attack logs, and it may interact with the server 103 through the network 102 to transmit the generated network attack logs to the server 103.
The server 103 may be a server providing various services, for example, store the cyber attack log sent by the cyber attack protection device 101, and may further analyze the cyber attack log sent by the cyber attack protection device 101 according to a preset monitoring policy, and generate alarm information to notify a front-line monitoring person.
It should be noted that the network attack monitoring method provided by the embodiment of the present disclosure may be generally executed by the server 103. Accordingly, the monitoring apparatus for network attacks provided by the embodiments of the present disclosure may be generally disposed in the server 103. The network attack monitoring method provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the server 103 and can communicate with the network attack protection device 101 and/or the server 103. Accordingly, the network attack monitoring apparatus provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster that is different from the server 103 and is capable of communicating with the network attack protection device 101 and/or the server 105. Alternatively, the network attack monitoring method provided by the embodiment of the present disclosure may also be executed by the network attack protection device 101, or may also be executed by other network attack protection devices different from the network attack protection device 101. Accordingly, the monitoring apparatus for network attack provided by the embodiment of the present disclosure may also be disposed in the network attack protection device 101, or in other network attack protection devices different from the network attack protection device 101.
For example, a monitoring policy tool may be deployed on the cyber attack protecting device 101, with which the monitoring policy is predefined. Then, the monitoring policy tool may execute the network attack monitoring method provided by the embodiment of the present disclosure on the network attack protection device 101.
It should be understood that the number of network attack protection devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of network attack prevention devices, networks, and servers, as desired for implementation.
The network attack monitoring method according to the disclosed embodiment will be described in detail with reference to fig. 2 to 4 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flowchart of a method for monitoring network attacks according to an embodiment of the present disclosure.
As shown in fig. 2, the monitoring method of network attack of this embodiment includes operations S210 to S250, and the monitoring method of network attack may be performed by a server.
In operation S210, a suspicious cyber-attack log is obtained.
According to an embodiment of the present disclosure, the suspicious cyber attack log may include, for example, a cyber attack log generated by a cyber attack prevention device. The cyber attack prevention devices may include, for example, intrusion prevention devices, network application firewalls, network traffic grab devices, etc., which may generate a large number of logs of cyber attacks.
According to the embodiment of the disclosure, a network attack log storage server for storing various network attack logs can be built, and the network attack logs generated by the network attack protection device can be transmitted to the network attack log storage server so as to be convenient for analyzing the network attack logs.
In operation S220, a network protocol corresponding to the suspicious network attack log is determined according to the suspicious network attack log.
According to the embodiment of the disclosure, in a network application, when a network device transmits a message through a network attack protection device, the network attack protection device adds the network source to which the message belongs to the network attack log, so that the network attack log includes feature information of the network source, and the feature information may include a network protocol address. Therefore, the network protocol contained in the suspicious network attack log can be determined according to the suspicious network attack log.
According to an embodiment of the present disclosure, the network protocol includes one of: network layer protocol, transport layer protocol, application layer protocol.
According to an embodiment of the present disclosure, the network layer Protocol may include, for example, an IP Protocol (Internet Protocol), an ICMP Protocol (Internet Control Message Protocol), and the like. The transport layer Protocol may include, for example, a TCP Protocol (Transmission Control Protocol/Internet Protocol). The application layer Protocol may include, for example, the HTTP Protocol (HyperText Transfer Protocol).
In operation S230, according to the preset attribute corresponding to the network protocol and the packet format of the network protocol, the attribute content corresponding to the preset attribute is extracted from the suspected network attack log.
According to an embodiment of the present disclosure, the preset attribute corresponding to the network protocol may include any attribute that can be used as an attack recognition feature. For example, the network protocol is an IP protocol, and the preset attribute corresponding to the IP protocol may include a packet length, a packet identifier ID, a packet survival time, and the like.
According to an embodiment of the present disclosure, the preset attributes corresponding to the network layer protocol include: message length, message identification information and message survival time; the preset attributes corresponding to the transport layer protocol include: message serial number, message confirmation number, message checksum, message synchronization flag bit, message confirmation flag bit and message reset flag bit; the preset attributes corresponding to the application layer protocol include: a request method and a user agent, wherein the request method comprises the communication method actually used by the message, and the user agent comprises the user information contained in the message.
According to an embodiment of the present disclosure, the attribute description of the preset attribute is as shown in table 1:
TABLE 1 (attribute descriptions of the preset attributes; the table is an image in the original publication and its content is not reproduced here)
According to the embodiment of the disclosure, the suspicious network attack log is split according to the message format of the network message, then the attribute content corresponding to the preset attribute in the suspicious network attack log is extracted according to the preset attribute, and the attribute content is used as the attack identification feature for analysis.
In operation S240, the attribute content is analyzed according to a preset monitoring policy corresponding to the network protocol, so as to obtain an analysis result.
According to an embodiment of the present disclosure, the preset monitoring policy may be predefined, for example, with a monitoring policy tool. Different network protocols employ different monitoring strategies.
According to an embodiment of the present disclosure, the preset monitoring policy corresponding to the network layer protocol includes: whether the length of the message meets a preset value or not and whether the message identification information in the same communication session is the same or not are judged, and whether the message is an effective message or not is judged according to the survival time of the message; the preset monitoring strategy corresponding to the transport layer protocol comprises the following steps: whether the message confirmation number is the same as the message serial number or not, whether the numerical value obtained by adopting a preset calculation mode is the same as the message checksum or not, and whether the synchronous flag bit of the message, the confirmation flag bit of the message and the reset flag bit of the message are all 1 or not; the preset monitoring strategy corresponding to the application layer protocol comprises the following steps: whether a communication method actually used by the message is included in a preset communication method or not, and whether the user information included in the message is included in the preset user information base or not.
For example, if the network protocol is an IP protocol, the monitoring policy corresponding to the IP protocol may include whether the length of the packet satisfies a preset value, whether the packet identifier information in the same communication session is the same, and whether the packet is an effective packet is determined according to the survival time of the packet. For another example, the network protocol is a TCP protocol, and the monitoring policy corresponding to the TCP protocol may include whether the message acknowledgment number is the same as the message serial number, whether the value obtained by using a preset calculation method is the same as the message checksum, and whether the synchronization flag bit of the message, the acknowledgement flag bit of the message, and the reset flag bit of the message are all 1.
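The transport-layer monitoring items just listed (confirmation number compared with serial number, a recomputed value compared with the stored checksum, and the synchronization, confirmation and reset flag bits all being 1) as an added worked example in Python. This is not code from the patent or from ICBC: the packets, addresses and ports it builds are constructed for the example, and the "preset calculation mode" is taken to be the standard Internet checksum (RFC 1071) over the TCP pseudo-header and segment, which is one concrete choice the patent leaves open.

```python
import struct

# ---- constructed sample traffic (not from the patent) ---------------------
SRC_IP = bytes([10, 0, 0, 5])   # assumed source address
DST_IP = bytes([10, 0, 0, 9])   # assumed destination address
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10   # flag bits in the TCP flags byte


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones'-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto=TCP, csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_header(src: bytes, dst: bytes, sport: int, dport: int,
                     seq: int, ack: int, flags: int) -> bytes:
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urgent
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(hdr))   # TCP pseudo-header
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def make_packet(flags: int, seq: int, ack: int, corrupt_checksum: bool = False) -> bytes:
    """Assemble an IPv4/TCP packet; optionally flip bits in the stored TCP checksum."""
    tcp = build_tcp_header(SRC_IP, DST_IP, 40000, 80, seq, ack, flags)
    if corrupt_checksum:
        tcp = tcp[:16] + bytes([tcp[16] ^ 0xFF, tcp[17]]) + tcp[18:]
    return build_ipv4_header(SRC_IP, DST_IP, len(tcp)) + tcp


# A normal connection request, and a malformed segment that trips every item.
BENIGN_SYN = make_packet(TCP_SYN, seq=1000, ack=0)
HOSTILE = make_packet(TCP_SYN | TCP_ACK | TCP_RST, seq=7, ack=7, corrupt_checksum=True)


def verify_tcp_segment(packet: bytes) -> dict:
    """Parse an IPv4/TCP packet and evaluate the transport-layer monitoring items.

    Every key is True when the packet looks like normal traffic for that item;
    False is the 'attribute content does not meet the preset condition' case.
    """
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    tcp = packet[ihl:total_len]
    seq, ack = struct.unpack("!II", tcp[4:12])
    flags = tcp[13]
    stored = struct.unpack("!H", tcp[16:18])[0]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    recomputed = checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    return {
        # a header whose stored checksum is correct sums to 0xFFFF as a whole
        "ip_header_checksum_ok": ones_complement_sum(ip_hdr) == 0xFFFF,
        "tcp_checksum_ok": recomputed == stored,
        "ack_differs_from_seq": ack != seq,
        "syn_ack_rst_not_all_set": not (flags & TCP_SYN and flags & TCP_ACK and flags & TCP_RST),
    }


if __name__ == "__main__":
    print("benign :", verify_tcp_segment(BENIGN_SYN))
    print("hostile:", verify_tcp_segment(HOSTILE))
```

Each item is returned separately rather than folded into a single verdict, because the patent's policy evaluates the preset attributes one at a time in a fixed order and stops at the first failure; a dictionary of per-item results is the natural input to that sequential step.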
In operation S250, alarm information is generated when the analysis result indicates that the suspicious network attack log represents a network attack.
According to the embodiment of the disclosure, under the condition that the suspicious network attack log has the network attack, the alarm information is generated and a front-line monitoring person is notified to process the suspicious network attack log.
According to the embodiment of the disclosure, because the network protocol corresponding to the suspicious network attack log is determined according to the suspicious network attack log, and then the attribute content corresponding to the preset attribute is extracted from the suspicious network attack log according to the preset attribute corresponding to the network protocol and the message format of the network protocol, and further the attribute content is analyzed according to the preset monitoring strategy, and the alarm information is generated according to the analysis result, the technical problem that the accuracy of the alarm information is low due to the fact that the real network attack is difficult to accurately identify by the existing network attack monitoring method is at least partially overcome, and the technical effect that the accuracy of the alarm information is improved by accurately and precisely identifying the real network attack through the accurate attack identification degree is achieved.
According to the embodiment of the disclosure, the network protocol includes n preset attributes, where n is greater than or equal to 1. Analyzing the attribute content according to the preset monitoring policy corresponding to the network protocol to obtain an analysis result includes: sequentially analyzing the attribute content corresponding to each preset attribute according to a preset arrangement order of the n preset attributes, to obtain a sub-analysis result corresponding to each preset attribute; and determining the analysis result according to the sub-analysis results.
According to an embodiment of the present disclosure, each preset attribute has a corresponding preset condition. Sequentially analyzing the attribute content corresponding to each preset attribute according to the preset arrangement order of the n preset attributes to obtain the corresponding sub-analysis result includes: S1, for the i-th preset attribute among the n preset attributes, analyzing the i-th attribute content corresponding to the i-th preset attribute according to the i-th preset condition corresponding to that attribute, to obtain an i-th sub-analysis result; S2, when the i-th sub-analysis result indicates that the i-th attribute content does not satisfy the i-th preset condition, stopping the analysis of the subsequent preset attributes, so that i sub-analysis results are obtained, where the subsequent preset attributes are those after the i-th preset attribute in the preset arrangement order, and i is greater than or equal to 1; S3, when the i-th sub-analysis result indicates that the i-th attribute content satisfies the i-th preset condition, analyzing the (i+1)-th attribute content corresponding to the (i+1)-th preset attribute; and executing steps S1 to S3 in sequence over the n preset attributes, finally obtaining m sub-analysis results, where m is greater than or equal to 1 and less than or equal to n.
According to the embodiment of the disclosure, the n preset attributes are analyzed in the preset arrangement order, and as soon as the currently analyzed preset attribute does not satisfy its preset condition, the suspicious network attack log is determined to contain a network attack without analyzing the subsequent preset attributes. This reduces the workload of analyzing network attack logs and improves analysis efficiency.
According to an embodiment of the present disclosure, determining the analysis result according to the sub-analysis results includes: when m is less than n, determining from the m sub-analysis results that the analysis result indicates that the suspicious network attack log contains a network attack; when m is equal to n, judging whether the m sub-analysis results include a sub-analysis result whose attribute content does not satisfy the corresponding preset condition; when the m sub-analysis results include such a sub-analysis result, determining that the analysis result indicates that the suspicious network attack log contains a network attack; and when the m sub-analysis results include no such sub-analysis result, determining that the analysis result indicates that the suspicious network attack log contains no network attack.
Fig. 3 schematically shows a flow chart of an attribute content analysis method according to an embodiment of the present disclosure.
As shown in fig. 3, the attribute content analysis method of this embodiment includes operations S301 to S308, where the preset attributes, arranged in the preset order, are a first preset attribute, a second preset attribute and a third preset attribute.
In operation S301, a first attribute content corresponding to a first preset attribute is analyzed according to a first preset condition corresponding to the first preset attribute, so as to obtain a first sub-analysis result corresponding to the first preset attribute.
In operation S302, it is determined whether the first attribute content in the first sub-analysis result satisfies a first preset condition. In case that the first sub-analysis result indicates that the first attribute contents do not satisfy the first preset condition, operation S308 is performed. In case that the first sub-analysis result indicates that the first attribute contents satisfy the first preset condition, operation S303 is performed.
In operation S303, the second attribute content corresponding to the second preset attribute is analyzed according to a second preset condition corresponding to the second preset attribute, so as to obtain a second sub-analysis result corresponding to the second preset attribute.
In operation S304, it is determined whether the second attribute content in the second sub-analysis result satisfies a second preset condition. In case that the second sub-analysis result indicates that the second attribute contents do not satisfy the second preset condition, operation S308 is performed. In case that the second sub-analysis result indicates that the second attribute contents satisfy the second preset condition, operation S305 is performed.
In operation S305, a third attribute content corresponding to a third preset attribute is analyzed according to a third preset condition corresponding to the third preset attribute, so as to obtain a third sub-analysis result corresponding to the third preset attribute.
In operation S306, it is determined whether the third attribute content in the third sub-analysis result satisfies a third preset condition. In case that the third sub-analysis result indicates that the third attribute contents do not satisfy the third preset condition, operation S308 is performed. In case that the third sub-analysis result indicates that the third attribute contents satisfy the third preset condition, operation S307 is performed.
In operation S307, it is determined that the suspicious network attack log contains no network attack.
In operation S308, the analysis is stopped, and it is determined that the suspicious network attack log contains a network attack.
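The ordered evaluation of steps S1 to S3 and the m-versus-n verdict rule, generalized from the three-attribute flow of Fig. 3 to any n presets. This is an added example, not code from the patent or its assignee; the three example presets and their conditions (message length, time-to-live, flag combination) are constructed for illustration, and a real deployment would plug in the per-protocol policy checks instead.

```python
"""Ordered evaluation of n preset attributes with early stop (steps S1 to S3), and the
verdict derived from the m sub-analysis results."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Sequence, Tuple

# A preset attribute is paired with its preset condition; the condition receives the
# extracted attribute content and returns True when the content satisfies it.
Preset = Tuple[str, Callable[[Any], bool]]


@dataclass(frozen=True)
class SubResult:
    attribute: str
    content: Any
    satisfied: bool


def analyze_in_order(presets: Sequence[Preset], contents: Dict[str, Any]) -> List[SubResult]:
    """Walk the n presets in their preset arrangement order.

    S1: analyse the i-th attribute content against the i-th preset condition.
    S2: if it is not satisfied, stop; i sub-analysis results have been produced.
    S3: otherwise continue with the (i+1)-th attribute.
    Returns m sub-analysis results, 1 <= m <= n.
    """
    results: List[SubResult] = []
    for name, condition in presets:
        content = contents[name]
        satisfied = bool(condition(content))
        results.append(SubResult(name, content, satisfied))
        if not satisfied:
            break
    return results


def has_attack(results: Sequence[SubResult], n: int) -> bool:
    """Verdict from the sub-analysis results: True means the log contains a network attack."""
    m = len(results)
    if m < n:
        # analysis stopped early, so some preset condition was not met
        return True
    # m == n: every attribute was examined; an attack is present only if one of
    # them (necessarily the last) failed its condition
    return any(not r.satisfied for r in results)


def monitor(presets: Sequence[Preset], contents: Dict[str, Any]) -> Tuple[bool, int]:
    """Run the ordered analysis and return (attack_present, m)."""
    results = analyze_in_order(presets, contents)
    return has_attack(results, len(presets)), len(results)


# Constructed example presets in the three-attribute arrangement of Fig. 3 (the
# conditions are illustrative, not the patent's): message length, time-to-live, flags.
EXAMPLE_PRESETS: List[Preset] = [
    ("message_length", lambda v: 20 <= v <= 65535),
    ("ttl", lambda v: 0 < v <= 255),
    ("flags", lambda v: (v & 0x16) != 0x16),   # SYN, ACK and RST not all set
]

if __name__ == "__main__":
    for contents in (
        {"message_length": 60, "ttl": 64, "flags": 0x10},   # legitimate: m == n, no failure
        {"message_length": 60, "ttl": 0, "flags": 0x10},    # stops at the 2nd attribute: m < n
        {"message_length": 60, "ttl": 64, "flags": 0x16},   # fails on the last attribute: m == n
    ):
        print(contents, "->", monitor(EXAMPLE_PRESETS, contents))
```

The `m == n` branch is not redundant: when the last preset attribute is the one that fails, all n attributes have been examined, so the count alone cannot distinguish that case from a clean log and the sub-analysis results themselves must be inspected.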
Fig. 4 schematically shows a flowchart of a method for monitoring network attacks according to another embodiment of the present disclosure.
As shown in fig. 4, the flowchart of the monitoring method for network attacks in this embodiment includes operations S401 to S409.
In operation S401, the cyber attack protecting apparatus transmits a cyber attack log to the cyber attack log storing server.
In operation S402, the cyber attack log storage server receives and stores the cyber attack log.
In operation S403, different monitoring policies are predefined according to different network protocols by using a monitoring policy tool deployed on the cyber attack log storage server.
In operation S404, a network protocol corresponding to the network attack log is determined according to the network attack log.
In operation S405, according to the preset attribute corresponding to the network protocol and the message format of the network protocol, the attribute content corresponding to the preset attribute is extracted from the network attack log.
In operation S406, the attribute content is analyzed according to the monitoring policy corresponding to the network protocol, so as to obtain an analysis result.
In operation S407, whether the network attack log contains a network attack is determined according to the analysis result. If the analysis result indicates that the network attack log contains a network attack, operation S408 is performed; if it indicates that the log contains no network attack, operation S409 is performed.
In operation S408, alarm information is generated so that a monitoring person performs relevant processing according to the alarm information.
In operation S409, the process ends.
According to the embodiment of the disclosure, a user can formulate the corresponding preset attribute and the monitoring strategy based on the network protocol, split the network attack log based on the message format of the network protocol, extract the attribute content corresponding to the preset attribute, take the extracted attribute content as the attack identification feature and analyze the attack identification feature by using the monitoring strategy, thereby obtaining the analysis result. The method can provide more accurate and precise attack identification degree, so that real network attacks can be accurately identified, and the accuracy of alarm information is further improved.
It should be noted that, unless an execution order between different operations is explicitly stated or is required by the technical implementation, the operations in the flowcharts of this disclosure need not be executed in the order shown, and multiple operations may be executed simultaneously.
Based on the network attack monitoring method, the disclosure also provides a network attack monitoring device. The apparatus will be described in detail below with reference to fig. 5.
Fig. 5 schematically shows a block diagram of a network attack monitoring apparatus according to an embodiment of the present disclosure.
As shown in fig. 5, the monitoring apparatus 500 for network attacks of this embodiment includes an obtaining module 510, a determining module 520, an extracting module 530, an analyzing module 540, and a generating module 550.
The obtaining module 510 is configured to obtain a suspicious network attack log. In an embodiment, the obtaining module 510 may be configured to perform the operation S210 described above, which is not described herein again.
The determining module 520 is configured to determine a network protocol corresponding to the suspicious network attack log according to the suspicious network attack log. In an embodiment, the determining module 520 may be configured to perform the operation S220 described above, which is not described herein again.
The extracting module 530 is configured to extract, according to a preset attribute corresponding to the network protocol and a message format of the network protocol, an attribute content corresponding to the preset attribute from the suspicious network attack log. In an embodiment, the extracting module 530 may be configured to perform the operation S230 described above, which is not described herein again.
The analysis module 540 is configured to analyze the attribute content according to a preset monitoring policy corresponding to the network protocol, so as to obtain an analysis result. In an embodiment, the analysis module 540 may be configured to perform the operation S240 described above, which is not described herein again.
The generating module 550 is configured to generate alarm information when the analysis result indicates that the suspicious network attack log contains a network attack. In an embodiment, the generating module 550 may be configured to perform the operation S250 described above, which is not described herein again.
According to the embodiment of the disclosure, the network protocol includes n preset attributes, where n is greater than or equal to 1.
According to an embodiment of the present disclosure, an analysis module includes: an analysis submodule and a determination submodule.
The analysis submodule is configured to sequentially analyze the attribute content corresponding to each preset attribute according to the preset arrangement order of the n preset attributes, to obtain a sub-analysis result corresponding to each preset attribute.
The determining submodule is configured to determine the analysis result according to the sub-analysis results.
According to an embodiment of the present disclosure, each of the above-mentioned preset attributes has a corresponding preset condition.
According to an embodiment of the present disclosure, the analysis submodule includes: the device comprises a first analysis unit, a stop unit, a second analysis unit and an execution unit.
The first analysis unit is configured to, for the i-th preset attribute among the n preset attributes, analyze the i-th attribute content corresponding to the i-th preset attribute according to the i-th preset condition corresponding to that attribute, to obtain the i-th sub-analysis result.
The stopping unit is configured to, when the i-th sub-analysis result indicates that the i-th attribute content does not satisfy the i-th preset condition, stop analyzing the subsequent preset attributes, so that i sub-analysis results are obtained, where the subsequent preset attributes are those after the i-th preset attribute in the preset arrangement order, and i is greater than or equal to 1.
The second analysis unit is configured to, when the i-th sub-analysis result indicates that the i-th attribute content satisfies the i-th preset condition, analyze the (i+1)-th attribute content corresponding to the (i+1)-th preset attribute.
The execution unit is configured to execute the operations of the first analysis unit, the stopping unit and the second analysis unit in sequence over the n preset attributes, finally obtaining m sub-analysis results, where m is greater than or equal to 1 and less than or equal to n.
According to an embodiment of the present disclosure, the determining sub-module includes: the device comprises a first determining unit, a judging unit, a second determining unit and a third determining unit.
The first determining unit is configured to, when m is less than n, determine from the m sub-analysis results that the analysis result indicates that the suspicious network attack log contains a network attack.
The judging unit is configured to, when m is equal to n, judge whether the m sub-analysis results include a sub-analysis result whose attribute content does not satisfy the corresponding preset condition.
The second determining unit is configured to, when the m sub-analysis results include a sub-analysis result whose attribute content does not satisfy the corresponding preset condition, determine that the analysis result indicates that the suspicious network attack log contains a network attack.
The third determining unit is configured to, when the m sub-analysis results include no sub-analysis result whose attribute content does not satisfy the corresponding preset condition, determine that the analysis result indicates that the suspicious network attack log contains no network attack.
According to an embodiment of the present disclosure, the network protocol includes one of: network layer protocol, transport layer protocol, application layer protocol.
According to an embodiment of the present disclosure, the preset attributes corresponding to the network layer protocol include: message length, message identification information and message survival time; the preset attributes corresponding to the transport layer protocol include: message sequence number, message acknowledgment number, message checksum, message synchronization flag, message acknowledgment flag and message reset flag; the preset attributes corresponding to the application layer protocol include: a request method and a user agent, where the request method is the communication method actually used by the message and the user agent carries the user information contained in the message.
According to an embodiment of the present disclosure, the preset monitoring policy corresponding to the network layer protocol includes: whether the message length meets a preset value, whether the message identification information within the same communication session is the same, and whether the message is an effective message, judged according to the survival time of the message; the preset monitoring policy corresponding to the transport layer protocol includes: whether the message acknowledgment number is the same as the message sequence number, whether the value obtained by a preset calculation method is the same as the message checksum, and whether the synchronization flag, acknowledgment flag and reset flag of the message are all 1; the preset monitoring policy corresponding to the application layer protocol includes: whether the communication method actually used by the message is among the preset communication methods, and whether the user information contained in the message is present in the preset user information base.
Any number of modules, sub-modules, units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units according to the embodiments of the present disclosure may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging the circuit, or in any one of three implementations of software, hardware, and firmware, or in any suitable combination of any of them. Alternatively, one or more of the modules, sub-modules, units according to embodiments of the disclosure may be implemented at least partly as computer program modules, which, when executed, may perform corresponding functions.
According to the embodiment of the present disclosure, any plurality of the obtaining module 510, the determining module 520, the extracting module 530, the analyzing module 540, and the generating module 550 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the obtaining module 510, the determining module 520, the extracting module 530, the analyzing module 540, and the generating module 550 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or implemented by a suitable combination of any several of them. Alternatively, at least one of the obtaining module 510, the determining module 520, the extracting module 530, the analyzing module 540 and the generating module 550 may be at least partially implemented as a computer program module, which when executed, may perform a corresponding function.
It should be noted that the monitoring device part of the network attack in the embodiment of the present disclosure corresponds to the monitoring method part of the network attack in the embodiment of the present disclosure, and the description of the monitoring device part of the network attack specifically refers to the monitoring method part of the network attack, which is not described herein again.
Fig. 6 schematically shows a block diagram of an electronic device adapted to implement a monitoring method of network attacks according to an embodiment of the present disclosure.
As shown in fig. 6, an electronic device 600 according to an embodiment of the present disclosure includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. Processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 601 may also include onboard memory for caching purposes. Processor 601 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM602, and the RAM 603 are connected to each other via a bus 604. The processor 601 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM602 and/or RAM 603. It is to be noted that the programs may also be stored in one or more memories other than the ROM602 and RAM 603. The processor 601 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 600 may also include input/output (I/O) interface 605, input/output (I/O) interface 605 also connected to bus 604, according to an embodiment of the disclosure. The electronic device 600 may also include one or more of the following components connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The driver 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is mounted in the storage section 608 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM602 and/or RAM 603 described above and/or one or more memories other than the ROM602 and RAM 603.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the network attack monitoring method provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 601. The above described systems, devices, modules, units, etc. may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of signals over a network medium, downloaded and installed via the communication section 609, and/or installed from a removable medium 611. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program, when executed by the processor 601, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. A network attack monitoring method comprises the following steps:
acquiring a suspicious network attack log;
determining a network protocol corresponding to the suspicious network attack log according to the suspicious network attack log;
extracting attribute content corresponding to the preset attribute from the suspicious network attack log according to the preset attribute corresponding to the network protocol and the message format of the network protocol;
analyzing the attribute content according to a preset monitoring strategy corresponding to the network protocol to obtain an analysis result; and
generating alarm information when the analysis result indicates that the suspicious network attack log contains a network attack.
2. The method of claim 1, wherein the network protocol includes n of the preset attributes, where n ≧ 1;
the analyzing the attribute content according to the preset monitoring strategy corresponding to the network protocol to obtain an analysis result comprises:
according to a preset arrangement sequence of the n preset attributes, sequentially analyzing the attribute contents corresponding to the preset attributes to obtain sub-analysis results corresponding to the preset attributes;
and determining the analysis result according to the sub-analysis result.
3. The method of claim 2, wherein each of the preset attributes has a corresponding preset condition;
the sequentially analyzing the attribute content corresponding to each preset attribute according to the preset arrangement sequence of the n preset attributes to obtain the sub-analysis result corresponding to that preset attribute comprises:
S1, for the i-th preset attribute among the n preset attributes, analyzing the i-th attribute content corresponding to the i-th preset attribute according to the i-th preset condition corresponding to the i-th preset attribute, to obtain the i-th sub-analysis result corresponding to the i-th preset attribute;
S2, when the i-th sub-analysis result shows that the i-th attribute content does not meet the i-th preset condition, stopping the analysis of the subsequent preset attributes, so that i sub-analysis results are obtained, wherein the subsequent preset attributes comprise the preset attributes after the i-th preset attribute in the preset arrangement sequence, and i ≥ 1;
S3, when the i-th sub-analysis result shows that the i-th attribute content meets the i-th preset condition, analyzing the (i+1)-th attribute content corresponding to the (i+1)-th preset attribute;
and sequentially executing steps S1 to S3 on the n preset attributes, finally obtaining m sub-analysis results, wherein 1 ≤ m ≤ n.
4. The method of claim 3, wherein said determining the analysis result from the sub-analysis results comprises:
when m is less than n, determining, according to the m sub-analysis results, that the analysis result indicates that the suspicious network attack log has a network attack;
when m is equal to n, judging whether the m sub-analysis results contain a sub-analysis result whose attribute content does not meet the corresponding preset condition;
when the m sub-analysis results contain such a sub-analysis result, determining that the analysis result indicates that the suspicious network attack log has a network attack;
and when the m sub-analysis results do not contain such a sub-analysis result, determining that the analysis result indicates that the suspicious network attack log has no network attack.
5. The method of claim 1, wherein the network protocol comprises one of: a network layer protocol, a transport layer protocol, or an application layer protocol.
6. The method of claim 5, wherein,
the preset attributes corresponding to the network layer protocol include: message length, message identification information, and message survival time (time to live);
the preset attributes corresponding to the transport layer protocol include: message sequence number, message acknowledgement number, message checksum, message synchronization flag bit, message acknowledgement flag bit, and message reset flag bit;
the preset attributes corresponding to the application layer protocol include: a request method and a user agent, wherein the request method comprises the communication method actually used by the message, and the user agent comprises the user information contained in the message.
7. The method of claim 6, wherein,
the preset monitoring strategy corresponding to the network layer protocol comprises: judging whether the message length meets a preset value, whether the message identification information within the same communication session is the same, and whether the message is a valid message according to the message survival time;
the preset monitoring strategy corresponding to the transport layer protocol comprises: judging whether the message acknowledgement number is the same as the message sequence number, whether the value obtained by a preset calculation mode is the same as the message checksum, and whether the message synchronization flag bit, the message acknowledgement flag bit and the message reset flag bit are all 1;
the preset monitoring strategy corresponding to the application layer protocol comprises: judging whether the communication method actually used by the message is included in a preset set of communication methods, and whether the user information contained in the message is included in a preset user information base.
8. A network attack monitoring apparatus, comprising:
an acquisition module, configured to acquire a suspicious network attack log;
a determining module, configured to determine a network protocol corresponding to the suspicious network attack log according to the suspicious network attack log;
an extracting module, configured to extract attribute content corresponding to the preset attribute from the suspicious network attack log according to the preset attribute corresponding to the network protocol and the message format of the network protocol;
an analysis module, configured to analyze the attribute content according to a preset monitoring strategy corresponding to the network protocol to obtain an analysis result; and
a generating module, configured to generate alarm information when the analysis result shows that the suspicious network attack log indicates a network attack.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 7.
11. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 7.
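As an added illustration (not the patent's own code), the following Python implements the ordered, early-stopping attribute check of claims 2 to 4 and the m < n / m = n decision of claim 4, applied to the transport-layer preset attributes and monitoring strategy of claims 6 and 7. The condition functions, the checksum routine standing in for the "preset calculation mode", the polarity assumption that an acknowledgement number equal to the sequence number is the abnormal case, and the sample records are all constructed assumptions.

```python
from typing import Callable

Record = dict  # attribute contents already extracted from one suspicious log entry


def ones_complement_sum(data: bytes) -> int:
    """Constructed stand-in for the patent's 'preset calculation mode' (claim 7)."""
    total = sum(int.from_bytes(data[i:i + 2].ljust(2, b"\0"), "big")
                for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# Preset arrangement sequence of (preset attribute, preset condition); a condition
# returns True when the attribute content meets it. Assumption: an acknowledgement
# number equal to the sequence number is treated as the abnormal case.
TRANSPORT_CONDITIONS: list[tuple[str, Callable[[Record], bool]]] = [
    ("ack_number", lambda r: r["ack_number"] != r["seq_number"]),
    ("checksum", lambda r: ones_complement_sum(r["payload"]) == r["checksum"]),
    ("flags", lambda r: not (r["syn"] and r["ack"] and r["rst"])),  # SYN, ACK, RST all 1 is abnormal
]


def analyze(record: Record, conditions=TRANSPORT_CONDITIONS) -> tuple[bool, list[bool]]:
    """Steps S1-S3 of claim 3 plus the decision of claim 4: returns (has_attack, sub_results)."""
    n = len(conditions)
    sub_results: list[bool] = []
    for _attribute, meets in conditions:        # S1: analyze the i-th attribute content
        ok = meets(record)
        sub_results.append(ok)
        if not ok:                              # S2: condition unmet -> stop with i results
            break                               # S3: condition met -> continue with the (i+1)-th
    m = len(sub_results)
    if m < n:                                   # claim 4: stopped early -> network attack
        return True, sub_results
    return (not all(sub_results)), sub_results  # m == n: attack iff some result is unmet


# Constructed sample records (not from the patent).
BENIGN = {"seq_number": 1000, "ack_number": 2000, "payload": b"GET / HTTP/1.1",
          "checksum": ones_complement_sum(b"GET / HTTP/1.1"),
          "syn": False, "ack": True, "rst": False}
FLAG_ABUSE = dict(BENIGN, syn=True, ack=True, rst=True)
BAD_CHECKSUM = dict(BENIGN, checksum=0x1234)

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN), ("flag_abuse", FLAG_ABUSE), ("bad_checksum", BAD_CHECKSUM)]:
        attack, subs = analyze(rec)
        print(f"{name}: attack={attack} sub_results={subs}")  # attack=True -> alarm information (claim 1)
```

With the bad checksum the loop stops after the second attribute, so m = 2 < n = 3 and an alarm is raised without the flag bits ever being examined, which is exactly the early-stop behaviour claim 3 describes.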
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202210694259.5A CN114884748A (en) 2022-06-16 2022-06-16 Network attack monitoring method and device, electronic equipment and storage medium Pending

Publications (1)

Publication Number Publication Date
CN114884748A true CN114884748A (en) 2022-08-09

Family

ID=82682063


Country Status (1)

Country Link
CN (1) CN114884748A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115883226A (en) * 2022-12-07 2023-03-31 中国第一汽车股份有限公司 Vehicle network attack analysis method, device, equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108255996A (en) * 2017-12-29 2018-07-06 西安交大捷普网络科技有限公司 Safe log analyzing method based on Apriori algorithm


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李云 et al.: "Research on intrusion detection algorithms and architecture based on protocol analysis", 《计算机安全》, pages 2-4 *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination