CN115021974A - Local area network security probe equipment set - Google Patents

Publication number: CN115021974A
Application number: CN202210521470.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN115021974B
Legal status: Granted; active
Prior art keywords: data, network, module, database, data packet
Inventors: 张雨杭, 吴昊男, 李俊伟, 刘一清
Current assignee: East China Normal University
Original assignee: East China Normal University
Events: application filed by East China Normal University; priority claimed to CN202210521470.7A; publication of CN115021974A; application granted; publication of CN115021974B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 49/00 Packet switching elements
    • H04L 49/20 Support for services
    • H04L 49/208 Port mirroring
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a local area network security probe equipment group comprising network data probe equipment deployed at multiple sites, network data monitoring and service equipment, and a network information database. The security probe equipment is deployed at multiple points in a large network, and the traffic information it collects is gathered and organised at the data monitoring and service equipment, so that security monitoring, threat investigation, network resource statistics, network data model construction and similar functions for the whole network are accomplished through the cooperation of the global and local views. In actual use, a network security manager can monitor the network security state in real time, locate threats quickly and troubleshoot faults quickly, which has a positive effect on the security and performance of the network.

Description

Local area network security probe equipment set
Technical Field
The invention belongs to the technical field of network communication and relates to a comprehensive network traffic monitoring equipment group that combines a gateway-type hardware firewall with local network traffic detection. It is suitable for network security application scenarios such as network traffic control, network threat analysis and network resource survey.
Background
Internet technology has gradually penetrated every industry, becoming an irreplaceable production link and a resource on which daily life depends. The security and stability of the internet are therefore increasingly important guarantees of social and even national security. Today every industry maintains positions dedicated to network resource management and network security maintenance, and the network managers holding them increasingly demand network traffic monitoring, network resource management and network threat early-warning functions.
Network traffic monitoring works on the TCP/IP packets of the underlying network data: the packet headers are disassembled and analysed to obtain information such as the direction and intensity of traffic across the whole network. The traffic data is also analysed and combined to build a network data model, that is, long-term network data is counted, several relatively stable parameters are extracted, and these are combined into a spatial coordinate model.
Network resource management explores and models the routing paths of the whole network on the basis of routing topology discovery, and manages the number of devices of each kind in the network and the ways in which they are connected. Network administrators typically limit the number of devices in a network and optimise the device connection scheme to improve network performance.
Network threat early warning and defence applies a network packet filtering rule to screen out source addresses and protocol patterns with unsafe characteristics among the packets entering the network, and either prevents that data from entering the gateway or records it and raises an early warning. Software filtering algorithms running on x86-architecture servers are currently popular; they can be connected to an artificial intelligence model to improve precision, but have longer latency and poorer real-time performance. There are also hardware filtering models based on databases and statistics, which are less accurate than artificial intelligence but offer better real-time behaviour. Defending against dangerous data and protecting normal data are always in tension, so misjudgement scenarios always exist, which is one of the core problems in the field of network security.
Disclosure of Invention
The invention aims to solve a series of problems in current network security management, including a high misjudgement rate, poor resource management capability, poor real-time performance and a single sampling point, and provides a novel FPGA-based local area network security probe equipment group. By deploying the probe equipment at important communication exchange nodes in the network, network management personnel can achieve resource detection, distributed management and security protection of the whole network. In addition, the equipment group can be configured by the user at the data terminal, allowing user-defined function management and greatly improving the adaptability of the network security system to the network.
The specific technical scheme by which the invention achieves this purpose is as follows:
a local area network security probe equipment group, characterised in that the equipment group comprises a plurality of network mirror port security probe devices, a network information storage database, and data monitoring and service equipment, wherein the network mirror port security probe devices are connected to the data monitoring and service equipment, and the network information storage database is connected to the data monitoring and service equipment; wherein:
each network mirror port security probe device comprises a network packet capturing module, a network packet parsing module, a data feature classifying module, a data feature temporary storage module, a data feature packaging module and a network transmission module; the network packet capturing module is connected to the network packet parsing module and the data feature classifying module; the network packet parsing module and the data feature classifying module are both connected to the data feature temporary storage module; the data feature temporary storage module is connected to the data feature packaging module, and the data feature packaging module is connected to the network transmission module;
the network packet capturing module detects and captures a complete packet from the optical network data stream, where a complete packet must contain a continuous bit stream from the preamble to the check bits, and the check bits must satisfy the check rule; the network packet parsing module, using a state-machine algorithm that decides on the packet frame structure, sequentially splits each packet captured by the network packet capturing module into preamble, source address, destination address, packet type, message data and check code; the data feature classifying module classifies and summarises the packet contents refined by the network packet parsing module, filters out the useless preamble and check code, and retains the source address, destination address and protocol, which it stores in the data feature temporary storage module; the task of the data feature temporary storage module is to classify and cache the fragmentary refined data so that it can later be transmitted in bulk; the data feature packaging module combines several groups of data from the data feature temporary storage module into one UDP packet and hands it to the network transmission module for transmission, under the rule that a packet is no more than 100 bytes long and is subject to a transmission time limit, that is, when there is little data the module does not wait until the packet is full but is forced to send it once the specified time has elapsed; the data sent by the network transmission module reaches the data monitoring and service equipment through a network interface;
the data monitoring and service equipment comprises a network data receiving module, a database communication module, a data analysis module, a user network service module, a decision module and a decision execution module; the network transmission module of each network mirror port security probe device and the network data receiving module are connected by a network cable; the network data receiving module is connected to the data analysis module and the database communication module; the database communication module is connected to the network information storage database; the data analysis module is connected to the user network service module and the decision module; the decision module is connected to the decision execution module; the user network service module is connected to the network data receiving module, the data analysis module, the database communication module and the decision module, and is connected to a user service interface;
the network data receiving module obtains the data sent by the network mirror port security probe devices from the network data stream, unpacks and caches it, and the database communication module then stores the received data at the corresponding position in the network information storage database, different information types corresponding to different storage page tables; the network information storage database is built on the MongoDB database service and has strong multi-page-table management capability; the database communication module is a simple database interaction interface with the functions of storing data into and reading data from the database; the data analysis module, as the core module, undertakes the analysis and counting of the data in the database, and is equipped with statistical parameter, cluster analysis and list comparison algorithms with which it analyses and counts the data in the database obtained through the database communication module; the user network service module is the user interaction interface, provides a web page interface, displays the current data acquisition state and the statistical results produced by the data analysis module, and presents those results as various statistical charts; in the web page interface the traffic usage chart of any IP can be searched and the rules of data statistics can be modified; in addition, a black and white IP list for the network can be configured, the corresponding parameters are set in the decision module, and the decision execution module then carries out the corresponding operation, specifically: the decision execution module sends a UDP packet containing the control characters of the protocol to notify the network mirror port security probe device; once the network packet capturing module of that device recognises the control characters, the capture rule of the network packet capturing module is modified so that packets sent by IP addresses on the blacklist are selectively discarded.
The network information storage database stores all data collected by the network mirror port security probe devices and aggregated by the data monitoring and service equipment. Specifically, it comprises a main database, a time-sharing database and a feature database; the three are independent and each is connected to the database communication module of the data monitoring and service equipment. The main database stores all captured data contents but does not keep the specific time corresponding to each item; the time-sharing database stores the data of each time period so that the time correlation of some data categories can be analysed; the feature database stores the results returned by the database communication module after analysis by the data analysis module, so that analysed results are stored quickly and are available for use at any time.
The data feature temporary storage module stores the network data temporarily after processing it with a dynamic-dictionary coding compression algorithm. The dictionary size of the compression algorithm is adjusted dynamically: it follows the redundancy of the data to be compressed in each time period, shrinking when data redundancy is high and growing when it is low. When the data feature temporary storage module hands data to the data feature packaging module for packaging, it delivers both the compressed data and the dictionary used to compress it. This dynamic-dictionary compression scheme adapts to different network environments, gives the data a higher compression ratio, and saves storage space in the equipment group.
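The dynamic-dictionary compression described above, written out as an added example that is not part of the patent or its implementation. It uses LZW as the dictionary coder (the description names none), measures redundancy as the fraction of repeated byte pairs, interpolates the dictionary limit between two assumed bounds according to the page's rule (smaller dictionary when redundancy is high, larger when it is low), and sends the limit rather than the dictionary itself, since an LZW receiver rebuilds the dictionary from the code stream; every name, bound and sample record in it is assumed or constructed:

```python
"""Added example, not the patent's code: LZW coding whose dictionary limit
follows the measured redundancy of the data, as the description states.

Assumptions: redundancy is the fraction of repeated byte pairs; the limit is
interpolated between SMALL_DICT and LARGE_DICT; only the limit travels with
the codes, because the receiver rebuilds the dictionary while decoding.
"""

SMALL_DICT, LARGE_DICT = 512, 4096  # assumed bounds on dictionary entries


def redundancy(data):
    """1.0 means every byte pair repeats an earlier one; 0.0 means none does."""
    if len(data) < 2:
        return 0.0
    distinct_pairs = {data[i:i + 2] for i in range(len(data) - 1)}
    return 1.0 - len(distinct_pairs) / (len(data) - 1)


def choose_dict_size(data, small=SMALL_DICT, large=LARGE_DICT):
    """The page's sizing rule: high redundancy -> shrink, low redundancy -> grow."""
    return int(large - redundancy(data) * (large - small))


def lzw_compress(data, max_dict):
    """Classic LZW; stops adding phrases once max_dict entries exist."""
    dictionary = {bytes([i]): i for i in range(256)}
    w, codes = b"", []
    for byte in data:
        wc = w + bytes([byte])
        if wc in dictionary:
            w = wc
            continue
        codes.append(dictionary[w])
        if len(dictionary) < max_dict:
            dictionary[wc] = len(dictionary)
        w = bytes([byte])
    if w:
        codes.append(dictionary[w])
    return codes


def lzw_decompress(codes, max_dict):
    """Mirror of lzw_compress: rebuilds the same dictionary while decoding."""
    if not codes:
        return b""
    dictionary = {i: bytes([i]) for i in range(256)}
    w = dictionary[codes[0]]
    out = [w]
    for code in codes[1:]:
        if code in dictionary:
            entry = dictionary[code]
        elif code == len(dictionary):  # the KwKwK special case of LZW
            entry = w + w[:1]
        else:
            raise ValueError("corrupt code stream: code %d" % code)
        out.append(entry)
        if len(dictionary) < max_dict:
            dictionary[len(dictionary)] = w + entry[:1]
        w = entry
    return b"".join(out)


def store_features(data):
    """What the temporary storage module hands on: (dictionary limit, codes)."""
    limit = choose_dict_size(data)
    return limit, lzw_compress(data, limit)


def restore_features(limit, codes):
    return lzw_decompress(codes, limit)


# Constructed samples: highly repetitive feature records vs. a low-redundancy blob.
REPETITIVE = b"10.0.0.1,10.0.0.2,TCP;" * 50
UNIQUE = bytes(range(256))

if __name__ == "__main__":
    limit, codes = store_features(REPETITIVE)
    print("limit", limit, "codes", len(codes), "bytes in", len(REPETITIVE))
    print("limit for low-redundancy data", choose_dict_size(UNIQUE))
```

The receiver needs only the limit to decode, so the rule "deliver the compressed data and the dictionary" collapses to one integer per batch in this variant; a corrupt or truncated code stream is reported as a `ValueError` rather than silently producing wrong records.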
The statistical parameters set in the data analysis module are obtained by dividing the network traffic data into categories by source IP address and destination IP address to form a traffic statistics matrix of the interconnection traffic between all IPs in the whole network; the statistical parameters are then computed from that matrix as its mean matrix, variance matrix, PCA decomposition and singular value decomposition;
the clustering algorithm treats all statistical parameters of the network as forming a linear space in which the statistical parameter coordinate of each time period corresponds to one point; the parameter coordinate points of different time periods converge in a certain region of the space, namely the clustering region of the network. A statistical parameter can be regarded as the sum of a network basic parameter and a fluctuation parameter: the network basic parameter is fixed within the same network system, while the fluctuation parameter has the characteristics of random noise and follows a Gaussian distribution. Represented together, these two characteristics mean that the parameter coordinate points of the same network in different time periods converge in a certain region of the parameter linear space;
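An added example, not the patent's code, of the statistical parameters and the clustering region described in the two paragraphs above: per-period traffic matrices built from constructed flow records, their mean and variance matrices, and a region check that flags a period when any coordinate leaves centre ± k·spread (the judgment domain) or exceeds a manually set cap. The flow record format, the choice of the flattened traffic matrix as a period's coordinate, the value of k, the cap and all traffic figures are assumptions; PCA and SVD from the description are not reproduced:

```python
"""Added example, not the patent's code: traffic-matrix statistical
parameters and a cluster-region (judgment domain) check.

Assumptions: a flow record is (src_ip, dst_ip, byte_count); a period's
coordinate is its flattened traffic matrix; the judgment domain is
centre +/- k * spread per dimension; the manual setting value is an optional
hard byte cap per dimension. All traffic figures are constructed.
"""
import math
import statistics

IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
# Constructed steady-state bytes per period for each directed IP pair.
BASE_RATE = {("10.0.0.1", "10.0.0.2"): 40000, ("10.0.0.2", "10.0.0.1"): 38000,
             ("10.0.0.1", "10.0.0.3"): 12000, ("10.0.0.3", "10.0.0.1"): 9000,
             ("10.0.0.2", "10.0.0.3"): 5000, ("10.0.0.3", "10.0.0.2"): 6000}


def traffic_matrix(flows, ips=IPS):
    """Sum bytes per (src, dst) into an |ips| x |ips| matrix for one period."""
    idx = {ip: i for i, ip in enumerate(ips)}
    m = [[0] * len(ips) for _ in ips]
    for src, dst, nbytes in flows:
        if src in idx and dst in idx:  # hosts outside the IP list are ignored
            m[idx[src]][idx[dst]] += nbytes
    return m


def flatten(m):
    return [v for row in m for v in row]


def mean_matrix(mats):
    """Element-wise mean over equally shaped matrices (one per period)."""
    return [[statistics.fmean(col) for col in zip(*rows)] for rows in zip(*mats)]


def variance_matrix(mats):
    """Element-wise population variance over the same matrices."""
    return [[statistics.pvariance(col) for col in zip(*rows)] for rows in zip(*mats)]


class ClusterRegion:
    """Basic parameter (centre) plus Gaussian fluctuation (spread), per dimension."""

    def __init__(self, coords, k=3.0, hard_caps=None):
        self.centre = [statistics.fmean(c) for c in zip(*coords)]
        self.spread = [statistics.pstdev(c) for c in zip(*coords)]
        self.k, self.hard_caps = k, hard_caps or {}

    def judge(self, coord):
        """Return (dimension, reason) for every coordinate outside the region."""
        findings = []
        for d, (x, mu, sigma) in enumerate(zip(coord, self.centre, self.spread)):
            if sigma == 0:
                # This dimension never fluctuated in the baseline (e.g. a host
                # talking to itself), so any movement at all is new behaviour.
                if x != mu:
                    findings.append((d, "traffic where the baseline was constant"))
            elif abs(x - mu) > self.k * sigma:
                findings.append((d, "outside judgment domain, z=%.1f" % ((x - mu) / sigma)))
            if x > self.hard_caps.get(d, math.inf):
                findings.append((d, "above manual cap"))
        return findings


def make_period(t, extra=None):
    """Constructed period t: steady rates with a +/-5% deterministic fluctuation."""
    flows = [(s, d, int(b * (1 + 0.05 * math.sin(t + i))))
             for i, ((s, d), b) in enumerate(BASE_RATE.items())]
    return flows + (extra or [])


def demo():
    """Train on 20 quiet periods, then judge one where 10.0.0.3 pushes 50 kB extra to 10.0.0.1."""
    baseline = [flatten(traffic_matrix(make_period(t))) for t in range(20)]
    model = ClusterRegion(baseline, k=3.0)
    suspect = flatten(traffic_matrix(make_period(20, extra=[("10.0.0.3", "10.0.0.1", 50000)])))
    return model.judge(suspect)


if __name__ == "__main__":
    print(demo())  # flags dimension 6, i.e. the (10.0.0.3 -> 10.0.0.1) cell
```

Dimension index 6 is row 2, column 0 of the 3×3 matrix, the 10.0.0.3 → 10.0.0.1 cell. The zero-spread branch matters in practice: cells that were always zero in the baseline (a host's own diagonal, or a pair that never talked) would otherwise divide by zero, and traffic appearing there is exactly the kind of change the region model should surface.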
the list comparison algorithm counts the traffic correlation and data traffic intensity between different IP pairs from the traffic statistics matrix of the interconnection traffic between IPs, yielding an interconnection traffic intensity image of all traffic and a group of IP pairs with high traffic correlation. Correlation here means that the traffic-time function of each IP pair is regarded as a random process, and the degree of linear correlation between the time trends of two IP pairs is obtained by computing the cross-correlation function of their traffic-time functions, that is, whether the traffic trends of the two IP pairs are clearly the same or clearly opposite. Finding groups of IP pairs with high correlation helps to discover network data anomalies in time: if one IP in a group suddenly departs from the correlation of the group, the traffic of that IP has changed abnormally, and the IP group can be quickly pinned down to find the problem. Compared with a global traffic statistics model, this local traffic model captures more detail and can guide a network administrator to optimise hardware interconnection paths according to traffic intensity, bringing better network communication efficiency.
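The list comparison algorithm as an added example that is not part of the patent or its implementation: each IP pair's traffic-time series is compared with every other by a normalised cross-correlation over a few lags, pairs whose trends are clearly the same or clearly opposite are grouped, and a member whose recent traffic no longer tracks its group is reported. The hourly resolution, the threshold of 0.8, the lag range and the four constructed series are assumptions:

```python
"""Added example, not the patent's code: grouping IP pairs by traffic
cross-correlation and spotting a member that leaves its group.

Assumptions: hourly byte counts per IP pair; |r| >= 0.8 counts as
correlated; lags up to +/-2 hours are tried. All series are constructed.
"""
import math

PAIR_A, PAIR_B = ("10.0.0.1", "10.0.0.2"), ("10.0.0.1", "10.0.0.3")
PAIR_C, PAIR_D = ("10.0.0.2", "10.0.0.4"), ("10.0.0.5", "10.0.0.6")


def pearson(xs, ys):
    """Linear correlation; returns 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def cross_correlation(xs, ys, max_lag=2):
    """Strongest normalised cross-correlation over lags -max_lag..max_lag: (lag, r)."""
    best = (0, pearson(xs, ys))
    for lag in range(1, max_lag + 1):
        for shifted_lag, a, b in ((lag, xs[lag:], ys[:-lag]), (-lag, xs[:-lag], ys[lag:])):
            r = pearson(a, b)
            if abs(r) > abs(best[1]):
                best = (shifted_lag, r)
    return best


def correlated_groups(series, threshold=0.8, max_lag=2):
    """Connected components of IP pairs linked by |r| >= threshold (same or opposite trend)."""
    names = list(series)
    links = {n: set() for n in names}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if abs(cross_correlation(series[a], series[b], max_lag)[1]) >= threshold:
                links[a].add(b)
                links[b].add(a)
    groups, seen = [], set()
    for n in names:
        if n in seen or not links[n]:
            continue
        group, stack = set(), [n]
        while stack:
            cur = stack.pop()
            if cur not in group:
                group.add(cur)
                stack.extend(links[cur] - group)
        seen |= group
        groups.append(sorted(group))
    return groups


def deviating_members(group, recent, threshold=0.8, max_lag=2):
    """Members whose recent traffic correlates with none of the rest of their group."""
    out = []
    for m in group:
        others = [o for o in group if o != m]
        strongest = max(abs(cross_correlation(recent[m], recent[o], max_lag)[1]) for o in others)
        if strongest < threshold:
            out.append(m)
    return out


def diurnal(t):
    return 100 + 50 * math.sin(2 * math.pi * t / 24)


def constructed_traffic(ts, b_broken=False):
    """Constructed hourly traffic for four IP pairs: A, B and C share a diurnal
    shape, D does not. With b_broken, pair B abandons the shared pattern."""
    return {
        PAIR_A: [2 * diurnal(t) for t in ts],
        PAIR_B: [((t % 2) * 200 + 100) if b_broken else diurnal(t) + 10 for t in ts],
        PAIR_C: [300 - diurnal(t) for t in ts],  # opposite trend: still correlated
        PAIR_D: [(t % 2) * 40 + 30 for t in ts],  # unrelated pattern
    }


def demo():
    """Build groups from two days of history, then check the next day."""
    groups = correlated_groups(constructed_traffic(range(48)))
    recent = constructed_traffic(range(48, 72), b_broken=True)
    return groups, [deviating_members(g, recent) for g in groups]


if __name__ == "__main__":
    print(demo())
```

Because the sign of r is ignored, pair C, whose traffic falls when A's rises, lands in the same group as A and B, which matches the description's "same or opposite" criterion; pair D, whose pattern is unrelated to the diurnal shape, forms no group at all. A member is reported only when it has lost correlation with every other member, so a single noisy comparison does not raise an alert.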
Compared with the prior art, the invention has the following beneficial effects:
1) The invention realises overall and local monitoring of a given local area network rather than traditional gateway monitoring. The network security probe equipment group can be deployed at multiple points on the main routers of a large network to count and record the source and destination addresses of passing data, from which the topological structure of the data paths is obtained. This gives a better capability to detect and locate compromised nodes in the network, such as 'meat machines' (zombie hosts), so that they can be found and dealt with early.
2) The invention can trace suspicious data streams back to their source, helping the network administrator to find and handle security vulnerabilities quickly. Legitimate user packets can also be tracked and protected so that user data is neither filtered out nor monitored.
3) The invention supports dynamic structural configuration and has good functional extensibility; the function configuration can be adjusted dynamically to balance time resources against the hardware architecture and obtain better system compatibility.
4) The invention does not depend on an existing hardware architecture or operating system; the core device is built on an FPGA and therefore has better security. The system structure is clear and concise and the generated data is traceable, which makes debugging and maintenance more convenient.
Drawings
FIG. 1 is a block diagram of the present invention;
FIG. 2 is a schematic diagram of a network architecture implementing the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and examples.
Referring to FIG. 2, which is a schematic diagram of the device group of the invention deployed in an actual network environment, the security probe device 1 is deployed directly in the network through a network mirror port so as to obtain the most direct and original network data; because that data has not been filtered by the application layer or session layer, it reflects the true state of the network. The network mirror port security probe device 1 is deployed at several nodes in the network, so that the network state of each part of the network can be obtained in finer detail rather than being limited to the traditional overall network statistics. The information is gathered at a network management service centre and, after statistics and integration, is presented to network management personnel through a user interface.
The network mirror port security probe device 1 is an independent instrument formed by all of its modules. Two 10G optical fibre interfaces on the outside of the device are connected to the network packet capturing module, and the device's bandwidth supports processing the optical fibre signals of a core switch node of a small or medium-sized network.
By connecting the optical network interface to the data mirror port of the core switch through optical fibre, device 1 obtains, at every moment, information on the network packets passing through the core switch. This packet information includes TCP, UDP, ICMP, IGMP and other protocol packets, each with different frame information. The modules in device 1 respectively undertake the acquisition, sorting and summarising of the packets: the network packet capturing module 11 detects and captures a complete packet from the optical network data stream, where a complete packet must contain a continuous bit stream from the start of the preamble to the end of the check code, and the check must pass. The network packet parsing module 12, using a state-machine algorithm that decides on the packet frame structure, sequentially splits each packet captured by module 11 into preamble, source address, destination address, packet type, message data, check code and so on. The data feature classification module 13 classifies and summarises the packet content refined by module 12, filters out useless parts such as the preamble and check code, retains useful information such as the source address, destination address and protocol, and stores it in the data feature temporary storage module 14. The main task of module 14 is to buffer the fragmented refined data by category for subsequent bulk transmission.
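The capture, state-machine parsing and feature classification steps of modules 11 to 13, modelled in software as an added example (this is not the patent's FPGA logic and not code from the applicant). It assumes the captured stream is a sequence of byte values in which a `None` symbol stands for the PHY's inter-frame idle (that is what marks the end of a frame here), that the check code is the IEEE 802.3 CRC-32 FCS, and that the packet type is the Ethernet II ethertype; the frames, MAC addresses and IPs are constructed:

```python
"""Added example, not the patent's FPGA logic: a byte-level model of modules
11-13 (capture, state-machine parsing, feature classification).

Assumptions: the stream is a sequence of byte values where None marks the
PHY's inter-frame idle; the check code is the IEEE 802.3 CRC-32 FCS; all
frames and addresses below are constructed sample data.
"""
import struct
import zlib

PREAMBLE_BYTE, SFD_BYTE = 0x55, 0xD5
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
MIN_BODY = 14 + 4  # Ethernet header plus FCS; anything shorter is a fragment


def fcs_of(body):
    """Ethernet FCS: CRC-32 over dst..payload, sent least significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Wire image of one frame: 7 preamble bytes, SFD, header, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return bytes([PREAMBLE_BYTE] * 7 + [SFD_BYTE]) + body + fcs_of(body)


def pack_ip(ip):
    return bytes(int(x) for x in ip.split("."))


def ipv4_header(proto, src_ip, dst_ip, payload_len=0):
    """Minimal 20-byte IPv4 header (header checksum left zero; not inspected here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, pack_ip(src_ip), pack_ip(dst_ip))


def capture_frames(stream):
    """Module 11 as a state machine: IDLE -> PREAMBLE -> DATA -> IDLE.

    Yields (body_without_preamble_and_fcs, fcs_ok) for every frame that
    reached the SFD and is long enough; noise outside a frame and fragments
    that end before a full header are silently dropped.
    """
    state, preamble_len, buf = "IDLE", 0, bytearray()
    for sym in stream:
        if sym is None:  # idle period: close the frame in flight, if any
            if state == "DATA" and len(buf) >= MIN_BODY:
                body = bytes(buf[:-4])
                yield body, bytes(buf[-4:]) == fcs_of(body)
            state, preamble_len, buf = "IDLE", 0, bytearray()
        elif state != "DATA":
            if sym == PREAMBLE_BYTE:
                state, preamble_len = "PREAMBLE", preamble_len + 1
            elif sym == SFD_BYTE and preamble_len > 0:
                state = "DATA"
            else:  # neither preamble nor SFD: not the start of a frame
                state, preamble_len = "IDLE", 0
        else:
            buf.append(sym)


def extract_features(body):
    """Module 13: keep source, destination and protocol, drop everything else."""
    feat = {"dst_mac": body[0:6].hex(":"), "src_mac": body[6:12].hex(":"),
            "ethertype": struct.unpack("!H", body[12:14])[0], "proto": None}
    if feat["ethertype"] == ETHERTYPE_IPV4 and len(body) >= 14 + 20:
        ip = body[14:]
        feat["proto"] = IP_PROTO_NAMES.get(ip[9], str(ip[9]))
        feat["src_ip"] = ".".join(str(b) for b in ip[12:16])
        feat["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    return feat


# Constructed sample: a valid TCP frame, stray bytes, a truncated frame and a
# frame whose FCS was corrupted in transit.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
GOOD = build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, ipv4_header(6, "10.0.0.1", "10.0.0.2"))
BAD = bytearray(build_frame(MAC_A, MAC_B, ETHERTYPE_IPV4, ipv4_header(17, "10.0.0.2", "10.0.0.1")))
BAD[-1] ^= 0xFF
SAMPLE_STREAM = ([None] + list(GOOD) + [None] + [0x12, 0x34] + [None]
                 + list(GOOD[:20]) + [None] + list(BAD) + [None])


def run(stream=SAMPLE_STREAM):
    """Return (features of frames whose FCS checked out, number of frames rejected)."""
    kept, rejected = [], 0
    for body, ok in capture_frames(stream):
        if ok:
            kept.append(extract_features(body))
        else:
            rejected += 1
    return kept, rejected


if __name__ == "__main__":
    print(run())
```

Only the frame that passed the FCS check reaches the classifier; the fragment never reaches a full header and is dropped in the capture state machine, and the corrupted frame is counted but produces no feature record, which is the behaviour the description requires of module 11 ("the check must pass") before anything is stored.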
The data feature packaging module 15 combines several sets of data from the data feature temporary storage module 14 into one UDP packet and hands it to the network transmission module 16 for transmission, on the principle that the packet has a moderate length (about 100 bytes) and a transmission time limit (when there is little data, the module does not wait for the packet to fill but transmits it directly). The data transmitted by the network transmission module 16 reaches the data monitoring and service device 3 through the network interface.
The data monitoring and service device 3 is a data server deployed at the network management terminal; it can run on an ordinary PC on the basis of the Express framework and the MongoDB database system. Device 3 obtains the data sent by the multiple network mirror port security probe devices 1 deployed in the network, and so obtains traffic information for multiple nodes of the target network. It connects to the network information storage database 2 deployed in the cloud to obtain a large amount of storage space, and hence the capacity to store and analyse large volumes of network data streams. Device 3 hosts the network management service: a network administrator can call up the various statist<br>ical results of the current network data statistics (including the active IP ranking, traffic line charts, network protocol proportions and other statistical charts), check the operating condition and security state of the current network more intuitively, and formulate a more accurate network security maintenance strategy. In addition, device 3 is loaded with an algorithm for intelligent analysis of network traffic data, so that anomalies in the data can be detected and early warnings issued in time, and potential network threats discovered as early as possible. The algorithm is based on network data feature extraction and cluster analysis, and uses a judgment domain together with a manually set value for its decision, which improves its adaptability to different network environments.
Compared with most network security software that uses a neural network, this network security hardware system has higher running and response speed because it does not use neural-network analysis, does not occupy too many computing resources of the network server because it is discrete equipment, and can be integrated better with the network system.
The network data receiving module 30 of the data monitoring and service device 3 obtains the data sent by the network mirror port security probe device 1 from the network data stream, unpacks and caches it, and the database communication module 31 then transfers the received data to the corresponding position in the network information storage database, which is based on the MongoDB database service. The database communication module 31 is a simple database interaction interface with the functions of storing data into and reading data from the database. The data analysis module 32, as the core module of device 3, takes on the analysis and counting of the large amount of data in the database; a series of algorithms such as statistical parameters, cluster analysis and list comparison are deployed here so that the data in the database can be analysed and applied. The user network service module 33 is the user interaction interface of device 3 and has a web interface that displays the current data collection state and the statistical results analysed by the data analysis module 32, presented as various statistical charts. The traffic usage chart of any IP of interest can be searched in the web interface, and the rules of data statistics can be modified. In addition, a black and white IP list for the network can be configured: packets sent by an IP address on the whitelist are never intercepted, while packets sent by an IP address on the blacklist are intercepted and recorded.
This is achieved by configuring the corresponding parameters in the decision module 34 and then having the decision execution module 35 carry out the corresponding operations; in practice the decision execution module 35 sends UDP packets to notify the network mirror port security probe device 1, which changes the black and white list configuration of the corresponding hardware.
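The control exchange between the decision execution module 35 and the probe's capture module, as an added example that is not part of the patent or its implementation (it also covers the same exchange in the summary of the invention above). The description only says that the UDP packet carries the protocol's control characters; this example assumes a concrete layout (a magic prefix, an opcode, an address count and the IPv4 addresses) and adds an HMAC-SHA256 tag under a key shared by server and probe, so that a probe cannot be reconfigured by any host able to send it a datagram. The magic value, opcodes, key and addresses are all constructed:

```python
"""Added example, not the patent's code: authenticated black/white list
updates from the decision execution module to a probe's capture rule.

Assumptions: datagram = MAGIC | opcode | count | IPv4 addresses | HMAC tag;
the key is provisioned out of band. All constants and addresses are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

MAGIC = b"PRB"                                   # assumed control-character prefix
OP_BLACKLIST_ADD, OP_BLACKLIST_DEL, OP_WHITELIST_ADD = 1, 2, 3
TAG_LEN = 32
SHARED_KEY = b"constructed-demo-key-change-me"   # assumption: shared by server and probe


def build_control(op, ips, key=SHARED_KEY):
    """Decision execution module side: encode and authenticate one rule change."""
    body = MAGIC + struct.pack("!BB", op, len(ips))
    body += b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ProbeCaptureRule:
    """Probe side: holds the lists and decides whether a captured packet is kept."""

    def __init__(self, key=SHARED_KEY):
        self.key, self.blacklist, self.whitelist = key, set(), set()

    def handle_control(self, datagram):
        """Apply a control datagram; returns False and changes nothing if it is
        malformed or fails authentication."""
        if len(datagram) < len(MAGIC) + 2 + TAG_LEN:
            return False
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        if not body.startswith(MAGIC):
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        op, count = struct.unpack("!BB", body[len(MAGIC):len(MAGIC) + 2])
        raw = body[len(MAGIC) + 2:]
        if len(raw) != 4 * count:
            return False
        ips = {str(ipaddress.IPv4Address(raw[i * 4:(i + 1) * 4])) for i in range(count)}
        if op == OP_BLACKLIST_ADD:
            self.blacklist |= ips
        elif op == OP_BLACKLIST_DEL:
            self.blacklist -= ips
        elif op == OP_WHITELIST_ADD:
            self.whitelist |= ips
        else:
            return False
        return True

    def keep(self, src_ip):
        """Capture rule: whitelisted sources are always kept, blacklisted ones discarded."""
        if src_ip in self.whitelist:
            return True
        return src_ip not in self.blacklist


def demo():
    """Two legitimate updates, one forged with the wrong key, then the resulting decisions."""
    probe = ProbeCaptureRule()
    results = [
        probe.handle_control(build_control(OP_BLACKLIST_ADD, ["203.0.113.7", "203.0.113.8"])),
        probe.handle_control(build_control(OP_WHITELIST_ADD, ["10.0.0.1"])),
        probe.handle_control(build_control(OP_BLACKLIST_ADD, ["10.0.0.1"], key=b"wrong-key")),
    ]
    decisions = {ip: probe.keep(ip) for ip in ("203.0.113.7", "10.0.0.1", "198.51.100.5")}
    return results, decisions


if __name__ == "__main__":
    print(demo())
```

The whitelist is consulted before the blacklist so that the "never intercepted" guarantee the description gives to whitelisted addresses holds even if the same address is later blacklisted; every length check happens before any slice is interpreted, so a short or padded datagram is rejected rather than partially applied.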
The network information storage database 2 stores all data collected by the network mirror port security probe device 1 to support the self-correlation feature statistics of the data; the time-sharing database 22 stores selected data collected from device 1 in each time period so that the time correlation of some data categories can be analysed; and the feature database 23 stores the statistical data analysed by the data analysis module 32, so that analysed data can be stored quickly.
Examples
Referring to FIG. 1, this embodiment is a schematic diagram of a single network probe apparatus, comprising a network mirror port security probe device 1, a network information storage database 2 and a data monitoring and service device 3.
The flow by which the network mirror port security probe device 1 acquires signals is as follows:
network packets enter the network packet capturing module 11 from the mirror port of the main switch; module 11 has a buffer FIFO for packet buffering to facilitate subsequent processing. A packet captured in module 11 may enter the network packet parsing module 12, where it is parsed into data and packet header information, or the data feature classifying module 13, where it is reduced to data features for statistical use; which path is taken is determined by the user's specific configuration. The parsed data is stored in the data feature temporary storage module 14 as a chained lookup table for retrieval and lookup. The data feature packaging module 15 screens the data in the data feature temporary storage module 14 according to the user settings, obtains the required traffic information or packet header tags, combines them into a UDP packet and then delivers it to the data monitoring and service device 3 through the network transmission module 16. The network mirror port security probe device 1 communicates with the data monitoring and service device 3 using UDP packets, which are characterised by simple packaging and large data volume.
The data receiving module 30 in the data monitoring and service device 3 receives the UDP packets sent by the network mirror port security probe device 1, splits the UDP data according to the agreed packaging rule and packet header information, and parses it into the feature data groups obtained by the security probe device 1. One part of the data goes directly to the database communication module 31; the other part enters the data analysis module 32 for analysis. The main functions of the database communication module 31 are to connect to the network information storage database 2 and perform database storage and reading operations; it connects directly to the three sub-databases, namely the main database 21, the time-sharing database 22 and the feature database 23. The data receiving module 30 can therefore, according to the user configuration, deliver data that requires direct storage to the database communication module 31, while data that is not stored directly enters the data analysis module 32. The analysis performed there usually consists of operations such as statistics and feature extraction, in order to obtain statistical features from larger-scale data. The data processed by the data analysis module 32 flows in several directions. First, it can enter the decision module 34 for a network security rule decision; if the data captured by the probe does not conform to the existing security rules, the decision module 34 calls the decision execution module 35 for the corresponding handling, for example issuing early warning information or filtering the data directly. Second, the data can be displayed in the user network service module 33, where it becomes an important indicator on the user monitoring interface, reflecting the current network situation in real time and assisting the user's operations. Finally, the data can be passed to the database communication module 31 to be stored directly in the feature database 23 for later use.
The user network service module 33 is a graphical user interface through which authorized users can access and view a number of statistical charts of the current network in order to learn its state. The security policy of the decision module 34, such as the blacklist and whitelist, can also be configured there directly to obtain a better network security environment. Users also receive the early warning information or security record information sent by the decision module 34, so that network problems can be found quickly and hidden dangers eliminated. The user network service module 33 can also access the database communication module 31 directly, so as to read the data flow tables in the database and screen or search for the required network data packet information.
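The following is an added model of the monitoring side described in the last two paragraphs and in claim 1 below: the receiving module 30 splits a UDP payload back into feature records using the agreed packaging rule, the decision module 34 checks them against the blacklist and whitelist and raises early warnings, the decision execution module 35 builds the control datagram for the probe, and the probe's capture rule then discards packets from blacklisted sources. This is example code written for this page, not the patent's own implementation; the 9-byte record format (source IPv4, destination IPv4, protocol number), the control character value and the control message layout are assumptions.

```python
import ipaddress
import struct

RECORD_FMT = "!4s4sB"                        # assumed agreed packaging rule: src IP, dst IP, protocol
RECORD_LEN = struct.calcsize(RECORD_FMT)     # 9 bytes per feature record
CTRL_MAGIC = b"\xC0"                         # assumed control character announcing a capture-rule update
ACTION_DISCARD = 1                           # assumed action code: discard packets from the listed sources


def pack_datagram(records) -> bytes:
    """Constructed probe output: (src, dst, proto) tuples packed with the agreed rule."""
    return b"".join(struct.pack(RECORD_FMT, ipaddress.IPv4Address(s).packed,
                                ipaddress.IPv4Address(d).packed, p) for s, d, p in records)


def unpack_datagram(payload: bytes):
    """Module 30 model: split one UDP payload back into feature records."""
    if not payload or len(payload) % RECORD_LEN:
        raise ValueError("datagram does not follow the agreed packaging rule")
    return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)), p)
            for s, d, p in struct.iter_unpack(RECORD_FMT, payload)]


class DecisionModule:
    """Module 34 model: whitelisted sources always pass; blacklisted sources are
    reported as offenders and produce an early-warning record for the user interface."""

    def __init__(self, blacklist=(), whitelist=()):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)
        self.warnings = []

    def evaluate(self, records):
        offenders = set()
        for src, dst, proto in records:
            if src in self.whitelist:
                continue
            if src in self.blacklist:
                offenders.add(src)
                self.warnings.append(f"blacklisted source {src} -> {dst} proto {proto}")
        return offenders


def build_control_message(offenders) -> bytes:
    """Module 35 model: control datagram = control char, action, count, packed IPs."""
    body = b"".join(ipaddress.IPv4Address(ip).packed for ip in sorted(offenders))
    return CTRL_MAGIC + bytes([ACTION_DISCARD, len(offenders)]) + body


class ProbeCaptureRule:
    """Probe-side (module 11) model: recognise the control character, update the
    discard set, then apply it to each captured packet's source address."""

    def __init__(self):
        self.discard = set()

    def handle_datagram(self, payload: bytes) -> bool:
        """Returns True only for a well-formed control message; anything else is ignored."""
        if len(payload) < 3 or not payload.startswith(CTRL_MAGIC):
            return False
        action, count = payload[1], payload[2]
        if action != ACTION_DISCARD or len(payload) != 3 + 4 * count:
            return False
        for i in range(count):
            self.discard.add(str(ipaddress.IPv4Address(payload[3 + 4 * i:7 + 4 * i])))
        return True

    def accept(self, src_ip: str) -> bool:
        return src_ip not in self.discard


if __name__ == "__main__":
    # Constructed sample: three flows, one from a blacklisted host
    datagram = pack_datagram([("10.0.0.5", "10.0.0.1", 6), ("10.0.0.9", "10.0.0.1", 17)])
    decision = DecisionModule(blacklist={"10.0.0.9"})
    offenders = decision.evaluate(unpack_datagram(datagram))
    rule = ProbeCaptureRule()
    rule.handle_datagram(build_control_message(offenders))
    print(decision.warnings, rule.accept("10.0.0.9"), rule.accept("10.0.0.5"))
```

The length check in `handle_datagram` matters on the probe: a control channel carried over plain UDP should reject any datagram whose declared count does not match its length rather than read past the buffer, and in a deployment the control messages would additionally need authentication, which the page does not describe and the model does not add.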

Claims (3)

1. A local area network security probe device set, the device set comprising: a plurality of network mirror port security probe devices (1), a network information storage database (2) and a data monitoring and service device (3), wherein the network mirror port security probe devices (1) are connected to the data monitoring and service device (3), and the network information storage database (2) is connected to the data monitoring and service device (3);
the network mirror port security probe device (1) comprises a network data packet capturing module (11), a network data packet analysis module (12), a data feature classification module (13), a data feature temporary storage module (14), a data feature group package module (15) and a network transmission module (16); the network data packet capturing module (11) is connected to the network data packet analysis module (12) and the data feature classification module (13); the network data packet analysis module (12) and the data feature classification module (13) are both connected to the data feature temporary storage module (14); the data feature temporary storage module (14) is connected to the data feature group package module (15), and the data feature group package module (15) is connected to the network transmission module (16);
the network data packet capturing module (11) detects and captures complete data packets from the optical network data stream, where a complete data packet must contain a continuous bit stream from the preamble to the check bits and the check bits must conform to the check rule; the network data packet analysis module (12) sequentially separates the preamble, source address, destination address, data packet type, message data and check code of each data packet captured by the network data packet capturing module (11) by means of a state machine algorithm based on recognition of the data packet frame structure; the data feature classification module (13) classifies and summarizes the data packet contents refined by the network data packet analysis module (12), filters out the useless preamble and check code, retains the source address, destination address and protocol, and stores them in the data feature temporary storage module (14); the data feature temporary storage module (14) has the task of classifying and caching the fragmented refined data to facilitate subsequent bulk transmission; the data feature group package module (15) combines several groups of data from the data feature temporary storage module (14) into one UDP data packet and delivers it to the network transmission module (16) for transmission, where the transmission rule is that the length of the data packet does not exceed 100 bytes and the data packet is subject to a transmission time limit, i.e. when there is little data, the packet is not held back until it is completely filled but is forced to be sent immediately once the specified time has elapsed; the data sent by the network transmission module (16) is delivered to the data monitoring and service device (3) through a network interface;
the data monitoring and service device (3) comprises a network data receiving module (30), a database communication module (31), a data analysis module (32), a user network service module (33), a decision module (34) and a decision execution module (35); the network transmission module (16) of the network mirror port security probe device (1) and the network data receiving module (30) are connected by a network cable; the network data receiving module (30) is connected to the data analysis module (32) and the database communication module (31); the database communication module (31) is connected to the network information storage database (2); the data analysis module (32) is connected to the user network service module (33) and the decision module (34); the decision module (34) is connected to the decision execution module (35); the user network service module (33) is connected to the network data receiving module (30), the data analysis module (32), the database communication module (31) and the decision module (34), and is connected to the user service interface;
the network data receiving module (30) acquires the data sent by the network mirror port security probe device (1) from the network data flow, unpacks and caches it, after which the database communication module (31) transfers the received data to the network information storage database (2); the database communication module (31) is a simple database interaction interface with the functions of storing data in and reading data from the database; the data analysis module (32), as the core module, takes on the task of analyzing and counting the data in the database: it is provided with statistical parameters, a clustering analysis algorithm and a list comparison algorithm, and analyzes and counts the database data obtained through the database communication module (31); the user network service module (33) is the user interaction interface, provided with a web page interface that displays the current data acquisition state and the data statistical results produced by the data analysis module (32) in the form of various statistical charts; the traffic usage statistics graph of any IP can be searched in the web page interface, and the rules of the data statistics can be modified; in addition, a black and white IP list for the network can be configured, the corresponding parameters are configured in the decision module (34), and the decision execution module (35) then executes the corresponding operation, specifically: the decision execution module (35) sends a UDP data packet containing the control characters of the protocol to notify the network mirror port security probe device (1); after the network data packet capturing module (11) of the network mirror port security probe device (1) identifies the control characters, its capturing rule is modified so that data packets sent by IP addresses on the blacklist are selectively discarded; the network information storage database (2) stores all data collected by the network mirror port security probe devices (1) and aggregated by the data monitoring and service device (3); it comprises a main database (21), a time-sharing database (22) and a feature database (23); the main database (21), the time-sharing database (22) and the feature database (23) are independent of one another and are each connected to the database communication module (31) of the data monitoring and service device (3); the main database (21) stores all captured data contents but does not retain the specific time corresponding to the data; the time-sharing database (22) stores the data of each time interval so that the time correlation of some data categories can be analyzed; the feature database (23) stores the data statistical results analyzed by the data analysis module (32) and returned through the database communication module (31), so that the results of data analysis are stored quickly and are available at any time.
2. The LAN security probe device set of claim 1, wherein the data feature temporary storage module (14) temporarily stores the network data after processing it with a dynamic dictionary coding compression algorithm, in which the dictionary size of the compression algorithm is adjusted dynamically: the size of the dictionary changes with the redundancy of the data to be compressed in each time period, the dictionary shrinking when the data redundancy is high and growing when the data redundancy is low; when the data feature temporary storage module (14) delivers data to the data feature group package module (15) for packaging, it delivers not only the compressed data but also the dictionary used to compress it.
3. The LAN security probe device set according to claim 1, wherein the statistical parameters set in the data analysis module (32) are obtained by dividing the network traffic data into different categories according to source IP address and destination IP address, forming a traffic statistical matrix of the interconnection traffic between every pair of IPs in the whole network; the statistical parameters are then obtained by calculating the mean matrix and variance matrix of this matrix and by its PCA decomposition and singular value decomposition;
the clustering algorithm is that all statistical parameters of the network form a linear space, the statistical parameter coordinates of each time period correspond to one point in this linear space, and the parameter coordinate points of different time periods converge in a certain region of the space, namely the clustering region of the network;
the list comparison algorithm means that the traffic correlation and data flow intensity between different IP pairs are counted from the traffic statistical matrix of the interconnection traffic between IPs, so as to obtain an interconnection traffic intensity image of all flows, from which groups of IP names with high traffic correlation can be obtained.
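The following is an added model of the dynamic dictionary coding of claim 2: each time period gets its own dictionary of repeated substrings, the compressed codes are delivered together with that dictionary (so the receiver needs nothing else to decode), and the dictionary budget for the next period shrinks after a highly redundant period and grows after a period with little redundancy, as the claim states. This is example code written for this page, not the patent's algorithm; the redundancy measure (codes emitted per input byte), the thresholds, the phrase length limit and the halving/doubling rule are assumptions.

```python
from collections import Counter

LITERAL_BASE = 256   # codes below this are raw bytes; codes at or above it index the delivered dictionary


def build_dictionary(data: bytes, max_entries: int, max_len: int = 8):
    """Choose up to max_entries repeated substrings (length 2..max_len), ranked by
    how many symbols they save when each occurrence is replaced by a single code."""
    counts = Counter()
    for n in range(2, max_len + 1):
        for i in range(len(data) - n + 1):
            counts[data[i:i + n]] += 1
    scored = [((len(p) - 1) * (c - 1), p) for p, c in counts.items() if c > 1]
    scored.sort(key=lambda t: (-t[0], t[1]))          # best saving first, ties by phrase bytes
    return [p for _, p in scored[:max_entries]]


def encode(data: bytes, dictionary, max_len: int = 8):
    """Greedy longest-match coding against a fixed, delivered dictionary."""
    index = {p: LITERAL_BASE + i for i, p in enumerate(dictionary)}
    codes, pos = [], 0
    while pos < len(data):
        for n in range(min(max_len, len(data) - pos), 1, -1):
            code = index.get(data[pos:pos + n])
            if code is not None:
                codes.append(code)
                pos += n
                break
        else:
            codes.append(data[pos])      # no phrase matched: emit the byte itself
            pos += 1
    return codes


def decode(codes, dictionary) -> bytes:
    """Receiver side: literals are bytes, other codes expand via the delivered dictionary."""
    out = bytearray()
    for c in codes:
        if c < LITERAL_BASE:
            out.append(c)
        else:
            out += dictionary[c - LITERAL_BASE]
    return bytes(out)


class AdaptiveDictionaryCoder:
    """Claim 2 model: one dictionary per time period, delivered with the codes; the
    entry budget halves after a highly redundant period (few codes per byte) and
    doubles after a period with little redundancy (almost one code per byte)."""

    def __init__(self, size=64, min_size=8, max_size=1024, low=0.5, high=0.9):
        self.size, self.min_size, self.max_size = size, min_size, max_size
        self.low, self.high = low, high          # assumed redundancy thresholds

    def compress_period(self, data: bytes) -> dict:
        if not data:
            return {"dictionary": [], "codes": [], "ratio": 1.0}
        dictionary = build_dictionary(data, self.size)
        codes = encode(data, dictionary)
        ratio = len(codes) / len(data)           # codes per input byte: small means redundant
        if ratio < self.low:
            self.size = max(self.min_size, self.size // 2)
        elif ratio > self.high:
            self.size = min(self.max_size, self.size * 2)
        # both the codes and the dictionary are handed to the packaging module
        return {"dictionary": dictionary, "codes": codes, "ratio": ratio}


if __name__ == "__main__":
    coder = AdaptiveDictionaryCoder(size=64)
    for period in (b"ABCD" * 30, bytes(range(256)), b"the quick brown fox the quick brown fox"):
        out = coder.compress_period(period)
        assert decode(out["codes"], out["dictionary"]) == period
        print(len(period), "bytes ->", len(out["codes"]), "codes, next dictionary size", coder.size)
```

Sending the dictionary with every datagram costs bytes, which is why a small budget pays off on the highly repetitive feature records a probe produces; the ratio value is also a cheap per-period signal, since a sudden drop in redundancy means the traffic mix has changed.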
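The following is an added worked example of the statistical parameters, clustering region and list comparison of claim 3: per-period flows are folded into an IP-by-IP traffic statistical matrix, the mean and variance matrices are computed over periods, each period's flattened matrix is treated as one point in the parameter space, the clustering region is modelled as a centroid with a radius, and IP groups with high mutual traffic are extracted from the mean matrix. This is example code written for this page, not the patent's analysis module; the flow records are constructed, the centroid-plus-radius region and the pair-intensity threshold are assumptions, and the PCA and singular value decomposition steps of the claim are not shown here (they would be carried out with a numerical library on the same matrix).

```python
from math import sqrt


def traffic_matrix(hosts, flows):
    """One period's flows (src, dst, nbytes) -> IP-by-IP traffic statistical matrix."""
    idx = {h: i for i, h in enumerate(hosts)}
    m = [[0.0] * len(hosts) for _ in hosts]
    for src, dst, nbytes in flows:
        m[idx[src]][idx[dst]] += nbytes
    return m


def flatten(m):
    """The matrix as one point in the linear space of statistical parameters."""
    return [v for row in m for v in row]


def mean_matrix(matrices):
    rows, cols, n = len(matrices[0]), len(matrices[0][0]), len(matrices)
    return [[sum(m[i][j] for m in matrices) / n for j in range(cols)] for i in range(rows)]


def variance_matrix(matrices):
    mu, n = mean_matrix(matrices), len(matrices)
    return [[sum((m[i][j] - mu[i][j]) ** 2 for m in matrices) / n
             for j in range(len(mu[0]))] for i in range(len(mu))]


class ClusterRegion:
    """Clustering region of claim 3, modelled (assumption) as the centroid of the
    training periods' points plus the largest training distance times a margin;
    a later period whose point falls outside that radius is reported as anomalous."""

    def __init__(self, points, margin=1.5):
        dim = len(points[0])
        self.centroid = [sum(p[k] for p in points) / len(points) for k in range(dim)]
        self.radius = max(self._dist(p) for p in points) * margin

    def _dist(self, p):
        return sqrt(sum((a - b) ** 2 for a, b in zip(p, self.centroid)))

    def is_anomalous(self, point) -> bool:
        return self._dist(point) > self.radius


def correlated_groups(hosts, mu, threshold):
    """List comparison: join IPs whose mutual mean traffic (both directions summed)
    reaches the threshold; returns the connected groups, each sorted."""
    parent = list(range(len(hosts)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i in range(len(hosts)):
        for j in range(i + 1, len(hosts)):
            if mu[i][j] + mu[j][i] >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i, h in enumerate(hosts):
        groups.setdefault(find(i), []).append(h)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample: three normal periods and one in which 10.0.0.4 starts blasting 10.0.0.1
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
PERIODS = [
    [("10.0.0.1", "10.0.0.2", 1000), ("10.0.0.2", "10.0.0.1", 800), ("10.0.0.3", "10.0.0.4", 50)],
    [("10.0.0.1", "10.0.0.2", 1100), ("10.0.0.2", "10.0.0.1", 900), ("10.0.0.3", "10.0.0.4", 60)],
    [("10.0.0.1", "10.0.0.2", 900), ("10.0.0.2", "10.0.0.1", 850), ("10.0.0.3", "10.0.0.4", 40)],
]
ANOMALY = PERIODS[0] + [("10.0.0.4", "10.0.0.1", 9000)]


def analyze(hosts=HOSTS, periods=PERIODS, suspect=ANOMALY, threshold=500.0):
    """Runs the whole claim-3 pipeline on the sample and returns its findings."""
    mats = [traffic_matrix(hosts, p) for p in periods]
    mu, var = mean_matrix(mats), variance_matrix(mats)
    region = ClusterRegion([flatten(m) for m in mats])
    return {
        "mean": mu,
        "variance": var,
        "suspect_anomalous": region.is_anomalous(flatten(traffic_matrix(hosts, suspect))),
        "baseline_anomalous": region.is_anomalous(flatten(mats[0])),
        "groups": correlated_groups(hosts, mu, threshold),
    }


if __name__ == "__main__":
    print(analyze())
```

The variance matrix is what makes the radius meaningful: a pair whose traffic swings widely in normal operation widens the region, while a pair that is normally silent (such as 10.0.0.4 talking to 10.0.0.1 above) contributes almost nothing to it, so even moderate new traffic on that pair pushes the period's point outside the cluster.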

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210521470.7A CN115021974B (en) 2022-05-13 2022-05-13 Local area network safety probe equipment set

Publications (2)

Publication Number Publication Date
CN115021974A true CN115021974A (en) 2022-09-06
CN115021974B CN115021974B (en) 2023-09-08

Family

ID=83068593

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210521470.7A Active CN115021974B (en) 2022-05-13 2022-05-13 Local area network safety probe equipment set

Country Status (1)

Country Link
CN (1) CN115021974B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030225549A1 (en) * 2002-03-29 2003-12-04 Shay A. David Systems and methods for end-to-end quality of service measurements in a distributed network environment
CN107995162A (en) * 2017-10-27 2018-05-04 深信服科技股份有限公司 Network security situational awareness system, method and readable storage medium
US20190052549A1 (en) * 2016-05-06 2019-02-14 Enterpriseweb Llc Systems and methods for domain-driven design and execution of metamodels
CN113259202A (en) * 2021-06-28 2021-08-13 四川新网银行股份有限公司 Method and system for monitoring unsafe file sharing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
柴文磊;张彬;刘劲松;李超;: "Design and Implementation of a Network Information Monitoring System", Anhui Agricultural Sciences, no. 02 *

Also Published As

Publication number Publication date
CN115021974B (en) 2023-09-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant