CN115065592A - Information processing method, device and storage medium - Google Patents

Publication number: CN115065592A
Application number: CN202210571157.4A
Authority: CN (China)
Prior art keywords: information, abnormal, conversion, abnormal information, pieces
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 张斌
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202210571157.4A
Publication of CN115065592A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an information processing method, an information processing device and a storage medium. The method comprises the following steps: obtaining N pieces of abnormal information, where each piece of abnormal information corresponds to one network chain, each piece is determined from traffic detection in the network, and N is an integer greater than 1; acquiring a plurality of pieces of conversion strategy information corresponding to a plurality of communication links; and processing the N pieces of abnormal information based on the plurality of pieces of conversion strategy information to determine abnormal equipment information. Because the N pieces of abnormal information are processed using the acquired conversion strategy information, the processing speed is improved, the abnormal equipment is conveniently analyzed, and the efficiency of determining the abnormal equipment is improved.

Description

Information processing method, device and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to an information processing method, an information processing device and a storage medium.
Background
When a network security device performs security detection or host computer crash detection, it needs to analyze the Internet Protocol (IP) address information in the alarm logs corresponding to an attack network data stream in order to detect an abnormal device. Because the network environment of the network security device is complex, a Network Address Translation (NAT) router exists in the intranet for communicating with the Internet, and after a network data stream between two communicating hosts passes through the NAT router, its source and destination IP addresses are translated, so that one network data stream produces a plurality of alarm logs containing different source and destination IP addresses, and the efficiency of determining the abnormal device is low.
Disclosure of Invention
The information processing method, the information processing device and the storage medium provided by the embodiment of the invention can improve the efficiency of determining abnormal equipment.
The technical scheme of the invention is realized as follows:
the embodiment of the invention provides an information processing method, which comprises the following steps:
acquiring N pieces of abnormal information, where each piece of abnormal information corresponds to one network chain, each piece is determined from traffic detection in the network, and N is an integer greater than 1;
acquiring a plurality of conversion strategy information corresponding to a plurality of communication links;
and processing the N pieces of abnormal information based on the plurality of conversion strategy information to determine abnormal equipment information.
In the above solution, the obtaining of multiple pieces of conversion policy information corresponding to multiple communication links includes:
receiving a plurality of conversion logs sent by a plurality of conversion nodes contained in each communication link;
and extracting conversion strategy information corresponding to each communication link from the conversion logs so as to obtain the conversion strategy information.
In the foregoing solution, the extracting, from the plurality of conversion logs, the conversion policy information corresponding to each communication link includes:
sorting the plurality of conversion logs based on time information of the plurality of conversion logs;
extracting intermediate source network address information and conversion information from a first conversion log, and respectively extracting corresponding conversion information from the other conversion logs; wherein the conversion information comprises quintuple (five-tuple) information;
and combining the intermediate source network address information extracted from the first conversion log and the plurality of conversion information extracted from the plurality of conversion logs to form the conversion strategy information.
In the foregoing solution, the processing the N pieces of abnormal information based on the plurality of conversion policy information to determine abnormal device information includes:
determining a plurality of abnormal information belonging to the same data stream from the N pieces of abnormal information by using the plurality of conversion strategy information;
and determining abnormal equipment information based on the similarity among the plurality of abnormal information.
In the above solution, determining, by using the plurality of pieces of conversion policy information, the plurality of pieces of abnormal information belonging to the same data flow from among the N pieces of abnormal information includes:
determining first abnormal information among the N pieces of abnormal information whose destination network address information matches the intermediate source network address information, where the intermediate source network address information belongs to the Kth piece of conversion strategy information and K is an integer greater than or equal to 1;
determining M pieces of abnormal information among the N pieces of abnormal information whose abnormal quintuple information respectively matches M pieces of conversion information, where the M pieces of conversion information belong to the Kth piece of conversion strategy information and M is an integer greater than 1;
and combining the first abnormal information with the M pieces of abnormal information to obtain the plurality of pieces of abnormal information.
In the foregoing solution, the determining the abnormal device information based on the similarity between the multiple pieces of abnormal information includes:
carrying out similarity verification detection on the abnormal information to obtain detection results of the abnormal information;
if the detection result represents that the similarity verification of the abnormal information passes, sequencing the abnormal information based on the time information of the abnormal information;
and determining the abnormal equipment information according to the abnormal quintuple information included in each piece of sequenced abnormal information.
In the foregoing solution, the performing similarity verification detection on the multiple pieces of abnormal information to obtain a detection result of the multiple pieces of abnormal information includes:
determining a character string with a preset length byte in each application layer data packet of the abnormal information;
calculating identification information of each abnormal information through the character strings;
and if the similarity among the identification information of the abnormal information is greater than or equal to a preset threshold value, obtaining a detection result that the similarity of the abnormal information passes the verification.
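The grouping, similarity verification and ordering steps claimed above, worked through as an added Python example. This is not code from the patent or from Sangfor: the alert and policy structures and their field names, the 64-byte prefix length, the 0.9 threshold, the byte-position similarity measure, and every IP address and port are constructed assumptions. The conversion policy is supplied as ready-made data; the alerts are one flow seen on three network chains plus one unrelated alert, and a second call shows the verification rejecting an alert whose payload does not match.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Five-tuple as (src_ip, src_port, dst_ip, dst_port, proto); all names here are constructed.
FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Alert:
    """One piece of abnormal information reported by a front-end node (hypothetical fields)."""
    chain: str          # network chain the reporting front-end node protects
    ts: float           # time information attached to the alert
    tuple5: FiveTuple   # abnormal quintuple information
    payload: bytes      # application-layer packet captured with the alert


@dataclass(frozen=True)
class ConversionPolicy:
    """Conversion strategy information for one communication link (hypothetical structure)."""
    link: str
    intermediate_src: str               # intermediate source address taken from the first NAT log
    conversions: Tuple[FiveTuple, ...]  # five-tuple of the flow as seen on each chain of the link


PREFIX_LEN = 64        # preset byte length taken from each application-layer packet (assumed value)
SIM_THRESHOLD = 0.9    # preset similarity threshold (assumed value)


def belongs_to_flow(alert: Alert, policy: ConversionPolicy) -> bool:
    """The two matching rules of the claim: the destination equals the intermediate source
    address, or the abnormal quintuple equals one of the policy's conversion tuples."""
    if alert.tuple5[2] == policy.intermediate_src:
        return True
    return alert.tuple5 in policy.conversions


def identification(alert: Alert) -> bytes:
    """Identification information: the first PREFIX_LEN payload bytes, zero padded."""
    return alert.payload[:PREFIX_LEN].ljust(PREFIX_LEN, b"\x00")


def similarity(a: bytes, b: bytes) -> float:
    """Constructed similarity measure: fraction of byte positions that agree."""
    return sum(x == y for x, y in zip(a, b)) / PREFIX_LEN


def similarity_passes(group: List[Alert]) -> bool:
    """Verification passes only if every pair of identifications meets the threshold."""
    ids = [identification(a) for a in group]
    return all(similarity(x, y) >= SIM_THRESHOLD for x, y in combinations(ids, 2))


def locate_abnormal_source(alerts: List[Alert], policy: ConversionPolicy) -> Optional[dict]:
    """Collapse the alerts of one flow and name the abnormal source device."""
    group = [a for a in alerts if belongs_to_flow(a, policy)]
    if len(group) < 2 or not similarity_passes(group):
        return None                      # nothing to merge, or the alerts are not the same flow
    ordered = sorted(group, key=lambda a: a.ts)
    first = ordered[0]                   # earliest alert sits closest to the originating host
    return {
        "source_device": (first.tuple5[0], first.tuple5[1]),
        "path": [(a.chain, a.tuple5[0], a.tuple5[2]) for a in ordered],
        "collapsed": len(group),
    }


# Constructed sample: host A (10.0.1.5) reaches host B (203.0.113.10) through NAT1 and NAT2.
DST = ("203.0.113.10", 80, "tcp")
T_CHAIN1 = ("10.0.1.5", 40000) + DST
T_CHAIN2 = ("172.16.0.1", 50000) + DST
T_CHAIN3 = ("198.51.100.2", 60000) + DST
POLICY = ConversionPolicy("A<->B", "172.16.0.1", (T_CHAIN1, T_CHAIN2, T_CHAIN3))

SUSPICIOUS = b"CONSTRUCTED-SUSPICIOUS-REQUEST-" * 3   # NAT leaves the payload alone, so it repeats
ALERTS = [
    Alert("chain3", 1000.3, T_CHAIN3, SUSPICIOUS),
    Alert("chain1", 1000.1, T_CHAIN1, SUSPICIOUS),
    Alert("chain2", 1000.2, T_CHAIN2, SUSPICIOUS),
    Alert("chain1", 1001.0, ("10.0.2.7", 41000) + DST, b"unrelated traffic"),  # different flow
]

if __name__ == "__main__":
    print(locate_abnormal_source(ALERTS, POLICY))
    # An alert that reuses the chain-3 tuple with a different payload fails verification.
    print(locate_abnormal_source(ALERTS + [Alert("chain3", 1000.4, T_CHAIN3, b"Z" * 64)], POLICY))
```

The three alerts collapse to one record whose first hop names 10.0.1.5:40000 as the abnormal source device; the unrelated alert is left out by the tuple match, and the payload check is what stops an unrelated connection that happens to reuse the same five-tuple from being merged into the flow.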
The embodiment of the invention also provides an information processing method, which comprises the following steps:
acquiring N pieces of abnormal information, where each piece of abnormal information corresponds to one network chain, each piece is determined from traffic detection in the network, and N is an integer greater than 1;
acquiring a plurality of conversion strategy information corresponding to a plurality of communication links;
and determining a plurality of abnormal information of the same data stream in the N abnormal information based on the plurality of conversion strategy information, aggregating the plurality of abnormal information, and determining abnormal source equipment information.
An embodiment of the present invention further provides an information processing apparatus, including:
a data acquisition unit for acquiring N pieces of abnormal information, where each piece of abnormal information corresponds to one network chain, each piece is determined from traffic detection in the network, and N is an integer greater than 1;
the data acquisition unit is further configured to acquire a plurality of conversion policy information corresponding to a plurality of communication links;
and the determining unit is used for processing the N pieces of abnormal information based on the plurality of conversion strategy information and determining abnormal equipment information.
An embodiment of the present invention further provides an information processing apparatus, including:
a second data acquisition unit for acquiring N pieces of abnormal information, where each piece of abnormal information corresponds to one network chain, each piece is determined from traffic detection in the network, and N is an integer greater than 1;
the second data acquisition unit is further configured to acquire a plurality of conversion policy information corresponding to a plurality of communication links;
and the aggregation determining unit is used for determining a plurality of abnormal information of the same data flow in the N pieces of abnormal information based on the plurality of conversion strategy information, aggregating the plurality of abnormal information and determining abnormal source equipment information.
The embodiment of the present invention further provides an information processing apparatus, which is characterized by comprising a memory and a processor, wherein the memory stores a computer program capable of running on the processor, and the processor implements the steps in the method when executing the program.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the steps in the above method.
In the embodiment of the invention, N pieces of abnormal information are acquired, where each piece of abnormal information corresponds to one network chain, each piece is determined from traffic detection in the network, and N is an integer greater than 1; a plurality of pieces of conversion strategy information corresponding to a plurality of communication links are acquired; and the N pieces of abnormal information are processed based on the plurality of pieces of conversion strategy information to determine abnormal equipment information. According to the scheme, the N pieces of abnormal information are processed using the acquired conversion strategy information, so that the processing rate is increased, the abnormal equipment is conveniently analyzed, and the efficiency of determining the abnormal equipment is improved.
Drawings
Fig. 1 is an optional flowchart of an information processing method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram illustrating an optional effect of the information processing method according to an embodiment of the present invention;
Fig. 3 is an alternative flowchart of an information processing method according to an embodiment of the present invention;
Fig. 4 is an alternative flowchart of the information processing method according to an embodiment of the present invention;
Fig. 5 is an alternative flowchart of the information processing method according to an embodiment of the present invention;
Fig. 6 is an alternative flowchart of the information processing method according to an embodiment of the present invention;
Fig. 7 is an alternative flowchart of an information processing method according to an embodiment of the present invention;
Fig. 8 is a first schematic structural diagram of an information processing apparatus according to an embodiment of the present invention;
Fig. 9 is a first diagram illustrating a hardware entity of an information processing apparatus according to an embodiment of the present invention;
Fig. 10 is a second schematic structural diagram of an information processing apparatus according to an embodiment of the present invention;
Fig. 11 is a hardware entity diagram of an information processing apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are further described in detail with reference to the drawings and the embodiments, the described embodiments should not be construed as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
Where descriptions such as "first/second" appear in this patent document, the following applies: the terms "first", "second" and "third" are used merely to distinguish similar objects and do not imply a particular ordering of those objects; it is understood that "first", "second" and "third" may be interchanged in a particular order or sequence where permitted, so that the embodiments of the invention described herein can be practiced in an order other than that illustrated or described.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
In the related art, the NAT router method is used when some hosts inside a private network have been assigned local IP addresses, but want to communicate with hosts on the internet. This approach requires NAT software to be installed on the router of the private network connected to the internet. A router with NAT software, called a NAT router, has at least one valid external global IP address. Therefore, all hosts using local addresses need to convert the local addresses into global IP addresses on the NAT router to connect to the internet when communicating with the outside world.
The NAT router not only can solve the problem of insufficient IP addresses, but also can effectively avoid attacks from the outside of the network and hide and protect computers inside the network. The private address of the internal network is converted into the public address of the external network. So that hosts on the internal network can access the Internet.
Generally, NAT router translation is performed inside an intranet. As shown in fig. 2, two layers of NAT translation, NAT1 and NAT2, exist between host A and host B, and the source and destination IP addresses of a network flow from host A to host B differ on network chains 1, 2 and 3.
If the enterprise deploys network security devices on network chain 1, network chain 2 and network chain 3, then one network flow from host A to host B generates three exception logs that belong to essentially the same network traffic. Since the back-end processing node receives a large amount of abnormal information, determining the abnormal device requires a large amount of computation, and the efficiency of determining the abnormal host is low. It also causes great difficulty in determining the attack source host:
1. Three exception logs are generated for one network flow, and all three logs need to be analyzed.
2. It is difficult to identify accurately from the three abnormal logs which IP address belongs to the real attack source host and which belongs to the target host.
The efficiency of determining the attack source host is therefore low.
Fig. 1 is an optional flowchart of an information processing method according to an embodiment of the present invention, and will be described with reference to the steps shown in fig. 1.
S101, acquiring N pieces of abnormal information; each abnormal information corresponds to a network chain; each anomaly information is determined from traffic detection in the network.
In the embodiment of the invention, the back-end processing node acquires N pieces of abnormal information. Each abnormal information corresponds to a network chain; each anomaly information is determined based on traffic detection in the network.
In the embodiment of the invention, the back-end processing node receives the N pieces of abnormal information sent by different front-end nodes after each front-end node has detected the data flow of the network chain to which that front-end node belongs.
In the embodiment of the present invention, the back-end processing node may be a server connected with the front-end node. In the embodiment of the invention, the back-end processing node can be only connected with a plurality of front-end nodes between two terminals in the same group, and can also be simultaneously connected with a plurality of front-end nodes between a plurality of groups of two terminals. The front-end node is a network security device configured in front of the two terminals, and the two communication devices to which the front-end node belongs form a network chain. The link between two terminals in the same group is a communication link. A communication link comprising: a plurality of network chains.
In the embodiment of the present invention, the front-end node may be a firewall or a situation awareness device. Wherein the exception information includes: source IP address information, source port information, destination IP address information, destination port information, transport layer protocol information, and application layer packets corresponding to the network link data stream.
In the embodiment of the invention, N front-end nodes detect the data flow of the network chain, if the data flow is detected to have attack behavior data flow, each front-end node records the source IP address information, the source port information, the destination IP address information, the destination port information, the transmission layer protocol information and the application layer data packet of the corresponding data flow to form corresponding abnormal information, and then N pieces of abnormal information are obtained and sent to a back-end processing node.
Illustratively, in conjunction with fig. 2, NAT1 and NAT2 are configured between host A and host B. Front-end node 1 can be configured on network chain 1 between host A and NAT1, front-end node 2 on network chain 2 between NAT1 and NAT2, and front-end node 3 on network chain 3 between NAT2 and host B. The back-end processing node can then receive the exception information for network chain 1 sent by front-end node 1, the exception information for network chain 2 sent by front-end node 2, and the exception information for network chain 3 sent by front-end node 3. Similarly, the back-end processing node can also receive a plurality of abnormal messages sent by the front-end nodes between other hosts.
S102, obtaining a plurality of conversion strategy information corresponding to a plurality of communication links.
In the embodiment of the invention, the back-end processing node acquires a plurality of conversion strategy information corresponding to a plurality of communication links.
In the embodiment of the invention, the back-end processing node can be connected with a plurality of pairs of communication terminals, and the links between each pair of communication terminals form a communication link. When data communication occurs between a pair of communication terminals, a conversion node between the pair of communication terminals transmits a conversion log to a back-end processing node. Wherein the conversion log may include: quintuple information corresponding to a network chain to which the translation node belongs.
In the embodiment of the invention, a back-end processing node receives a plurality of conversion logs sent by a plurality of conversion nodes contained in a communication link between a pair of terminals. Meanwhile, the back-end processing node may receive a plurality of conversion logs respectively transmitted by a plurality of conversion nodes included in other communication links. And the back-end processing node extracts the conversion strategy information corresponding to the communication link from the conversion logs so as to obtain a plurality of conversion strategy information corresponding to the communication links.
S103, processing the N abnormal information based on the plurality of conversion strategy information, and determining abnormal equipment information.
In the embodiment of the invention, the back-end processing node processes the N pieces of abnormal information based on the plurality of conversion strategy information to determine the abnormal equipment information.
In the embodiment of the present invention, the back-end processing node determines, based on the plurality of conversion policy information, a plurality of pieces of exception information belonging to the same data flow (that is, the same communication link) from among the N pieces of exception information. And the back-end processing node sequences the abnormal information based on the time information of the abnormal information so as to obtain a plurality of abnormal information in a certain sequence. And the back-end processing node determines abnormal equipment information through abnormal quintuple information in a plurality of abnormal information in a certain sequence. And the user can determine abnormal equipment in a certain sequence according to the abnormal equipment information.
In the embodiment of the present invention, the back-end processing node may determine, from abnormal devices in a certain order, that the first abnormal device is an abnormal source device.
In the embodiment of the invention, after the similarity verification of the abnormal information is passed, the back-end processing node sequences the abnormal information to determine the abnormal equipment information.
In the embodiment of the invention, the back-end processing node can sequence the abnormal information through the timestamps of the abnormal information to obtain the abnormal information in a certain sequence. And enabling the user to determine the abnormal equipment information by using the source IP address information and/or the source port information in the sequenced abnormal information.
In the embodiment of the invention, N pieces of abnormal information are acquired, where each piece of abnormal information corresponds to one network chain, each piece is determined from traffic detection in the network, and N is an integer greater than 1; a plurality of pieces of conversion strategy information corresponding to a plurality of communication links are acquired; and the N pieces of abnormal information are processed based on the plurality of pieces of conversion strategy information to determine abnormal equipment information. According to the scheme, the N pieces of abnormal information are processed using the acquired conversion strategy information, so that the processing rate is increased, the abnormal equipment is conveniently analyzed, and the efficiency of determining the abnormal equipment is improved.
Referring to fig. 3, fig. 3 is an optional schematic flow diagram of an information processing method according to an embodiment of the present invention, and S102 shown in fig. 1 may also be implemented through S104 to S105, which will be described with reference to the steps.
S104, receiving a plurality of conversion logs sent by a plurality of conversion nodes contained in each communication link.
In the embodiment of the invention, the back-end processing node receives a plurality of conversion logs sent by a plurality of conversion nodes contained in each communication link.
In the embodiment of the invention, the back-end processing node is connected with a plurality of conversion nodes in a plurality of communication links. When data communication occurs in any communication link, a plurality of conversion nodes in the communication link form conversion logs, and the plurality of conversion nodes of the communication link send the respectively formed conversion logs to the back-end processing node.
In the embodiment of the invention, the back-end processing node receives, in real time, the plurality of conversion logs sent by the plurality of conversion nodes contained in each communication link, so as to determine the conversion strategy information. That is, there is no fixed order between the real-time execution of S102 and that of S101.
And S105, extracting conversion strategy information corresponding to each communication link from the conversion logs, and further obtaining a plurality of conversion strategy information.
In the embodiment of the invention, the back-end processing node extracts the conversion strategy information corresponding to each communication link from a plurality of conversion logs so as to obtain a plurality of conversion strategy information.
In the embodiment of the invention, the back-end processing node extracts the conversion source network address information, the conversion source port information, the conversion destination network address information and the conversion destination port information which correspond to the plurality of conversion nodes respectively from the plurality of conversion logs. The back-end processing node combines the conversion source network address information, the conversion source port information, the conversion destination network address information and the conversion destination port information which are respectively corresponding to the plurality of conversion nodes, and then conversion strategy information corresponding to the communication link is obtained. That is, the information of the conversion policy between the pair of communication devices corresponding to the communication link is obtained. Similarly, the back-end processing node obtains a plurality of conversion policy information corresponding to the plurality of communication links by using the same method.
In the embodiment of the invention, a back-end processing node sequences a plurality of conversion logs according to the timestamps of the plurality of conversion logs (the time information of the received conversion logs); extracting destination network address information and conversion information from a first conversion log, and respectively extracting corresponding conversion information from other conversion logs; wherein the conversion information includes: converting source network address information, converting source port information, converting destination network address information and converting destination port information; and combining the target network address information extracted from the first conversion log and a plurality of conversion information extracted from a plurality of conversion logs to form conversion strategy information corresponding to the communication link.
In the embodiment of the invention, the target object is configured on the NAT router, and the conversion logs of the NAT router are sent to the back-end processing node. The back-end processing node parses the received NAT conversion logs and stores the conversion strategy, and the conversion strategy is updated in real time based on the received conversion logs.
In the embodiment of the invention, the back-end processing node extracts the corresponding conversion strategy information through the plurality of conversion logs, and then determines a plurality of abnormal information belonging to the same attack flow in the N pieces of abnormal information through the conversion strategy information for processing, so that the processing speed is increased, and the efficiency of analyzing the abnormal equipment is improved.
Referring to fig. 4, fig. 4 is an optional flowchart of the information processing method according to the embodiment of the present invention, and S105 shown in fig. 3 may be implemented by S106 to S108, which will be described with reference to the steps.
And S106, sequencing the conversion logs based on the time information of the conversion logs.
In the embodiment of the invention, the back-end processing node sequences the plurality of conversion logs based on the time information of the plurality of conversion logs.
In the embodiment of the invention, the back-end processing node sequences the conversion logs according to the timestamps of the conversion logs to obtain a plurality of conversion logs in a certain sequence.
In the embodiment of the invention, the back-end processing node receives a plurality of conversion logs sent by a plurality of conversion nodes of the same communication link. Since the timestamp is obtained when the conversion log is received, the back-end processing node may order the plurality of conversion logs with the timestamp of the plurality of conversion logs.
S107, extracting the intermediate source network address information and the conversion information from the first conversion log, and respectively extracting the corresponding conversion information from the other conversion logs.
In the embodiment of the invention, the back-end processing node extracts the intermediate source network address information and the conversion information from the first conversion log, and extracts the corresponding conversion information from other conversion logs respectively.
In the embodiment of the invention, the back-end processing node sequences the plurality of conversion logs according to the sequence of the timestamps of the plurality of conversion logs. And the back-end processing node extracts the intermediate source network address information and the conversion information in the first conversion log. The back-end processing node extracts the conversion information of other conversion logs except the first conversion log.
The conversion information is quintuple information, which includes: translated source network address information, translated source port information, translated destination network address information, and translated destination port information.
S108, combining the intermediate source network address information extracted from the first conversion log with the plurality of conversion information extracted from the plurality of conversion logs to form conversion strategy information, and thereby obtaining the plurality of conversion strategy information.
In the embodiment of the invention, the back-end processing node combines the intermediate source network address information extracted from the first conversion log with the plurality of conversion information extracted from the plurality of conversion logs to form conversion strategy information, thereby obtaining the plurality of conversion strategy information.
In the embodiment of the invention, the back-end processing node extracts the intermediate source IP address information, the conversion source port information, the conversion destination IP address information and the conversion destination port information from the first conversion log. The back-end processing node extracts the conversion source IP address information, the conversion source port information, the conversion destination IP address information and the conversion destination port information from the other conversion logs. The back-end processing node packages the information extracted from each conversion log and finally combines it to form conversion strategy information. The back-end processing node obtains the plurality of conversion strategy information in the same way.
In the embodiment of the invention, because the plurality of conversion logs in the same communication link have a certain sequence, the back-end processing node uses the sequence to sequence the plurality of conversion logs, extracts the intermediate source network address information and the conversion information from the first conversion log, and respectively extracts the corresponding conversion information from other conversion logs, thereby forming the corresponding conversion strategy information to ensure the integrity of each conversion strategy information, so that the back-end processing node can more accurately determine a plurality of abnormal information belonging to the same attack flow from the N abnormal information.
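The following is an added example of S106 to S108 in Python; it is not code from the patent or from Sangfor. The log field names are assumptions: each conversion log carries the link it belongs to (`link`), the receive timestamp (`ts`), the translated five-tuple (`src`, `sport`, `dst`, `dport`, `proto`) and, on the log written by the first conversion node of a link, the pre-translation source address (`orig_src`), which stands in for the page's "intermediate source network address information". It goes slightly beyond the text by grouping logs of several links and building one policy per link.

```python
"""Build NAT conversion policy records from conversion logs (S106 to S108).

Added example, not the patent's own code. All field names are assumed.
"""
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, int, str, int, str]

# Constructed sample: two links, logs received out of timestamp order.
CONVERSION_LOGS: List[dict] = [
    {"link": "link-1", "ts": 1700000002, "src": "203.0.113.7", "sport": 40001,
     "dst": "198.51.100.9", "dport": 443, "proto": "tcp"},
    {"link": "link-1", "ts": 1700000000, "orig_src": "10.0.0.5", "src": "172.16.1.1",
     "sport": 51000, "dst": "198.51.100.9", "dport": 443, "proto": "tcp"},
    {"link": "link-1", "ts": 1700000001, "src": "192.0.2.1", "sport": 38000,
     "dst": "198.51.100.9", "dport": 443, "proto": "tcp"},
    {"link": "link-2", "ts": 1700000010, "orig_src": "10.0.0.8", "src": "172.16.1.1",
     "sport": 51001, "dst": "198.51.100.20", "dport": 53, "proto": "udp"},
    {"link": "link-2", "ts": 1700000011, "src": "203.0.113.7", "sport": 40002,
     "dst": "198.51.100.20", "dport": 53, "proto": "udp"},
]


def five_tuple(log: dict) -> FiveTuple:
    """The translated (post-NAT) five-tuple recorded by one conversion node."""
    return (log["src"], log["sport"], log["dst"], log["dport"], log["proto"])


def build_policy(logs: List[dict]) -> dict:
    """S106 to S108 for the conversion logs of a single communication link."""
    if not logs:
        raise ValueError("no conversion logs for link")
    ordered = sorted(logs, key=lambda log: log["ts"])  # S106: order by receive time
    first = ordered[0]
    if "orig_src" not in first:
        # S107 expects the intermediate source address on the first log; a
        # late-arriving first-hop log would violate this, so fail loudly.
        raise ValueError("first log of link lacks intermediate source address")
    return {  # S108: intermediate source plus every hop's conversion information
        "intermediate_src": first["orig_src"],
        "conversions": [five_tuple(log) for log in ordered],
    }


def build_policies(logs: List[dict]) -> Dict[str, dict]:
    """Group logs by communication link and build one policy per link."""
    by_link: Dict[str, List[dict]] = {}
    for log in logs:
        by_link.setdefault(log["link"], []).append(log)
    return {link: build_policy(link_logs) for link, link_logs in by_link.items()}


if __name__ == "__main__":
    for link, policy in build_policies(CONVERSION_LOGS).items():
        print(link, policy["intermediate_src"], policy["conversions"])
```

Because the timestamp is assigned on receipt rather than taken from the conversion node, a first-hop log that arrives after a later hop's log would be sorted out of place; the `orig_src` check in `build_policy` makes that condition visible instead of silently producing an incomplete policy.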
Referring to fig. 5, fig. 5 is an optional flowchart of the information processing method according to the embodiment of the present invention, and S103 shown in fig. 1 may be implemented by S109 to S110, which will be described with reference to the steps.
S109, determining, from the N pieces of abnormal information, a plurality of abnormal information belonging to the same data flow by using the plurality of conversion strategy information.
In the embodiment of the invention, the back-end processing node determines a plurality of abnormal information belonging to the same data flow from the N abnormal information by using the plurality of conversion strategy information.
In the embodiment of the invention, the back-end processing node determines a plurality of abnormal information belonging to the same attack data flow from the N pieces of abnormal information by using a plurality of conversion strategy information corresponding to a plurality of communication links.
In the embodiment of the present invention, the back-end processing node matches the source network address information, source port information, destination network address information and destination port information of each of the N pieces of abnormal information against the conversion information included in each piece of conversion policy information. If the source network address information, source port information, destination network address information and destination port information of several pieces of abnormal information match the conversion information included in one piece of conversion policy information, those pieces are determined to be the plurality of abnormal information.
In the embodiment of the present invention, after the back-end processing node obtains the plurality of abnormal information, the similarity verification may be performed on the plurality of abnormal information by using the application layer packet included in the plurality of abnormal information.
S110, determining abnormal equipment information based on the similarity among the plurality of abnormal information.
In the embodiment of the invention, the back-end processing node determines the abnormal equipment information based on the similarity among the plurality of abnormal information.
In the embodiment of the invention, the back-end processing node calculates the identification information of each abnormal information from the preset character string in each abnormal information. If the identification information of the plurality of abnormal information is the same, or its similarity is greater than or equal to the preset threshold, the plurality of abnormal information is sorted based on its time information to obtain the plurality of abnormal information in a definite order. The back-end processing node then determines the abnormal equipment information from the abnormal quintuple information in the plurality of abnormal information.
Referring to fig. 6, fig. 6 is an optional flowchart of the information processing method according to the embodiment of the present invention, and S109 to S110 shown in fig. 5 can be implemented by S111 to S116, which will be described with reference to the steps.
S111, determining, from the N pieces of abnormal information, first abnormal information whose destination network address information matches the intermediate source network address information; the intermediate source network address information belongs to the Kth conversion policy information.
In the embodiment of the invention, the back-end processing node determines, from the N pieces of abnormal information, that there is first abnormal information whose destination network address information matches the intermediate source network address information. The intermediate source network address information belongs to the Kth conversion strategy information, where K is an integer greater than or equal to 1.
The Kth conversion policy information is one of the plurality of conversion policy information.
S112, determining that the N pieces of abnormal information contain M pieces of abnormal information whose abnormal quintuple information respectively matches M pieces of conversion information; the M pieces of conversion information belong to the Kth conversion policy information.
In the embodiment of the invention, the back-end processing node determines that, among the N pieces of abnormal information, there are M pieces of abnormal information whose abnormal quintuple information respectively matches M pieces of conversion information; the M pieces of conversion information belong to the Kth conversion policy information. M is an integer greater than 1.
S113, combining the first abnormal information with the M pieces of abnormal information to obtain the plurality of abnormal information.
In the embodiment of the invention, the back-end processing node combines the first abnormal information and the M pieces of abnormal information to obtain the plurality of abnormal information.
In the embodiment of the present invention, the back-end processing node detects that the destination network address information contained in the first abnormal information among the N pieces of abnormal information matches the destination network address information included in the Kth conversion policy information, and that the address and port information contained in M pieces of abnormal information among the N pieces of abnormal information respectively matches the address and port information of the plurality of conversion information in the Kth conversion policy information, and thereby determines that the first abnormal information plus the M pieces of abnormal information constitute the plurality of abnormal information. K is an integer greater than or equal to 1.
In this embodiment of the present invention, the first exception information may be any one of N pieces of exception information. The first abnormality information may include: source network address information, source port information, destination network address information, and destination port information. In this embodiment of the present invention, the kth conversion policy information may be any one of a plurality of conversion policy information.
For example, the N pieces of abnormal information may be 10 pieces of abnormal information, and the plurality of conversion policy information may be 3 pieces of conversion policy information. The back-end processing node detects that the destination network address information contained in the 3rd abnormal information matches the intermediate source network address information contained in the 2nd conversion strategy information, and that the source IP address information, source port information, destination IP address information and destination port information contained in the 4th, 6th and 8th abnormal information respectively match the plurality of conversion information in the 2nd conversion strategy information, so the 3rd, 4th, 6th and 8th abnormal information are determined to be the plurality of abnormal information.
In the embodiment of the invention, the network security equipment detects network attacks, and since the intranet may be equipped with a plurality of traffic acquisition probes, a plurality of attack logs may be generated for the same attack flow. The network security equipment screens out the plurality of attack logs belonging to the same attack flow based on the stored NAT conversion strategy
S114, performing similarity verification detection on the plurality of abnormal information to obtain detection results of the plurality of abnormal information.
In the embodiment of the invention, the back-end processing node carries out similarity verification detection on the plurality of abnormal information to obtain the detection results of the plurality of abnormal information.
In the embodiment of the invention, the back-end processing node determines a character string of a preset length in bytes in the application layer data packet of each abnormal information. The back-end processing node calculates the identification information of each abnormal information from that character string. If the similarity among the identification information of the plurality of abnormal information is greater than or equal to a preset threshold, the back-end processing node obtains a detection result that the similarity verification of the plurality of abnormal information passes.
In the embodiment of the present invention, if the similarity between the identification information of the plurality of pieces of abnormal information is smaller than a preset threshold, the back-end processing node obtains a detection result that the similarity verification of the plurality of pieces of abnormal information fails.
The preset threshold may be a numerical value.
In the embodiment of the invention, the back-end processing node determines the data to be encrypted, of a preset length in bytes, in the application layer data packet of each abnormal information. The back-end processing node processes the data to be encrypted with a preset encryption algorithm to obtain a unique value for each abnormal information. If the unique values of the plurality of abnormal information are the same, the detection result that the similarity verification of the plurality of abnormal information passes is determined.
In the embodiment of the invention, if the back-end processing node detects that the unique values of the plurality of abnormal information are the same, the similarity verification of the plurality of abnormal information is determined to be passed.
In the embodiment of the present invention, each abnormal information may include a payload data packet corresponding to a link data flow. Because the payload data packets of the same attack flow are identical, the back-end processing node can calculate the data to be encrypted of each abnormal information.
In the embodiment of the present invention, the back-end processing node may calculate the data to be encrypted with a hash algorithm such as the MD5 Message-Digest Algorithm to obtain the unique value of each piece of abnormal information. The back-end processing node uses the same algorithm to calculate the unique values of the plurality of abnormal information.
In the embodiment of the present invention, if the back-end processing node detects that the unique values of the plurality of abnormal information are the same, this indicates that the payloads contained in the plurality of abnormal information are the same and belong to the same attack flow. The back-end processing node then determines that the similarity verification of the plurality of abnormal information passes.
In the embodiment of the present invention, if the similarity verification of the plurality of abnormal information fails, the back-end processing node may perform the similarity verification on the plurality of abnormal information after a certain time interval.
In the embodiment of the invention, the back-end processing node calculates the unique value as the identification information through the data to be encrypted of the abnormal information of the same attack flow. And the back-end processing node verifies and aggregates a plurality of abnormal information of the same attack flow according to the identification information, thereby improving the detection efficiency of abnormal equipment.
S115, if the detection result indicates that the similarity verification of the plurality of abnormal information passes, sorting the plurality of abnormal information according to the time information of the plurality of abnormal information.
In the embodiment of the invention, if the detection result indicates that the similarity verification of the plurality of abnormal information passes, the back-end processing node sequences the plurality of abnormal information according to the time information of the plurality of abnormal information.
S116, determining abnormal equipment information according to the abnormal quintuple information included in each piece of sequenced abnormal information.
In the embodiment of the invention, the back-end processing node determines the abnormal equipment information according to the abnormal quintuple information included in each piece of sequenced abnormal information.
Referring to fig. 7, fig. 7 is an optional flowchart of an information processing method according to an embodiment of the present invention, which will be described with reference to steps.
S201, acquiring N pieces of abnormal information; each abnormal information corresponds to a network link; each abnormal information is determined from traffic detection in the network.
In the embodiment of the invention, the back-end processing node acquires N pieces of abnormal information; each abnormal information corresponds to a network link; each abnormal information is determined from traffic detection in the network.
S202, acquiring a plurality of conversion strategy information corresponding to a plurality of communication links.
In the embodiment of the invention, the back-end processing node acquires a plurality of conversion strategy information corresponding to a plurality of communication links.
S203, determining a plurality of abnormal information of the same data stream in the N abnormal information based on the plurality of conversion strategy information, aggregating the plurality of abnormal information, and determining abnormal source equipment information.
In the embodiment of the invention, the back-end processing node determines a plurality of abnormal information of the same data flow in the N abnormal information based on the plurality of conversion strategy information, aggregates the plurality of abnormal information and determines the abnormal source equipment information.
In the embodiment of the invention, the back-end processing node determines a plurality of abnormal information belonging to the same data flow from the N abnormal information by using the plurality of conversion strategy information. And after the similarity verification of the abnormal information is passed, the back-end processing node aggregates the abnormal information by using the time information of the received abnormal information to obtain the aggregated abnormal information. And the back-end processing node determines the information of the abnormal source equipment in the aggregated abnormal information so as to determine the abnormal source equipment.
In the embodiment of the invention, the back-end processing node uses the time information of the plurality of abnormal information to sequence the plurality of abnormal information, takes the source network address information and the source port information of the first abnormal information, and takes the destination network address information and the destination port information of the last abnormal information to aggregate to obtain the aggregated abnormal information.
In the embodiment of the invention, the back-end processing node takes the source IP address information or the source port information in the aggregated abnormal information as the abnormal source equipment information, so that a user can determine the abnormal source equipment from the abnormal source equipment information.
In the embodiment of the present invention, suppose the back-end processing node receives three pieces of abnormal information A, B and C, with timestamps 15:04:02, 15:04:03 and 15:04:06 respectively. The back-end processing node orders the three pieces of abnormal information A, B and C by these timestamps. The back-end processing node takes the source IP address information and source port information of abnormal information A and the destination IP address information and destination port information of abnormal information C, and combines them with the transport layer protocol information to form the aggregated abnormal information. The user can determine the abnormal source device information from the source IP address information and source port information of abnormal information A.
In the embodiment of the invention, a user can search the abnormal source equipment information corresponding to the source network address information and the source port information in the corresponding data table, so as to determine the abnormal source equipment.
In the embodiment of the invention, the back-end processing node sequences the plurality of abnormal information according to the time information of the plurality of abnormal information to form the aggregated abnormal information, which is equivalent to reducing the number of the abnormal information, thereby improving the efficiency of determining the abnormal source equipment.
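The following added Python example covers both the grouping and similarity verification of S111 to S116 and the aggregation of S203; it is not code from the patent or from Sangfor. The record and policy field names are assumptions: each abnormal information record has an `id`, a receive timestamp `ts`, the abnormal five-tuple (`src`, `sport`, `dst`, `dport`, `proto`) and the application layer payload as bytes, and a conversion policy is a dict with `intermediate_src` and a list of `conversions`. The constructed input mirrors the page's example of 10 records and a policy matched by the 3rd, 4th, 6th and 8th. The page names MD5 for the unique value; the example defaults to SHA-256, since only equality of digests is compared and a collision-resistant digest removes any chance of unrelated payloads being aggregated together.

```python
"""Group anomaly records of one attack flow with a conversion policy (S111 to
S113), verify them by payload fingerprint (S114) and aggregate them to the
abnormal source device (S115, S116, S203). Added example; field names assumed."""
import hashlib
from typing import List, Tuple

FiveTuple = Tuple[str, int, str, int, str]

# Constructed policy for one link (plays the page's "2nd conversion policy").
POLICY = {
    "intermediate_src": "10.0.0.5",
    "conversions": [
        ("172.16.1.1", 51000, "198.51.100.9", 443, "tcp"),
        ("192.0.2.1", 38000, "198.51.100.9", 443, "tcp"),
        ("203.0.113.7", 40001, "198.51.100.9", 443, "tcp"),
    ],
}

FLOW_PAYLOAD = b"constructed payload seen by every probe on the flow"
OTHER_PAYLOAD = b"constructed unrelated payload"


def _rec(i, ts, src, sport, dst, dport, payload, proto="tcp"):
    return {"id": i, "ts": ts, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": proto, "payload": payload}


# Constructed N = 10 records; 3, 4, 6 and 8 belong to the same attack flow.
ANOMALIES = [
    _rec(1, 100, "10.0.0.9", 40000, "10.0.0.20", 22, OTHER_PAYLOAD),
    _rec(2, 101, "10.0.0.3", 40001, "10.0.0.8", 80, OTHER_PAYLOAD),
    _rec(3, 102, "10.0.0.77", 4444, "10.0.0.5", 8080, FLOW_PAYLOAD),
    _rec(4, 103, "172.16.1.1", 51000, "198.51.100.9", 443, FLOW_PAYLOAD),
    _rec(5, 104, "10.0.0.3", 40002, "10.0.0.8", 80, OTHER_PAYLOAD),
    _rec(6, 105, "192.0.2.1", 38000, "198.51.100.9", 443, FLOW_PAYLOAD),
    _rec(7, 106, "10.0.0.9", 40003, "10.0.0.20", 22, OTHER_PAYLOAD),
    _rec(8, 107, "203.0.113.7", 40001, "198.51.100.9", 443, FLOW_PAYLOAD),
    _rec(9, 108, "10.0.0.3", 40004, "10.0.0.8", 80, OTHER_PAYLOAD),
    _rec(10, 109, "10.0.0.9", 40005, "10.0.0.20", 22, OTHER_PAYLOAD),
]


def five_tuple(rec: dict) -> FiveTuple:
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def select_same_flow(anomalies: List[dict], policy: dict) -> List[dict]:
    """S111 to S113: the first record whose destination equals the policy's
    intermediate source, plus one record per conversion five-tuple."""
    by_time = sorted(anomalies, key=lambda r: r["ts"])
    first = next((r for r in by_time if r["dst"] == policy["intermediate_src"]), None)
    if first is None:
        return []
    matched = []
    for conv in policy["conversions"]:  # S112: one record per conversion
        hit = next((r for r in by_time if five_tuple(r) == conv), None)
        if hit is None:
            return []  # assumption: every hop of the policy must be seen
        matched.append(hit)
    return sorted([first] + matched, key=lambda r: r["ts"])  # S113


def fingerprint(payload: bytes, length: int = 32, algo: str = "sha256") -> str:
    """S114 identification value: digest of the first `length` payload bytes.
    The page names MD5; sha256 is used here (assumption) as only equality matters."""
    return hashlib.new(algo, payload[:length]).hexdigest()


def similarity_passes(records: List[dict]) -> bool:
    """Unique-value variant of S114: verification passes when all digests agree."""
    return len(records) > 1 and len({fingerprint(r["payload"]) for r in records}) == 1


def aggregate(records: List[dict]) -> dict:
    """S115/S116/S203: order by time, take the source of the first record and
    the destination of the last as the aggregated abnormal information."""
    ordered = sorted(records, key=lambda r: r["ts"])
    first, last = ordered[0], ordered[-1]
    return {"src": first["src"], "sport": first["sport"], "dst": last["dst"],
            "dport": last["dport"], "proto": first["proto"],
            "members": [r["id"] for r in ordered]}


def determine_abnormal_sources(anomalies: List[dict], policies: List[dict]) -> List[dict]:
    """Run the whole procedure for every conversion policy."""
    results = []
    for policy in policies:
        group = select_same_flow(anomalies, policy)
        if group and similarity_passes(group):
            results.append(aggregate(group))
    return results


if __name__ == "__main__":
    for agg in determine_abnormal_sources(ANOMALIES, [POLICY]):
        print(agg)
```

The source address and port in the aggregated record are the ones a user would look up in the device table to identify the abnormal source device; the `members` list preserves which of the N records were folded into it, which is what an analyst needs when a similarity check fails and the group has to be re-examined after an interval.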
Referring to fig. 8, fig. 8 is a first schematic structural diagram of an information processing apparatus according to an embodiment of the present invention.
An embodiment of the present invention further provides an information processing apparatus, including: a data acquisition unit 803 and a determination unit 804.
A data acquisition unit 803 configured to acquire N pieces of abnormal information; each abnormal information corresponds to a network link; each abnormal information is determined according to the traffic detection in the network; N is an integer greater than 1;
the data obtaining unit 803 is further configured to obtain a plurality of conversion policy information corresponding to a plurality of communication links;
a determining unit 804, configured to process the N pieces of abnormal information based on the plurality of conversion policy information, and determine abnormal device information.
In this embodiment of the present invention, the data obtaining unit 803 in the information processing apparatus 800 is configured to receive a plurality of conversion logs sent by a plurality of conversion nodes included in each communication link; and extracting conversion strategy information corresponding to each communication link from the conversion logs so as to obtain the conversion strategy information.
In this embodiment of the present invention, the data obtaining unit 803 in the information processing apparatus 800 is configured to sort the plurality of conversion logs based on the time information of the plurality of conversion logs; extracting intermediate source network address information and conversion information from a first conversion log, and respectively extracting corresponding conversion information from other conversion logs; wherein the conversion information includes: quintuple information; and combining the intermediate source network address information extracted from the first conversion log and a plurality of conversion information extracted from the plurality of conversion logs to form the conversion strategy information.
In this embodiment of the present invention, the determining unit 804 in the information processing apparatus 800 is configured to determine, from the N pieces of exception information, a plurality of pieces of exception information belonging to the same data flow, using the plurality of pieces of conversion policy information; and determining abnormal equipment information based on the similarity among the plurality of abnormal information.
In this embodiment of the present invention, the determining unit 804 in the information processing apparatus 800 is configured to determine, from the N pieces of exception information, that there is first exception information corresponding to destination network address information that matches the intermediate source network address information; the intermediate source network address information belongs to the Kth conversion strategy information; k is an integer greater than or equal to 1; determining that M abnormal information corresponding to M conversion information respectively corresponding to matched abnormal quintuple information is contained in the N abnormal information; the M pieces of conversion information belong to the Kth piece of conversion strategy information; m is an integer greater than 1; and combining the first abnormal information with the M pieces of abnormal information to obtain the plurality of pieces of abnormal information.
In this embodiment of the present invention, the determining unit 804 in the information processing apparatus 800 is configured to perform similarity verification detection on the plurality of abnormal information, so as to obtain detection results of the plurality of abnormal information; if the detection result represents that the similarity verification of the abnormal information passes, sequencing the abnormal information based on the time information of the abnormal information; and determining the abnormal equipment information according to the abnormal quintuple information included in each piece of sequenced abnormal information.
In this embodiment of the present invention, the determining unit 804 in the information processing apparatus 800 is configured to determine a character string of a predetermined length byte in each application layer packet of the exception information; calculating to obtain the identification information of each abnormal information through the character string; and if the similarity among the identification information of the abnormal information is greater than or equal to a preset threshold value, obtaining a detection result that the similarity of the abnormal information passes the verification.
In the embodiment of the present invention, N pieces of abnormal information are acquired by the data acquisition unit 803; each abnormal information corresponds to a network link; each abnormal information is determined according to the traffic detection in the network; N is an integer greater than 1; a plurality of conversion policy information corresponding to a plurality of communication links is acquired by the data acquisition unit 803; and the N pieces of abnormal information are processed based on the plurality of conversion strategy information by the determining unit 804 to determine abnormal equipment information. According to the scheme, the N pieces of abnormal information are processed through the acquired conversion strategy information, so that the processing rate is increased, the abnormal equipment is conveniently analyzed, and the efficiency of determining the abnormal equipment is improved.
Correspondingly, the embodiment of the present invention provides an information processing apparatus, which includes a first memory 802 and a first processor 801, where the first memory 802 stores a computer program that can be executed on the first processor 801, and the first processor 801 implements the steps in the method when executing the computer program.
Here, it should be noted that: the above description of the storage medium and apparatus embodiments is similar to the description of the method embodiments above, with similar beneficial effects as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus according to the invention, reference is made to the description of the embodiments of the method according to the invention.
It should be noted that fig. 9 is a first schematic diagram of a hardware entity of an information processing apparatus according to an embodiment of the present invention, as shown in fig. 9, the hardware entity of the information processing apparatus 800 includes: a first processor 801 and a first memory 802, wherein;
the first processor 801 generally controls the overall operation of the information processing apparatus 800.
The first Memory 802 is configured to store instructions and applications executable by the first processor 801, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by each module in the first processor 801 and the information processing apparatus 800, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).
Referring to fig. 10, fig. 10 is a schematic structural diagram of an information processing apparatus according to an embodiment of the present invention.
An embodiment of the present invention further provides an information processing apparatus, including: a second data acquisition unit 903 and an aggregation determination unit 904.
A second data obtaining unit 903, configured to obtain N pieces of abnormal information; each abnormal information corresponds to a network link; each abnormal information is determined according to the traffic detection in the network; N is an integer greater than 1;
the second data obtaining unit 903 is further configured to obtain multiple pieces of conversion policy information corresponding to multiple communication links;
an aggregation determining unit 904, configured to determine multiple pieces of exception information of the same data stream in the N pieces of exception information based on the multiple pieces of conversion policy information, aggregate the multiple pieces of exception information, and determine exception source device information.
According to the scheme, the plurality of abnormal information of the same data stream is determined in the N pieces of abnormal information based on the plurality of conversion strategy information, and the plurality of abnormal information are aggregated, so that the number of processed abnormal information is reduced, the processing efficiency is improved, and the efficiency of determining the abnormal source equipment is improved.
Correspondingly, an embodiment of the present invention provides an information processing apparatus, including a second memory 902 and a second processor 901, where the second memory 902 stores a computer program operable on the second processor 901, and the second processor 901 implements the steps in the method when executing the computer program.
Here, it should be noted that: the above description of the storage medium and apparatus embodiments is similar to the description of the method embodiments above, with similar beneficial effects as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus according to the invention, reference is made to the description of the embodiments of the method according to the invention.
Fig. 11 is a schematic diagram of a hardware entity of an information processing apparatus according to an embodiment of the present invention, and as shown in fig. 11, the hardware entity of the information processing apparatus 900 includes: a second processor 901 and a second memory 902, wherein;
the second processor 901 generally controls the overall operation of the information processing apparatus 900.
The second Memory 902 is configured to store instructions and applications executable by the second processor 901, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by each module in the second processor 901 and the information processing apparatus 900, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present invention, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention. The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative. For example, the division into units is only a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may pass through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or of other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units, and some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the method embodiments can be completed by hardware controlled by program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. The aforementioned storage medium includes various media capable of storing program code, such as a removable storage device, a Read Only Memory (ROM), a magnetic disk, or an optical disk.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a removable storage device, a ROM, a magnetic disk, or an optical disk.
The above description presents only embodiments of the present invention, but the scope of the present invention is not limited thereto; any changes or substitutions that a person skilled in the art can readily conceive within the technical scope of the present invention fall within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (12)

1. An information processing method, characterized by comprising:
acquiring N pieces of abnormal information, wherein each piece of abnormal information corresponds to a network link, each piece of abnormal information is determined from traffic detection in the network, and N is an integer greater than 1;
acquiring a plurality of pieces of conversion policy information corresponding to a plurality of communication links; and
processing the N pieces of abnormal information based on the plurality of pieces of conversion policy information to determine abnormal device information.
2. The information processing method according to claim 1, wherein the acquiring of the plurality of pieces of conversion policy information corresponding to the plurality of communication links comprises:
receiving a plurality of conversion logs sent by a plurality of conversion nodes contained in each communication link; and
extracting the conversion policy information corresponding to each communication link from the plurality of conversion logs, so as to obtain the plurality of pieces of conversion policy information.
3. The information processing method according to claim 2, wherein the extracting, from the plurality of conversion logs, of the conversion policy information corresponding to each communication link comprises:
sorting the plurality of conversion logs based on time information of the plurality of conversion logs;
extracting intermediate source network address information and conversion information from the first conversion log, and extracting the corresponding conversion information from each of the other conversion logs, wherein the conversion information includes five-tuple information; and
combining the intermediate source network address information extracted from the first conversion log with the plurality of pieces of conversion information extracted from the plurality of conversion logs to form the conversion policy information.
4. The information processing method according to claim 1, wherein the processing of the N pieces of abnormal information based on the plurality of pieces of conversion policy information to determine abnormal device information comprises:
determining, from the N pieces of abnormal information, a plurality of pieces of abnormal information belonging to the same data flow by using the plurality of pieces of conversion policy information; and
determining the abnormal device information based on the similarity among the plurality of pieces of abnormal information.
5. The information processing method according to claim 4, wherein the determining, by using the plurality of pieces of conversion policy information, of a plurality of pieces of abnormal information belonging to the same data flow from among the N pieces of abnormal information comprises:
determining, among the N pieces of abnormal information, first abnormal information whose destination network address information matches the intermediate source network address information, wherein the intermediate source network address information belongs to the K-th piece of conversion policy information, and K is an integer greater than or equal to 1;
determining, among the N pieces of abnormal information, M pieces of abnormal information whose abnormal five-tuple information respectively matches M pieces of conversion information, wherein the M pieces of conversion information belong to the K-th piece of conversion policy information, and M is an integer greater than 1; and
combining the first abnormal information with the M pieces of abnormal information to obtain the plurality of pieces of abnormal information.
6. The information processing method according to claim 4, wherein the determining of the abnormal device information based on the similarity among the plurality of pieces of abnormal information comprises:
performing similarity verification detection on the plurality of pieces of abnormal information to obtain detection results for the plurality of pieces of abnormal information;
if the detection results indicate that the plurality of pieces of abnormal information pass the similarity verification, sorting the plurality of pieces of abnormal information based on their time information; and
determining the abnormal device information according to the abnormal five-tuple information included in each piece of sorted abnormal information.
7. The information processing method according to claim 6, wherein the performing of similarity verification detection on the plurality of pieces of abnormal information to obtain detection results for the plurality of pieces of abnormal information comprises:
determining, in the application layer data packet of each piece of abnormal information, a character string of a preset number of bytes;
calculating identification information of each piece of abnormal information from the character string; and
if the similarity among the identification information of the plurality of pieces of abnormal information is greater than or equal to a preset threshold, obtaining a detection result indicating that the plurality of pieces of abnormal information pass the similarity verification.
8. An information processing method, characterized by comprising:
acquiring N pieces of abnormal information, wherein each piece of abnormal information corresponds to a network link, each piece of abnormal information is determined from traffic detection in the network, and N is an integer greater than 1;
acquiring a plurality of pieces of conversion policy information corresponding to a plurality of communication links; and
determining, based on the plurality of pieces of conversion policy information, a plurality of pieces of abnormal information of the same data flow among the N pieces of abnormal information, aggregating the plurality of pieces of abnormal information, and determining abnormal source device information.
9. An information processing apparatus, characterized by comprising:
a data acquisition unit, configured to acquire N pieces of abnormal information, wherein each piece of abnormal information corresponds to a network link, each piece of abnormal information is determined from traffic detection in the network, and N is an integer greater than 1;
the data acquisition unit being further configured to acquire a plurality of pieces of conversion policy information corresponding to a plurality of communication links; and
a determining unit, configured to process the N pieces of abnormal information based on the plurality of pieces of conversion policy information and to determine abnormal device information.
10. An information processing apparatus, characterized by comprising:
a second data acquisition unit, configured to acquire N pieces of abnormal information, wherein each piece of abnormal information corresponds to a network link, each piece of abnormal information is determined from traffic detection in the network, and N is an integer greater than 1;
the second data acquisition unit being further configured to acquire a plurality of pieces of conversion policy information corresponding to a plurality of communication links; and
an aggregation determining unit, configured to determine, based on the plurality of pieces of conversion policy information, a plurality of pieces of abnormal information of the same data flow among the N pieces of abnormal information, to aggregate the plurality of pieces of abnormal information, and to determine abnormal source device information.
11. An information processing apparatus comprising a memory and a processor, the memory storing a computer program operable on the processor, wherein the processor implements the steps of the method according to any one of claims 1 to 7 or 8 when executing the program.
12. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 7 or 8.
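As an added example that is not the patent's or Sangfor's code, the following Python models claims 3, 5, 6 and 7 on a constructed proxy/NAT chain: it builds conversion policy information from time-ordered conversion logs, groups the alerts that belong to one data flow, checks payload-prefix similarity, and attributes the flow to the earliest hop. The field names, the similarity measure (share of alerts carrying the dominant digest) and the rule that the earliest alert's source address is the abnormal device are assumptions the claims do not specify.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:                # one "piece of abnormal information"
    time: int               # detection timestamp (constructed, seconds)
    ftuple: tuple           # (src_ip, src_port, dst_ip, dst_port, proto)
    payload: bytes          # application-layer bytes of the flagged packet

def build_policy(logs):
    """Claim 3: sort logs by time; the first supplies the intermediate source
    address, every log supplies one translated 5-tuple."""
    ordered = sorted(logs, key=lambda log: log["time"])
    return {"intermediate_src": ordered[0]["intermediate_src"],
            "tuples": [log["ftuple"] for log in ordered]}

def group_same_flow(alerts, policy):
    """Claim 5: first alert = earliest one whose destination equals the
    intermediate source; the M others match a translated 5-tuple exactly."""
    first = min((a for a in alerts if a.ftuple[2] == policy["intermediate_src"]),
                key=lambda a: a.time, default=None)
    if first is None:
        return []
    rest = [a for a in alerts if a.ftuple in policy["tuples"] and a is not first]
    return [first] + rest

def payload_id(alert, length=16):
    """Claim 7: identification info = hash of a fixed-length payload prefix."""
    return hashlib.sha256(alert.payload[:length]).hexdigest()

def similarity(alerts):
    """Assumed similarity measure: share of alerts carrying the dominant digest."""
    ids = Counter(payload_id(a) for a in alerts)
    return ids.most_common(1)[0][1] / len(alerts)

def locate_abnormal_device(alerts, policy, threshold=0.8):
    """Claims 4-6: group, verify similarity, sort by time, then attribute the
    flow to the earliest hop's source address (assumed untranslated origin)."""
    flow = group_same_flow(alerts, policy)
    if len(flow) < 2 or similarity(flow) < threshold:
        return None
    flow.sort(key=lambda a: a.time)
    return flow[0].ftuple[0]

# Constructed sample: 10.0.0.5 -> proxy 192.0.2.1 -> NAT 203.0.113.7 -> 198.51.100.9
PAYLOAD = b"GET /index.html?q=" + b"A" * 40   # same request seen on every hop
LOGS = [   # conversion logs from the two conversion nodes on this communication link
    {"time": 101, "intermediate_src": "192.0.2.1",
     "ftuple": ("192.0.2.1", 40001, "203.0.113.7", 80, "tcp")},
    {"time": 102, "intermediate_src": "203.0.113.7",
     "ftuple": ("203.0.113.7", 50002, "198.51.100.9", 80, "tcp")},
]
ALERTS = [  # N = 4 alerts from traffic detection on different network links
    Alert(102, ("203.0.113.7", 50002, "198.51.100.9", 80, "tcp"), PAYLOAD),
    Alert(100, ("10.0.0.5", 34567, "192.0.2.1", 80, "tcp"), PAYLOAD),
    Alert(101, ("192.0.2.1", 40001, "203.0.113.7", 80, "tcp"), PAYLOAD),
    Alert(150, ("10.0.0.9", 1234, "192.0.2.1", 80, "tcp"), b"unrelated"),  # later noise
]
if __name__ == "__main__":
    print(locate_abnormal_device(ALERTS, build_policy(LOGS)))   # 10.0.0.5
```

The later noise alert also targets the proxy address, which is why the first alert is chosen by time rather than by list position; a real deployment would also bound the time window between hops.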
CN202210571157.4A 2022-05-24 2022-05-24 Information processing method, device and storage medium Pending CN115065592A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210571157.4A CN115065592A (en) 2022-05-24 2022-05-24 Information processing method, device and storage medium


Publications (1)

Publication Number Publication Date
CN115065592A true CN115065592A (en) 2022-09-16

Family

ID=83199040


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230336409A1 (en) * 2020-09-14 2023-10-19 Nippon Telegraph And Telephone Corporation Combination rules creation device, method and program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180351909A1 (en) * 2017-05-30 2018-12-06 Paypal, Inc. Determining source address information for network packets
CN110505248A (en) * 2019-09-29 2019-11-26 国家计算机网络与信息安全管理中心 A kind of localization method and system of Intranet NAT flow
EP3767885A1 (en) * 2019-07-18 2021-01-20 Huawei Technologies Co., Ltd. Method, apparatus, and system for locating root cause of network anomaly, and computer storage medium
CN112887310A (en) * 2021-01-27 2021-06-01 华南理工大学 Method, device and medium for improving network attack risk assessment efficiency



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination