CN115225385A - Flow monitoring method, system, equipment and computer readable storage medium - Google Patents

Info

Publication number: CN115225385A
Authority: CN (China)
Prior art keywords: detection result, flow, abnormal, target, information
Legal status: Granted
Application number: CN202210857791.4A
Other languages: Chinese (zh)
Other versions: CN115225385B (en)
Inventors: 周运金, 庄镇州
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd; application granted; legal status: Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The application discloses a flow monitoring method, a system, equipment and a computer readable storage medium, which are used for acquiring the flow to be detected of network equipment; analyzing access information corresponding to the flow to be detected, and detecting whether the access information is abnormal or not to obtain a first detection result; identifying a communication IP in the flow to be detected, and detecting whether the communication IP is abnormal or not to obtain a second detection result; determining target URL information corresponding to the flow to be detected, and detecting whether the target URL information is abnormal or not to obtain a third detection result; determining a target flow value of the flow to be detected, and detecting whether the target flow value is abnormal or not to obtain a fourth detection result; and if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an abnormal detection result, determining that the network equipment is abnormal. The accuracy of anomaly detection of the network equipment is improved.

Description

Flow monitoring method, system, equipment and computer readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, a system, a device, and a computer-readable storage medium for traffic monitoring.
Background
With the development of communication technology, the types and functions of network devices are becoming more and more abundant, and the attack methods used by attackers against network devices are becoming more and more diverse. This makes security detection of network devices increasingly difficult; in other words, it is difficult to accurately detect whether a network device is secure or not.
In summary, how to accurately detect the security of a network device is a problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a traffic monitoring method which can solve the technical problem of accurately detecting the security of network equipment to a certain extent. The application also provides a flow monitoring system, an electronic device and a computer readable storage medium.
In order to achieve the above purpose, the present application provides the following technical solutions:
a traffic monitoring method, comprising:
acquiring the flow to be detected of the network equipment;
analyzing access information corresponding to the flow to be detected, and detecting whether the access information is abnormal or not to obtain a first detection result;
identifying the communication IP in the flow to be detected, and detecting whether the communication IP is abnormal to obtain a second detection result;
determining target URL information corresponding to the flow to be detected, and detecting whether the target URL information is abnormal or not to obtain a third detection result;
determining a target flow value of the flow to be detected, and detecting whether the target flow value is abnormal or not to obtain a fourth detection result;
and if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an abnormal detection result, determining that the network equipment is abnormal.
Preferably, the access information includes visitor information and access object information;
the detecting whether the access information is abnormal or not to obtain a first detection result includes:
if the visitor information does not belong to a preset access asset group and/or the access object information belongs to a preset limited access object, generating a first detection result representing that the access information is abnormal;
if the visitor information belongs to the access asset group and the access object information does not belong to the limited access object, generating a first detection result representing that the access information is normal;
wherein the access asset group includes information of visitors allowed to access the network device; the restricted access object includes object information that is not allowed to be accessed in the network device.
Preferably, the communication IP includes a target visitor IP and/or a target external IP, where the target visitor IP is an IP that accesses the network device, and the target external IP is an IP that the network device accesses (connects out to);
the detecting whether the communication IP is abnormal or not to obtain a second detection result includes:
acquiring historical visitor IPs and/or historical external IPs of the network device;
if the target visitor IP belongs to the historical visitor IPs and/or the target external IP belongs to the historical external IPs, generating a second detection result representing that the communication IP is normal;
and if the target visitor IP does not belong to the historical visitor IPs and/or the target external IP does not belong to the historical external IPs, generating a second detection result representing that the communication IP is abnormal.
Preferably, the detecting whether the target URL information is abnormal or not to obtain a third detection result includes:
acquiring historical URL information of the network equipment;
and if the target URL information does not belong to the historical URL information, generating a third detection result representing that the target URL information is abnormal.
Preferably, the detecting whether the target URL information is abnormal or not to obtain a third detection result includes:
detecting whether the change frequency of the URL parameter of the target URL information is higher than a preset value, if so, generating a third detection result representing that the target URL information is abnormal;
and/or detecting whether encrypted communication exists in the target URL information, if so, generating a third detection result representing that the target URL information is abnormal;
and/or detecting whether an access page of the target URL information is a preset page, and if not, generating a third detection result representing that the target URL information is abnormal.
Preferably, the detecting whether the target flow value is abnormal or not to obtain a fourth detection result includes:
counting the historical flow values of the network device;
determining a flow detection baseline value based on the historical flow values;
if the target flow value exceeds the flow detection baseline value by more than a preset percentage, generating a fourth detection result representing that the target flow value is abnormal;
and if the target flow value does not exceed the flow detection baseline value by more than the preset percentage, generating a fourth detection result representing that the target flow value is normal.
Preferably, after determining that the network device is abnormal, the method further includes:
and performing abnormal alarm and display on the network equipment.
A flow monitoring system comprising:
the flow acquisition module is used for acquiring the flow to be detected of the network equipment;
the access information analysis module is used for analyzing the access information corresponding to the flow to be detected and detecting whether the access information is abnormal or not to obtain a first detection result;
the communication IP identification module is used for identifying the communication IP in the flow to be detected and detecting whether the communication IP is abnormal or not to obtain a second detection result;
the URL information analysis module is used for determining target URL information corresponding to the to-be-detected flow, detecting whether the target URL information is abnormal or not, and obtaining a third detection result;
the flow magnitude analysis module is used for determining a target flow magnitude of the flow to be detected, and detecting whether the target flow magnitude is abnormal or not to obtain a fourth detection result;
and the anomaly analysis module is used for determining that the network equipment is abnormal if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an anomaly detection result.
An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the flow monitoring method as described above when executing the computer program.
A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the traffic monitoring method according to any one of the above.
The flow monitoring method provided by the application obtains the flow to be detected of the network equipment; analyzing access information corresponding to the flow to be detected, and detecting whether the access information is abnormal or not to obtain a first detection result; identifying a communication IP in the flow to be detected, and detecting whether the communication IP is abnormal or not to obtain a second detection result; determining target URL information corresponding to the flow to be detected, and detecting whether the target URL information is abnormal or not to obtain a third detection result; determining a target flow value of the flow to be detected, and detecting whether the target flow value is abnormal or not to obtain a fourth detection result; and if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an abnormal detection result, determining that the network equipment is abnormal. According to the method and the device, after the flow to be detected of the network equipment is obtained, abnormality detection needs to be carried out on the network equipment from four angles of the access information, the communication IP, the target URL information and the target flow magnitude value corresponding to the flow to be detected, and the abnormality of the network equipment can be determined as long as any one of the access information, the communication IP, the target URL information and the target flow magnitude value is abnormal, so that the accuracy of the abnormality detection on the network equipment is improved. The flow monitoring system, the electronic device and the computer readable storage medium provided by the application also solve the corresponding technical problems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a system framework diagram of a traffic monitoring scheme provided by an embodiment of the present application;
fig. 2 is a flowchart of a traffic monitoring method according to an embodiment of the present disclosure;
fig. 3 is another flowchart of a traffic monitoring method according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a flow monitoring system according to an embodiment of the present disclosure;
fig. 5 is a schematic diagram of a hardware component structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
With the development of communication technology, the types and functions of network devices are more and more abundant, and the attack ways of the attacker on the network devices are more and more diverse, which makes the security detection of the network devices more and more difficult, in other words, it is difficult to accurately detect whether the network devices are secure or not. The flow monitoring scheme provided by the application can accurately detect the safety of the network equipment.
In the flow monitoring scheme of the present application, the adopted system framework may specifically refer to fig. 1, and may specifically include: a backend server 01 and a number of clients 02 establishing a communication connection with the backend server 01.
In the application, the background server 01 is used for executing the steps of the flow monitoring method, including acquiring the flow to be detected of the network device; analyzing access information corresponding to the flow to be detected, and detecting whether the access information is abnormal or not to obtain a first detection result; identifying a communication IP in the flow to be detected, and detecting whether the communication IP is abnormal or not to obtain a second detection result; determining target URL information corresponding to the flow to be detected, and detecting whether the target URL information is abnormal or not to obtain a third detection result; determining a target flow value of the flow to be detected, and detecting whether the target flow value is abnormal or not to obtain a fourth detection result; and if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an abnormal detection result, determining that the network equipment is abnormal.
Further, the background server 01 may further include a traffic database, an information database, a detection result database, and the like. The traffic database is used for storing the acquired traffic to be detected of the network device; the information database is used for storing the access information, communication IP, target URL information and target flow values; and the detection result database is used for storing the first detection result, the second detection result, the third detection result, the fourth detection result and the like. In the present application, the background server 01 may respond to the traffic monitoring requests of one or more user terminals 02, and it can be understood that the traffic monitoring requests initiated by different user terminals 02 may be traffic monitoring requests for the same network device, or requests initiated for different network devices.
Referring to fig. 2, fig. 2 is a flowchart of a traffic monitoring method according to an embodiment of the present disclosure.
The traffic monitoring method provided by the embodiment of the application can comprise the following steps:
step S101: and acquiring the flow to be detected of the network equipment.
In practical application, the traffic to be detected of the network device is obtained first. The type of the network device can be determined according to actual needs; for example, it can be a mobile phone or a computer on the user side, or a target host (靶机) used in a network protection exercise. In addition, the type, content and the like of the traffic to be detected can also be determined according to actual needs, and are not described further here.
Step S102: and analyzing access information corresponding to the flow to be detected, and detecting whether the access information is abnormal or not to obtain a first detection result.
In practical application, a network device sets corresponding access rights for its own security, for example which visitors may access the network device and which contents of the network device may be accessed. If the contents of the access information exceed those access rights, the traffic to be detected may be considered unsafe. For ease of understanding, assume the configuration follows the services or ports opened by the network device, and it is known that the network device only allows access to the services opened by the server, such as a web (World Wide Web) service and an FTP (File Transfer Protocol) service. Access that is not within these limits is illegal access; for example, if the network device does not open the SMB (Server Message Block) service but is accessed on port 445 or 139, the traffic to be detected is unsafe. Therefore the traffic to be detected may be monitored according to its corresponding access information: after the traffic to be detected of the network device is obtained, the corresponding access information is analyzed and whether it is abnormal is detected to obtain the first detection result, that is, the traffic is monitored from the perspective of the access information.
In a specific application scenario, the type of the access information may be determined according to actual needs. For example, the access information may include visitor information and access object information, where the visitor information is information about the object accessing the network device and the access object information is information about the object being accessed in the network device. Correspondingly, in the process of detecting whether the access information is abnormal or not and obtaining a first detection result, it can be judged whether the visitor information belongs to a preset access asset group and whether the access object information belongs to a preset limited access object; if the visitor information does not belong to the access asset group and/or the access object information belongs to the preset limited access object, a first detection result representing that the access information is abnormal is generated; if the visitor information belongs to the access asset group and the access object information does not belong to the preset limited access object, a first detection result representing that the access information is normal is generated. Here the access asset group includes information on visitors allowed to access the network device, and the restricted access object includes information on objects in the network device that are not allowed to be accessed.
Step S103: and identifying the communication IP in the flow to be detected, and detecting whether the communication IP is abnormal or not to obtain a second detection result.
In practical application, after the access information corresponding to the flow to be detected is analyzed and whether the access information is abnormal or not is detected to obtain a first detection result, the flow to be detected can be monitored from the communication IP angle, that is, the communication IP in the flow to be detected can be identified, and whether the communication IP is abnormal or not is detected to obtain a second detection result.
In a specific application scenario, the type of the communication IP may be determined according to actual needs. For example, the communication IP may include a target visitor IP and/or a target external IP, where the target visitor IP is an IP that accesses the network device and the target external IP is an IP that the network device accesses (connects out to). Correspondingly, in the process of detecting whether the communication IP is abnormal and obtaining the second detection result, the historical visitor IPs and/or historical external IPs of the network device may be obtained, for example those of the previous 7 days or the previous month; then it is judged whether the target visitor IP belongs to the historical visitor IPs and/or whether the target external IP belongs to the historical external IPs. For example, the fixed class C (/24) IP segments of the historical visitor IPs that regularly access the network device are taken as the historical visitor baseline, and the fixed class C (/24) IP segments of the historical external IPs that the network device regularly accesses are taken as the historical external baseline; it is then judged whether the IP segment of the target visitor IP belongs to the historical visitor baseline and whether the IP segment of the target external IP belongs to the historical external baseline. If so, the target visitor IP is judged to belong to the historical visitor IPs (respectively, the target external IP to the historical external IPs); otherwise it is judged not to belong. If the target visitor IP belongs to the historical visitor IPs and/or the target external IP belongs to the historical external IPs, a second detection result representing that the communication IP is normal is generated; and if the target visitor IP does not belong to the historical visitor IPs and/or the target external IP does not belong to the historical external IPs, a second detection result representing that the communication IP is abnormal is generated.
Step S104: and determining target URL information corresponding to the flow to be detected, and detecting whether the target URL information is abnormal or not to obtain a third detection result.
In practical application, after the communication IP in the traffic to be detected is identified and detected to determine whether the communication IP is abnormal or not, and the second detection result is obtained, the traffic to be detected may be monitored from the URL (uniform resource locator) information perspective, that is, the target URL information corresponding to the traffic to be detected may be determined, and the third detection result may be obtained by detecting whether the target URL information is abnormal or not.
In a specific application scenario, in the process of detecting whether the target URL information is abnormal and obtaining a third detection result, historical URL information of the network device may be obtained, for example, URL information of the network device within a previous week or a previous month is obtained as the historical URL information; and judging whether the target URL information belongs to historical URL information, if the target URL information does not belong to the historical URL information, namely the target URL information is newly added URL information, determining that the target URL information has risk, and then generating a third detection result representing that the target URL information is abnormal.
In a specific application scenario, in the process of detecting whether the target URL information is abnormal or not and obtaining a third detection result, it can be detected whether the change frequency of the URL parameters of the target URL information is higher than a preset value; if so, the target URL can be considered suspicious of brute-force guessing against the network device, and a third detection result representing that the target URL information is abnormal can be generated. And/or it can be detected whether encrypted communication exists in the target URL information, for example whether encrypted webshells such as Behinder (冰蝎, "ice scorpion") or Godzilla (哥斯拉) are present, and if so a third detection result representing that the target URL information is abnormal is generated. And/or it can be detected whether the access page of the target URL information is a preset page; if not, that is, the access page of the target URL information is a non-existent page, it is determined that the traffic to be detected is scanning the website of the network device, and a third detection result representing that the target URL information is abnormal is generated.
Step S105: and determining a target flow value of the flow to be detected, and detecting whether the target flow value is abnormal or not to obtain a fourth detection result.
In practical application, after determining target URL information corresponding to the flow to be detected and detecting whether the target URL information is abnormal to obtain a third detection result, the flow to be detected may be monitored from the perspective of the flow magnitude value, that is, the target flow magnitude value of the flow to be detected may be determined and whether the target flow magnitude value is abnormal may be detected to obtain a fourth detection result.
In a specific application scenario, in the process of detecting whether the target flow value is abnormal or not and obtaining a fourth detection result, the historical flow value of the network device may be counted, for example, the historical flow value of the network device within a week and a month is counted; determining a flow detection baseline value based on the historical flow values, for example, taking an average value of the historical flow values and the like as a flow detection baseline; judging whether the target flow value exceeds a preset percentage value of a flow detection baseline value, such as judging whether the target flow value exceeds 30% of the flow detection baseline value; if the target flow value exceeds a preset percentage value of the flow detection baseline value, generating a fourth detection result representing that the target flow value is abnormal; and if the target flow magnitude value does not exceed the preset percentage value of the flow detection baseline value, generating a fourth detection result representing that the target flow magnitude value is normal.
Step S106: and if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an abnormal detection result, determining that the network equipment is abnormal.
In practical applications, after the first detection result, the second detection result, the third detection result, and the fourth detection result are obtained, if any one of the first detection result, the second detection result, the third detection result, and the fourth detection result represents an abnormal detection result, it may be determined that the network device is abnormal, and correspondingly, if the first detection result, the second detection result, the third detection result, and the fourth detection result all represent a normal detection result, it may be determined that the network device is normal.
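The following Python script is an added worked example and is not code from the patent or from Sangfor; it implements steps S102 to S106 as one detector per step plus the any-one-abnormal rule of step S106. All configuration (the access asset group, the restricted SMB ports 445/139, the /24 baselines, the historical URLs, the 30 % traffic threshold) and all sample traffic records are constructed, hypothetical values; the "class C segment" of the text is taken to be a /24 prefix, the flow baseline is the mean of the historical values as the text suggests, and the encrypted-webshell check of the third result is left out because it needs signatures the page does not give.

```python
import ipaddress
from collections import defaultdict
from statistics import mean
from urllib.parse import parse_qsl, urlsplit

# Constructed configuration for one monitored network device (hypothetical values).
ACCESS_ASSET_GROUP = [ipaddress.ip_network("10.0.0.0/24")]  # visitors allowed to access the device
RESTRICTED_OBJECTS = {139, 445}                             # SMB ports the device does not open
HISTORICAL_VISITOR_C = {"10.0.0.0/24"}                      # class C (/24) baseline of past visitors
HISTORICAL_EXTERNAL_C = {"203.0.113.0/24"}                  # class C baseline of hosts the device connects to
HISTORICAL_URLS = {"/index.html", "/login", "/api/status"}  # URLs seen in the previous week/month
KNOWN_PAGES = {"/index.html", "/login", "/api/status", "/help"}  # pages the device actually serves
PARAM_CHANGE_LIMIT = 3   # more distinct query-parameter sets per path than this counts as guessing
TRAFFIC_PERCENT = 30     # fourth check: target value may exceed the baseline by at most 30 %


def c_section(ip):
    """Return the /24 ("class C") segment that contains ip, as a string."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def check_access_info(record):
    """First detection result: True when the access information is abnormal."""
    visitor = ipaddress.ip_address(record["visitor_ip"])
    in_asset_group = any(visitor in net for net in ACCESS_ASSET_GROUP)
    restricted_object = record["dst_port"] in RESTRICTED_OBJECTS
    # Abnormal if the visitor is outside the asset group and/or the object is restricted.
    return (not in_asset_group) or restricted_object


def check_communication_ip(record):
    """Second detection result: True when the visitor or external IP is outside its /24 baseline."""
    visitor_known = c_section(record["visitor_ip"]) in HISTORICAL_VISITOR_C
    external = record.get("external_ip")
    external_known = external is None or c_section(external) in HISTORICAL_EXTERNAL_C
    return not (visitor_known and external_known)


def check_url_info(records):
    """Third detection result: list of reasons; an empty list means the URL information is normal."""
    reasons = []
    params_per_path = defaultdict(set)
    for r in records:
        if "url" not in r:
            continue
        parts = urlsplit(r["url"])
        if parts.path not in HISTORICAL_URLS and "new URL" not in reasons:
            reasons.append("new URL")                      # newly added URL
        if parts.path not in KNOWN_PAGES and "non-existent page" not in reasons:
            reasons.append("non-existent page")            # page the device does not serve
        params_per_path[parts.path].add(tuple(sorted(parse_qsl(parts.query))))
    if any(len(seen) > PARAM_CHANGE_LIMIT for seen in params_per_path.values()):
        reasons.append("parameter change frequency")       # parameters change too often
    return reasons


def check_traffic_value(target_value, historical_values):
    """Fourth detection result: True when the target value exceeds the baseline by more than TRAFFIC_PERCENT."""
    baseline = mean(historical_values)
    return target_value > baseline * (1 + TRAFFIC_PERCENT / 100)


def monitor(records, target_value, historical_values):
    """Step S106: the device is abnormal if any one of the four results is abnormal."""
    results = {
        "access_info": any(check_access_info(r) for r in records),
        "communication_ip": any(check_communication_ip(r) for r in records),
        "url_info": check_url_info(records),
        "traffic_value": check_traffic_value(target_value, historical_values),
    }
    results["device_abnormal"] = any(bool(v) for v in results.values())
    return results


# Constructed sample traffic (not real captures).
HISTORICAL_TRAFFIC = [100, 120, 110, 130]   # past traffic values; mean 115, so the limit is 149.5
NORMAL_FLOW = [
    {"visitor_ip": "10.0.0.5", "dst_port": 80, "external_ip": "203.0.113.7", "url": "/index.html"},
    {"visitor_ip": "10.0.0.6", "dst_port": 80, "external_ip": "203.0.113.9", "url": "/login?user=a"},
]
SUSPICIOUS_FLOW = [
    {"visitor_ip": "192.168.7.20", "dst_port": 445, "url": "/wp-admin"},  # outside group, SMB port, unknown page
    {"visitor_ip": "10.0.0.8", "dst_port": 80, "url": "/api/status?id=1"},
    {"visitor_ip": "10.0.0.8", "dst_port": 80, "url": "/api/status?id=2"},
    {"visitor_ip": "10.0.0.8", "dst_port": 80, "url": "/api/status?id=3"},
    {"visitor_ip": "10.0.0.8", "dst_port": 80, "url": "/api/status?id=4"},
]

if __name__ == "__main__":
    print(monitor(NORMAL_FLOW, 140, HISTORICAL_TRAFFIC))      # device_abnormal: False
    print(monitor(SUSPICIOUS_FLOW, 140, HISTORICAL_TRAFFIC))  # device_abnormal: True
```

Each detector returns its own result so that an alarm can say which of the four angles fired; `monitor` applies the OR rule of step S106 on top. Because the rule is "any one abnormal", the false-positive rate of the whole scheme is bounded below by the noisiest single detector, so in practice the baselines (asset group, /24 segments, historical URLs, traffic mean) need to be rebuilt regularly, as the text's "previous 7 days or previous month" windows imply.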
It should be noted that after determining that the network device is abnormal based on the first detection result, the second detection result, the third detection result, and the fourth detection result, other operations may be performed on the network device, for example, performing further security detection on the network device, and the like.
The flow monitoring method provided by the application obtains the flow to be detected of the network equipment; analyzing access information corresponding to the flow to be detected, and detecting whether the access information is abnormal or not to obtain a first detection result; identifying a communication IP in the flow to be detected, and detecting whether the communication IP is abnormal or not to obtain a second detection result; determining target URL information corresponding to the flow to be detected, and detecting whether the target URL information is abnormal or not to obtain a third detection result; determining a target flow value of the flow to be detected, and detecting whether the target flow value is abnormal or not to obtain a fourth detection result; and if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an abnormal detection result, determining that the network equipment is abnormal. According to the method and the device, after the flow to be detected of the network equipment is obtained, abnormality detection needs to be carried out on the network equipment from four angles of the access information, the communication IP, the target URL information and the target flow magnitude value corresponding to the flow to be detected, and the abnormality of the network equipment can be determined as long as any one of the access information, the communication IP, the target URL information and the target flow magnitude value is abnormal, so that the accuracy of the abnormality detection on the network equipment is improved.
Referring to fig. 3, fig. 3 is another flowchart of a traffic monitoring method according to an embodiment of the present disclosure.
The traffic monitoring method provided by the embodiment of the application can comprise the following steps:
Step S201: acquiring the flow to be detected of the network equipment.
Step S202: analyzing access information corresponding to the flow to be detected, and detecting whether the access information is abnormal or not to obtain a first detection result.
Step S203: identifying the communication IP in the flow to be detected, and detecting whether the communication IP is abnormal or not to obtain a second detection result.
Step S204: determining target URL information corresponding to the flow to be detected, and detecting whether the target URL information is abnormal or not to obtain a third detection result.
Step S205: determining a target flow value of the flow to be detected, and detecting whether the target flow value is abnormal or not to obtain a fourth detection result.
Step S206: if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an abnormal detection result, determining that the network equipment is abnormal.
Step S207: performing an abnormality alarm and display for the network equipment.
In practical application, after the network device is determined to be abnormal, an abnormality alarm may be raised for the network device and displayed so that a user or other party learns of the abnormality in time; for example, the alarm may be rendered through a preset colour map and shown on a large screen. The application is not specifically limited in this respect.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a flow monitoring system according to an embodiment of the present disclosure.
The traffic monitoring system provided by the embodiment of the application can include:
a traffic obtaining module 101, configured to obtain the to-be-detected traffic of a network device;
an access information analysis module 102, configured to analyze access information corresponding to the traffic to be detected, and detect whether the access information is abnormal, so as to obtain a first detection result;
a communication IP identification module 103, configured to identify a communication IP in the traffic to be detected, and detect whether the communication IP is abnormal, so as to obtain a second detection result;
a URL information analysis module 104, configured to determine target URL information corresponding to the traffic to be detected, and detect whether the target URL information is abnormal, so as to obtain a third detection result;
a flow magnitude analysis module 105, configured to determine a target flow magnitude of the traffic to be detected, and detect whether the target flow magnitude is abnormal, so as to obtain a fourth detection result;
and an anomaly analysis module 106, configured to determine that the network device is abnormal if any one of the first detection result, the second detection result, the third detection result, and the fourth detection result represents an anomaly detection result.
In the traffic monitoring system provided by the embodiment of the application, the access information may include visitor information and access object information;
the access information analysis module may include:
the first judgment unit is used for judging whether the visitor information belongs to a preset access asset group or not and judging whether the access object information belongs to a preset limited access object or not; if the visitor information does not belong to the access asset group and/or the access object information belongs to a preset limited access object, generating a first detection result representing that the access information is abnormal; if the visitor information belongs to the access asset group and the access object information does not belong to a preset limited access object, generating a first detection result representing that the access information is normal; wherein the access asset group includes information of visitors allowed to access the network device; the restricted access object includes object information that is not allowed to be accessed in the network device.
In the traffic monitoring system provided by the embodiment of the application, the communication IP may include a target visitor IP and/or a target external IP, the target visitor IP includes an IP for accessing a network device, and the target external IP includes an IP for accessing the network device;
the communication IP identification module may include:
a first acquisition unit, configured to acquire the historical visitor IP and/or historical external IP of the network device;
a second judging unit, configured to judge whether the target visitor IP belongs to the historical visitor IP and/or whether the target external IP belongs to the historical external IP; if the target visitor IP belongs to the historical visitor IP and/or the target external IP belongs to the historical external IP, generating a second detection result representing that the communication IP is normal; and if the target visitor IP does not belong to the historical visitor IP and/or the target external IP does not belong to the historical external IP, generating a second detection result representing that the communication IP is abnormal.
In an embodiment of the present application, a URL information analysis module of a traffic monitoring system may include:
a second acquisition unit configured to acquire history URL information of the network device;
and the third judging unit is used for generating a third detection result representing that the target URL information is abnormal if the target URL information does not belong to the historical URL information.
In an embodiment of the present application, a URL information analysis module of a traffic monitoring system may include:
the first detection unit is used for detecting whether the change frequency of the URL parameter of the target URL information is higher than a preset value or not, and if so, generating a third detection result representing that the target URL information is abnormal;
and/or the second detection unit is used for detecting whether encrypted communication exists in the target URL information, and if yes, a third detection result representing that the target URL information is abnormal is generated;
and/or the third detection unit is used for detecting whether the access page of the target URL information is a preset page, and if not, generating a third detection result representing that the target URL information is abnormal.
In an embodiment of the traffic monitoring system of the present application, the flow magnitude analysis module may include:
the first statistical unit is used for counting the historical flow magnitude value of the network equipment;
a first determination unit configured to determine a flow detection baseline value based on the historical flow magnitude value;
the fourth judging unit is used for judging whether the target flow magnitude value exceeds a preset percentage value of the flow detection baseline value or not; if the target flow value exceeds a preset percentage value of the flow detection baseline value, generating a fourth detection result representing that the target flow value is abnormal; and if the target flow value does not exceed the preset percentage value of the flow detection baseline value, generating a fourth detection result representing that the target flow value is normal.
The traffic monitoring system provided in the embodiment of the present application may further include:
an alarm module, configured to perform an abnormality alarm and display for the network device after the anomaly analysis module determines that the network device is abnormal.
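As an added example (not the patent's or the applicant's own code), the following Python sketch implements steps S201 to S207 and modules 101 to 106 described above: the four detectors and their OR-combination, with the "and/or" IP rule read as "either unseen IP is abnormal", the URL parameter change frequency measured as distinct query strings per path within a recent window, and encrypted communication supplied as a flag by an assumed upstream parser. All field names, thresholds, addresses and sample records are constructed.

```python
# Added example (not the patent's own code): the four-angle traffic check of
# steps S201-S207 / modules 101-106. Field names, thresholds and records are
# constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Flow:
    """One traffic record of the monitored network device (constructed schema)."""
    visitor_ip: str           # who accesses the device
    external_ip: str | None   # outbound peer of the device, if any
    access_object: str        # object inside the device being accessed
    url: str                  # target URL information
    volume: int               # target traffic value (e.g. bytes in the window)
    encrypted: bool = False   # assumption: upstream parser flags encrypted content

@dataclass
class Baseline:
    """Preset lists and learnt history that the detectors compare against."""
    access_asset_group: frozenset[str]   # visitors allowed to access the device
    restricted_objects: frozenset[str]   # objects not allowed to be accessed
    historical_visitor_ips: frozenset[str]
    historical_external_ips: frozenset[str]
    historical_urls: frozenset[str]
    preset_pages: frozenset[str]         # expected access pages (URL paths)
    historical_volumes: tuple[int, ...]
    param_change_limit: int = 5          # preset value for URL parameter churn
    volume_percent: float = 50.0         # preset percentage over the baseline

def access_abnormal(flow: Flow, b: Baseline) -> bool:
    """First detection result (S202): visitor outside the asset group and/or
    access object on the restricted list."""
    return (flow.visitor_ip not in b.access_asset_group
            or flow.access_object in b.restricted_objects)

def ip_abnormal(flow: Flow, b: Baseline) -> bool:
    """Second detection result (S203). The 'and/or' wording is read as: a
    visitor IP or an external IP never seen in history is abnormal."""
    if flow.visitor_ip not in b.historical_visitor_ips:
        return True
    return (flow.external_ip is not None
            and flow.external_ip not in b.historical_external_ips)

def url_abnormal(flow: Flow, b: Baseline, recent: list[Flow]) -> bool:
    """Third detection result (S204): URL not in history, parameter churn above
    the preset value, encrypted communication, or a non-preset access page."""
    if flow.url not in b.historical_urls:
        return True
    parts = urlsplit(flow.url)
    # 'Change frequency' measured as distinct query strings seen for the same
    # path in the recent window (constructed measure).
    queries = {urlsplit(f.url).query for f in recent
               if urlsplit(f.url).path == parts.path}
    if len(queries | {parts.query}) > b.param_change_limit:
        return True
    if flow.encrypted:
        return True
    return parts.path not in b.preset_pages

def volume_abnormal(flow: Flow, b: Baseline) -> bool:
    """Fourth detection result (S205): target value exceeds the baseline (mean
    of history) by more than the preset percentage."""
    baseline = mean(b.historical_volumes)
    return flow.volume > baseline * (1 + b.volume_percent / 100)

def monitor(flow: Flow, b: Baseline, recent: list[Flow]) -> dict[str, bool]:
    """S206: the device is abnormal if any one of the four results is abnormal."""
    results = {
        "access": access_abnormal(flow, b),
        "ip": ip_abnormal(flow, b),
        "url": url_abnormal(flow, b, recent),
        "volume": volume_abnormal(flow, b),
    }
    results["device_abnormal"] = any(results.values())
    return results

def alarm(results: dict[str, bool]) -> str:
    """S207: alarm text for a colour-coded display (constructed mapping)."""
    hits = [k for k, v in results.items() if v and k != "device_abnormal"]
    return "red: " + ",".join(hits) if hits else "green: normal"

# Constructed baseline (learnt during normal operation) and sample records.
BASELINE = Baseline(
    access_asset_group=frozenset({"10.0.0.5", "10.0.0.6"}),
    restricted_objects=frozenset({"/admin/config"}),
    historical_visitor_ips=frozenset({"10.0.0.5", "10.0.0.6"}),
    historical_external_ips=frozenset({"203.0.113.10"}),
    historical_urls=frozenset({"http://device.example/status?id=1"}),
    preset_pages=frozenset({"/status"}),
    historical_volumes=(1000, 1200, 1100),
)
NORMAL = Flow("10.0.0.5", "203.0.113.10", "/status", "http://device.example/status?id=1", 1150)
SPIKE = Flow("10.0.0.5", "203.0.113.10", "/status", "http://device.example/status?id=1", 2000)

if __name__ == "__main__":
    for f in (NORMAL, SPIKE):
        print(alarm(monitor(f, BASELINE, [NORMAL])))  # green: normal / red: volume
```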
Based on the hardware implementation of the program modules, and in order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides an electronic device. Fig. 5 is a schematic diagram of the hardware structure of the electronic device according to the embodiment of the present invention; as shown in fig. 5, the electronic device includes:
a communication interface 1, capable of information interaction with other devices such as network devices;
a processor 2, connected with the communication interface 1 to realize information interaction with other devices, and configured to execute the flow monitoring method provided by one or more of the above technical solutions when running a computer program, the computer program being stored in the memory 3.
In practice, the various components in the electronic device are coupled together by a bus system 4. It will be appreciated that the bus system 4 enables connection and communication between these components. In addition to a data bus, the bus system 4 comprises a power bus, a control bus and a status signal bus; for the sake of clarity, however, the various buses are all labeled as bus system 4 in fig. 5.
The memory 3 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed by the above embodiment of the present invention can be applied to the processor 2, or implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by instructions in the form of hardware integrated logic circuits or software in the processor 2. The processor 2 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and performs the steps of the foregoing method in combination with its hardware.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present invention are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present invention further provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a memory 3 storing a computer program, which is executable by a processor 2 to perform the steps of the aforementioned method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The above-described device embodiments are only illustrative, for example, the division of the unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention or portions thereof contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling an electronic device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
For descriptions of relevant parts in the traffic monitoring system, the electronic device, and the computer-readable storage medium provided in the embodiments of the present application, reference is made to detailed descriptions of corresponding parts in the traffic monitoring method provided in the embodiments of the present application, and details are not repeated here. In addition, parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of corresponding technical solutions in the prior art, are not described in detail so as to avoid redundant description.
It is further noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method of traffic monitoring, comprising:
acquiring the flow to be detected of the network equipment;
analyzing access information corresponding to the flow to be detected, and detecting whether the access information is abnormal or not to obtain a first detection result;
identifying a communication IP in the flow to be detected, and detecting whether the communication IP is abnormal or not to obtain a second detection result;
determining target URL information corresponding to the flow to be detected, and detecting whether the target URL information is abnormal or not to obtain a third detection result;
determining a target flow value of the flow to be detected, and detecting whether the target flow value is abnormal or not to obtain a fourth detection result;
and if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an abnormal detection result, determining that the network equipment is abnormal.
2. The method of claim 1, wherein the access information includes visitor information and access object information;
the detecting whether the access information is abnormal or not to obtain a first detection result includes:
if the visitor information does not belong to a preset access asset group and/or the access object information belongs to a preset limited access object, generating a first detection result representing that the access information is abnormal;
if the visitor information belongs to the access asset group and the access object information does not belong to the limited access object, generating a first detection result representing that the access information is normal;
wherein the access asset group comprises information of visitors allowed to access the network device; the restricted access object includes object information that is not allowed to be accessed in the network device.
3. The method of claim 1, wherein the communication IP comprises a target visitor IP and/or a target extranet IP, wherein the target visitor IP comprises an IP for accessing the network device, and wherein the target extranet IP comprises an IP for accessing the network device;
the detecting whether the communication IP is abnormal or not to obtain a second detection result includes:
acquiring a historical visitor IP and/or a historical external IP of the network equipment;
if the target visitor IP belongs to the historical visitor IP and/or the target external connection IP belongs to the historical external connection IP, generating a second detection result representing that the communication IP is normal;
and if the target visitor IP does not belong to the historical visitor IP and/or the target external connection IP does not belong to the historical external connection IP, generating a second detection result representing that the communication IP is abnormal.
4. The method according to claim 1, wherein the detecting whether the target URL information is abnormal or not to obtain a third detection result comprises:
acquiring historical URL information of the network equipment;
and if the target URL information does not belong to the historical URL information, generating a third detection result representing that the target URL information is abnormal.
5. The method according to claim 1, wherein the detecting whether the target URL information is abnormal or not to obtain a third detection result comprises:
detecting whether the change frequency of the URL parameter of the target URL information is higher than a preset value, if so, generating a third detection result representing that the target URL information is abnormal;
and/or detecting whether encrypted communication exists in the target URL information, if so, generating a third detection result representing that the target URL information is abnormal;
and/or detecting whether an access page of the target URL information is a preset page, and if not, generating a third detection result representing that the target URL information is abnormal.
6. The method according to claim 1, wherein the detecting whether the target flow value is abnormal or not to obtain a fourth detection result comprises:
counting the historical flow magnitude value of the network equipment;
determining a flow detection baseline value based on the historical flow magnitude value;
if the target flow value exceeds a preset percentage value of the flow detection baseline value, generating a fourth detection result representing that the target flow value is abnormal;
and if the target flow value does not exceed the preset percentage value of the flow detection baseline value, generating a fourth detection result representing that the target flow value is normal.
7. The method according to any one of claims 1 to 6, wherein after determining that the network device is abnormal, further comprising:
and performing abnormal alarm and display on the network equipment.
8. A flow monitoring system, comprising:
the flow acquisition module is used for acquiring the flow to be detected of the network equipment;
the access information analysis module is used for analyzing the access information corresponding to the flow to be detected and detecting whether the access information is abnormal or not to obtain a first detection result;
the communication IP identification module is used for identifying the communication IP in the flow to be detected and detecting whether the communication IP is abnormal or not to obtain a second detection result;
the URL information analysis module is used for determining target URL information corresponding to the to-be-detected flow, detecting whether the target URL information is abnormal or not, and obtaining a third detection result;
the flow magnitude analysis module is used for determining a target flow magnitude of the flow to be detected, and detecting whether the target flow magnitude is abnormal or not to obtain a fourth detection result;
and the anomaly analysis module is used for determining that the network equipment is abnormal if any one of the first detection result, the second detection result, the third detection result and the fourth detection result represents an anomaly detection result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the flow monitoring method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the flow monitoring method according to any one of claims 1 to 7.
Application CN202210857791.4A, filed 2022-07-20 (priority date 2022-07-20): Flow monitoring method, system, equipment and computer readable storage medium. Granted as CN115225385B; legal status: active. Family ID: 83613981.

Publications
CN115225385A, published 2022-10-21
CN115225385B, published 2024-02-23

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117061254A (en) * 2023-10-12 2023-11-14 之江实验室 Abnormal flow detection method, device and computer equipment

Citations (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011150507A (en) * 2010-01-21 2011-08-04 Panasonic Corp Wireless terminal, and method of restoring access history
US20120060218A1 (en) * 2010-09-02 2012-03-08 Kim Jeong-Wook System and method for blocking sip-based abnormal traffic
CN103166794A (en) * 2013-02-22 2013-06-19 中国人民解放军91655部队 Information security management method with integration security control function
CN104484474A (en) * 2014-12-31 2015-04-01 南京盾垒网络科技有限公司 Database security auditing method
US20160080401A1 (en) * 2014-09-12 2016-03-17 Sangfor Technologies Company Limited Method and system for detecting unauthorized access attack
US20160337397A1 (en) * 2015-05-15 2016-11-17 Alibaba Group Holding Limited Method and device for defending against network attacks
US20180241638A1 (en) * 2015-08-24 2018-08-23 Shanghai Netis Technologies Co., Ltd. Method and system for discovering and presenting access information of network applications
CN108777679A (en) * 2018-05-22 2018-11-09 深信服科技股份有限公司 Flow access relation generation method, device and the readable storage medium storing program for executing of terminal
CN109039792A (en) * 2018-10-30 2018-12-18 深信服科技股份有限公司 Management method, device, equipment and the storage medium of network management device
US20190034548A1 (en) * 2017-07-26 2019-01-31 International Business Machines Corporation Selecting a browser to launch a uniform resource locator (url)
US20190042747A1 (en) * 2018-06-29 2019-02-07 Intel Corporation Controlled introduction of uncertainty in system operating parameters
CN109561092A (en) * 2018-12-03 2019-04-02 北京安华金和科技有限公司 The method for carrying out security postures modeling based on data traffic and data detection result
CN110222525A (en) * 2019-05-14 2019-09-10 新华三大数据技术有限公司 Database manipulation auditing method, device, electronic equipment and storage medium
CN111159706A (en) * 2019-12-26 2020-05-15 深信服科技股份有限公司 Database security detection method, device, equipment and storage medium
CN111262849A (en) * 2020-01-13 2020-06-09 东南大学 Method for identifying and blocking network abnormal flow behaviors based on flow table information
CN111371623A (en) * 2020-03-13 2020-07-03 杨磊 Service performance and safety monitoring method and device, storage medium and electronic equipment
CN111738770A (en) * 2020-06-28 2020-10-02 北京达佳互联信息技术有限公司 Advertisement abnormal flow detection method and device
CN111935172A (en) * 2020-08-25 2020-11-13 珠海市一知安全科技有限公司 Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium
CN112565287A (en) * 2020-12-18 2021-03-26 深信服科技股份有限公司 Asset exposure surface determining method and device, firewall and storage medium
CN112989157A (en) * 2019-12-13 2021-06-18 网宿科技股份有限公司 Method and device for detecting crawler request
CN113014601A (en) * 2021-03-26 2021-06-22 深信服科技股份有限公司 Communication detection method, device, equipment and medium
CN113489744A (en) * 2021-07-27 2021-10-08 哈尔滨工业大学 Internet of things attack pattern recognition method based on hoxon multivariate process modeling
CN113518077A (en) * 2021-05-26 2021-10-19 杭州安恒信息技术股份有限公司 Malicious web crawler detection method, device, equipment and storage medium
CN114124658A (en) * 2021-11-23 2022-03-01 北京天融信网络安全技术有限公司 Industrial control network anomaly detection method and device, electronic equipment and storage medium
CN114650187A (en) * 2022-04-29 2022-06-21 深信服科技股份有限公司 Abnormal access detection method and device, electronic equipment and storage medium

Patent Citations (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011150507A (en) * 2010-01-21 2011-08-04 Panasonic Corp Wireless terminal, and method of restoring access history
US20120060218A1 (en) * 2010-09-02 2012-03-08 Kim Jeong-Wook System and method for blocking sip-based abnormal traffic
CN103166794A (en) * 2013-02-22 2013-06-19 中国人民解放军91655部队 Information security management method with integration security control function
US20160080401A1 (en) * 2014-09-12 2016-03-17 Sangfor Technologies Company Limited Method and system for detecting unauthorized access attack
CN104484474A (en) * 2014-12-31 2015-04-01 南京盾垒网络科技有限公司 Database security auditing method
US20160337397A1 (en) * 2015-05-15 2016-11-17 Alibaba Group Holding Limited Method and device for defending against network attacks
US20180241638A1 (en) * 2015-08-24 2018-08-23 Shanghai Netis Technologies Co., Ltd. Method and system for discovering and presenting access information of network applications
US20190034548A1 (en) * 2017-07-26 2019-01-31 International Business Machines Corporation Selecting a browser to launch a uniform resource locator (url)
CN108777679A (en) * 2018-05-22 2018-11-09 深信服科技股份有限公司 Flow access relation generation method, device and the readable storage medium storing program for executing of terminal
US20190042747A1 (en) * 2018-06-29 2019-02-07 Intel Corporation Controlled introduction of uncertainty in system operating parameters
CN109039792A (en) * 2018-10-30 2018-12-18 深信服科技股份有限公司 Management method, device, equipment and the storage medium of network management device
CN109561092A (en) * 2018-12-03 2019-04-02 北京安华金和科技有限公司 The method for carrying out security postures modeling based on data traffic and data detection result
CN110222525A (en) * 2019-05-14 2019-09-10 新华三大数据技术有限公司 Database manipulation auditing method, device, electronic equipment and storage medium
CN112989157A (en) * 2019-12-13 2021-06-18 网宿科技股份有限公司 Method and device for detecting crawler request
CN111159706A (en) * 2019-12-26 2020-05-15 深信服科技股份有限公司 Database security detection method, device, equipment and storage medium
CN111262849A (en) * 2020-01-13 2020-06-09 东南大学 Method for identifying and blocking network abnormal flow behaviors based on flow table information
CN111371623A (en) * 2020-03-13 2020-07-03 杨磊 Service performance and safety monitoring method and device, storage medium and electronic equipment
CN111738770A (en) * 2020-06-28 2020-10-02 北京达佳互联信息技术有限公司 Advertisement abnormal flow detection method and device
CN111935172A (en) * 2020-08-25 2020-11-13 珠海市一知安全科技有限公司 Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium
CN112565287A (en) * 2020-12-18 2021-03-26 深信服科技股份有限公司 Asset exposure surface determining method and device, firewall and storage medium
CN113014601A (en) * 2021-03-26 2021-06-22 深信服科技股份有限公司 Communication detection method, device, equipment and medium
CN113518077A (en) * 2021-05-26 2021-10-19 杭州安恒信息技术股份有限公司 Malicious web crawler detection method, device, equipment and storage medium
CN113489744A (en) * 2021-07-27 2021-10-08 哈尔滨工业大学 Internet of things attack pattern recognition method based on Hawkes multivariate process modeling
CN114124658A (en) * 2021-11-23 2022-03-01 北京天融信网络安全技术有限公司 Industrial control network anomaly detection method and device, electronic equipment and storage medium
CN114650187A (en) * 2022-04-29 2022-06-21 深信服科技股份有限公司 Abnormal access detection method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈臣: "Research on big-data-driven dynamic network performance evaluation and service quality assurance for libraries", Library Theory and Practice (图书馆理论与实践), no. 08, pages 89-93 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117061254A (en) * 2023-10-12 2023-11-14 之江实验室 Abnormal flow detection method, device and computer equipment
CN117061254B (en) * 2023-10-12 2024-01-23 之江实验室 Abnormal flow detection method, device and computer equipment

Also Published As

Publication number Publication date
CN115225385B (en) 2024-02-23

Similar Documents

Publication Publication Date Title
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN109922160B (en) Terminal secure access method, device and system based on power Internet of things
US20100169973A1 (en) System and Method For Detecting Unknown Malicious Code By Analyzing Kernel Based System Actions
CN111178760B (en) Risk monitoring method, risk monitoring device, terminal equipment and computer readable storage medium
US20180075240A1 (en) Method and device for detecting a suspicious process by analyzing data flow characteristics of a computing device
CN112073389B (en) Cloud host security situation awareness system, method, device and storage medium
CN112769775B (en) Threat information association analysis method, system, equipment and computer medium
CN114584405B (en) Electric power terminal safety protection method and system
CN113992356A (en) Method and device for detecting IP attack and electronic equipment
CN112818307A (en) User operation processing method, system, device and computer readable storage medium
CN111835737A (en) WEB attack protection method based on automatic learning and related equipment thereof
CN114650187B (en) Abnormal access detection method and device, electronic equipment and storage medium
CN115225385B (en) Flow monitoring method, system, equipment and computer readable storage medium
CN112668005A (en) Webshell file detection method and device
CN111404937A (en) Method and device for detecting server vulnerability
CN114363062A (en) Domain name detection method, system, equipment and computer readable storage medium
CN113472798B (en) Method, device, equipment and medium for backtracking and analyzing network data packet
CN112650180B (en) Safety warning method, device, terminal equipment and storage medium
CN110363002A (en) Intrusion detection method, device, equipment and readable storage medium
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
CN115051867B (en) Illegal external connection behavior detection method and device, electronic equipment and medium
CN115567258B (en) Network security situation awareness method, system, electronic equipment and storage medium
CN113923039A (en) Attack equipment identification method and device, electronic equipment and readable storage medium
CN111314308A (en) System security check method and device based on port analysis
CN114785691B (en) Network security control method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant