CN115913688A - Network data security monitoring method, device, equipment and storage medium - Google Patents

Publication number: CN115913688A
Application number: CN202211397056.6A
Authority: CN (China)
Legal status: Pending
Inventors: 赵宏秋, 陈晓君, 魏万勇
Assignee (original and current): Ping An Property and Casualty Insurance Company of China Ltd
Other languages: Chinese (zh)
Prior art keywords: data, real time, equipment, characterization
Landscape: Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application relates to the fields of artificial intelligence and network security and provides a network data security monitoring method, system, computer device and storage medium. The method comprises: obtaining a device identification rule, and using it to perform data identification on the communication source data of a plurality of authorized devices to obtain a security characterization threshold corresponding to the authorized devices; monitoring the real-time interactive traffic generated by each authorized device in the communication network built from the authorized devices to obtain real-time characterization parameters; determining whether the real-time characterization parameters exceed the security characterization threshold; and, when they do, outputting an untrusted device signal. The scheme improves the accuracy of detecting unauthorized devices accessing the enterprise network, keeps monitoring convenient while remaining effective, and reduces operating cost.

Description

Network data security monitoring method, device, equipment and storage medium
Technical Field
The present application relates to the field of artificial intelligence and network security, and in particular, to a method and an apparatus for network data security monitoring, a computer device, and a storage medium.
Background
Enterprise network security receives growing attention. At present it mostly consists of deploying a firewall and setting reasonable ACL policies according to the services, so as to manage and control the intrusion of external attack traffic into the intranet. Besides external attack traffic, inside-out threats are becoming more common, so security policies, in particular those governing the access of unauthorized devices, are also being enforced on enterprise intranets. Unauthorized device access is difficult to discover in time on the one hand and carries serious hidden risks on the other. The traditional method binds MAC and IP addresses at the network access layer and then admits a device after user authorization verification. However, this method has difficulty detecting an authorized device being used as a springboard through which other devices gain illegal access. Therefore, to overcome the shortcomings of the conventional technology, a highly reliable and stable method for effectively monitoring unauthorized access devices without affecting normal office work is needed to ensure the security of enterprise networks.
Disclosure of Invention
An embodiment of the present application aims to provide a network data security monitoring method that solves the prior-art problem of monitoring whether unauthorized devices exist in a company's internal network.
In order to solve the foregoing technical problem, an embodiment of the present application provides a method for monitoring network data security, which adopts the following technical solutions:
obtaining a device identification rule, and performing data identification on the communication source data of a plurality of authorized devices using the device identification rule to obtain a security characterization threshold corresponding to the authorized devices;
monitoring the real-time interactive traffic generated by each authorized device in the communication network built from the authorized devices to obtain real-time characterization parameters;
determining whether the real-time characterization parameters exceed the security characterization threshold;
when they do, outputting an untrusted device signal.
Further, the method further comprises:
obtaining the equipment identification rule, wherein the equipment identification rule comprises: address identification rules, system fingerprint identification rules and interactive terminal identification rules;
identifying the communication source data by using the address identification rule to obtain an address value;
identifying the communication source data by using the system fingerprint identification rule to obtain a system fingerprint value;
and identifying the communication source data by using the interactive terminal identification rule to obtain a terminal configuration value.
Further, the method further comprises:
extracting the safe address value interval of the address values corresponding to the authorized devices to obtain a first characterization threshold;
extracting the safe system value interval of the system fingerprint values corresponding to the authorized devices to obtain a second characterization threshold;
extracting the safe terminal value interval of the terminal configuration values corresponding to the authorized devices to obtain a third characterization threshold;
summarizing all first, second and third characterization thresholds to form the security characterization threshold corresponding to each authorized device.
Further, the method also comprises the following steps:
monitoring whether the authorized device generates real-time interactive traffic;
when it does, sending real-time request data to the authorized device to obtain a response data packet from it;
and performing data extraction on the response data packet to obtain the real-time traffic parameters of the authorized device.
Further, the method further comprises:
identifying the real-time traffic parameters with the address identification rule to obtain real-time address data;
identifying the real-time traffic parameters with the system fingerprint identification rule to obtain real-time system fingerprint data;
identifying the real-time traffic parameters with the interactive terminal identification rule to obtain real-time terminal configuration data;
and summarizing the real-time address data, the real-time system fingerprint data and the real-time terminal configuration data to form the real-time characterization parameters.
Further, the method further comprises:
collecting network security open-source data, which comprises open-source event data and open-source situation data;
performing data characteristic analysis on the open-source situation data using the open-source event data to obtain event characteristic parameters corresponding to the open-source situation data;
and classifying the event characteristic parameters with a pre-constructed classification model to form the event classifications corresponding to the event characteristic parameters.
Further, the method further comprises:
extracting the real-time characterization parameters corresponding to the untrusted device signal;
calculating, with the preset classification model, the probability that the real-time characterization parameters constitute a threat event in the event classification, to form a threat probability;
and generating a device threat report combining the real-time characterization parameters and the threat event when the threat probability exceeds a preset threshold.
In order to solve the above technical problem, an embodiment of the present application further provides a network data security monitoring apparatus, which adopts the following technical solutions:
a network data security monitoring apparatus, the network data security monitoring apparatus comprising:
an acquisition module for obtaining the device identification rule;
a characteristic identification module for performing data identification on the communication source data of a plurality of authorized devices using the device identification rule, to obtain the security characterization threshold corresponding to the authorized devices;
a monitoring module for monitoring the real-time interactive traffic generated by each authorized device in the communication network built from the authorized devices, to obtain real-time characterization parameters;
and a judging module for judging whether the real-time characterization parameters exceed the security characterization threshold and outputting an untrusted device prompt when they do.
In order to solve the above technical problem, an embodiment of the present application further provides a computer device, which adopts the following technical solutions:
a computer device comprising a memory and a processor, wherein the memory stores computer readable instructions, and the processor executes the computer readable instructions to implement the steps of the network data security monitoring method.
In order to solve the foregoing technical problem, an embodiment of the present application further provides a computer-readable storage medium, which adopts the following technical solutions:
A computer readable storage medium, wherein the computer readable storage medium stores computer readable instructions, and when executed by a processor, the computer readable instructions implement the steps of the network data security monitoring method as described above.
Compared with the prior art, the embodiment of the application mainly has the following beneficial effects: the method mainly utilizes artificial intelligence to summarize and classify the enterprise security events, extracts the corresponding equipment identification rule, and utilizes the equipment identification rule to perform security characterization detection on the authorized equipment, so as to obtain the security characterization threshold interval of the authorized equipment, and utilizes the threshold interval to monitor the communication network constructed by the authorized equipment.
Drawings
In order to more clearly illustrate the solution of the present application, the drawings needed for describing the embodiments of the present application will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow diagram of one embodiment of the network data security monitoring method according to the present application;
FIG. 3 is a flowchart of one embodiment of step S200 in the present application;
FIG. 4 is a block diagram of one embodiment of the network data security monitoring apparatus according to the present application;
FIG. 5 is a block diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the foregoing drawings are used for distinguishing between different objects and not for describing a particular sequential order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. Network 104 is the medium used to provide communication links between terminal devices 101, 102, 103 and server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. Various communication client applications, such as a web browser application, a shopping application, a search application, an instant messaging tool, a mailbox client, social networking platform software, and the like, may be installed on the terminal devices 101, 102, and 103.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to a smart phone, a tablet computer, an e-book reader, an MP3 player (Moving Picture Experts Group Audio Layer III), an MP4 player (Moving Picture Experts Group Audio Layer IV), a laptop computer, a desktop computer, and the like.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
It should be noted that the network data security monitoring method provided in the embodiments of the present application is generally executed by a server or a terminal device; accordingly, the network data security monitoring apparatus is generally arranged in the server or the terminal device.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continuing reference to fig. 2, a flow diagram of one embodiment of the network data security monitoring method according to the present application is shown. This embodiment can acquire and process the related data based on artificial intelligence technology. Artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer, or a machine controlled by a digital computer, to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use that knowledge to obtain the best result.
The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing, operation/interaction systems and mechatronics. Artificial intelligence software technology mainly comprises computer vision, robotics, biometric recognition, speech processing, natural language processing, machine learning/deep learning and the like. In this embodiment, the network data security monitoring method comprises the following steps:
S200: obtaining a device identification rule, and performing data identification on the communication source data of a plurality of authorized devices using the device identification rule to obtain a security characterization threshold corresponding to the authorized devices.
In this embodiment, as shown in fig. 3, before obtaining the device identification rule, the method further comprises:
S201: collecting network security open-source data, which comprises open-source event data and open-source situation data;
Specifically, the network security open-source data comprises open-source event data and open-source situation data. Data analysis is first performed on both, which can be implemented with a pre-constructed machine learning model, so that the network security open-source data can be classified effectively.
Open-source event data refers to data collected when a security event occurs; it can be collected from three public network security databases: the VERIS Community Database (VCDB), Hackmageddon, and the Web Hacking Incidents Database (WHID).
Open-source situation data refers to data that influences the occurrence of open-source event data. In the prior art, open-source situation data is analyzed mainly by measuring the degree of misconfiguration of the network (its deviation from the standard or recommended configuration) or the degree of malicious behaviour coming from the network; the open-source situation data obtained by analyzing the degree of malicious behaviour may also be called threat events.
It should be noted that open-source event data and open-source situation data are not single numerical values but contain data parameters of several characteristic dimensions. Open-source event data may have different characteristic dimensions depending on its source; this embodiment mainly explains the transmission protocol dimension, the operating system dimension and the terminal identification dimension. It should also be understood that the network situation is the current state and trend of the whole network, formed by the operating conditions of the various network devices, network behaviour, user behaviour and other factors. Situation awareness means acquiring, understanding and displaying the security elements that can cause situation changes in a large-scale network environment, and predicting their future trend.
S202: performing data characteristic analysis on the open source situation data through the open source event data to obtain event characteristic parameters corresponding to the open source situation data;
Specifically, in this embodiment, the open-source situation data is preprocessed in combination with the open-source event data, and a data aggregation characteristic analysis is performed to obtain the event characteristic parameters corresponding to the open-source situation data. To improve the accuracy of network security monitoring without producing misjudgments, the open-source situation data is preprocessed into corresponding event characteristic parameters, which are mathematical expressions representing the various data characteristics in the open-source situation data, specifically in vector form.
S203: classifying the event characteristic parameters with a pre-constructed classification model to form the event classifications corresponding to the event characteristic parameters:
Specifically, in this embodiment, a trained random forest model is first retrieved. The random forest model comprises multiple decision trees, each corresponding to one classification. The event characteristic parameters are input into the pre-trained random forest model, which yields the decision tree best matching the feature values, and the branch classification of that decision tree is taken as the device identification rule after classification. A random forest is a classifier that trains and predicts on samples using multiple trees; in machine learning, it contains multiple decision trees, and its output class is determined by the mode of the classes output by the individual trees. After training, each decision tree in the random forest contains fixed branch classifications, each branch representing one feature dimension of the data.
Further, a device identification rule is obtained. The device identification rule is constructed by selecting in advance any protocols from the existing TCP/IP protocol suite and/or OSI protocol suite to form a protocol group and extracting the protocol rule of each protocol in the group. This application uses only a subset of protocols for illustration: protocol rules are extracted to obtain an IP protocol rule, an HTTP protocol rule, an ICMP protocol rule, a TCP protocol rule and a UDP protocol rule, which are summarized to obtain the device identification rule.
Further, the authorized device described in this application refers to a network device forming the internal network of an enterprise; device authorization may use any authorization method in the prior art. The communication source data of the authorized devices is identified with the device identification rule to form the characteristic parameters corresponding to each authorized device. First the IP address of the authorized device is extracted, which can be identified by the IP protocol rule, and the IP address of each authorized device is assigned a value to obtain the corresponding address value.
Specifically, in this embodiment, the system of the authorized device is identified from the TTL field of the returned packet; for example, UNIX and UNIX-like operating systems return a TTL field value of 255, and such an authorized device is assigned the value 1. Before system fingerprint values are assigned, system data is collected: the existing systems of different versions are each assigned a value to obtain a system fingerprint list; when the system characteristics of an authorized device are identified, the corresponding system is found and the system fingerprint value of the authorized device is assigned from the system fingerprint list.
In another preferred embodiment, the system fingerprint of the authorized device is also identified through the ICMP, TCP and UDP protocol rules. This system fingerprint identification is carried out with existing scanning software that applies the above rules; scanners commonly used in the prior art include Nmap, Xprobe2, ZMap and Masscan. The method scans the authorized device with Nmap and/or Xprobe2 to obtain its system fingerprint, assigns values to the identified systems and summarizes them into a system fingerprint list.
Specifically, in this embodiment, Nmap may send UDP and TCP packets to the IP address of the authorized device and perform TCP/IP operating system fingerprinting on the responses it returns, while Xprobe2 sends ICMP packets to the IP address and analyzes the responses to perform TCP/IP operating system fingerprinting. The returned operating system fingerprint data is collected, de-noised and assigned values. The browser features of the authorized device are then identified to generate the terminal configuration value: the browser feature data of the authorized device is collected, comprising at least one of user, browser language, resolution, colour depth, time zone, available data storage modes, CPU category, installed plug-ins and installed fonts, and assigned a value to obtain the terminal configuration value.
Further, the safe address value interval of the address values corresponding to the authorized terminals is extracted: the trained random forest model classifies and identifies the IP address conditions of the authorized device terminals, and the safe address value interval of the IP address values in non-threat events is extracted to obtain the first characterization threshold;
the safe system value interval of the system fingerprint values corresponding to the authorized terminals is extracted: the trained random forest model classifies and identifies the system fingerprint values of the authorized devices, and the safe system value interval of the system fingerprint values in non-threat events is extracted to obtain the second characterization threshold;
the safe terminal value interval of the terminal configuration values corresponding to the authorized terminals is extracted: the trained random forest model classifies and identifies the terminal configuration values of the authorized devices, and the safe terminal value interval of the terminal configuration values in non-threat events is extracted to obtain the third characterization threshold;
and all first, second and third characterization thresholds are summarized to form the security characterization threshold corresponding to each authorized device.
S210: monitoring the real-time interactive traffic generated by each authorized device in the communication network built from the authorized devices to obtain real-time characterization parameters.
Specifically, in this embodiment, the authorized device is monitored; when it generates real-time interactive traffic, real-time request data is sent to it to obtain the corresponding response data packet, and the data of the response packet is extracted to obtain the real-time traffic parameters of the authorized device.
Specifically, in this embodiment, the real-time traffic parameters are identified with the address identification rule to obtain real-time address data, with the system fingerprint identification rule to obtain real-time system fingerprint data, and with the interactive terminal identification rule to obtain real-time terminal configuration data; the real-time address data, real-time system fingerprint data and real-time terminal configuration data are summarized to form the real-time characterization parameters.
S220: determining whether the real-time characterization parameters exceed the security characterization threshold; when they do, outputting an untrusted device signal.
Specifically, in this embodiment, a security judgment is performed on the terminal device that generated the real-time traffic parameters: the real-time address data, real-time system fingerprint data and real-time terminal configuration data in the real-time characterization parameters are extracted and compared numerically against the security characterization threshold constructed as above, and when the real-time characterization parameters exceed the security characterization threshold, the corresponding terminal device is locked and marked as untrusted.
Further, in this embodiment, the IP, HTTP, ICMP, TCP and UDP protocols in the device identification rule are used to scan the terminal device again, and a constructed virtual machine communicates with it: by identifying the device identity and handshaking the request, the state of the CPU module, memory card, IP address and system data is read, the constructed virtual machine compares the detailed message functions and contents, and when the returned information differs from the real information the security characterization parameter of the authorized device is extracted;
further, the real-time characterization parameters corresponding to the untrusted device signal are extracted; the preset classification model calculates the probability that the real-time characterization parameters constitute a threat event in the event classification, forming a threat probability; and when the threat probability exceeds a preset threshold, a device threat report combining the real-time characterization parameters and the threat event is generated, and an untrusted device warning corresponding to the device threat report is output.
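The pipeline of steps S200 to S220 above (identification rules applied to the baseline communication source data of authorized devices, per-dimension thresholds summarized from them, real-time parameters checked against those thresholds), as an added worked example; it is not code from the patent or its applicant. The sample device records, the rounding of an observed TTL up to a common initial value, the system fingerprint list beyond its "TTL 255 → code 1" entry, the terminal configuration list and the choice to keep the second and third thresholds as sets of allowed codes rather than numeric intervals (the assigned codes are nominal labels, so a min/max interval over them would admit values the baseline never contained) are all assumptions made here.

```python
"""Added example (not the patent's code): the S200-S220 threshold pipeline.
Rule tables, device records and the set-vs-interval choice are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed system fingerprint list: initial TTL of a reply -> assigned code.
# Only the "UNIX / UNIX-like: TTL 255 -> 1" entry is taken from the text.
SYSTEM_FINGERPRINT_LIST = {255: 1, 64: 2, 128: 3}
UNKNOWN_SYSTEM = 0

# Assumed terminal configuration list, filled as new browser feature
# combinations are seen: sorted feature tuple -> assigned code.
TERMINAL_CONFIG_LIST: dict[tuple, int] = {}


@dataclass(frozen=True)
class Characterization:
    address_value: int
    system_fingerprint_value: int
    terminal_configuration_value: int


def address_rule(ip: str) -> int:
    """Address identification rule: assign the IP address its integer value."""
    return int(ipaddress.ip_address(ip))


def nearest_initial_ttl(observed_ttl: int) -> int:
    """Assumption: a reply's TTL is the initial TTL minus hops, so round up."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return 255


def system_fingerprint_rule(observed_ttl: int) -> int:
    """System fingerprint rule: look the initial TTL up in the fingerprint list."""
    return SYSTEM_FINGERPRINT_LIST.get(nearest_initial_ttl(observed_ttl), UNKNOWN_SYSTEM)


def terminal_rule(features: dict[str, str]) -> int:
    """Interactive terminal rule: assign each distinct browser feature set a code."""
    key = tuple(sorted(features.items()))
    return TERMINAL_CONFIG_LIST.setdefault(key, len(TERMINAL_CONFIG_LIST) + 1)


def characterize(record: dict) -> Characterization:
    return Characterization(
        address_rule(record["ip"]),
        system_fingerprint_rule(record["ttl"]),
        terminal_rule(record["terminal"]),
    )


@dataclass(frozen=True)
class SecurityThreshold:
    address_interval: tuple[int, int]  # first threshold: safe address value interval
    system_values: frozenset[int]      # second threshold: allowed fingerprint codes
    terminal_values: frozenset[int]    # third threshold: allowed terminal codes


def build_security_threshold(authorized: list[dict]) -> SecurityThreshold:
    """Summarize the three thresholds from the authorized devices' baseline data."""
    chars = [characterize(r) for r in authorized]
    addresses = [c.address_value for c in chars]
    return SecurityThreshold(
        (min(addresses), max(addresses)),
        frozenset(c.system_fingerprint_value for c in chars),
        frozenset(c.terminal_configuration_value for c in chars),
    )


def check_realtime(record: dict, threshold: SecurityThreshold) -> list[str]:
    """Dimensions exceeding the threshold; a non-empty list is the untrusted-device signal."""
    c = characterize(record)
    exceeded = []
    low, high = threshold.address_interval
    if not low <= c.address_value <= high:
        exceeded.append("address")
    if c.system_fingerprint_value not in threshold.system_values:
        exceeded.append("system_fingerprint")
    if c.terminal_configuration_value not in threshold.terminal_values:
        exceeded.append("terminal_configuration")
    return exceeded


def monitor(observations: list[dict], threshold: SecurityThreshold) -> dict[str, list[str]]:
    """Map each observed IP to its exceeded dimensions (empty list = within threshold)."""
    return {obs["ip"]: check_realtime(obs, threshold) for obs in observations}


# Constructed baseline: communication source data of three authorized devices.
AUTHORIZED_DEVICES = [
    {"ip": "10.20.1.10", "ttl": 254, "terminal": {"language": "zh-CN", "resolution": "1920x1080", "timezone": "UTC+8"}},
    {"ip": "10.20.1.25", "ttl": 63, "terminal": {"language": "zh-CN", "resolution": "1920x1080", "timezone": "UTC+8"}},
    {"ip": "10.20.1.40", "ttl": 128, "terminal": {"language": "zh-CN", "resolution": "2560x1440", "timezone": "UTC+8"}},
]

# Constructed real-time observations: a known device, then an address outside
# the interval with a browser configuration never seen in the baseline.
REALTIME_OBSERVATIONS = [
    {"ip": "10.20.1.25", "ttl": 62, "terminal": {"language": "zh-CN", "resolution": "1920x1080", "timezone": "UTC+8"}},
    {"ip": "10.20.9.77", "ttl": 63, "terminal": {"language": "en-US", "resolution": "1366x768", "timezone": "UTC+0"}},
]

if __name__ == "__main__":
    safe = build_security_threshold(AUTHORIZED_DEVICES)
    for ip, exceeded in monitor(REALTIME_OBSERVATIONS, safe).items():
        print(ip, ("untrusted device signal: " + ", ".join(exceeded)) if exceeded else "trusted")
```

Run as a script, the second observation is reported on the address and terminal-configuration dimensions while its TTL still maps to a known system code, which is the kind of partial match the later re-scan and threat-probability steps are meant to resolve. A real deployment would replace the TTL table with fingerprints from the scanners the text names and would re-derive the thresholds as authorized devices change.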
Compared with the prior art, the embodiment of the application mainly has the following beneficial effects: the invention mainly utilizes artificial intelligence to summarize and classify enterprise security incidents, extracts corresponding equipment identification rules, and carries out security characterization detection on authorized equipment through the equipment identification rules, so as to obtain a security characterization threshold interval of the authorized equipment.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program, which may be stored in a computer readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless otherwise indicated herein, the steps need not be performed in the exact order shown and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and not necessarily in sequence but alternately with other steps or with at least some of the sub-steps or stages of other steps.
With further reference to fig. 4, as an implementation of the method shown in fig. 2, the present application provides an embodiment of a network data security monitoring apparatus 300, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be specifically applied to various electronic devices.
The acquisition module 301 is configured to obtain the device identification rule.
Specifically, the acquisition module acquires the device identification rule, which is constructed in advance by selecting any protocols from the existing TCP/IP protocol suite and/or OSI protocol suite to form a protocol group and extracting the protocol rule of each protocol in the group; the invention is mainly explained using a subset of protocols, as follows: protocol rules are extracted to obtain an IP protocol rule, an HTTP protocol rule, an ICMP protocol rule, a TCP protocol rule and a UDP protocol rule, which are summarized to obtain the device identification rule.
Further, the obtaining module further comprises a threat classification submodule;
the threat classification submodule is used for collecting network security open source data before the acquisition module acquires the device identification rule, wherein the network security open source data comprises open source event data and open source situation data. Firstly, the threat classification submodule performs data analysis on the open source event data and the open source situation data in the network security open source data so as to classify the network security open source data effectively.
Open source situation data refers to data that affects the occurrence of network security events. In the prior art, the analysis of open source situation data mainly consists of analyzing the degree of misconfiguration of a network, or the difference between the actual configuration and the standard/recommended configuration, or the degree of malicious behavior originating in the network; the open source situation data obtained by analyzing the degree of malicious behavior can also be called threat events.
Open source event data refers to data collected when a security event occurs, and can be collected through three public network security databases, namely the VERIS Community Database (VCDB), Hackmageddon, and the Web Hacking Incident Database (WHID).
It should be noted that the open source situation data and the open source event data are not a single value, but include data parameters of multiple characteristic dimensions, and the open source event data may include different characteristic dimensions according to different sources thereof. Meanwhile, it should be understood that the network situation refers to the current state and the variation trend of the whole network, which are formed by various network device operation conditions, network behaviors, user behaviors and other factors. The network situation awareness is to acquire, understand, display and predict a future trend of a security element which can cause the network situation to change in a large-scale network environment.
Specifically, the threat classification submodule performs data preprocessing and aggregation analysis on the open source situation data in combination with the open source event data to obtain event characteristic parameters corresponding to the open source situation data. In order to improve the accuracy of network security monitoring without producing misjudgments, data preprocessing is performed on the open source situation data to obtain the corresponding event characteristic parameters, wherein an event characteristic parameter is a mathematical expression that represents the various data characteristics in the open source situation data, and may specifically take the form of a vector.
The feature identification module 302 is configured to perform data identification on communication source data of multiple authorized devices by using the device identification rule, so as to obtain a security representation threshold corresponding to the authorized device.
Specifically, the feature identification module identifies the field value of the authorized device from the returned TTL field; for example, UNIX and UNIX-like operating systems return a TTL field value of 255, so an authorized device returning 255 is assigned the value 1. It should be noted that, before system fingerprint assignment is performed on the authorized device, system data is also acquired: the existing systems of different versions are each assigned a value to obtain a corresponding system fingerprint list, and when the system feature of an authorized device is identified, the corresponding system is obtained and assigned a value through the system fingerprint list to obtain the system fingerprint value of the authorized device.
In another preferred embodiment, the feature identification module further identifies the system fingerprint of the authorized device by ICMP protocol rules, TCP protocol rules and UDP protocol rules. It should be noted that system fingerprint identification of the authorized device is implemented by existing scanning software applying the above rules; scanning tools commonly used in the prior art include, for example, Nmap, Xprobe2, Zmap and Masscan. The method scans the authorized device using Nmap and/or Xprobe2 to obtain the system fingerprint corresponding to the authorized device, assigns a value to each identified system, and summarizes the results to obtain the system fingerprint list.
Specifically, the feature identification module may send UDP and TCP packets to the IP address of the authorized device using Nmap and perform TCP/IP operating system fingerprint identification according to the response returned by the authorized device, and may send ICMP packets to the IP address of the authorized device using Xprobe2 and analyze the response to perform TCP/IP operating system fingerprint identification; it then collects the returned operating system fingerprint data, performs data de-noising on it, and assigns a value. It further identifies the browser features of the authorized device to generate a terminal configuration value: the browser feature data of the authorized device is collected, including at least one of user agent, browser language, resolution, color depth, time zone, available data storage modes, CPU class, installed plug-ins and installed fonts, and a value is assigned to this data to obtain the terminal configuration value.
Further, the feature identification module extracts a safe address value interval for the address value corresponding to the authorized terminal, wherein a trained random forest model is used to classify the IP address of the authorized device terminal, and the safe address value interval of the IP address values in non-threat events is extracted to obtain a first characterization threshold;
the feature identification module extracts a safe system value interval for the system fingerprint value corresponding to the authorized terminal, wherein the trained random forest model is used to classify the system fingerprint value of the authorized device, and the safe system value interval of the system fingerprint values in non-threat events is extracted to obtain a second characterization threshold;
the feature identification module extracts a safe terminal value interval for the terminal configuration value corresponding to the authorized terminal, wherein the trained random forest model is used to classify the terminal configuration value of the authorized device, and the safe terminal value interval of the terminal configuration values in non-threat events is extracted to obtain a third characterization threshold;
and the feature identification module summarizes all the first, second and third characterization thresholds to form the safety characterization threshold corresponding to each authorized device.
A monitoring module 303, configured to monitor a real-time interaction traffic generated by each authorization device in a communication network established by the authorization device, so as to obtain a real-time characterization parameter;
specifically, the monitoring module monitors the authorization device, sends real-time request data to the authorization device when the authorization device generates real-time interactive traffic to obtain a response data packet corresponding to the authorization device, and extracts data from the response data packet to obtain real-time traffic parameters of the authorization device.
Specifically, the monitoring module identifies the real-time traffic parameters using the address identification rule to obtain real-time address data; identifies the real-time traffic parameters using the system fingerprint identification rule to obtain real-time system fingerprint data; identifies the real-time traffic parameters using the interactive terminal identification rule to obtain real-time terminal configuration data; and summarizes the real-time address data, the real-time system fingerprint data and the real-time terminal configuration data to form the real-time characterization parameters.
A decision module 304, configured to determine whether the real-time characterization parameter exceeds the safety characterization threshold, and to output an untrusted device signal when it does.
Specifically, the decision module performs a security judgment on the terminal device that generated the real-time traffic parameters: it extracts the real-time address data, real-time system fingerprint data and real-time terminal configuration data from the real-time characterization parameters, compares their values against the safety characterization threshold constructed by the method above, and, when the real-time characterization parameters exceed the safety characterization threshold, locks the corresponding terminal device and marks it as untrusted.
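The feature identification, monitoring and decision modules described above, as an added example that is not the patent's own code: the three identification rules assign an address value, a system fingerprint value (the page's TTL 255 to 1 assignment, plus two constructed rows) and a terminal configuration value; the first, second and third characterization thresholds are extracted per authorized device as closed intervals; and the decision step reports which real-time characterization parameter falls outside its interval. The system fingerprint list beyond the TTL 255 row, the terminal configuration list, the sample data and the use of a min/max interval over non-threat samples in place of the patent's random forest are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address

# System fingerprint list: returned TTL -> system fingerprint value. The page gives
# the UNIX/UNIX-like TTL 255 -> 1 assignment; the other two rows are constructed.
SYSTEM_FINGERPRINT_LIST = {255: 1, 64: 2, 128: 3}

# Terminal configuration list (constructed): a browser feature tuple
# (user agent, browser language, resolution) -> terminal configuration value.
TERMINAL_CONFIGURATION_LIST = {
    ("Mozilla/5.0 (X11; Linux x86_64)", "en-US", "1920x1080"): 1,
    ("Mozilla/5.0 (Windows NT 10.0)", "zh-CN", "2560x1440"): 2,
}


def address_value(ip: str) -> int:
    """Address identification rule: the address as an integer so intervals can be compared."""
    return int(ip_address(ip))


def system_fingerprint_value(ttl: int) -> int:
    """System fingerprint identification rule: assign the value from the fingerprint list (0 = unknown)."""
    return SYSTEM_FINGERPRINT_LIST.get(ttl, 0)


def terminal_configuration_value(user_agent: str, language: str, resolution: str) -> int:
    """Interactive terminal identification rule: assign the value from the configuration list (0 = unknown)."""
    return TERMINAL_CONFIGURATION_LIST.get((user_agent, language, resolution), 0)


def characterize(sample: dict) -> dict:
    """Apply the three identification rules to one sample (communication source data or real-time traffic)."""
    return {
        "address": address_value(sample["ip"]),
        "system": system_fingerprint_value(sample["ttl"]),
        "terminal": terminal_configuration_value(
            sample["user_agent"], sample["language"], sample["resolution"]),
    }


@dataclass(frozen=True)
class SafetyThreshold:
    """First, second and third characterization thresholds of one authorized device as closed intervals."""
    address: tuple[int, int]
    system: tuple[int, int]
    terminal: tuple[int, int]


def build_safety_threshold(samples: list[dict]) -> SafetyThreshold:
    """Extract each safe value interval from the non-threat samples of one authorized device.
    Assumption: a min/max interval over samples labelled as non-threat stands in for the
    patent's trained random forest classification of the same three values."""
    safe = [characterize(s) for s in samples if not s.get("threat", False)]
    if not safe:
        raise ValueError("no non-threat samples to build a safety threshold from")

    def interval(key: str) -> tuple[int, int]:
        values = [c[key] for c in safe]
        return (min(values), max(values))

    return SafetyThreshold(interval("address"), interval("system"), interval("terminal"))


def check_realtime(params: dict, threshold: SafetyThreshold) -> list[str]:
    """Decision step: names of the dimensions whose real-time value falls outside the safe interval.
    An empty list means the device stays within its threshold; a non-empty list is the
    untrusted device signal and says which characterization parameter exceeded it."""
    realtime = characterize(params)
    exceeded = []
    for key in ("address", "system", "terminal"):
        low, high = getattr(threshold, key)
        if not low <= realtime[key] <= high:
            exceeded.append(key)
    return exceeded


# Constructed communication source data of one authorized device (a Linux workstation).
AUTHORIZED_SAMPLES = [
    {"ip": "10.0.1.10", "ttl": 255, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "language": "en-US", "resolution": "1920x1080"},
    {"ip": "10.0.1.12", "ttl": 255, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "language": "en-US", "resolution": "1920x1080"},
    # A sample recorded during a threat event is excluded from the safe interval.
    {"ip": "10.0.9.50", "ttl": 128, "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "language": "zh-CN", "resolution": "2560x1440", "threat": True},
]
# Constructed real-time inputs: the same device, then a different host answering
# from outside the device's address range with an unknown system and terminal.
REALTIME_OK = {"ip": "10.0.1.11", "ttl": 255, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
               "language": "en-US", "resolution": "1920x1080"}
REALTIME_UNTRUSTED = {"ip": "10.0.9.50", "ttl": 128, "user_agent": "curl/8.0",
                      "language": "", "resolution": ""}

if __name__ == "__main__":
    thr = build_safety_threshold(AUTHORIZED_SAMPLES)
    print("safety threshold:", thr)
    print("trusted sample exceeds:", check_realtime(REALTIME_OK, thr))  # []
    print("untrusted sample exceeds:", check_realtime(REALTIME_UNTRUSTED, thr))  # ['address', 'system', 'terminal']
```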
Further, the decision module scans the terminal device again using the IP, HTTP, ICMP, TCP and UDP protocol rules in the device identification rule, and a constructed virtual machine communicates with it: the state of the CPU module, the memory card, the IP address and the system data is read by means of device identification and a handshake request, the constructed virtual machine is used to compare detailed message functions and contents, and when the returned information differs from the real information, the security characterization parameters of the authorized device are extracted;
further, the decision module extracts the real-time characterization parameters corresponding to the untrusted device signal; uses the preset classification model to calculate the probability that the real-time characterization parameters correspond to a threat event in the event classification, forming a threat probability; and when the threat probability exceeds a preset threshold, generates a device threat report by combining the real-time characterization parameters with the threat event, and outputs an untrusted device warning corresponding to the device threat report.
Compared with the prior art, the embodiment of the application mainly has the following beneficial effects: the method mainly utilizes artificial intelligence to summarize and classify the enterprise security events, extracts the corresponding equipment identification rule, and utilizes the equipment identification rule to perform security characterization detection on the authorized equipment, so as to obtain the security characterization threshold interval of the authorized equipment, and utilizes the threshold interval to monitor the communication network constructed by the authorized equipment.
In order to solve the technical problem, the embodiment of the application further provides computer equipment. Referring to fig. 5, fig. 5 is a block diagram of a basic structure of a computer device according to the embodiment.
The computer device 5 comprises a memory 51, a processor 52 and a network interface 53, which are communicatively connected to each other via a system bus. It is noted that only a computer device 5 having components 51-53 is shown, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 51 includes at least one type of readable storage medium including a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the memory 51 may be an internal storage unit of the computer device 5, such as a hard disk or a memory of the computer device 5. In other embodiments, the memory 51 may also be an external storage device of the computer device 5, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the computer device 5. Of course, the memory 51 may also comprise both an internal storage unit of the computer device 5 and an external storage device thereof. In this embodiment, the memory 51 is generally used for storing an operating system and various application software installed in the computer device 5, such as program codes of the X method. Further, the memory 51 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 52 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 52 is typically used to control the overall operation of the computer device 5. In this embodiment, the processor 52 is configured to execute the program code stored in the memory 51 or process data, for example, execute the program code of the X method.
The network interface 53 may comprise a wireless network interface or a wired network interface, and the network interface 53 is generally used for establishing communication connections between the computer device 5 and other electronic devices.
The present application further provides another embodiment, which is to provide a computer-readable storage medium, where the network data security monitoring program is stored, and the network data security monitoring program is executable by at least one processor, so that the at least one processor performs the steps of the network data security monitoring method as described above.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware online platform, and certainly can also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
It should be understood that the above-described embodiments are merely exemplary of some, and not all, embodiments of the present application, and that the drawings illustrate preferred embodiments of the present application without limiting the scope of the claims appended hereto. This application is capable of embodiments in many different forms and the embodiments are provided so that this disclosure will be thorough and complete. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that modifications can be made to the embodiments described in the foregoing detailed description, or equivalents can be substituted for some of the features described therein. All equivalent structures made by using the contents of the specification and the drawings of the present application are directly or indirectly applied to other related technical fields and are within the protection scope of the present application.

Claims (10)

1. A network data security monitoring method is characterized by comprising the following steps:
acquiring an equipment identification rule, and performing data identification on communication source data of a plurality of authorized equipment by using the equipment identification rule to obtain a safety representation threshold corresponding to the authorized equipment;
monitoring real-time interactive flow generated by each authorization device in a communication network constructed by the authorization devices to obtain real-time characterization parameters;
determining whether the real-time characterization parameter exceeds the safety characterization threshold;
when exceeded, an untrusted device signal is output.
2. The network data security monitoring method according to claim 1, wherein the performing data identification on the communication source data of multiple authorized devices by using the device identification rule specifically includes:
obtaining the equipment identification rule, wherein the equipment identification rule comprises: address identification rules, system fingerprint identification rules and interactive terminal identification rules;
identifying the communication source data by using the address identification rule to obtain an address value;
identifying the communication source data by using the system fingerprint identification rule to obtain a system fingerprint value;
and identifying the communication source data by using the interactive terminal identification rule to obtain a terminal configuration value.
3. The method according to claim 2, wherein the obtaining of the security representation threshold corresponding to the authorized device specifically includes:
extracting a safe address value interval of the address value corresponding to the authorization equipment to obtain a first characterization threshold;
extracting a security system value interval of the system fingerprint value corresponding to the authorization equipment to obtain a second characterization threshold;
extracting a safe terminal value interval of the terminal configuration value corresponding to the authorization equipment to obtain a third representation threshold;
and summarizing all the first characterization thresholds, the second characterization thresholds and the third characterization thresholds to form the safety characterization threshold corresponding to each authorized device.
4. The network data security monitoring method according to claim 3, wherein the monitoring of the real-time interactive traffic generated by each authorized device in the communication network constructed by the authorized devices specifically comprises:
monitoring whether the authorization equipment generates real-time interactive traffic;
when such traffic is generated, sending real-time request data to the authorization equipment to obtain a response data packet of the authorization equipment;
and performing data extraction on the response data packet to obtain the real-time flow parameters of the authorization equipment.
5. The method for monitoring network data security according to claim 4, wherein the obtaining of the real-time characterization parameter specifically includes:
identifying the real-time flow parameters by using the address identification rule to obtain real-time address data;
identifying the real-time flow parameters by using the system fingerprint identification rule to obtain real-time system fingerprint data;
identifying the real-time flow parameters by using the interactive terminal identification rule to obtain real-time terminal configuration data;
and summarizing the real-time address data, the real-time system fingerprint data and the real-time terminal configuration data to form real-time characterization parameters.
6. The network data security monitoring method according to claim 4, wherein before the obtaining the device identification rule, the method further comprises:
collecting network open source data, wherein the network security open source data comprises: open source event data and open source situation data;
performing data characteristic analysis on the open source situation data through the open source event data to obtain event characteristic parameters corresponding to the open source situation data;
and carrying out event classification on the event characteristic parameters by utilizing a pre-constructed classification model to form event classifications corresponding to the event characteristic parameters.
7. The network data security monitoring method according to claim 6, further comprising, after outputting the untrusted device signal:
extracting the corresponding real-time characterization parameters in the untrusted device signals;
calculating the probability of the real-time characterization parameters as threat events in the event classification by using the preset classification model to form threat probability;
generating a device threat report in conjunction with the real-time characterization parameters and the threat event when the threat probability exceeds a preset threshold.
8. An apparatus for network data security monitoring, the apparatus comprising:
the acquisition module is used for acquiring the equipment identification rule;
the characteristic identification module is used for carrying out data identification on communication source data of a plurality of authorized devices by using the device identification rule to obtain a safety representation threshold corresponding to the authorized devices;
the monitoring module is used for monitoring real-time interactive flow generated by each authorization device in a communication network constructed by the authorization devices to obtain real-time characterization parameters;
and the judging module is used for judging whether the real-time characterization parameters exceed the safety characterization threshold or not and outputting an untrusted device prompt when the real-time characterization parameters exceed the safety characterization threshold.
9. A computer device comprising a memory having computer readable instructions stored therein and a processor that, when executing them, performs the steps of the network data security monitoring method according to any one of claims 1 to 7.
10. A computer readable storage medium having computer readable instructions stored thereon which, when executed by a processor, implement the steps of the network data security monitoring method of any one of claims 1 to 7.
Application

Application Number: CN202211397056.6A
Priority Date: 2022-11-09
Filing Date: 2022-11-09
Title: Network data security monitoring method, device, equipment and storage medium
Status: Pending

Publications (1)

Publication Number: CN115913688A (en)
Publication Date: 2023-04-04

Family

ID=86494899

Country Status (1)

CN (1) CN115913688A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination