CN116074066A - Intelligent monitoring blocking method and system for retrieval threat information - Google Patents

Intelligent monitoring blocking method and system for retrieval threat information

Info

Publication number: CN116074066A
Authority: CN (China)
Prior art keywords: attack, data, interception, blocking, data set
Legal status: Granted
Application number: CN202211715580.3A
Other languages: Chinese (zh)
Other versions: CN116074066B (en)
Inventors: 张昇鹏, 张耀国, 朱磊, 姜飞, 龚国桐, 林川
Current Assignee: Guangxi Nanning Yingfu Taike Information Technology Co ltd
Original Assignee: Guangxi Nanning Yingfu Taike Information Technology Co ltd
Application filed by Guangxi Nanning Yingfu Taike Information Technology Co ltd
Priority to CN202211715580.3A
Publication of CN116074066A
Application granted
Publication of CN116074066B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides an intelligent monitoring and blocking method and system for retrieval threat information, relating to the technical field of network security. A traffic monitoring system connected to a target network monitors the network access traffic and the network exit traffic and uploads them to an intelligence monitoring platform; the platform carries out attack detection on the network traffic monitoring data set using an application firewall, an intrusion prevention system and a semantic detection engine and outputs an attack data set; the attack data set is input into attack interception equipment, from which first interception data and second interception data are acquired; a blocking data packet is generated from them, and attack blocking is carried out according to the blocking data packet. The invention solves the technical problems of the prior art that attack data cannot be processed rapidly and that a plurality of servers and clients cannot be monitored; it classifies the intercepted data and blocks it by class, improving the processing efficiency of attack data and ensuring the safe operation of the servers.

Description

Intelligent monitoring blocking method and system for retrieval threat information
Technical Field
The invention relates to the technical field of network security, in particular to an intelligent monitoring blocking method and system for retrieval threat information.
Background
In recent years, as critical information infrastructure operators in every industry have accumulated practical experience, the importance of threat intelligence has become widely accepted. Threat intelligence sharing groups, both official and informal, keep emerging, and enthusiasm for attack protection and intrusion tracing based on threat intelligence is rising. According to the latest research report, the national scale of threat intelligence in 2021 reached about 10.69 hundred million items, but most of it is provided in a subscription mode, and a joint defence and linked handling mechanism based on threat intelligence is still lacking. The conventional monitoring and blocking methods for retrieval threat information have certain shortcomings, and there is room for improvement in the monitoring and blocking of retrieval threat information.
In the prior art, attack data cannot be processed rapidly, and a plurality of servers and clients cannot be monitored, so that the processing efficiency of the attack data is low, and the safe operation of the servers is threatened.
Disclosure of Invention
The embodiment of the application provides a method and a system for intelligently monitoring and blocking retrieval threat information, which are used for solving the technical problems that attack data cannot be rapidly processed and a plurality of servers and clients cannot be monitored in the prior art.
In view of the above problems, the embodiments of the present application provide a method and a system for intelligently monitoring and blocking retrieval threat information.
In a first aspect, an embodiment of the present application provides a method for intelligently monitoring and blocking retrieval threat information, the method comprising: connecting a traffic monitoring system to the target network and monitoring the network access traffic and the network exit traffic to acquire a network traffic monitoring data set; uploading the network traffic monitoring data set to the intelligence monitoring platform, in which a plurality of detection modules are arranged, the detection modules comprising an application firewall, an intrusion prevention system and a semantic detection engine; carrying out attack detection on the network traffic monitoring data set according to the application firewall, the intrusion prevention system and the semantic detection engine, and outputting an attack data set; inputting the attack data set into the attack interception equipment; acquiring first interception data and second interception data according to the attack interception equipment, wherein the second interception data is interception data associated with the first interception data; and generating a blocking data packet according to the first interception data and the second interception data, and carrying out attack blocking according to the blocking data packet.
In a second aspect, an embodiment of the present application provides a system for intelligently monitoring and blocking retrieval threat information, the system comprising: a traffic monitoring data set acquisition module, used to connect a traffic monitoring system to the target network, monitor the network access traffic and the network exit traffic, and acquire a network traffic monitoring data set; a traffic monitoring data set uploading module, used to upload the network traffic monitoring data set to the intelligence monitoring platform, in which a plurality of detection modules are arranged, the detection modules comprising an application firewall, an intrusion prevention system and a semantic detection engine; an attack data set acquisition module, used to carry out attack detection on the network traffic monitoring data set according to the application firewall, the intrusion prevention system and the semantic detection engine and to output an attack data set; an attack data set input module, used to input the attack data set into the attack interception equipment; an interception data acquisition module, used to acquire first interception data and second interception data according to the attack interception equipment, wherein the second interception data is interception data associated with the first interception data; and an attack blocking module, used to generate a blocking data packet according to the first interception data and the second interception data and to carry out attack blocking according to the blocking data packet.
One or more technical solutions provided in the embodiments of the present application at least have the following technical effects or advantages:
The embodiment of the present application provides an intelligent monitoring and blocking method for retrieval threat information, relating to the technical field of network security. A traffic monitoring system connected to the target network monitors the network access traffic and the network exit traffic to acquire a network traffic monitoring data set, which is uploaded to the intelligence monitoring platform; the platform contains a plurality of detection modules comprising an application firewall, an intrusion prevention system and a semantic detection engine, and uses them to carry out attack detection on the network traffic monitoring data set and output an attack data set; the attack data set is input into attack interception equipment, from which first interception data and second interception data are acquired, the second interception data being interception data associated with the first interception data; a blocking data packet is generated from the first and second interception data, and attack blocking is carried out according to it. This solves the technical problems of the prior art that attack data cannot be processed rapidly and that a plurality of servers and clients cannot be monitored; the intercepted data is classified and blocked by class, the processing efficiency of attack data is improved, and the safe operation of the servers is guaranteed.
The foregoing is only an overview of the technical solutions of the present application. So that the technical means of the present application may be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present application may be understood more clearly, the detailed description of the present application is given below.
Drawings
FIG. 1 is a schematic flow chart of a method for intelligently monitoring and blocking retrieval threat information according to an embodiment of the present application;
FIG. 2 is a schematic diagram of the interception flow based on a server interception instruction and a client interception instruction in the method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of obtaining a matching interception level in the method according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an intelligent monitoring and blocking system for retrieval threat information according to an embodiment of the present application.
Reference numerals: the system comprises a traffic monitoring data set acquisition module 10, a traffic monitoring data set uploading module 20, an attack data set acquisition module 30, an attack data set input module 40, an interception data acquisition module 50 and an attack blocking module 60.
Detailed Description
The embodiment of the application provides an intelligent monitoring blocking method for retrieving threat information, which is used for solving the technical problems that attack data cannot be processed quickly and a plurality of servers and clients cannot be monitored in the prior art.
Example 1
As shown in FIG. 1, an embodiment of the present application provides a method for intelligently monitoring and blocking retrieval threat information. The method is applied to an intelligence monitoring platform that is communicatively connected with attack interception equipment, and comprises:
Step S100: connecting a traffic monitoring system to the target network and monitoring the network access traffic and the network exit traffic to acquire a network traffic monitoring data set;
Specifically, the method is applied to an intelligence monitoring platform communicatively connected with attack interception equipment, and the attack interception equipment is used to acquire interception data. The traffic monitoring system monitors and filters user data traffic so that undesirable information within the monitored range is effectively controlled; it is commonly used in network security. Network communication is carried out by means of data packets, and all information is contained in the network communication data packets. Two computers communicate over the network by sending and receiving data packets, so traffic monitoring is in fact the management, control, optimisation and limitation of these network communication data packets. Its purpose is to allow and ensure the efficient transmission of useful data packets and to prohibit or limit illegitimate data packet transmission; traffic monitoring is essentially a constraint. By monitoring the network access traffic and the network exit traffic, network communication is accurately controlled, and a foundation is laid for subsequent monitoring.
Step S200: uploading the network traffic monitoring data set to the intelligence monitoring platform, in which a plurality of detection modules are arranged, the detection modules comprising an application firewall, an intrusion prevention system and a semantic detection engine;
Specifically, the network traffic monitoring data set is the classification of the network access traffic and network exit traffic after they have been monitored. It is generally divided into two classes, normal traffic and abnormal traffic: normal traffic is access and exit traffic that is at, or level with, the normal level, and abnormal traffic is characteristic behaviour that differs from the normal condition, or attack code. The intelligence monitoring platform integrates the monitoring methods aimed at the target network, including an application firewall, an intrusion prevention system and a semantic detection engine. The firewall is a technology that helps a computer network build a relatively isolated protective barrier between the internal network and the external network by organically combining various software and hardware devices for security management and screening, so as to protect user data and information security. The intrusion prevention system is a computer network security device that monitors the network data transmission behaviour of a network or of network equipment and can promptly interrupt, adjust or isolate abnormal or harmful transmission behaviour. The semantic detection engine judges attack behaviour comprehensively by combining actual SQL statements, an XSS statement lexicon and grammar analysis with threat levels, thereby solving the problem of detecting and intercepting attacks that use advanced obfuscation techniques. This solves the problems of incomplete monitoring and incomplete classification of traffic under different conditions, and achieves the effect of stabilising the traffic data.
Step S300: carrying out attack detection on the network traffic monitoring data set according to the application firewall, the intrusion prevention system and the semantic detection engine, and outputting an attack data set;
Specifically, the application firewall, the intrusion prevention system and the semantic detection engine are the means by which the intelligence monitoring platform monitors the network access traffic and the network exit traffic. With these methods the traffic can be monitored, so that abnormal data input and output, as well as other kinds of attacks aimed at servers, databases and network content, can be monitored, organised and handled. The monitoring platform carries out attack detection on the network traffic monitoring data set, which is obtained by monitoring the network access traffic and network exit traffic of a server; the attack detection examines the traffic in several dimensions using the plurality of means. If the detection result shows no problem, operation continues normally and a normal log is output; if the detection result shows a problem, an attack data set is output containing the feature codes of the external attack (such as programs and network data), the attack modes, the anomalies caused, and so on. This solves the identification and judgment of different attack modes, allows the attack mode features to be called rapidly from a database, and improves the efficiency and accuracy of the subsequent processing.
Step S400: inputting the attack data set into the attack interception equipment;
Specifically, the attack data set is input into the attack interception equipment. The attack data set is the collection of abnormal data and attack behaviour data obtained after the intelligence monitoring platform has monitored and analysed the network access traffic and the network exit traffic. The attack interception equipment is a terminal device communicatively connected with a plurality of servers and a plurality of clients, used to process the abnormal data and attack data; it can prevent and isolate external attacks until the abnormal data is eliminated.
Step S500: acquiring first interception data and second interception data according to the attack interception equipment, wherein the second interception data is interception data associated with the first interception data;
Specifically, the second interception data is interception data associated with the first interception data. The attack interception equipment is the terminal device communicatively connected with a plurality of servers and a plurality of clients, used to process abnormal data and attack data and to block and defend against the attack data. The first interception data is the interception data of the attack data set at the stage of the attack process in which the attack is still outside the firewall and has not yet entered the system; the second interception data is the interception data of the attack data set that has already infected the system and is affecting it. This handles attack processes under different conditions and at different stages, achieves staged blocking and classification of the attack data, and improves the processing efficiency and accuracy.
Step S600: generating a blocking data packet according to the first interception data and the second interception data, and carrying out attack blocking according to the blocking data packet.
Specifically, attack blocking is carried out according to the blocking data packet. The first interception data and the second interception data are the two kinds of data corresponding to different stages, different attack progress and different influence on the system, and the blocking data packet is generated from them. The blocking data packet is a data set packet generated by the intelligence monitoring platform from data such as feature codes and attack codes after it has blocked the attack under the blocking conditions of the first and second interception data; each component then obtains the blocking data packet from the intelligence monitoring platform in order to clear and block the attack. This meets the requirement of classifying and blocking the intercepted data, and achieves targeted processing of different data.
Further, as shown in FIG. 2, step S400 of the present application further includes:
step S410: inputting the attack data set into the attack interception equipment, wherein the attack interception equipment is communicatively connected with a plurality of servers and a plurality of clients;
step S420: acquiring the server communication modes of the plurality of servers;
step S430: acquiring the client communication modes of the plurality of clients;
step S440: issuing a server interception instruction and a client interception instruction according to the server communication mode and the client communication mode;
step S450: intercepting based on the server interception instruction and the client interception instruction.
Specifically, the attack interception equipment is communicatively connected with a plurality of servers and a plurality of clients. The server communication mode connects the attack interception equipment to the servers, network ports, databases and other content to be protected, intervenes in the ports through which traffic is output and downloaded, and builds a firewall, an intrusion prevention system and a semantic detection engine, or adds them to those of the server, in order to intercept attacks. The client communication mode connects the attack interception system to the client, for example to the client's downstream servers, computer hosts and other devices, according to the client's requirements, and intervenes in or builds its own firewall, intrusion prevention system, semantic detection engine and so on to monitor the client's traffic. The interception instructions are then executed according to the server communication mode and the client communication mode.
Further, as shown in FIG. 3, the present application further includes:
step S710: generating intelligence data according to the attack data set;
step S720: acquiring a preset intelligence source library and connecting it to the attack interception equipment;
step S730: tracing the intelligence data based on the preset intelligence source library to acquire the data source to which the intelligence data belongs;
step S740: matching according to the data source to which the intelligence data belongs to obtain a matching interception level.
Specifically, generating the intelligence data means analysing the intelligence sources required by each port together with the big data collected. If there are many intelligence sources or they overlap, the system's multi-source redundancy setting is configured according to the user's needs, network conditions and other data, and targeted analysis and processing of the intelligence is then carried out; this yields the preset intelligence source library. The source library is connected to the attack interception equipment so that intelligence can be extracted in time for analysis and processing when attack interception is carried out. Given the preset intelligence source library, the monitored intelligence data is traced: the basic logic of the intelligence data, such as its code features and underlying logic, is analysed and compared against the preset intelligence source library, and this tracing yields the data source to which the intelligence data belongs. Finally, the matching interception level is obtained according to the data source to which the intelligence data belongs; the matching interception levels can be classified by difficulty, for example simple processing as level one, medium difficulty as level two, and difficult processing as level three.
Further, the present application further includes:
step S750: configuring the preset intelligence source library, which comprises a plurality of intelligence sources;
step S760: carrying out protection level analysis on each intelligence source in the preset intelligence source library to obtain a plurality of source protection levels, which correspond one-to-one with the plurality of intelligence sources;
step S770: generating a plurality of attack interception levels according to the plurality of source protection levels;
step S780: optimising the preset intelligence source library according to the attack interception levels.
Specifically, each intelligence source in the obtained source library is graded and the protection rules of different grades are separated, for example easy processing classified as primary protection, moderately difficult processing as secondary protection, and difficult processing as tertiary analysis; the protection level rules of the sources are classified accordingly, and the resulting source protection levels correspond one-to-one with the sources. The intelligence sources include public intelligence sources, cloud platform intelligence sources, cyberspace mapping intelligence sources, third-party internet company intelligence sources, the server's own intelligence sources, and so on. A plurality of corresponding attack interception levels is generated according to the source protection levels, and the defence methods, code vulnerabilities and so on of the preset intelligence source library are optimised.
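The following added example (not code from the patent or its assignee) walks steps S710 to S780 with constructed data: a preset intelligence source library with a protection level per source, tracing an intelligence item to its source by feature overlap, the matching interception level, per-feature attack interception levels, and removal of redundant sources. The source names, feature labels and the 1 to 3 difficulty scale are assumptions.

```python
"""Added illustration of steps S710-S780: a preset intelligence source
library, a protection level per source, tracing an intelligence item to its
source by feature overlap, the matching interception level, and removing
redundant sources.  Source names, features and the 1..3 scale are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IntelSource:
    name: str
    kind: str            # public / cloud platform / cyberspace mapping / third party / own server
    features: frozenset  # code or behaviour features this source reports
    difficulty: int      # processing difficulty: 1 simple, 2 medium, 3 difficult (S740)


# Constructed preset intelligence source library (S720, S750).
SOURCE_LIBRARY = [
    IntelSource("public-feed", "public", frozenset({"sqli", "xss", "known-bad-ip"}), 1),
    IntelSource("cloud-platform", "cloud",
                frozenset({"credential-stuffing", "api-abuse", "known-bad-ip"}), 2),
    IntelSource("cyberspace-mapping", "mapping",
                frozenset({"exposed-port", "fingerprint", "api-abuse"}), 2),
    IntelSource("third-party", "third-party",
                frozenset({"c2-beacon", "dns-tunnel", "fingerprint"}), 3),
    IntelSource("own-server", "server", frozenset({"sqli", "xss"}), 1),  # covered by public-feed
]


def protection_levels(library):
    """S760: one protection level per source, here taken from its processing difficulty."""
    return {src.name: src.difficulty for src in library}


def interception_levels(library):
    """S770: interception level per feature = highest protection level of any source
    reporting it, so a feature known only to a hard-to-process source gets the strictest level."""
    levels = {}
    for src in library:
        for feat in src.features:
            levels[feat] = max(levels.get(feat, 0), src.difficulty)
    return levels


def optimise_library(library):
    """S780 (and the multi-source redundancy of S710): drop any source whose
    features are all reported by a kept source that is no harder to process."""
    kept = []
    for src in sorted(library, key=lambda s: (-len(s.features), s.difficulty)):
        if not any(src.features <= k.features and k.difficulty <= src.difficulty for k in kept):
            kept.append(src)
    return kept


def trace_source(intel_features, library):
    """S730: the source whose feature set overlaps the intelligence item most (Jaccard)."""
    best, best_score = None, 0.0
    for src in library:
        union = intel_features | src.features
        score = len(intel_features & src.features) / len(union) if union else 0.0
        if score > best_score:
            best, best_score = src, score
    return best, best_score


def match_interception_level(intel_features, library=SOURCE_LIBRARY):
    """S740: trace the item in the optimised library, then return
    (source name, matching interception level); untraceable items get (None, 0)."""
    src, _ = trace_source(frozenset(intel_features), optimise_library(library))
    if src is None:
        return None, 0   # assumed behaviour for an item no source explains
    return src.name, src.difficulty
```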
Further, step S500 of the present application further includes:
step S510: intercepting in real time according to the attack interception equipment and outputting the first interception data;
step S520: judging the real-time stage of the attack according to the first interception data, and acquiring an associated interception instruction if the attack in the first interception data is in the second stage;
step S530: intercepting the associated data according to the associated interception instruction to acquire the second interception data.
Specifically, after the first interception data is output, the real-time stage of the existing attack at the current moment is judged: if the attack has already invaded the system, for example if it is already controlling a server, a client or similar, the attack is judged to be in the second stage, the associated interception instruction is acquired, that is, the code features and other data of the attack, and the second interception data is acquired after interception.
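The following added example (not code from the patent or its assignee) runs steps S100 to S600 end to end together with the stage rule of steps S510 to S530: three simplified detection engines examine a constructed traffic monitoring data set, the resulting attack data set is split into first interception data (attack still at the perimeter) and the associated second interception data (a targeted host already acting from inside), and one blocking data packet is built from both. The engine rules, the addresses and the stage rule are assumptions standing in for the platform's real engines.

```python
"""Added illustration of steps S100-S600 and S510-S530: three detection engines
run over a constructed traffic data set, the attack data set is split into
first-stage and associated second-stage interception data, and one blocking
packet is built from both.  Rules, addresses and the stage rule are assumptions."""
import re

# Constructed "network traffic monitoring data set": ingress = network access
# traffic, egress = network exit traffic; 10.0.0.0/24 is the protected network.
SAMPLE_TRAFFIC = [
    {"id": 1, "direction": "ingress", "src": "203.0.113.7", "dst": "10.0.0.5",
     "payload": "GET /index.html HTTP/1.1"},
    {"id": 2, "direction": "ingress", "src": "203.0.113.7", "dst": "10.0.0.5",
     "payload": "GET /login?user=admin' OR '1'='1 HTTP/1.1"},
    {"id": 3, "direction": "ingress", "src": "198.51.100.9", "dst": "10.0.0.8",
     "payload": "POST /comment body=<script>alert(1)</script>"},
    {"id": 4, "direction": "egress", "src": "10.0.0.8", "dst": "198.51.100.9",
     "payload": "beacon id=8 cmd=poll"},
    {"id": 5, "direction": "egress", "src": "10.0.0.5", "dst": "192.0.2.20",
     "payload": "GET /update.json HTTP/1.1"},
]

# Engine 1: application firewall, fixed-string rules on the request text.
WAF_RULES = {"sqli": ["' or '", "union select"], "xss": ["<script"]}

def app_firewall(pkt):
    text = pkt["payload"].lower()
    for name, needles in WAF_RULES.items():
        if any(n in text for n in needles):
            return name
    return None

# Engine 2: intrusion prevention system, a signature on exit traffic
# (a constructed check-in pattern standing in for a real IPS signature).
IPS_SIGNATURES = [re.compile(r"^beacon id=\d+ cmd=")]

def intrusion_prevention(pkt):
    if pkt["direction"] == "egress" and any(s.match(pkt["payload"]) for s in IPS_SIGNATURES):
        return "c2-beacon"
    return None

# Engine 3: semantic engine, a token lexicon rather than exact strings, so
# reordered or re-spaced SQL/XSS fragments still score.
SQL_LEXICON = {"or", "and", "union", "select", "--", "'"}
XSS_LEXICON = {"<script", "onerror", "javascript:"}

def semantic_engine(pkt):
    tokens = set(re.findall(r"'|--|<script|[a-z:]+", pkt["payload"].lower()))
    if len(tokens & SQL_LEXICON) >= 2:
        return "sqli-semantic"
    if tokens & XSS_LEXICON:
        return "xss-semantic"
    return None

def detect_attacks(traffic):
    """Step S300: every engine sees every record; any verdict puts the record
    into the attack data set together with the engines' verdicts."""
    attacks = []
    for pkt in traffic:
        verdicts = [v for v in (app_firewall(pkt), intrusion_prevention(pkt),
                                semantic_engine(pkt)) if v]
        if verdicts:
            attacks.append({**pkt, "verdicts": verdicts})
    return attacks

def split_interception_data(attacks):
    """Steps S510-S530: ingress attacks are the first interception data; flagged
    exit traffic from a host that the first-stage data shows under attack is the
    associated second interception data (the attack is already inside)."""
    first = [a for a in attacks if a["direction"] == "ingress"]
    targeted = {a["dst"] for a in first}
    second = [a for a in attacks if a["direction"] == "egress" and a["src"] in targeted]
    return first, second

def build_blocking_packet(first, second):
    """Step S600: one blocking packet with both stages' blocking actions and the
    feature codes (engine verdicts) that justify them."""
    return {
        "block_external": sorted({a["src"] for a in first}),     # drop at the perimeter
        "isolate_internal": sorted({a["src"] for a in second}),  # cut off compromised hosts
        "feature_codes": sorted({v for a in first + second for v in a["verdicts"]}),
    }

def run_pipeline(traffic=SAMPLE_TRAFFIC):
    """Steps S300-S600 end to end on the constructed data set."""
    first, second = split_interception_data(detect_attacks(traffic))
    return build_blocking_packet(first, second)
```

Record 5 (ordinary exit traffic from a targeted host) shows why the stage rule needs an engine verdict as well as the association with first-stage data: it is neither flagged nor isolated.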
Further, the present application further includes:
step S810: carrying out feature analysis on the attack data set to acquire attack data features;
step S820: connecting the attack interception equipment to collect data and acquire a historical attack data set;
step S830: carrying out attack identification in the historical attack data set according to the attack data features to obtain the attack repetition rate;
step S840: generating early warning reminder information according to the attack repetition rate.
Specifically, the attack interception equipment is connected to collect data and obtain a historical attack data set, and attack identification is carried out in the historical attack data set according to the attack data features to obtain the attack repetition rate. The historical attack data set is traced back over a period of time, such as three months or another period, and the threat intelligence is analysed in depth; if several attack types occur within that period, they are marked as key identifications for early warning. The historical attack data set should also contain attributes such as the attack type, attack time, attack region and the industry to which the attacked unit belongs, which gives convenience and accuracy when early warning information is generated and attacks are handled. The early warning reminder information is obtained from the attack repetition rate data, so that the strength of the early warning follows the repetition rate.
Further, step S810 of the present application further includes:
step S811: performing feature analysis on the attack data set to obtain a plurality of attack attribute features, wherein the attack attribute features comprise basic attribute features, asset attribute features, attack type features and attack target features;
step S812: performing attack similarity calculation on the historical attack data set by using the plurality of attack attribute characteristics, and outputting attack characteristic similarity;
step S813: outputting N attacks whose attack feature similarity is larger than the preset feature similarity, and acquiring the attack repetition rate based on the proportion of the N attacks to the total number of attacks in the historical attack data set.
Specifically, the plurality of attack attribute features comprise a basic attribute feature, an asset attribute feature, an attack type feature and an attack target feature. The basic attribute feature refers to basic attributes such as the home location, the operator used at the home location and the attack time; the asset attribute feature refers to attributes of the attacked asset in the attack data set, such as asset tags, component tags and open ports; the attack type feature refers to the code features of the attack type, such as those of XSS attacks, CSRF attacks, SQL injection and man-in-the-middle attacks; the attack target feature refers to the target the attacker is going after, such as an attack on a financial system, an attack on the whole website or an intrusion into the whole server. Attack similarity calculation is then carried out on the historical attack data set using the plurality of attack attribute features, and the attack feature similarity is output: the attack attribute features and related data are compared horizontally and vertically to obtain the similarity between the data to be analysed and the historical attacks, the results are classified, and the attacks whose similarity exceeds the preset value are taken out to obtain their proportion of the attack quantity in the historical attack data set. Here the attack similarity preset value refers to the proportion of the plurality of attributes that agree between the N attacks; for example, if more than fifty percent agree, the attacks are regarded as similar. The attack repetition rate data is obtained from this proportion.
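A worked rendering of steps S811 to S813 and S840 as added example code, not part of the patent: similarity is the share of compared attributes on which two attacks agree, N counts the historical attacks above the fifty percent preset value within a three-month look-back, and the repetition rate N over the total drives the early-warning strength. The record fields, the use of attack time only for the look-back window, the sample records and the warning cut-offs are assumptions.

```python
"""Attack repetition rate from attribute similarity (steps S811 to S813, S840)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AttackRecord:
    """One entry of the attack data set or of the historical attack data set."""
    home_location: str     # basic attribute features: home location, operator, time
    operator: str
    attack_time: datetime
    asset_tag: str         # asset attribute features: asset tag, component tag, port
    component_tag: str
    open_port: int
    attack_type: str       # attack type feature, e.g. "sqli", "xss", "csrf", "mitm"
    attack_target: str     # attack target feature, e.g. "financial_system"

# Attributes compared one by one. Assumption: attack_time is not compared for
# equality but used to trace the history back over the look-back window.
COMPARED_ATTRIBUTES = ("home_location", "operator", "asset_tag", "component_tag",
                       "open_port", "attack_type", "attack_target")

def attribute_similarity(a: AttackRecord, b: AttackRecord) -> float:
    """Share of compared attributes on which the two attacks agree (0.0 to 1.0)."""
    matches = sum(getattr(a, f) == getattr(b, f) for f in COMPARED_ATTRIBUTES)
    return matches / len(COMPARED_ATTRIBUTES)

def repetition_rate(new_attack: AttackRecord, history: list, now: datetime,
                    threshold: float = 0.5, days: int = 90) -> tuple:
    """(N, total, N/total) over the look-back window; N = attacks strictly above threshold."""
    start = now - timedelta(days=days)
    window = [h for h in history if start <= h.attack_time <= now]
    n_similar = sum(1 for h in window if attribute_similarity(new_attack, h) > threshold)
    return n_similar, len(window), (n_similar / len(window) if window else 0.0)

def warning_level(rate: float) -> str:
    """Early-warning strength scaled by the repetition rate (cut-offs are assumptions)."""
    if rate >= 0.5:
        return "high"
    if rate >= 0.25:
        return "medium"
    return "low" if rate > 0.0 else "none"

def early_warning(new_attack: AttackRecord, history: list, now: datetime,
                  threshold: float = 0.5, days: int = 90) -> dict:
    """Early warning reminding information for one newly detected attack."""
    n_similar, total, rate = repetition_rate(new_attack, history, now, threshold, days)
    return {"attack_type": new_attack.attack_type, "similar_attacks": n_similar,
            "attacks_in_window": total, "repetition_rate": round(rate, 3),
            "lookback_days": days, "level": warning_level(rate)}

# Constructed sample data (not from the patent): a new SQL injection against a
# financial system and a small historical attack data set to compare it with.
NOW = datetime(2022, 12, 29, 12, 0)
NEW_ATTACK = AttackRecord("Region-A", "Operator-1", NOW, "web-portal", "nginx", 443,
                          "sqli", "financial_system")

def _hist(days_ago: int, **changes) -> AttackRecord:
    base = dict(home_location="Region-A", operator="Operator-1",
                attack_time=NOW - timedelta(days=days_ago), asset_tag="web-portal",
                component_tag="nginx", open_port=443, attack_type="sqli",
                attack_target="financial_system")
    base.update(changes)
    return AttackRecord(**base)

HISTORY = [
    _hist(3),                                                     # 7/7 attributes agree
    _hist(20, operator="Operator-2"),                             # 6/7
    _hist(45, attack_type="xss", attack_target="whole_website"),  # 5/7, still above 0.5
    _hist(60, home_location="Region-B", operator="Operator-3", asset_tag="mail",
          component_tag="postfix", open_port=25),                 # 2/7, not similar
    _hist(120),                                                   # identical, outside 90 days
]
```

Calling `early_warning(NEW_ATTACK, HISTORY, NOW)` reports three of the four attacks in the window as similar, a repetition rate of 0.75 and a "high" level; widening the window to 365 days pulls the older identical attack back in.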
Embodiment two
Based on the same inventive concept as the method for intelligent monitoring and blocking of retrieval threat information in the foregoing embodiment, as shown in Fig. 4, the present application provides a system for intelligent monitoring and blocking of retrieval threat information, the system comprising:
the flow monitoring data set acquisition module 10 is used for connecting a flow monitoring system of a target network, monitoring network access flow and network exit flow, and acquiring a network flow monitoring data set;
the flow monitoring data set uploading module 20 is configured to upload the network flow monitoring data set to the intelligence monitoring platform, where the intelligence monitoring platform is built with a plurality of detection modules, and the plurality of detection modules include an application firewall, an intrusion prevention system and a semantic detection engine;
the attack data set acquisition module 30 is used for carrying out attack detection on the network traffic monitoring data set according to the application firewall, the intrusion prevention system and the semantic detection engine, and outputting an attack data set;
the attack data set input module 40 is used for inputting the attack data set into the attack interception device;
the interception data acquisition module 50 is configured to acquire first interception data and second interception data according to the attack interception device, where the second interception data is associated interception data based on the first interception data;
the attack blocking module 60 is configured to generate a blocking data packet according to the first interception data and the second interception data, and to implement attack blocking according to the blocking data packet.
Further, the system further comprises:
the data set input module is used for inputting the attack data set into the attack interception equipment, wherein the attack interception equipment is in communication connection with a plurality of servers and a plurality of clients;
the server communication mode acquisition module is used for acquiring server communication modes of the plurality of servers;
a client communication mode acquisition module, configured to acquire client communication modes of the plurality of clients;
the interception instruction issuing module is used for issuing a server interception instruction and a client interception instruction according to the server communication mode and the client communication mode;
and the interception module is used for intercepting based on the server interception instruction and the client interception instruction.
Further, the system further comprises:
the information data generation module is used for generating information data according to the attack data set;
the information source library acquisition module is used for acquiring a preset information source library and connecting the preset information source library to the attack interception equipment;
the tracing and searching module is used for tracing and searching the information data based on the preset information source library to acquire the data source corresponding to the information data;
and the matching module is used for matching according to the data source to which the information data belongs, to obtain a matching interception grade.
Further, the system further comprises:
a preset information source library configuration module for configuring the preset information source library, wherein the preset information source library comprises a plurality of information sources;
the protection level analysis module is used for carrying out protection level analysis on each information source in the preset information source library to obtain a plurality of information source protection levels, and the plurality of information source protection levels are in one-to-one correspondence with the plurality of information sources;
the attack interception level generation module is used for generating a plurality of attack interception levels according to the plurality of information source protection levels;
and the optimizing module is used for optimizing the preset information source library according to the attack interception levels.
Further, the system further comprises:
the real-time interception module is used for intercepting in real time according to the attack interception equipment and outputting the first interception data;
the interception related instruction acquisition module is used for judging, according to the first interception data, the real-time stage the attack is in, and for acquiring an interception related instruction if the attack in the first interception data is in the second stage;
and the associated data interception module is used for intercepting associated data according to the associated interception instruction and acquiring the second interception data.
Further, the system further comprises:
the characteristic analysis module is used for carrying out characteristic analysis on the attack data set to acquire attack data characteristics;
the data acquisition module is used for connecting the attack interception equipment to acquire data and acquiring a historical attack data set;
the attack recognition module is used for carrying out attack recognition in the historical attack data set according to the attack data characteristics and obtaining the attack repetition rate;
and the early warning reminding information generation module is used for generating early warning reminding information according to the attack repetition rate.
Further, the system further comprises:
the attack attribute feature acquisition module is used for carrying out feature analysis on the attack data set to acquire a plurality of attack attribute features, wherein the attack attribute features comprise basic attribute features, asset attribute features, attack type features and attack target features;
the attack similarity calculation module is used for carrying out attack similarity calculation on the historical attack data set using the plurality of attack attribute features and outputting attack feature similarity;
the attack repetition rate acquisition module is used for outputting N attacks whose attack feature similarity is larger than the preset feature similarity, and for acquiring the attack repetition rate based on the proportion of the N attacks to the total number of attacks in the historical attack data set.
Through the foregoing detailed description of the method for intelligent monitoring and blocking of retrieval threat information, those skilled in the art can clearly understand the method and system of this embodiment; since the device disclosed in this embodiment corresponds to the method disclosed in this embodiment, its description is kept brief, and the relevant points may be found in the description of the method.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A method for intelligent monitoring and blocking of retrieval threat information, wherein the method is applied to an intelligent monitoring platform of threat information, the platform is in communication connection with attack interception equipment, and the method comprises the following steps:
connecting a flow monitoring system of a target network, monitoring network access flow and network exit flow, and acquiring a network flow monitoring data set;
uploading the network flow monitoring data set to the intelligent information monitoring platform, wherein a plurality of detection modules are arranged in the intelligent information monitoring platform, and the detection modules comprise an application firewall, an intrusion prevention system and a semantic detection engine;
according to the application firewall, the intrusion prevention system and the semantic detection engine, carrying out attack detection on the network flow monitoring data set, and outputting an attack data set;
inputting the attack data set into the attack interception device;
acquiring first interception data and second interception data according to the attack interception equipment, wherein the second interception data is associated interception data based on the first interception data;
and generating a blocking data packet according to the first interception data and the second interception data, and realizing attack blocking according to the blocking data packet.
2. The method of claim 1, wherein the method further comprises:
inputting the attack data set into the attack interception device, wherein the attack interception device is in communication connection with a plurality of servers and a plurality of clients;
acquiring server communication modes of the plurality of servers;
acquiring client communication modes of the plurality of clients;
according to the server communication mode and the client communication mode, a server interception instruction and a client interception instruction are issued;
intercepting based on the server interception instruction and the client interception instruction.
3. The method of claim 1, wherein the method further comprises:
generating information data according to the attack data set;
acquiring a preset information source library, and connecting the preset information source library to the attack interception equipment;
tracing the information data based on the preset information source library to acquire the data source corresponding to the information data;
and matching according to the data source to which the information data belongs, to obtain a matching interception grade.
4. A method as claimed in claim 3, wherein the method further comprises:
configuring the preset information source library, wherein the preset information source library comprises a plurality of information sources;
performing protection level analysis on each information source in the preset information source library to obtain a plurality of information source protection levels, wherein the plurality of information source protection levels are in one-to-one correspondence with the plurality of information sources;
generating a plurality of attack interception levels according to the plurality of information source protection levels;
and optimizing the preset information source library according to the attack interception levels.
5. The method of claim 1, wherein the method further comprises:
according to the attack interception equipment, intercepting in real time and outputting the first interception data;
judging, according to the first interception data, the real-time stage the attack is in, and acquiring an interception related instruction if the attack in the first interception data is in the second stage;
and intercepting the associated data according to the interception related instruction to acquire the second interception data.
6. The method of claim 1, wherein the method further comprises:
performing feature analysis on the attack data set to acquire attack data features;
connecting the attack interception equipment to acquire data and acquiring a historical attack data set;
carrying out attack identification in the historical attack data set according to the attack data features, and obtaining an attack repetition rate;
and generating early warning reminding information according to the attack repetition rate.
7. The method of claim 6, wherein performing feature analysis on the attack data set to acquire attack data features further comprises:
performing feature analysis on the attack data set to obtain a plurality of attack attribute features, wherein the attack attribute features comprise basic attribute features, asset attribute features, attack type features and attack target features;
performing attack similarity calculation on the historical attack data set by using the plurality of attack attribute characteristics, and outputting attack characteristic similarity;
and outputting N attacks whose attack feature similarity is larger than the preset feature similarity, and acquiring the attack repetition rate based on the proportion of the N attacks to the total number of attacks in the historical attack data set.
8. A system for intelligent monitoring and blocking of retrieval threat information, wherein the system is applied to an intelligent monitoring platform of threat information, the platform is in communication connection with attack interception equipment, and the system comprises:
the flow monitoring data set acquisition module is used for connecting a flow monitoring system of a target network, monitoring network access flow and network exit flow and acquiring a network flow monitoring data set;
the flow monitoring data set uploading module is used for uploading the network flow monitoring data set to the intelligent information monitoring platform, wherein a plurality of detection modules are arranged in the intelligent information monitoring platform and comprise an application firewall, an intrusion prevention system and a semantic detection engine;
the attack data set acquisition module is used for carrying out attack detection on the network flow monitoring data set according to the application firewall, the intrusion prevention system and the semantic detection engine and outputting an attack data set;
the attack data set input module is used for inputting the attack data set into the attack interception equipment;
the interception data acquisition module is used for acquiring first interception data and second interception data according to the attack interception equipment, wherein the second interception data is associated interception data based on the first interception data;
and the attack blocking module is used for generating a blocking data packet according to the first interception data and the second interception data and realizing attack blocking according to the blocking data packet.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211715580.3A CN116074066B (en) 2022-12-29 2022-12-29 Intelligent monitoring blocking method and system for retrieval threat information

Publications (2)

Publication Number Publication Date
CN116074066A true CN116074066A (en) 2023-05-05
CN116074066B CN116074066B (en) 2023-07-07

Family

ID=86169349

Country Status (1)

Country Link
CN (1) CN116074066B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106131027A (en) * 2016-07-19 2016-11-16 北京工业大学 A kind of exception flow of network based on software defined network detection system of defense
US20180007038A1 (en) * 2016-06-29 2018-01-04 International Business Machines Corporation Monitoring encrypted communication sessions
US10122748B1 (en) * 2015-08-21 2018-11-06 InsCyt, LLC Network protection system and threat correlation engine
CN111641589A (en) * 2020-04-30 2020-09-08 中国移动通信集团有限公司 Advanced sustainable threat detection method, system, computer and storage medium
CN113259356A (en) * 2021-05-21 2021-08-13 北京国联天成信息技术有限公司 Threat intelligence and terminal detection response method and system under big data environment
CN115378647A (en) * 2022-07-15 2022-11-22 中国电子科技集团公司第三十研究所 Policy analysis optimization method and system based on flow rule characteristics

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117439825A (en) * 2023-12-21 2024-01-23 江苏禾冠信息技术有限公司 Network intrusion protection method and system for home router
CN117439825B (en) * 2023-12-21 2024-03-01 江苏禾冠信息技术有限公司 Network intrusion protection method and system for home router

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant