CN116318913A - Identification method and device for externally performing semi-connection scanning by host process - Google Patents


Info

Publication number
CN116318913A
Authority
CN (China)
Prior art keywords
data, connection, host process, access, semi
Legal status
Pending
Application number
CN202310188002.7A
Other languages
Chinese (zh)
Inventors
许祥
余登峰
Current Assignee
CLP Cloud Digital Intelligence Technology Co Ltd
Original Assignee
CLP Cloud Digital Intelligence Technology Co Ltd
Priority date
2023-03-02
Filing date
2023-03-02

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for identifying semi-connection scanning performed externally by a host process. The method comprises the following steps: acquiring the external semi-connection access data of a host process; performing white list filtering on the access data; grouping the current access data, and splicing the access target IP and the access target PORT for each piece of data in each group to obtain spliced IP:PORT data; determining the total external scanning risk score of the host process based on the IP:PORT data; and, based on the risk total score, determining with a configured threshold value whether the host process corresponding to the risk total score performs semi-connection scanning on the outside.

Description

Identification method and device for externally performing semi-connection scanning by host process
Technical Field
The present invention relates to the field of server technologies, and in particular to a method and apparatus for identifying a host process that performs semi-connection scanning externally.
Background
Semi-connected (half-open) network scanning is typically the main scanning method in attacks such as lateral penetration. It is highly concealed, generates no complete TCP session records, and has extremely high scanning performance, so it is very widely used; however, the current detection technology for this scanning behaviour has a number of defects.
Traditional network scanning detection mainly consists of deploying a bypass traffic detection probe at the network boundary. This scheme mainly covers north-south traffic; covering east-west traffic is too costly, and servers in an ordinary machine room are difficult to cover. In addition, detection on the network traffic side cannot accurately identify the attacking process, and it has further problems with security analysis, localization, automatic false-alarm elimination and the like.
The traditional host-side scheme, on the other hand, is limited to approaches such as collecting netstat network snapshots, and can only detect full-connection network scanning on the host. In practice, if half-connection network scanning is initiated externally, or the intranet has few servers, not enough connection records are produced and the detection cannot be completed.
Therefore, there is currently no good solution for identifying that a process on a server is performing semi-connection scanning externally.
Disclosure of Invention
The technical problem to be solved by the invention is how to identify that a process on a server performs semi-connection scanning outwards; in view of this, the present invention provides an identification method and apparatus for semi-connection scanning performed externally by a host process.
The technical scheme adopted by the invention is that the identification method for carrying out semi-connection scanning on the outside of the host process comprises the following steps:
acquiring external semi-connection access data of a host process;
performing white list filtering on the access data;
grouping the current access data, and splicing the access target IP and the access target PORT for each piece of data in each group to obtain spliced IP:PORT data;
based on the IP:PORT data, determining the total external scanning risk score of the host process;
and based on the risk total score, determining whether a host process corresponding to the risk total score has a phenomenon of externally performing semi-connection scanning or not by using a configured threshold value.
In one embodiment, the obtaining the external semi-connection access data of the host process includes:
capturing the external semi-connection access data of the process through eBPF XDP; and/or
acquiring the external semi-connection access data by using a kernel Hook.
In one embodiment, the grouping the current access data, and concatenating the access destination IP and the access destination PORT for each piece of data in each group to obtain the concatenated IP:PORT data, includes:
dividing the data of the same host UUID and the same process ID in the access data into the same group;
and splicing the access target IP and the access target PORT in each piece of data in each group to obtain spliced IP:PORT data.
In one embodiment, the determining the total risk score of the external scanning of the host process based on the IP:PORT data includes:
performing deduplication on the IP:PORT data, and determining the total deduplicated number N;
and carrying out weight calculation processing on N to determine the total external scanning risk score of the host process.
Another aspect of the present invention further provides an identification apparatus for performing a semi-connection scan on an external side of a host process, including:
the acquisition module is configured to acquire external semi-connection access data of the host process;
the filtering module is configured to perform white list filtering on the access data;
the data processing module is configured to group the current access data, and splice the access target IP and the access target PORT for each piece of data in each group to obtain spliced IP:PORT data;
the evaluation module is configured to determine the total external scanning risk score of the host process based on the IP:PORT data;
and the judging module is configured to determine, based on the risk total score and using the configured threshold value, whether the host process corresponding to the risk total score performs half-connection scanning on the outside.
In one embodiment, the acquisition module is further configured to:
capture the external semi-connection access data of the process through eBPF XDP; and/or
acquire the external semi-connection access data by using a kernel Hook.
In one embodiment, the data processing module is further configured to:
divide the data of the same host UUID and the same process ID in the access data into the same group;
and splice the access target IP and the access target PORT in each piece of data in each group to obtain spliced IP:PORT data.
In one embodiment, the evaluation module is further configured to:
perform deduplication on the IP:PORT data, and determine the total deduplicated number N;
and carry out weight calculation processing on N to determine the total external scanning risk score of the host process.
Another aspect of the present invention also provides an electronic device including: memory, a processor and a computer program stored on the memory and executable on the processor, which when executed by the processor, performs the steps of the identification method for a host process to perform a semi-connection scan externally as set forth in any one of the preceding claims.
Another aspect of the present invention also provides a computer storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the identification method for externally performing a semi-connection scan by a host process as set forth in any one of the above.
By adopting the technical scheme, the invention has at least the following advantages:
Through efficient semi-connected network connection data acquisition and the white list, the invention effectively reduces false alarms and improves detection performance, and after grouping, aggregation and risk identification calculation it can accurately identify which process on which host is performing semi-connected network scanning externally. The method solves the problems that the traditional network side is difficult to cover east-west scanning and cannot accurately identify the scanning process, and also solves the problem that the traditional host-side scheme cannot detect a host process performing semi-connected network scanning externally.
Drawings
FIG. 1 is a schematic flow diagram of an identification method for performing a semi-connection scan to the outside by a host process according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a specific implementation framework of an identification method for performing a semi-connection scan to the outside by a host process according to an embodiment of the present invention;
FIG. 3 is a diagram showing the structure of an identification device for performing a semi-connection scan to the outside by a host process according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to further describe the technical means and effects adopted by the present invention for achieving the intended purpose, the following detailed description of the present invention is given with reference to the accompanying drawings and preferred embodiments.
In the drawings, the thickness, size and shape of the object have been slightly exaggerated for convenience of explanation. The figures are merely examples and are not drawn to scale.
It will be further understood that the terms "comprises," "comprising," "includes," "including," "having," "containing," and/or "including," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Furthermore, when a statement such as "at least one of the following" appears after a list of features, the entire list is modified rather than a separate element in the list. Furthermore, when describing embodiments of the present application, the use of "may" means "one or more embodiments of the present application." Also, the term "exemplary" is intended to refer to an example or illustration.
As used herein, the terms "substantially," "about," and the like are used as terms of approximation, not as terms of degree, and are intended to account for inherent deviations in measured or calculated values that would be recognized by one of ordinary skill in the art.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In a first embodiment of the present invention, an identification method for performing semi-connection scanning on the outside of a host process, as shown in fig. 1, includes the following steps:
step S1, obtaining external semi-connection access data of a host process;
s2, performing white list filtering on the access data;
step S3, grouping the current access data, and splicing the access target IP and the access target PORT for each piece of data in each group to obtain spliced IP:PORT data;
step S4, determining the total external scanning risk score of the host process based on the IP:PORT data;
and S5, determining whether a half-connection scanning phenomenon is performed on the outside of a host process corresponding to the risk total score by using a configured threshold value based on the risk total score.
The method provided by the present embodiment will be described in detail below with reference to fig. 2.
Step S1, obtaining external semi-connection access data of a host process;
in this embodiment, obtaining the external semi-connection access data of the host process may further include: capturing the external semi-connection access data of the process through eBPF XDP; and/or collecting the external semi-connection access data by using a kernel Hook.
Specifically, this embodiment hooks the kernel function inet_sock_set_state with Linux eBPF to efficiently collect the half-open network request data that host processes initiate externally; optionally, other modes such as a system kernel Hook may also be used to collect the externally initiated half-open network request data, which is not limited in this embodiment.
A probe (hereinafter referred to as an Agent) is deployed on the host to collect semi-connected network data; the Agent is divided into a kernel-mode Agent and a user-mode Agent. The kernel-mode Agent is implemented with Linux eBPF, is loaded into the host kernel, and monitors the kernel function inet_sock_set_state in real time (the function is called on every network connection state change, and its parameters include old_state and new_state). When the function is called, the half-connection data acquisition logic is executed, as follows:
1) Only the connection state changes CLOSED -> SYN_SENT and SYN_SENT -> ESTABLISHED are of interest: CLOSED -> SYN_SENT represents a change from the closed to the semi-connected state, and SYN_SENT -> ESTABLISHED represents a change from the semi-connected to the fully connected state;
2) When a process initiates a network connection, the connection state changes from CLOSED to SYN_SENT, i.e. the semi-connected state, and the information of the network connection is collected: process PID, process name, process path, process command line parameters, process UID, process EUID, process GID, parent process PID, parent process name, parent process path, parent process UID, parent process EUID, parent process GID, source IP, source port, target IP, target port and protocol type. The collected network connection information is stored in eBPF map A, keyed by the network five-tuple (source IP, source port, target IP, target port, protocol type), and the network five-tuple itself is stored in eBPF map B;
3) When the network connection state changes from SYN_SENT to ESTABLISHED, the connection has been established; the network connection data stored in eBPF map A under the five-tuple key (source IP, source port, target IP, target port, protocol type) is deleted, so that fully connected network connection data is removed and only half-connected network connection data is retained;
4) The user-mode Agent acquires the network five-tuple information from eBPF map B in real time. Once a minute it uses each network five-tuple as a key to look up the semi-connected network connection information in eBPF map A; if found, it stores that information in a cache and deletes the record from eBPF map A. It then traverses the cache, aggregates the data with process PID + process name + target IP + target port as the key, and reports the data to a data analysis platform such as Flink or Spark.
It can be understood that, compared with the current mainstream schemes, which monitor the connect system call (Linux kaudit) or periodically collect network connection data in the SYN_SENT/ESTABLISHED states from the system, this scheme accurately acquires only network connection data in the half-connection state, excluding full-connection data, and it supports short-lived connections well, with a low miss rate, low system intrusiveness and low system resource consumption.
S2, performing white list filtering on the access data;
in this embodiment, the network connection data including semi-connections collected in real time on the host side can be consumed and computed by a data analysis platform such as Flink or Spark. First, white list matching is performed to reduce false alarms and improve overall computation performance; the white list supports user-defined configuration or is issued automatically from an alarm. The scheme supports white list filtering on fields such as IP, network segment, IP type (intranet or Internet), IP geographic location, port, process name, process MD5 and process path. Data that matches the white list is ignored directly and does not enter the subsequent detection logic.
Step S3, grouping the current access data, and splicing the access target IP and the access target PORT for each piece of data in each group to obtain spliced IP:PORT data;
in this embodiment, grouping the current access data and splicing the access target IP and the access target PORT for each piece of data in each group to obtain the spliced IP:PORT data further includes: dividing the data of the same host UUID and the same process ID in the access data into the same group; and splicing the access target IP and the access target PORT in each piece of data in each group to obtain spliced IP:PORT data.
That is, the grouping aggregation logic may group according to the host UUID and the process ID; alternatively, this embodiment may support grouping by process path, parent process path, process name, parent process name and the like. Network connection data with the same host UUID and the same process ID enters one group, and then, for each piece of data in the group, the access target IP and the access target PORT are spliced to produce the spliced IP:PORT data.
Step S4, determining the total external scanning risk score of the host process based on the IP:PORT data;
in this embodiment, determining the total external scanning risk score of the host process based on the IP:PORT data further includes: performing deduplication on the IP:PORT data, and determining the total deduplicated number N; and carrying out weight calculation processing on N to determine the total external scanning risk score of the host process.
In some embodiments, deduplication statistics are performed on the IP:PORT data produced by splicing within the group, giving the total deduplicated count N; optionally, all deduplicated IP:PORT values in the group may be combined and spliced to calculate the information entropy or other features. The total external scanning risk score of the host process is then calculated from all the features according to their weights.
And S5, determining whether a half-connection scanning phenomenon is performed on the outside of a host process corresponding to the risk total score by using a configured threshold value based on the risk total score.
Illustratively, the process is considered to be performing outward network scanning, including semi-connected network scanning, if the total score is greater than or equal to a threshold (default 300), and is not considered to be scanning if the total score is less than the threshold. The threshold value can be customised and adjusted according to the running conditions, or configured after the model has run in a gray-release learning mode for a certain period.
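The collection logic of the kernel-mode and user-mode Agent (steps 1 to 4 above) and the grouping, deduplication, scoring and threshold steps S3 to S5, simulated end to end as an added example; this is not code from the patent or its assignee. It models the two eBPF maps as Python containers, feeds constructed inet_sock_set_state transitions, and assumes a flat weight of 10 points per distinct IP:PORT, since the page does not give the weight calculation.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLOSED, SYN_SENT, ESTABLISHED = "CLOSED", "SYN_SENT", "ESTABLISHED"  # states seen by inet_sock_set_state

@dataclass(frozen=True)
class FiveTuple:          # key of both eBPF maps
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class ConnInfo:           # subset of the fields the kernel-mode Agent records
    host_uuid: str
    pid: int
    comm: str
    ft: FiveTuple

class HalfOpenTracker:
    """Mirror of the kernel-mode Agent: map A holds ConnInfo keyed by five-tuple,
    map B holds the five-tuples. SYN_SENT->ESTABLISHED deletes from map A, so a
    map-B key that still resolves in map A at drain time is a half-open connection."""
    def __init__(self):
        self.map_a = {}
        self.map_b = set()

    def on_state_change(self, old_state, new_state, info):
        if old_state == CLOSED and new_state == SYN_SENT:
            self.map_a[info.ft] = info
            self.map_b.add(info.ft)
        elif old_state == SYN_SENT and new_state == ESTABLISHED:
            self.map_a.pop(info.ft, None)  # handshake completed: not a half-open record
        # all other transitions are ignored, as in step 1) of the collection logic

    def drain(self):
        """User-mode Agent pass (once a minute on the page): resolve map-B keys in
        map A, keep the hits, delete them from map A, and clear map B."""
        half_open = [self.map_a.pop(ft) for ft in self.map_b if ft in self.map_a]
        self.map_b.clear()
        return half_open

def whitelist_filter(records, allowed_nets=(), allowed_ports=(), allowed_comms=()):
    """Step S2: a record matching any whitelist field is dropped before scoring."""
    nets = [ip_network(n) for n in allowed_nets]
    return [r for r in records
            if r.comm not in allowed_comms and r.ft.dport not in allowed_ports
            and not any(ip_address(r.ft.daddr) in n for n in nets)]

def group_and_splice(records):
    """Step S3: group by (host UUID, PID); splice each record into 'IP:PORT'."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.host_uuid, r.pid)].append(f"{r.ft.daddr}:{r.ft.dport}")
    return groups

def risk_score(ip_ports, weight_per_target=10.0):
    """Step S4: N = number of distinct IP:PORT strings, then weighted. The page
    gives no weights; 10 points per distinct target is this example's assumption."""
    return len(set(ip_ports)) * weight_per_target

def detect(records, threshold=300.0):
    """Steps S3-S5: {(host_uuid, pid): (score, scanning?)} with the default 300 cut-off."""
    scored = {k: risk_score(v) for k, v in group_and_splice(records).items()}
    return {k: (s, s >= threshold) for k, s in scored.items()}

def run_pipeline(events, allowed_comms=("backup-agent",), threshold=300.0):
    """S1-S5 over a list of (old_state, new_state, ConnInfo) transitions."""
    tracker = HalfOpenTracker()
    for old, new, info in events:
        tracker.on_state_change(old, new, info)
    return detect(whitelist_filter(tracker.drain(), allowed_comms=allowed_comms), threshold)

def build_sample_events():
    """Constructed state transitions for one host (sample data, not captured traffic)."""
    host, ev = "host-uuid-0001", []
    # pid 4242 sends SYNs to 40 hosts on 445 and none complete; two targets are
    # retried from a new source port (new five-tuple, same IP:PORT -> deduplicated).
    for i in list(range(1, 41)) + [1, 2]:
        ft = FiveTuple("10.0.0.9", 40000 + len(ev), f"10.0.0.{i}", 445)
        ev.append((CLOSED, SYN_SENT, ConnInfo(host, 4242, "scanner", ft)))
    # pid 1001 makes one ordinary HTTPS connection that reaches ESTABLISHED.
    ft = FiveTuple("10.0.0.9", 50001, "10.0.1.5", 443)
    ev.append((CLOSED, SYN_SENT, ConnInfo(host, 1001, "curl", ft)))
    ev.append((SYN_SENT, ESTABLISHED, ConnInfo(host, 1001, "curl", ft)))
    # pid 2002 probes 50 hosts on 22 but is a whitelisted backup job (by process name).
    for i in range(1, 51):
        ft = FiveTuple("10.0.0.9", 42000 + i, f"10.0.2.{i}", 22)
        ev.append((CLOSED, SYN_SENT, ConnInfo(host, 2002, "backup-agent", ft)))
    return ev

if __name__ == "__main__":
    for (uuid, pid), (score, flagged) in run_pipeline(build_sample_events()).items():
        print(f"{uuid} pid={pid} score={score:.0f} scanning={flagged}")
```

With the sample data only pid 4242 survives: the completed curl connection is removed by the ESTABLISHED transition, the backup job is removed by the white list, and the 42 scanner records collapse to 40 distinct targets, scoring 400 against the 300 threshold.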
In this embodiment, when a host-side process is identified as performing external semi-connection or other network scanning, an alarm is generated; at this point automatic interception can optionally be enabled, which automatically terminates the abnormal process. If the alarm is chosen to be ignored, the white list engine supports automatic generation of a white list policy, and the automatically generated policy also supports selecting and combining fields such as IP, network segment, IP type (intranet or Internet), IP geographic location, port, process name, process MD5 and process path.
Compared with the prior art, the embodiment has at least the following advantages:
1) In this embodiment, the external half-connection network connection data of the host process is collected through an eBPF hook on the kernel function inet_sock_set_state;
2) According to the embodiment, false alarm is effectively reduced and detection performance is improved through the white list;
3) After the risk identification calculation after grouping and aggregation, the embodiment can accurately identify which process on which host computer is performing semi-connected network scanning outwards.
In summary, the embodiment can be used for alleviating the problems that the traditional network side is difficult to cover east-west scanning and cannot accurately identify the scanning process, and can also improve the problem that the traditional host machine cannot cover the host machine process to externally detect the semi-connected network scanning abnormality.
The second embodiment of the present invention, corresponding to the first embodiment, introduces an identification device for performing semi-connection scanning on the outside of a host process, as shown in fig. 3, and includes the following components:
the acquisition module is configured to acquire external semi-connection access data of the host process;
the filtering module is configured to perform white list filtering on the access data;
the data processing module is configured to group the current access data, and splice the access target IP and the access target PORT for each piece of data in each group to obtain spliced IP:PORT data;
the evaluation module is configured to determine the total external scanning risk score of the host process based on the IP:PORT data;
and the judging module is configured to determine, based on the risk total score and using the configured threshold value, whether the host process corresponding to the risk total score has the phenomenon of externally performing semi-connection scanning.
In one embodiment, the acquisition module is further configured to:
capture the external semi-connection access data of the process through eBPF XDP; and/or
acquire the external semi-connection access data by using a kernel Hook.
In one embodiment, the data processing module is further configured to:
divide the data of the same host UUID and the same process ID in the access data into the same group;
and splice the access target IP and the access target PORT in each piece of data in each group to obtain spliced IP:PORT data.
In one embodiment, the evaluation module is further configured to:
perform deduplication on the IP:PORT data, and determine the total deduplicated number N;
and carry out weight calculation processing on N to determine the total external scanning risk score of the host process.
A third embodiment of the present invention, as shown in fig. 4, is an electronic device, which can be understood as a physical device, including a processor and a memory storing processor-executable instructions, which when executed by the processor, perform the following operations:
step S1, obtaining external semi-connection access data of a host process;
s2, performing white list filtering on the access data;
step S3, grouping the current access data, and splicing the access target IP and the access target PORT for each piece of data in each group to obtain spliced IP:PORT data;
step S4, determining the total external scanning risk score of the host process based on the IP:PORT data;
and S5, determining whether the host process corresponding to the risk total score has the phenomenon of externally performing semi-connection scanning or not by utilizing the configured threshold value based on the risk total score.
In the fourth embodiment of the present invention, the process of the identification method for performing the semi-connection scanning by the host process is the same as that of the first, second or third embodiment, and the difference is that in engineering implementation, the present embodiment may be implemented by means of software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation. Based on such understanding, the method of the present invention may be embodied in the form of a computer software product stored on a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) comprising instructions for causing an apparatus to perform the method of the embodiments of the present invention.
While the invention has been described in connection with specific embodiments thereof, it is to be understood that the invention is not limited thereto, and that changes within its spirit and scope are included.

Claims (10)

1. An identification method for performing semi-connection scanning on the outside of a host process, which is characterized by comprising the following steps:
acquiring external semi-connection access data of a host process;
performing white list filtering on the access data;
grouping the current access data, and splicing the access target IP and the access target PORT for each piece of data in each group to obtain spliced IP:PORT data;
based on the IP:PORT data, determining the total external scanning risk score of the host process;
and based on the risk total score, determining whether a host process corresponding to the risk total score has a phenomenon of externally performing semi-connection scanning or not by using a configured threshold value.
2. The method for identifying a half-connection scan of a host process according to claim 1, wherein the obtaining the external half-connection access data of the host process comprises:
capturing the external semi-connection access data of the process through eBPF XDP; and/or
acquiring the external semi-connection access data by using a kernel Hook.
3. The method for identifying a half-connection scan of a host process according to claim 1, wherein grouping the current access data, and concatenating the access destination IP with the access destination PORT for each piece of data in each group to obtain the concatenated IP:PORT data, comprises:
dividing the data of the same host UUID and the same process ID in the access data into the same group;
and splicing the access target IP and the access target PORT in each piece of data in each group to obtain spliced IP:PORT data.
4. The method for identifying a half-connection scan performed by a host process according to claim 1, wherein determining the total risk score of the host process for external scanning based on the IP:PORT data comprises:
performing deduplication on the IP:PORT data, and determining the total deduplicated number N;
and carrying out weight calculation processing on N to determine the total external scanning risk score of the host process.
5. An identification device for half-connection scanning performed externally by a host process, comprising:
an acquisition module configured to acquire the external half-connection access data of the host process;
a filtering module configured to perform white-list filtering on the access data;
a data processing module configured to group the current access data and to splice the access destination IP and the access destination PORT of each piece of data in each group to obtain the spliced IP:PORT data;
an evaluation module configured to determine the total external scanning risk score of the host process based on the IP:PORT data;
and a judging module configured to determine, based on the risk total score and a configured threshold value, whether the host process corresponding to the risk total score is performing half-connection scanning externally.
6. The method of claim 5, wherein the acquisition module is further configured to:
capture the external half-connection access data of the process by means of eBPF XDP; and/or
acquire the external half-connection access data by means of a kernel hook.
7. The method of claim 5, wherein the data processing module is further configured to:
divide the data having the same host UUID and the same process ID in the access data into the same group;
and splice the access destination IP and the access destination PORT of each piece of data in each group to obtain the spliced IP:PORT data.
8. The method of claim 5, wherein the evaluation module is further configured to:
perform deduplication on the IP:PORT data and determine the total number N remaining after deduplication;
and perform a weighted calculation on N to determine the total external scanning risk score of the host process.
9. An electronic device, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the method for identifying a half-connection scan performed externally by a host process as claimed in any one of claims 1 to 4.
10. A computer storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method for identifying a half-connection scan performed externally by a host process as claimed in any one of claims 1 to 4.
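The pipeline the claims describe (white-list filtering, grouping by host UUID and process ID, splicing IP:PORT, deduplicating, weighting the distinct count N and comparing against a configured threshold) is shown below as an added example written for this page; it is not the patent's own code. The record layout, the whitelist format and the linear-with-cap weighting are assumptions, since the claims leave them unspecified, and the input records are constructed by hand to stand in for what an eBPF XDP or kernel-hook collector would emit.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRecord:
    """One outbound half-connection (SYN) attempt attributed to a process.
    Field names are an assumption, not the patent's schema."""
    host_uuid: str
    pid: int
    dst_ip: str
    dst_port: int


# Constructed sample input, not real telemetry.
SAMPLE_RECORDS = [
    # pid 4242 on host A touches 30 hosts on port 22 plus 4 ports on one host
    *[AccessRecord("host-A", 4242, "10.0.0.%d" % i, 22) for i in range(1, 31)],
    *[AccessRecord("host-A", 4242, "10.0.0.5", p) for p in (80, 443, 8080, 3306)],
    # a repeated destination must be counted only once after deduplication
    AccessRecord("host-A", 4242, "10.0.0.1", 22),
    # pid 100 hammers a whitelisted monitoring endpoint: filtered out entirely
    *([AccessRecord("host-A", 100, "10.0.0.250", 9100)] * 50),
    # pid 7 on host B makes two ordinary connections
    AccessRecord("host-B", 7, "10.0.1.8", 443),
    AccessRecord("host-B", 7, "10.0.1.9", 443),
]

# Assumed whitelist format: (destination IP, destination port) pairs to ignore.
WHITELIST = {("10.0.0.250", 9100)}


def apply_whitelist(records):
    """Drop records whose destination is on the whitelist."""
    return [r for r in records if (r.dst_ip, r.dst_port) not in WHITELIST]


def group_and_splice(records):
    """Group by (host UUID, process ID); each group holds spliced 'ip:port' strings."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.host_uuid, r.pid)].append(f"{r.dst_ip}:{r.dst_port}")
    return groups


def risk_score(spliced, weight=2.5, cap=100.0):
    """Deduplicate the ip:port strings and weight the distinct count N.
    The claims only say 'weighted calculation'; linear with a cap is assumed."""
    n = len(set(spliced))
    return min(cap, n * weight)


def detect_scanners(records, threshold=50.0):
    """Return {(host_uuid, pid): score} for every group at or above the threshold."""
    groups = group_and_splice(apply_whitelist(records))
    return {k: s for k, v in groups.items() if (s := risk_score(v)) >= threshold}
```

Running `detect_scanners(SAMPLE_RECORDS)` flags only `("host-A", 4242)`: its 34 distinct destinations score 85.0, the whitelisted process never reaches scoring, and the two-connection process scores 5.0.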
CN202310188002.7A 2023-03-02 2023-03-02 Identification method and device for externally performing semi-connection scanning by host process Pending CN116318913A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310188002.7A CN116318913A (en) 2023-03-02 2023-03-02 Identification method and device for externally performing semi-connection scanning by host process

Publications (1)

Publication Number Publication Date
CN116318913A true CN116318913A (en) 2023-06-23

Family

ID=86786262

Country Status (1)

Country Link
CN (1) CN116318913A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination