CN116980221A - Traffic monitoring methods, devices, equipment and media based on cyberspace shooting range - Google Patents


Info

Publication number: CN116980221A
Application number: CN202311052106.1A
Authority: CN (China)
Prior art keywords: traffic, network security, data, flow, security event
Legal status: Pending (as listed by Google Patents)
Other languages: Chinese (zh)
Inventors: 林文辉, 杨树强, 陶莎
Current assignee: Peng Cheng Laboratory
Original assignee: Peng Cheng Laboratory
Application filed by Peng Cheng Laboratory
Priority to CN202311052106.1A
Publication of CN116980221A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a traffic monitoring method, apparatus, device and medium based on a cyber range. The traffic monitoring method includes: obtaining a network security event from the security event database of the cyber range; obtaining feature data of the network security event; and, based on the feature data, querying the traffic database of the cyber range for the traffic data corresponding to the network security event, where the traffic database stores the full-traffic mirror data of network security events that occurred in the cyber range. The disclosed embodiments ensure that the monitored data traffic is complete, thereby improving the accuracy of using data traffic to determine the status of the traffic collection and storage devices. The disclosed embodiments can be applied to network security, communication security, and the like.

Description

Traffic monitoring method, apparatus, device and medium based on a cyber range

Technical field

The present disclosure relates to the field of network security, and in particular to a traffic monitoring method, apparatus, device and medium based on a cyber range.

Background

Traffic data is an important part of analysing the network security events that occur in a cyber range. To guarantee that traffic is collected correctly and completely, the traffic has to be monitored so that the traffic collection and storage devices can be confirmed to be in a normal state.

In the prior art, network traffic data is generally monitored by watching the traffic-collection configuration status of the cyber range's traffic collection devices and traffic mirroring devices. However, because a cyber range has a very large number of nodes and complex topological relationships, even when some collection nodes have failed or part of the upstream or downstream network is blocked, the traffic collection devices can still collect traffic data through the nodes that have not failed and the network connections that are not blocked. Traffic data monitored in this way may therefore be incomplete, and cannot show that the traffic collection and storage devices across the entire cyber range are in a normal state. Consequently, the prior-art traffic monitoring methods cannot accurately reflect whether the traffic collection and storage devices in the cyber range are abnormal.

Summary of the invention

Embodiments of the present disclosure provide a traffic monitoring method, apparatus, device and medium based on a cyber range, which ensure that the monitored data traffic is complete and thereby improve the accuracy of using data traffic to determine the status of the traffic collection and storage devices.

According to one aspect of the present disclosure, a traffic monitoring method based on a cyber range is provided, including:

obtaining a network security event from the security event database of the cyber range;

obtaining feature data of the network security event;

based on the feature data, querying the traffic database of the cyber range for the traffic data corresponding to the network security event, where the traffic database stores the full-traffic mirror data of the network security event as it occurred in the cyber range.

According to one aspect of the present disclosure, a traffic monitoring apparatus based on a cyber range is provided, including:

a first acquisition unit, configured to obtain a network security event from the security event database of the cyber range;

a second acquisition unit, configured to obtain feature data of the network security event;

a first query unit, configured to query, based on the feature data, the traffic database of the cyber range for the traffic data corresponding to the network security event, where the traffic database stores the full-traffic mirror data of the network security event as it occurred in the cyber range.

Optionally, the first acquisition unit is specifically configured to:

determine a monitoring period and a monitoring duration;

according to the monitoring period, determine a monitoring time interval from the monitoring duration;

randomly sample, from the security event database of the cyber range, a predetermined number of network security events that occurred within the monitoring time interval.

Optionally, the feature data includes the source address, source port, destination address, destination port, virtual LAN (VLAN) identifier and timestamp of the network security event.

Optionally, the traffic database contains multiple traffic interfaces, each traffic interface corresponding to one network security event; each traffic interface contains a traffic start time, a traffic end time and a traffic parameter group, and the traffic parameter group contains a traffic VLAN identifier, a traffic source address, a traffic source port, a traffic destination address and a traffic destination port;

the first query unit is specifically configured to:

determine candidate traffic interfaces in the traffic database based on the traffic start time, the traffic end time and the timestamp;

determine, among the candidate traffic interfaces, the target traffic interface corresponding to the network security event based on whether the source address matches the traffic source address, the source port matches the traffic source port, the destination address matches the traffic destination address, the destination port matches the traffic destination port, and the VLAN identifier matches the traffic VLAN identifier;

return the traffic data of the network security event from the target traffic interface.

Optionally, the network security event includes an event identifier;

the feature data includes forward feature data and reverse feature data;

the second acquisition unit is specifically configured to:

retrieve, from the security event database by the event identifier, the source address, source port, destination address, destination port, VLAN identifier and timestamp of the network security event;

combine the source address, source port, destination address, destination port, VLAN identifier and timestamp into the forward feature data;

take the destination address as the reverse source address, the destination port as the reverse source port, the source address as the reverse destination address and the source port as the reverse destination port;

combine the reverse source address, reverse source port, reverse destination address, reverse destination port, VLAN identifier and timestamp into the reverse feature data.

Optionally, the traffic data includes forward traffic data and reverse traffic data;

the first query unit is specifically configured to:

determine the forward traffic data corresponding to the network security event in the traffic database based on the source address, source port, destination address, destination port, VLAN identifier and timestamp in the forward feature data;

determine the reverse traffic data corresponding to the network security event in the traffic database based on the reverse source address, reverse source port, reverse destination address, reverse destination port, VLAN identifier and timestamp in the reverse feature data.
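The two-stage query described above (narrow by capture window, then match all five parameters) and the forward/reverse feature construction, as an added example written for this page rather than code from the patent or from Peng Cheng Laboratory. The record layouts, sample events and sample traffic records are constructed assumptions that follow the fields the text lists; they are not taken from any real cyber range.

```python
"""Forward/reverse feature data and traffic-database matching (added example).

Illustrative code written for this page, not code from the patent or from
Peng Cheng Laboratory. The record layouts are assumptions that follow the
fields the text lists: the security event carries a 5-tuple, a VLAN id and a
timestamp; each traffic-database record (a "traffic interface") carries a
start time, an end time and the same parameter group.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SecurityEvent:
    event_id: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vlan_id: int
    timestamp: int  # epoch seconds; clocks are NTP-synchronised per the text


@dataclass(frozen=True)
class FeatureData:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vlan_id: int
    timestamp: int


@dataclass(frozen=True)
class TrafficInterface:
    """One traffic-database record: capture window plus the parameter group."""
    start_time: int
    end_time: int
    vlan_id: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    mirror: bytes  # the mirrored traffic data (constructed placeholder bytes)


# Constructed sample security event database, keyed by event identifier.
SECURITY_EVENT_DB = {
    "evt-001": SecurityEvent("evt-001", "10.1.1.5", 51234, "10.2.2.8", 443, 100, 1_700_000_120),
    "evt-002": SecurityEvent("evt-002", "10.1.1.9", 40001, "10.2.2.8", 22, 100, 1_700_000_300),
}

# Constructed sample traffic database. evt-001 has both directions mirrored;
# evt-002 has nothing stored, as when a collection node on its path has failed.
# The third record shares evt-001's 5-tuple but sits on another VLAN and must
# not be matched.
TRAFFIC_DB = [
    TrafficInterface(1_700_000_100, 1_700_000_130, 100, "10.1.1.5", 51234, "10.2.2.8", 443, b"client->server"),
    TrafficInterface(1_700_000_100, 1_700_000_130, 100, "10.2.2.8", 443, "10.1.1.5", 51234, b"server->client"),
    TrafficInterface(1_700_000_100, 1_700_000_130, 200, "10.1.1.5", 51234, "10.2.2.8", 443, b"other vlan"),
]


def forward_features(ev: SecurityEvent) -> FeatureData:
    """Forward feature data: the event's own 5-tuple, VLAN id and timestamp."""
    return FeatureData(ev.src_ip, ev.src_port, ev.dst_ip, ev.dst_port, ev.vlan_id, ev.timestamp)


def reverse_features(ev: SecurityEvent) -> FeatureData:
    """Reverse feature data: source and destination swapped, VLAN and time kept."""
    return FeatureData(ev.dst_ip, ev.dst_port, ev.src_ip, ev.src_port, ev.vlan_id, ev.timestamp)


def candidate_interfaces(db: List[TrafficInterface], timestamp: int) -> List[TrafficInterface]:
    """Stage 1 of the query: keep records whose capture window contains the timestamp."""
    return [ti for ti in db if ti.start_time <= timestamp <= ti.end_time]


def find_interface(db: List[TrafficInterface], feat: FeatureData) -> Optional[TrafficInterface]:
    """Stage 2: among the candidates, match all five parameters exactly."""
    key = (feat.src_ip, feat.src_port, feat.dst_ip, feat.dst_port, feat.vlan_id)
    for ti in candidate_interfaces(db, feat.timestamp):
        if (ti.src_ip, ti.src_port, ti.dst_ip, ti.dst_port, ti.vlan_id) == key:
            return ti
    return None


def query_event_traffic(event_id: str, event_db=SECURITY_EVENT_DB, traffic_db=TRAFFIC_DB) -> dict:
    """Look up the event by id, build both feature sets, and return both directions."""
    ev = event_db[event_id]
    fwd = find_interface(traffic_db, forward_features(ev))
    rev = find_interface(traffic_db, reverse_features(ev))
    return {
        "forward": fwd.mirror if fwd else None,
        "reverse": rev.mirror if rev else None,
        # Only a hit in both directions counts as complete traffic data.
        "complete": fwd is not None and rev is not None,
    }


if __name__ == "__main__":
    for eid in SECURITY_EVENT_DB:
        print(eid, query_event_traffic(eid))
```

The VLAN identifier is part of the match key on purpose: in a range that hosts several exercises at once, the same address and port pair can legitimately appear on more than one VLAN, and matching on the 5-tuple alone would return another exercise's traffic and mask a collection failure.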

Optionally, the second acquisition unit is specifically configured to:

obtain the feature data of the network security event from a fused security event index in the security event database, the fused security event index being generated from a plurality of network security events in the security event database.

Optionally, the traffic database obtains the full-traffic mirror data of the network security event through the following process:

inserting traffic probes at each node of the cyber range;

when the network security event occurs, capturing the traffic data with the traffic probes;

if the traffic probes capture the traffic data at every node involved in the network security event, mirroring the traffic data and storing it in the traffic database to obtain the full-traffic mirror data.

Optionally, the traffic monitoring apparatus further includes:

an alarm initiating unit, configured to raise an alarm event if no traffic data corresponding to the network security event is found;

a second query unit, configured to query the traffic database again for the traffic data corresponding to the network security event after a preset interval, based on the alarm event.
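The storage rule (mirror only when every node captured) and the alarm-then-re-query path above, as an added example written for this page rather than code from the patent or from Peng Cheng Laboratory. It assumes a traffic database keyed by event identifier (the feature-based lookup is reduced to a key match here so the alarm logic stays in focus), probe captures as bytes-or-None per node, and an injectable sleep function; the probe names and event ids are constructed.

```python
"""Full-traffic mirror storage and the alarm/re-query path (added example).

Illustrative code written for this page, not code from the patent or from
Peng Cheng Laboratory. Assumptions: the traffic database is a dict keyed by
event identifier (the feature-based lookup is reduced to a key match here),
each probe's capture is a bytes object or None, and the re-query delay is
passed in together with an injectable sleep function so the logic can be
exercised without real waiting.
"""
import time
from typing import Callable, Dict, List, Optional

TrafficDB = Dict[str, bytes]


def store_full_mirror(traffic_db: TrafficDB, event_id: str,
                      expected_nodes: List[str],
                      captures: Dict[str, Optional[bytes]]) -> bool:
    """Mirror an event's traffic only when every node on its path captured it.

    If any probe returned nothing, nothing is stored: a later query for this
    event then fails, which is exactly the signal the monitoring relies on.
    """
    missing = [node for node in expected_nodes if not captures.get(node)]
    if missing:
        return False
    traffic_db[event_id] = b"".join(captures[node] for node in expected_nodes)
    return True


def monitor_event(traffic_db: TrafficDB, event_id: str, retry_delay_s: float,
                  max_retries: int, sleep: Callable[[float], None] = time.sleep) -> dict:
    """Query the traffic database; on a miss raise an alarm, wait, and re-query.

    Returns the final status, the number of queries made, and the alarms raised.
    """
    alarms: List[str] = []
    attempts = 0
    while True:
        attempts += 1
        if traffic_db.get(event_id) is not None:
            return {"status": "ok", "attempts": attempts, "alarms": alarms}
        alarms.append(f"ALARM: no traffic data for {event_id} (query {attempts})")
        if attempts > max_retries:
            # Still missing after the allowed re-queries: a collection node or
            # link is down and needs manual inspection.
            return {"status": "abnormal", "attempts": attempts, "alarms": alarms}
        sleep(retry_delay_s)


if __name__ == "__main__":
    db: TrafficDB = {}
    nodes = ["probe-A", "probe-B"]  # constructed probe names
    store_full_mirror(db, "evt-001", nodes, {"probe-A": b"a", "probe-B": b"b"})
    store_full_mirror(db, "evt-002", nodes, {"probe-A": b"a", "probe-B": None})
    print(monitor_event(db, "evt-001", 0.0, 2))
    print(monitor_event(db, "evt-002", 0.0, 2))
```

The re-query exists because storage into the traffic database lags the event itself; an event whose mirror arrives between the first query and the retry is reported as normal with one alarm on record, while an event whose mirror never arrives is reported as abnormal after the retry budget is spent.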

According to an aspect of the present disclosure, an electronic device is provided, including a memory and a processor; the memory stores a computer program, and the processor, when executing the computer program, implements the traffic monitoring method described above.

According to an aspect of the present disclosure, a computer-readable storage medium is provided; the storage medium stores a computer program which, when executed by a processor, implements the traffic monitoring method described above.

According to an aspect of the present disclosure, a computer program product is provided, the computer program product including a computer program which is read and executed by the processor of a computer device so that the computer device performs the traffic monitoring method described above.

In the embodiments of the present disclosure, a network security event is obtained from the security event database of the cyber range, the feature data of the network security event is then obtained, and the traffic database of the cyber range is queried by the feature data for the traffic data produced when the network security event occurred. The traffic database stores the full-mirror traffic data of network security events as they occur. If some nodes of the traffic collection devices are abnormal, the traffic data cannot be collected in full, and therefore cannot be mirrored and stored in the traffic database. Consequently, any traffic data found in the traffic database by the feature data of a network security event is necessarily the complete traffic data for that event. If the traffic data produced by the network security event cannot be found in the traffic database by the feature data, some node of the traffic collection and storage devices in the cyber range has failed or some network connection is blocked, and this needs to be checked and repaired as soon as possible. If the traffic data can be found, the traffic collection and storage devices are in a normal state. The embodiments of the present disclosure therefore guarantee that the monitored traffic data is complete, which improves the accuracy of using data traffic to determine the status of the traffic collection and storage devices.

Other features and advantages of the present disclosure will be set forth in the following description and in part will be apparent from the description, or may be learned by practising the disclosure. The objects and other advantages of the disclosure may be realised and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.

Description of the drawings

The drawings are provided to give a further understanding of the technical solution of the present disclosure and form part of the specification; together with the embodiments they serve to explain the technical solution and do not limit it.

Figure 1 is an architecture diagram of a cyber-range traffic monitoring method provided by an embodiment of the present disclosure;

Figure 2 is a flow chart of the cyber-range traffic monitoring method of an embodiment of the present disclosure;

Figure 3 is a detailed flow chart of step 210 in Figure 2;

Figure 4 is an example diagram of determining the monitoring time interval;

Figure 5 is a detailed flow chart of step 230 in Figure 2;

Figure 6 is a detailed flow chart of step 220 in Figure 2;

Figure 7 is a schematic diagram of the forward feature data and reverse feature data of Figure 6;

Figure 8 is a detailed flow chart of step 230 in Figure 2;

Figure 9 is a detailed flow chart of how the traffic database obtains the full-traffic mirror data;

Figure 10 is a detailed flow chart of the case, following Figure 2, in which no traffic data is found;

Figure 11 is an overall flow chart of an embodiment of the present disclosure;

Figure 12 is a structural block diagram of the traffic monitoring apparatus of an embodiment of the present disclosure;

Figure 13 is a structural diagram of the control terminal for the traffic monitoring method shown in Figure 2, according to an embodiment of the present disclosure;

Figure 14 is a structural diagram of the server for the traffic monitoring method shown in Figure 2, according to an embodiment of the present disclosure.

Detailed description

To make the objects, technical solutions and advantages of the present disclosure clearer, the disclosure is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the disclosure and do not limit it.

Before the embodiments are described in further detail, the terms used in them are explained; the terms used in the embodiments of the present disclosure have the following meanings:

Cyber range: a cyber range is a technology or product based on virtualisation that simulates and reproduces the network architecture, system devices, business traffic, operating state and operating environment of a real network, so that learning and research related to network security can be carried out more effectively, improving personnel's adversarial skills in network security and the defensive capability of systems. By analysing the network security events in the cyber range, protection strategies are determined that improve the stability and security of the network in the real environment.

Traffic mirroring: traffic mirroring is a network technique that copies network communications in real time to another interface (or several interfaces) for analysis and monitoring. Traffic mirroring helps operations and security staff monitor the stability and security of network devices and applications in real time, and troubleshoot problems and defend against attacks by analysing the traffic. Traffic mirroring does not affect network bandwidth and does not interfere with the normal operation of the network.

Data collection probe: a data collection probe is a device that captures and analyses specified network traffic during network communication. In the capture phase the probe grabs the network traffic passing through the link it is attached to and stores the captured data in memory or on disk. In the analysis phase the probe decodes, reassembles and filters the captured data to extract the useful information in it.

Figure 1 is the architecture diagram of the system to which the traffic monitoring method of an embodiment of the present disclosure is applied. It includes a control terminal and a cyber range; the cyber range contains a security event database, a traffic database and traffic collection devices.

The control terminal is the device used to initiate monitoring of the cyber range, view the monitoring results, and handle abnormal results when the monitoring results are abnormal. It may take many forms, such as a desktop computer, laptop, PDA (personal digital assistant), mobile phone or dedicated terminal. It may be a single device or a set of several devices; for example, several devices connected over a LAN and sharing one display work together to form one control terminal.

The cyber range is the computer system in which users conduct network security attack-and-defence exercises. The cyber range may be a single high-performance computer, a combination of portions carved out of several high-performance computers, and so on. The security event database in the cyber range stores all the network security events that occur in the cyber range. The traffic collection devices collect traffic data when a network security event occurs and, after collection, store a mirror of the data in the traffic database.

When the control terminal is used to monitor traffic in the cyber range, the Network Time Protocol (NTP) must be used to synchronise the clocks of all computers in the network so that the traffic data of a network security event can be located accurately.

According to an embodiment of the present disclosure, a traffic monitoring method based on a cyber range is provided.

Traffic monitoring is used to monitor the traffic data in the cyber range; when the monitored traffic data is abnormal, the responsible staff can notice and repair the problem promptly, so that the cyber range can reliably collect traffic data and analyse network security events. In the prior art, network traffic data is generally monitored by watching the traffic-collection configuration status of the cyber range's traffic collection devices and traffic mirroring devices. That approach cannot guarantee that the collected traffic data is complete, and so cannot guarantee that every node and connection of the traffic collection and storage devices is in a normal state.

The traffic data collected by applying the traffic monitoring method of the embodiments of the present disclosure is necessarily complete, and therefore accurately reflects the state of each node and connection in the traffic collection and storage devices.

As shown in Figure 2, the traffic monitoring method of an embodiment of the present disclosure includes:

Step 210: obtaining a network security event from the security event database of the cyber range;

Step 220: obtaining feature data of the network security event;

Step 230: based on the feature data, querying the traffic database of the cyber range for the traffic data corresponding to the network security event, where the traffic database stores the full-traffic mirror data of network security events that occurred in the cyber range.

In step 210, the security event database stores the network security events that occurred in the cyber range. After security devices in the cyber range (such as firewalls, intrusion prevention systems and intrusion detection systems) identify a simulated attack-or-defence behaviour event in the cyber range, network security event data is produced by big-data computation and stored in the security event database. Whenever a network security event occurs, corresponding traffic data is produced, so the traffic data can be used to judge the state of the cyber range's traffic collection and storage devices at the time the event occurred.

In one embodiment, the network security events are obtained from the security event database of the cyber range in real time.

The network security events that occur in a cyber range are usually continuous. The traffic data in the cyber range can therefore be monitored in real time to ensure that the continuous stream of network security events is handled normally.

When a network security event occurs in the cyber range, the event is stored in the security event database and the traffic data is mirrored and stored in the traffic database. Once storage is complete, the network security event is obtained and steps 220 to 230 are executed, giving real-time monitoring of the traffic data.

Because a cyber range can serve attack-and-defence exercise scenarios for several parties at the same time, several network security events may occur in the cyber range simultaneously. However, a single network security event is usually enough to detect an abnormality in the traffic collection and storage devices, and monitoring the traffic data of every network security event would be wasteful. A predetermined number of the network security events stored in the security event database at the same time can therefore be obtained. The predetermined number is usually 1; to avoid an inaccurate result from a single check, it may also be set to 2 or 3. Obtaining a predetermined number of events improves the efficiency of real-time monitoring: a small number of network security events is enough to reflect the real-time state of the data collection and storage devices.

The advantage of real-time acquisition and real-time monitoring is that the state of traffic data collection and storage is observed promptly, so that an abnormal state can be dealt with promptly, improving the timeliness of handling abnormal states.

Because the cyber range also has to provide computing resources for the parties conducting network security exercises, running traffic monitoring at the same time as the exercises may increase the load on the cyber range and reduce the efficiency of the exercises. Therefore, in one embodiment, as shown in Figure 3, step 210 includes:

Step 310: determining a monitoring period and a monitoring duration;

Step 320: according to the monitoring period, determining a monitoring time interval from the monitoring duration;

Step 330: randomly sampling, from the security event database of the cyber range, a predetermined number of network security events that occurred within the monitoring time interval.

In this embodiment the traffic is monitored according to a predetermined monitoring period, for example once every hour, and the network security events that occurred during the period are used to judge whether the traffic collection and storage devices were in an abnormal state during that period. The monitoring period can be preset to a fixed length, such as 1 hour or 2 hours; it can also be adjusted dynamically according to the number of network security events occurring in the cyber range. For example, if the number of network security events surges during some period of time, abnormal traffic data collection becomes likely, so the monitoring period can be shortened to improve the accuracy of the traffic monitoring.

If an abnormality exists during a monitoring period, it persists until someone intervenes. It is therefore unnecessary to obtain the network security events of the entire monitoring period; instead a monitoring duration is determined and only the network security events within that duration are obtained. The monitoring duration can be set to 1 minute, 5 minutes, 10 minutes, 15 minutes and so on, and can be chosen according to the number of network security events occurring in the monitoring period: if many network security events occur in the period, the monitoring duration can be set shorter.

The monitoring time interval is the part of a monitoring period that is used for traffic monitoring. The traffic monitoring result for the monitoring time interval reflects the traffic monitoring result for the whole period. The start of the monitoring time interval is the time at which traffic monitoring is executed minus the monitoring duration, and its end is the time at which traffic monitoring is executed. For example, as shown in Figure 4, with a monitoring period of 1 hour, traffic monitoring is executed at 10:00, 11:00 and 12:00. With a monitoring duration of 15 minutes, the monitoring time interval at 11:00 is 10:45 to 11:00, and at 12:00 it is 11:45 to 12:00. If a data monitoring abnormality arises between 10:00 and 10:45, it still exists during the 10:45 to 11:00 monitoring time interval. Monitoring the traffic within a small window of time therefore reflects the traffic state of the whole monitoring period.

在确定监测时间区间后,从安全事件数据库中随机抽取预定数目个在检测时间区间内发生的网络安全事件。随机抽取的预定数目依据网络空间靶场的负载而定。预定数目越大,监测结果越精确,但是对系统的负载越大。预定数目的确定可以根据网络空间靶场的负载设定为固定值,例如10个;也可以根据网络空间靶场中正在运行的网络安全事件的数量来动态调整,例如,当前网络空间靶场中正在运行的网络安全事件数量较多,那么需要就将预定数目降低,以保证流量监测不影响网络安全事件的正常运行。After determining the monitoring time interval, a predetermined number of network security events occurring within the detection time interval are randomly selected from the security event database. The predetermined number of random draws is based on the loading of the cyberspace range. The larger the predetermined number, the more accurate the monitoring results will be, but the greater the load on the system. The determination of the predetermined number can be set to a fixed value, such as 10, according to the load of the cyberspace range; it can also be dynamically adjusted according to the number of network security events running in the cyberspace range, for example, the number of network security events currently running in the cyberspace range. If the number of network security events is large, it is necessary to reduce the scheduled number to ensure that traffic monitoring does not affect the normal operation of network security events.

本实施例的优点是,按照预定周期进行流量监测,避免流量监测抢占网络空间靶场中的网络安全演练所需的计算资源,影响演练正常进行。The advantage of this embodiment is that traffic monitoring is performed according to a predetermined period to avoid traffic monitoring from seizing the computing resources required for network security drills in the cyberspace shooting range and affecting the normal progress of the drill.

In step 220, the feature data of the network security event is obtained.

In one embodiment, obtaining the feature data of the network security event includes: obtaining the feature data of the network security event from a fused security event index library in the security event database.

The fused security event index library is generated from multiple network security events in the security event database. Its role in the cyber range is to fuse network security events coming from different security devices so that they can be analysed together. To that end, the fused security event index library unifies the format of the various fields of different network security events so that they can be fused. For example, network security events from different security devices may use different time formats; in the fused security event index library, events in different formats are converted to the same format and sorted. The fused security event index library also deduplicates and cleans network security events, for example by using the network security event identifier or the virtual LAN identifier to judge whether a network security event is valid. The feature data obtained from the fused security event index library is therefore more accurate and easier to look up.

The main fields of a network security event contained in the fused security event index library are shown in Table 1:

Table 1

Since each network security event has many kinds of feature data, the event identifier can be used to obtain the feature data related to traffic data. In one embodiment, the feature data includes the source address, source port, destination address, destination port, virtual LAN identifier and timestamp of the network security event.

The source address is the IP address of the initiator of the network security event; the source port is the port number of the initiator; the destination address is the IP address of the receiver of the network security event; the destination port is the port number of the receiver; the virtual LAN identifier identifies the virtual network in which the network security event runs in isolation within the cyber range; the timestamp is the time at which the network security event occurred.

The advantage of selecting the above feature data from the many kinds of feature data is that a small amount of feature data suffices to query traffic data, which improves query efficiency.

Based on this embodiment, the traffic database of step 230 contains multiple traffic interfaces, each corresponding to one network security event; the traffic data of a network security event can be obtained through its traffic interface. Each traffic interface contains a traffic start time, a traffic end time and a traffic parameter group, and the traffic parameter group contains a traffic virtual LAN identifier, traffic source address, traffic source port, traffic destination address and traffic destination port. Therefore, as shown in Figure 5, step 230 includes:

Step 510: determine candidate traffic ports in the traffic database based on the traffic start time, the traffic end time and the timestamp;

Step 520: determine, among the candidate traffic ports, the target traffic port corresponding to the network security event based on whether the source address matches the traffic source address, the source port matches the traffic source port, the destination address matches the traffic destination address, the destination port matches the traffic destination port and the virtual LAN identifier matches the traffic virtual LAN identifier;

Step 530: return the traffic data of the network security event from the target traffic interface.

In this embodiment, the target traffic interface corresponding to the network security event is determined in the traffic database from the obtained feature data of the network security event. The traffic interface may be a RESTful API. The data content of the request header of the traffic interface is shown in Table 2:

Table 2

The data content of the request body of the traffic interface is shown in Table 3:

Table 3

The request header of the traffic interface carries the data describing the traffic interface itself and cannot be used to query the traffic data retrievable through the interface. The request body carries the traffic data retrievable through the traffic interface; therefore, the traffic interface is queried by means of the request body.

First, candidate traffic ports are determined from the traffic start time and traffic end time in the request body data and the timestamp in the feature data of the network security event. If the network security event occurred between the traffic start time and the traffic end time, the traffic data retrievable through the traffic interface matches the time at which the network security event occurred. The target traffic interface is then selected from the time-matched candidate traffic interfaces. Note that the time formats of the traffic start time, traffic end time and timestamp must be unified before they are compared.

"filterTupleArray" in the request body of Table 2 is the traffic parameter group, in which "vlanId" is the traffic virtual LAN identifier, "sourceIp" the traffic source address, "destIp" the traffic destination address, "sourcePort" the traffic source port and "destPort" the traffic destination port.

Only when the virtual LAN identifier in the feature data of the network security event equals the traffic virtual LAN identifier, the source address equals the traffic source address, the destination address equals the traffic destination address, the source port equals the traffic source port and the destination port equals the traffic destination port does the traffic data of this traffic interface belong to the network security event, making this traffic interface the target traffic port corresponding to the network security event.

Once the target traffic interface has been found, it returns the traffic data of the network security event. The returned result is shown in Table 4:

No. | Parameter    | Type    | Description
1   | Code         | integer | Query task status: 0 for success, 1 for failure
2   | Msg          | string  | Failure message, returned when the task failed
3   | totalBytes   | string  | Total number of bytes of the queried traffic data
4   | totalPackets | integer | Total number of packets of the queried traffic data

Table 4

The parameter "Code" in Table 4 indicates whether the target traffic interface was queried successfully: 0 on success and 1 on failure, with the failure message returned through the parameter "Msg". "totalBytes" and "totalPackets" give the total number of bytes and the total number of packets of the queried traffic data. If neither parameter is 0, the traffic collection and storage equipment of the cyber range is in a normal state; conversely, if either parameter is 0, the traffic collection and storage equipment of the cyber range is in an abnormal state.

The advantage of querying traffic data through traffic interfaces in this embodiment is that it reduces the server load caused by querying traffic data directly and improves lookup efficiency; at the same time, the traffic data is not operated on directly, which improves data security and accuracy.

A network security event uses one-way traffic transmission from a sender to a receiver. In practice, the traffic collection from sender to receiver may be normal while the traffic collection from receiver to sender is blocked. Verifying the state of receiver-to-sender traffic collection with another network security event would needlessly increase the load on the cyber range. Therefore, in one embodiment, the network security event contains an event identifier, and the feature data of step 220 contains forward feature data and reverse feature data. The forward feature data is the feature data from the sender of the network security event to its receiver; the reverse feature data is the feature data from the receiver back to the sender. On this basis, as shown in Figure 6, step 220 includes:

Step 610: retrieve the source address, source port, destination address, destination port, virtual LAN identifier and timestamp of the network security event from the security event database according to the event identifier;

Step 620: combine the source address, source port, destination address, destination port, virtual LAN identifier and timestamp into the forward feature data;

Step 630: take the destination address as the reverse source address, the destination port as the reverse source port, the source address as the reverse destination address and the source port as the reverse destination port;

Step 640: combine the reverse source address, reverse source port, reverse destination address, reverse destination port, virtual LAN identifier and timestamp into the reverse feature data.

Referring to Table 1, the event identifier can be used to obtain the source address, source port, destination address, destination port, virtual LAN identifier and timestamp of the network security event; these are the forward feature data from the sender to the receiver.

The destination address is taken as the reverse source address, the destination port as the reverse source port, the source address as the reverse destination address and the source port as the reverse destination port. As shown in Figure 7, in this process the forward sender becomes the reverse receiver and the forward receiver becomes the reverse sender. The converted feature data is combined with the virtual LAN identifier and the timestamp to obtain the reverse feature data.

The advantage of this embodiment is that a single network security event yields bidirectional feature data, and hence bidirectional traffic features, which guarantees the completeness of the traffic data query and improves monitoring efficiency.

Based on this embodiment, the traffic data includes forward traffic data and reverse traffic data; therefore, as shown in Figure 8, step 230 includes:

Step 810: determine the forward traffic data corresponding to the network security event in the traffic database based on the source address, source port, destination address, destination port, virtual LAN identifier and timestamp in the forward feature data;

Step 820: determine the reverse traffic data corresponding to the network security event in the traffic database based on the reverse source address, reverse source port, reverse destination address, reverse destination port, virtual LAN identifier and timestamp in the reverse feature data.

In this embodiment, the forward feature data is used to obtain from the traffic database the traffic data from the forward sender to the forward receiver, and the reverse feature data is used to obtain the traffic data from the reverse sender to the reverse receiver.

The process of determining the forward traffic data in the traffic database based on the source address, source port, destination address, destination port, virtual LAN identifier and timestamp is the same as in the preceding embodiment and is not repeated here.

The advantages of this embodiment are the same as those of obtaining bidirectional feature data in the preceding embodiment and are not repeated here.
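The matching of steps 510 to 530 and the forward/reverse lookup of steps 610 to 640 and 810 to 820, as an added example that is not part of the patent. The request-body key names vlanId, sourceIp, destIp, sourcePort, destPort and filterTupleArray are the ones the text gives; the interface name, startTime, endTime, the time formats, the sample event and the Table 4 results are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Time formats that may appear in a request body or the event index (constructed);
# the text only says the formats must be unified before comparison.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M:%S", "%Y/%m/%d %H:%M:%S")


def parse_time(value: str) -> datetime:
    """Unify traffic start/end times and event timestamps into one representation."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unsupported time format: {value!r}")


@dataclass(frozen=True)
class EventFeatures:
    """Feature data of one network security event: endpoints, VLAN and time."""
    source_ip: str
    source_port: int
    dest_ip: str
    dest_port: int
    vlan_id: int
    timestamp: datetime


def reverse_features(f: EventFeatures) -> EventFeatures:
    """Steps 630/640: swap the endpoints; VLAN identifier and timestamp are kept."""
    return EventFeatures(f.dest_ip, f.dest_port, f.source_ip, f.source_port,
                         f.vlan_id, f.timestamp)


@dataclass(frozen=True)
class TrafficInterface:
    """One traffic interface as described by its request body (assumed field names)."""
    name: str
    start_time: datetime
    end_time: datetime
    filter_tuple: Dict[str, object]  # the filterTupleArray of the request body


def interface_from_body(name: str, body: dict) -> TrafficInterface:
    """Build an interface record from a request-body dict, unifying its time formats."""
    return TrafficInterface(name, parse_time(body["startTime"]),
                            parse_time(body["endTime"]), dict(body["filterTupleArray"]))


def candidate_interfaces(interfaces, f):
    """Step 510: keep the interfaces whose traffic window contains the event time."""
    return [i for i in interfaces if i.start_time <= f.timestamp <= i.end_time]


def target_interface(interfaces, f) -> Optional[TrafficInterface]:
    """Step 520: among the candidates, the one whose five-tuple matches exactly."""
    wanted = {"vlanId": f.vlan_id, "sourceIp": f.source_ip, "destIp": f.dest_ip,
              "sourcePort": f.source_port, "destPort": f.dest_port}
    for iface in candidate_interfaces(interfaces, f):
        if iface.filter_tuple == wanted:
            return iface
    return None


def judge_result(result: dict) -> str:
    """Interpret a Table 4 result: Code 0/1, Msg, totalBytes (string), totalPackets."""
    if result.get("Code") != 0:
        return "abnormal: query failed: " + str(result.get("Msg", ""))
    if int(result["totalBytes"]) == 0 or int(result["totalPackets"]) == 0:
        return "abnormal: no traffic captured"
    return "normal"


def check_event(interfaces, results: Dict[str, dict], f: EventFeatures) -> Dict[str, str]:
    """Steps 810/820: look up both directions of one event and judge each result."""
    report = {}
    for direction, feat in (("forward", f), ("reverse", reverse_features(f))):
        iface = target_interface(interfaces, feat)
        if iface is None:
            report[direction] = "abnormal: no matching traffic interface"
        else:
            report[direction] = judge_result(results[iface.name])
    return report


# Constructed sample data: one event and three interfaces. "flow-old" has the right
# five-tuple but a window that predates the event, so step 510 excludes it.
EVENT = EventFeatures("10.0.1.5", 51234, "10.0.2.8", 443, 100,
                      parse_time("2024/01/01 10:52:10"))
FORWARD_TUPLE = {"vlanId": 100, "sourceIp": "10.0.1.5", "destIp": "10.0.2.8",
                 "sourcePort": 51234, "destPort": 443}
REVERSE_TUPLE = {"vlanId": 100, "sourceIp": "10.0.2.8", "destIp": "10.0.1.5",
                 "sourcePort": 443, "destPort": 51234}
INTERFACES = [
    interface_from_body("flow-fwd", {"startTime": "2024-01-01 10:50:00",
                                     "endTime": "2024-01-01 10:55:00", "filterTupleArray": FORWARD_TUPLE}),
    interface_from_body("flow-rev", {"startTime": "2024-01-01T10:50:00",
                                     "endTime": "2024-01-01T10:55:00", "filterTupleArray": REVERSE_TUPLE}),
    interface_from_body("flow-old", {"startTime": "2024/01/01 09:00:00",
                                     "endTime": "2024/01/01 09:30:00", "filterTupleArray": FORWARD_TUPLE}),
]
# Constructed Table 4 results; the reverse direction captured nothing, the blocked
# receiver-to-sender collection case the text describes.
RESULTS = {
    "flow-fwd": {"Code": 0, "Msg": "", "totalBytes": "5120", "totalPackets": 12},
    "flow-rev": {"Code": 0, "Msg": "", "totalBytes": "0", "totalPackets": 0},
}
```

Running `check_event(INTERFACES, RESULTS, EVENT)` reports the forward direction as normal and the reverse direction as abnormal, so the one event exposes the one-sided collection failure without a second event being needed.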

Because the traffic database stores the full-traffic mirror data of network security events occurring in the cyber range, the traffic data queried from the traffic database is guaranteed to be the complete traffic of the network security event.

In one embodiment, as shown in Figure 9, the traffic database obtains the full-traffic mirror data of network security events through the following process:

Step 910: insert traffic probes at each node of the cyber range;

Step 920: when a network security event occurs, capture the traffic data with the traffic probes;

Step 930: if the traffic probes capture traffic data at every node the network security event passes through, mirror the traffic data and store it in the traffic database, obtaining the full-traffic mirror data.

In this embodiment, a traffic probe is inserted at each node of the cyber range to capture traffic data. When a network security event occurs, the traffic probes of all the nodes the event passes through in the cyber range are treated as a whole: only when all of them capture traffic data is the traffic data mirrored and stored in the traffic database to obtain the full-traffic mirror data. If even one traffic probe fails to capture traffic data, no full-traffic mirror data is formed in the traffic database.

This is precisely what guarantees that the traffic data queried from the traffic database is the complete traffic of the network security event. This embodiment therefore ensures the integrity of the traffic data stored in the traffic database.

When the traffic data of a network security event is found in the traffic database, the traffic collection and storage equipment has no anomaly, and traffic monitoring can proceed to the next network security event.

When the traffic data of a network security event is not found in the traffic database, the traffic collection and storage equipment is in an abnormal state that must be handled.

In one embodiment, as shown in Figure 10, after step 230 the traffic monitoring method further includes:

Step 1010: if no traffic data corresponding to the network security event is found, raise an alarm event;

Step 1020: based on the alarm event, query the traffic database again for the traffic data corresponding to the network security event after a preset time interval.

If no traffic data is found, the abnormal traffic features are sent through the exception handling interface to the automatic exception handling platform for subsequent processing.

After receiving the alarm event, the automatic exception handling platform waits for the preset time interval and then queries the traffic database again for the traffic data corresponding to the network security event. The purpose is to allow for a storage time lag between the traffic database and the security event database, that is, the case where the network security event has already been stored in the security event database but its corresponding traffic data has not yet been stored in the traffic database. Hence the query is repeated after the preset time: if the traffic data can now be found, the traffic collection and storage equipment is in a normal state; if it still cannot be found, the state is abnormal and must be repaired.

The advantage of this embodiment is that it avoids traffic data not being found because of the storage time lag, which improves the accuracy of traffic monitoring.

Handling an abnormal state requires obtaining information on the network security event that raised the alarm, the simulated network area, and the traffic collection and storage equipment. This information is checked to locate the anomaly, the specific problem is repaired in a predetermined way, and a log is recorded. If the problem cannot be repaired, or no abnormal state is found, the alarm is sent to the responsible person by SMS, e-mail or similar means, and that person checks the above information manually, determines the cause of the anomaly and resolves it.

The overall flow of the traffic monitoring method of the embodiment of the present disclosure is shown in Figure 11: obtain a network security event from the security event database; obtain the feature data of the network security event; based on the feature data, query the traffic database for the traffic data of the network security event; judge whether the traffic data was found; if so, obtain the next network security event for traffic monitoring; if not, raise an alarm event, and have the automatic exception handling platform and the responsible person investigate the cause of the alarm and repair the abnormal state; after the anomaly is repaired, obtain a network security event again for traffic monitoring.
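One pass of the Figure 11 flow with the monitoring window and random sampling of steps 310 to 330 and the alarm and re-query of steps 1010 and 1020, as an added example that is not the patent's code. The traffic database is a constructed in-memory stand-in keyed by the six-tuple of feature data and recording when each mirror record became queryable, which is how the storage time lag is simulated; the event records, times and delays are constructed assumptions.

```python
import random
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Six-tuple of feature data: source ip, source port, dest ip, dest port, VLAN id, timestamp.
Key = Tuple[str, int, str, int, int, datetime]

# Constructed security events (event id -> feature data) around the 11:00 run of Figure 4.
EVENTS: Dict[str, Key] = {
    "ev-1": ("10.0.1.5", 40001, "10.0.2.8", 443, 100, datetime(2024, 1, 1, 10, 50)),
    "ev-2": ("10.0.1.6", 40002, "10.0.2.9", 22, 100, datetime(2024, 1, 1, 10, 58)),
    "ev-3": ("10.0.1.7", 40003, "10.0.2.9", 80, 101, datetime(2024, 1, 1, 10, 55)),
    "ev-4": ("10.0.1.8", 40004, "10.0.2.8", 443, 100, datetime(2024, 1, 1, 10, 20)),
}

# Constructed stand-in for the traffic database: key -> time at which the full-traffic
# mirror record became queryable. ev-2 is written late (storage lag); ev-3 never arrives.
TRAFFIC_STORED_AT: Dict[Key, datetime] = {
    EVENTS["ev-1"]: datetime(2024, 1, 1, 10, 50, 30),
    EVENTS["ev-2"]: datetime(2024, 1, 1, 11, 0, 45),
    EVENTS["ev-4"]: datetime(2024, 1, 1, 10, 20, 30),
}

# Parameters of this monitoring run (constructed): 1-hour cycle executed at 11:00,
# 15-minute monitoring duration, up to 10 sampled events, 2-minute re-query delay.
RUN_AT = datetime(2024, 1, 1, 11, 0)
DURATION = timedelta(minutes=15)
SAMPLE_COUNT = 10
RETRY_DELAY = timedelta(minutes=2)


def monitoring_interval(run_at: datetime, duration: timedelta) -> Tuple[datetime, datetime]:
    """Step 320: the interval ends at the run time and starts 'duration' earlier."""
    return run_at - duration, run_at


def sample_events(events: Dict[str, Key], run_at, duration, count, seed=0) -> List[str]:
    """Step 330: randomly draw up to 'count' events whose timestamp lies in the interval."""
    start, end = monitoring_interval(run_at, duration)
    pool = sorted(eid for eid, feat in events.items() if start <= feat[5] <= end)
    return random.Random(seed).sample(pool, min(count, len(pool)))


def traffic_found(feature: Key, query_at: datetime) -> bool:
    """Stand-in traffic-database query: a record is visible once it has been stored."""
    stored = TRAFFIC_STORED_AT.get(feature)
    return stored is not None and stored <= query_at


def monitor_once(run_at, duration, count, retry_delay) -> Tuple[Dict[str, str], List[str]]:
    """One pass of the Figure 11 flow: event id -> status, plus the alarms raised."""
    status, alarms = {}, []
    for eid in sample_events(EVENTS, run_at, duration, count):
        if traffic_found(EVENTS[eid], run_at):
            status[eid] = "normal"          # collection and storage state is normal
            continue
        alarms.append(eid)                   # step 1010: raise an alarm event
        if traffic_found(EVENTS[eid], run_at + retry_delay):   # step 1020: re-query
            status[eid] = "normal after re-query"   # only a storage time lag
        else:
            status[eid] = "abnormal"                # still missing: needs repair
    return status, alarms


if __name__ == "__main__":
    print(monitor_once(RUN_AT, DURATION, SAMPLE_COUNT, RETRY_DELAY))
```

ev-4 falls outside the 10:45 to 11:00 window and is never sampled, which is the point of the text's argument that a persisting anomaly shows up in the short interval anyway.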

The apparatus and equipment of the embodiments of the present disclosure are described below.

It should be understood that although the steps in the flowcharts above are displayed in sequence as indicated by the arrows, they are not necessarily executed in that order. Unless explicitly stated in this embodiment, there is no strict ordering constraint on the execution of these steps, and they may be executed in other orders. Moreover, at least some of the steps in the flowcharts above may comprise multiple sub-steps or stages, which are not necessarily completed at the same moment but may be executed at different times, and whose execution order is not necessarily sequential either: they may be executed in turn or alternately with other steps or with at least part of the sub-steps or stages of other steps.

It should be noted that in each specific implementation of the present application, whenever processing has to be performed on data related to the characteristics of a target virtual machine, such as target virtual machine attribute information or a set of attribute information, the permission or consent of the target virtual machine is obtained first, and the collection, use and processing of such data comply with the relevant laws, regulations and standards of the countries and regions concerned. In addition, when an embodiment of the present application needs to obtain target virtual machine attribute information, the separate permission or separate consent of the target virtual machine is obtained through a pop-up window or by redirecting to a confirmation page, and only after that separate permission or consent has been explicitly obtained is the target virtual machine data necessary for the normal operation of the embodiment obtained.

图12为本公开实施例提供的流量监测装置1200的结构图。该流量监测装置1200包括:Figure 12 is a structural diagram of a flow monitoring device 1200 provided by an embodiment of the present disclosure. The flow monitoring device 1200 includes:

第一获取单元1210,用于从网络空间靶场的安全事件数据库中获取网络安全事件;The first acquisition unit 1210 is used to acquire network security events from the security event database of the cyberspace shooting range;

第二获取单元1220,用于获取网络安全事件的特征数据;The second acquisition unit 1220 is used to acquire characteristic data of network security events;

第一查询单元1230,用于基于特征数据,在网络空间靶场的流量数据库中查询网络安全事件对应的流量数据,其中,流量数据库存储了网络安全事件在网络空间靶场中发生的全流量镜像数据。The first query unit 1230 is configured to query traffic data corresponding to network security events in the traffic database of the cyberspace shooting range based on the characteristic data, where the traffic database stores full traffic mirroring data of network security events occurring in the cyberspace shooting range.

可选地,第一获取单元1210具体用于:Optionally, the first acquisition unit 1210 is specifically used to:

确定监测周期与监测时长;Determine the monitoring cycle and monitoring duration;

按照监测周期,根据监测时长确定监测时间区间;According to the monitoring cycle, the monitoring time interval is determined according to the monitoring duration;

从网络空间靶场的安全事件数据库中,随机抽取预定数目个在监测时间区间发生的网络安全事件。Randomly select a predetermined number of network security events that occur within the monitoring time interval from the security event database of the cyberspace shooting range.

可选地,特征数据包含网络安全事件发生的源地址、源端口、目标地址、目标端口、虚拟局域网标识、与时间戳。Optionally, the characteristic data includes the source address, source port, destination address, destination port, virtual LAN identifier, and timestamp of the network security event.

可选地,流量数据库中包含多个流量接口,每个流量接口对应于一个网络安全事件;每一个流量接口中包含流量开始时间、流量结束时间、流量参数组,流量参数组中包含流量虚拟局域网标识、流量源地址、流量源端口、流量目标地址、流量目标端口;Optionally, the traffic database contains multiple traffic interfaces, each traffic interface corresponds to a network security event; each traffic interface includes a traffic start time, a traffic end time, and a traffic parameter group, and the traffic parameter group includes a traffic virtual LAN Identification, traffic source address, traffic source port, traffic destination address, traffic destination port;

第一查询单元1230具体用于:The first query unit 1230 is specifically used to:

基于流量开始时间、流量结束时间、与时间戳,在流量数据库中确定候选流量端口;Determine candidate traffic ports in the traffic database based on the traffic start time, traffic end time, and timestamp;

基于源地址与流量源地址的匹配关系、源端口与流量源端口的匹配关系、目标地址与流量目标地址的匹配关系、目标端口与流量目标端口的匹配关系、虚拟局域网标识与流量虚拟局域网标识的匹配关系,在候选流量端口中确定网络安全事件对应的目标流量端口;Based on the matching relationship between the source address and the traffic source address, the matching relationship between the source port and the traffic source port, the matching relationship between the destination address and the traffic destination address, the matching relationship between the destination port and the traffic destination port, the matching relationship between the virtual LAN identifier and the traffic virtual LAN identifier. Matching relationship, determine the target traffic port corresponding to the network security event among the candidate traffic ports;

由目标流量接口返回网络安全事件的流量数据。The traffic data of network security events is returned by the target traffic interface.

Optionally, the network security event includes an event identifier;

the feature data includes forward feature data and reverse feature data;

the second acquisition unit 1220 is specifically configured to:

retrieve the source address, source port, destination address, destination port, virtual LAN identifier and timestamp of the network security event from the security event database according to the event identifier;

combine the source address, source port, destination address, destination port, virtual LAN identifier and timestamp into the forward feature data;

take the destination address as the reverse source address, the destination port as the reverse source port, the source address as the reverse destination address and the source port as the reverse destination port;

combine the reverse source address, reverse source port, reverse destination address, reverse destination port, virtual LAN identifier and timestamp into the reverse feature data.

Optionally, the traffic data includes forward traffic data and reverse traffic data;

the first query unit 1230 is specifically configured to:

determine the forward traffic data corresponding to the network security event in the traffic database based on the source address, source port, destination address, destination port, virtual LAN identifier and timestamp in the forward feature data;

determine the reverse traffic data corresponding to the network security event in the traffic database based on the reverse source address, reverse source port, reverse destination address, reverse destination port, virtual LAN identifier and timestamp in the reverse feature data.

Optionally, the second acquisition unit 1220 is specifically configured to:

obtain the feature data of the network security event from a fused security event index library in the security event database, where the fused security event index library is generated from multiple network security events in the security event database.

Optionally, the traffic database obtains the full-traffic mirror data of the network security event through the following process:

insert traffic probes at each node of the cyberspace range;

when a network security event occurs, capture traffic data with the traffic probes;

if the traffic probes capture traffic data at every node where the network security event occurs, mirror the traffic data and store it in the traffic database to obtain the full-traffic mirror data.

Optionally, the traffic monitoring device 1200 further includes:

an alarm initiating unit (not shown), configured to initiate an alarm event if no traffic data corresponding to the network security event is found;

a second query unit (not shown), configured to query the traffic database again for the traffic data corresponding to the network security event after a preset time interval, based on the alarm event.
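The following is an added worked example, not code from the patent or from Peng Cheng Laboratory, that puts the query unit, the forward/reverse feature construction and the alarm-and-retry unit described above into one runnable Python module. The record shapes (SecurityEvent, TrafficInterface), field names and all sample addresses, ports, VLAN identifiers and timestamps are constructed assumptions; the patent only specifies which fields are matched, not how they are stored. The `sleep` parameter is injectable so that the preset-interval retry can be exercised without actually waiting.

```python
"""Added example (constructed, not the patent's code): correlate a security
event with full-traffic mirror records by time window, 5-tuple and VLAN in both
directions, and raise an alarm / retry when a direction has no match."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SecurityEvent:
    """Assumed shape of a record in the security event database."""
    event_id: str
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    vlan_id: int
    timestamp: float  # seconds since epoch


@dataclass(frozen=True)
class FeatureData:
    """Forward or reverse feature data derived from one event."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    vlan_id: int
    timestamp: float


@dataclass
class TrafficInterface:
    """Assumed shape of one traffic interface in the traffic database: a time
    span, the parameter set (VLAN + 5-tuple) and the mirrored packets."""
    start_time: float
    end_time: float
    vlan_id: int
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    packets: List[bytes]


def build_feature_data(ev: SecurityEvent) -> Dict[str, FeatureData]:
    """Forward features copy the event tuple; reverse features swap the
    source and destination endpoints and keep VLAN and timestamp."""
    forward = FeatureData(ev.src_addr, ev.src_port, ev.dst_addr, ev.dst_port,
                          ev.vlan_id, ev.timestamp)
    reverse = FeatureData(ev.dst_addr, ev.dst_port, ev.src_addr, ev.src_port,
                          ev.vlan_id, ev.timestamp)
    return {"forward": forward, "reverse": reverse}


def query_traffic(db: List[TrafficInterface], feat: FeatureData) -> Optional[List[bytes]]:
    """Step 1: candidates are interfaces whose [start, end] span covers the
    event timestamp. Step 2: the target is the candidate whose whole parameter
    set matches. None means no mirrored traffic was found."""
    candidates = [t for t in db if t.start_time <= feat.timestamp <= t.end_time]
    for t in candidates:
        if (t.src_addr == feat.src_addr and t.src_port == feat.src_port
                and t.dst_addr == feat.dst_addr and t.dst_port == feat.dst_port
                and t.vlan_id == feat.vlan_id):
            return t.packets
    return None


def query_event_traffic(db: List[TrafficInterface],
                        ev: SecurityEvent) -> Dict[str, Optional[List[bytes]]]:
    """Look up forward and reverse traffic for one event."""
    return {d: query_traffic(db, f) for d, f in build_feature_data(ev).items()}


def query_with_retry(db: List[TrafficInterface], ev: SecurityEvent, alarms: List[str],
                     retries: int = 1, interval_s: float = 5.0,
                     sleep: Callable[[float], None] = time.sleep) -> Dict[str, Optional[List[bytes]]]:
    """If a direction is missing, record an alarm and query again after the
    preset interval (mirror data from a probe may simply not have landed yet)."""
    result = query_event_traffic(db, ev)
    for attempt in range(retries):
        if all(v is not None for v in result.values()):
            break
        missing = "/".join(d for d, v in result.items() if v is None)
        alarms.append(f"event {ev.event_id}: no {missing} traffic (attempt {attempt + 1})")
        sleep(interval_s)
        result = query_event_traffic(db, ev)
    return result


# Constructed sample data: one HTTP exchange plus two decoys that share the
# 5-tuple but differ in VLAN or lie outside the time window.
SAMPLE_EVENT = SecurityEvent("evt-0001", "10.0.0.5", 51234, "10.0.0.20", 80, 100, 1000.0)
SAMPLE_TRAFFIC_DB = [
    TrafficInterface(990.0, 1010.0, 100, "10.0.0.5", 51234, "10.0.0.20", 80, [b"GET / HTTP/1.1"]),
    TrafficInterface(990.0, 1010.0, 100, "10.0.0.20", 80, "10.0.0.5", 51234, [b"HTTP/1.1 200 OK"]),
    TrafficInterface(990.0, 1010.0, 200, "10.0.0.5", 51234, "10.0.0.20", 80, [b"wrong vlan"]),
    TrafficInterface(2000.0, 2010.0, 100, "10.0.0.5", 51234, "10.0.0.20", 80, [b"wrong time"]),
]

if __name__ == "__main__":
    alarm_log: List[str] = []
    print(query_with_retry(SAMPLE_TRAFFIC_DB, SAMPLE_EVENT, alarm_log, retries=1, interval_s=0))
    print(alarm_log)
```

The VLAN decoy is the point of matching the full parameter set rather than the 5-tuple alone: in a range where several scenarios reuse the same private address space on different VLANs, a 5-tuple match would return the wrong scenario's packets and the analyst would attribute the event to the wrong exercise.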

Referring to Figure 13, Figure 13 is a block diagram of part of a control terminal implementing an embodiment of the present disclosure. The control terminal includes a radio frequency (RF) circuit 1310, a memory 1315, an input unit 1330, a display unit 1340, a sensor 1350, an audio circuit 1360, a wireless fidelity (WiFi) module 1370, a processor 1380, a power supply 1390 and other components. Those skilled in the art will understand that the terminal structure shown in Figure 13 does not limit the mobile phone or computer, which may include more or fewer components than shown, combine certain components, or arrange the components differently.

The RF circuit 1310 can be used to receive and send signals while sending and receiving information or during a call; in particular, it receives downlink information from the base station and passes it to the processor 1380 for processing, and it sends uplink data to the base station.

The memory 1315 can be used to store software programs and modules. The processor 1380 executes the various functional applications and data processing of the terminal by running the software programs and modules stored in the memory 1315.

The input unit 1330 can be used to receive input numeric or character information and to generate key signal inputs related to the settings and function control of the terminal. Specifically, the input unit 1330 may include a touch panel 1331 and other input devices 1332.

The display unit 1340 can be used to display input information or provided information as well as the various menus of the terminal. The display unit 1340 may include a display panel 1341.

The audio circuit 1360, the speaker 1361 and the microphone 1362 can provide an audio interface.

In this embodiment, the processor 1380 included in the terminal can execute the traffic monitoring method of the preceding embodiments.

Control terminals in embodiments of the present disclosure include, but are not limited to, mobile phones, computers, intelligent voice interaction devices, aircraft and the like. Embodiments of the present invention can be applied to various scenarios, including but not limited to network security and communication security.

Figure 14 is a block diagram of part of a server of the cyberspace range implementing an embodiment of the present disclosure. Servers may differ considerably in configuration and performance, and may include one or more central processing units (CPUs) 1422 (for example, one or more processors), a memory 1432, and one or more storage media 1430 (for example, one or more mass storage devices) storing application programs 1442 or data 1444. The memory 1432 and the storage medium 1430 may be transient or persistent storage. The program stored in the storage medium 1430 may include one or more modules (not shown), each of which may include a series of instruction operations on the server. Further, the central processing unit 1422 may be configured to communicate with the storage medium 1430 and execute the series of instruction operations in the storage medium 1430 on the server.

The server may also include one or more power supplies 1426, one or more wired or wireless network interfaces 1450, one or more input/output interfaces 1458, and/or one or more operating systems 1441, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and so on.

The central processing unit 1422 in the server can be used to execute the traffic monitoring method of the embodiments of the present disclosure.

Embodiments of the present disclosure also provide a computer-readable storage medium for storing program code, the program code being used to execute the traffic monitoring method of each of the foregoing embodiments.

Embodiments of the present disclosure also provide a computer program product including a computer program. A processor of a computer device reads and executes the computer program, so that the computer device performs the traffic monitoring method described above.

The terms "first", "second", "third", "fourth" and so on (if present) in the description of the present disclosure and the above drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the disclosure described herein can, for example, be practised in orders other than those illustrated or described herein. Furthermore, the terms "include" and "comprise" and any variations thereof are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or apparatus that includes a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to the process, method, product or apparatus.

It should be understood that in this disclosure, "at least one (item)" means one or more, and "plurality" means two or more. "And/or" describes the association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that only A exists, only B exists, or both A and B exist, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects. "At least one of the following (items)" or similar expressions refers to any combination of those items, including any combination of a single item or multiple items. For example, "at least one of a, b or c" may mean a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may each be single or multiple.

It should be understood that in the description of the embodiments of the present disclosure, "multiple (or multiple items)" means two or more; "greater than", "less than", "exceeds" and the like are understood as excluding the stated number; and "above", "below", "within" and the like are understood as including the stated number.

In the several embodiments provided in this disclosure, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and in actual implementation there may be other divisions; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.

Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the various embodiments of the present disclosure may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present disclosure in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the various embodiments of the present disclosure. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.

It should also be understood that the various implementations provided by the embodiments of the present disclosure may be combined arbitrarily to achieve different technical effects.

The above is a specific description of the embodiments of the present disclosure, but the disclosure is not limited to the above embodiments. Those skilled in the art may make various equivalent modifications or substitutions without departing from the spirit of the disclosure, and such equivalent modifications or substitutions fall within the scope defined by the claims of this disclosure.

Claims (13)

1. The flow monitoring method based on the network space target range is characterized by comprising the following steps of:
acquiring a network security event from a security event database of the network space shooting range;
acquiring characteristic data of the network security event;
and inquiring flow data corresponding to the network security event in a flow database of the network space target range based on the characteristic data, wherein the flow database stores full-flow mirror image data of the network security event in the network space target range.
2. The method of traffic monitoring according to claim 1, wherein said obtaining network security events from a security event database of the network space target comprises:
determining a monitoring period and a monitoring duration;
according to the monitoring period, determining a monitoring time interval according to the monitoring duration;
randomly extracting a predetermined number of the network security events occurring during the monitoring time interval from the security event database of the network space target range.
3. The traffic monitoring method according to claim 1, wherein the characteristic data comprises a source address, a source port, a destination address, a destination port, a virtual local area network identification, and a timestamp of the network security event occurrence.
4. A method of traffic monitoring according to claim 3, wherein the traffic database comprises a plurality of traffic interfaces, each of the traffic interfaces corresponding to one of the network security events; each flow interface comprises a flow start time, a flow end time and a flow parameter set, wherein the flow parameter set comprises a flow virtual local area network identifier, a flow source address, a flow source port, a flow target address and a flow target port;
the querying, based on the feature data, flow data corresponding to the network security event in a flow database of the network space target range includes:
determining candidate traffic ports in the traffic database based on the traffic start time, traffic end time, and the time stamp;
determining a target traffic port corresponding to the network security event in the candidate traffic ports based on the matching relationship of the source address and the traffic source address, the matching relationship of the source port and the traffic source port, the matching relationship of the target address and the traffic target address, the matching relationship of the target port and the traffic target port, and the matching relationship of the virtual local area network identifier and the traffic virtual local area network identifier;
the traffic data of the network security event is returned by the target traffic interface.
5. A method of traffic monitoring according to claim 3, wherein the network security event comprises an event identification;
the characteristic data comprises forward characteristic data and reverse characteristic data;
the acquiring the characteristic data of the network security event comprises the following steps:
invoking the source address, the source port, the destination address, the destination port, the virtual local area network identifier, and the timestamp of the network security event in the security event database according to the event identifier;
combining the source address, the source port, the destination address, the destination port, the virtual local area network identification, and the timestamp into the forward feature data;
taking the target address as a reverse source address, taking the target port as a reverse source port, taking the source address as a reverse target address, and taking the source port as a reverse target port;
combining the reverse source address, the reverse source port, the reverse destination address, the reverse destination port, the virtual local area network identification, and the timestamp into the reverse feature data.
6. The flow monitoring method of claim 5, wherein the flow data comprises forward flow data and reverse flow data; the querying, based on the feature data, flow data corresponding to the network security event in a flow database of the network space target range includes:
determining forward traffic data corresponding to the network security event in the traffic database based on the source address, the source port, the destination address, the destination port, the virtual local area network identification, and the timestamp in the forward feature data;
and determining the reverse flow data corresponding to the network security event in the flow database based on the reverse source address, the reverse source port, the reverse target address, the reverse target port, the virtual local area network identifier and the timestamp in the reverse feature data.
7. The method of traffic monitoring according to claim 1, wherein the obtaining the characteristic data of the network security event comprises:
acquiring characteristic data of the network security event from a fusion security event index library in the security event database; the fused security event index library is generated based on a plurality of the network security events in the security event database.
8. The traffic monitoring method according to claim 1, wherein the traffic database obtains the full traffic mirror data of the network security event by:
inserting flow probes at each node of the network space range;
capturing the traffic data with the traffic probe upon occurrence of the network security event;
and if the flow probe captures the flow data at each node where the network security event occurs, mirroring the flow data and storing the flow data in the flow database to obtain the full-flow mirrored data.
9. The traffic monitoring method according to claim 1, wherein after the querying the traffic database of the network space target range for traffic data corresponding to the network security event based on the feature data, the traffic monitoring method further comprises:
if the flow data corresponding to the network security event is not queried, initiating an alarm event;
and based on the alarm event, querying the flow data corresponding to the network security event in the flow database again after a preset time interval.
10. A flow monitoring device based on network space range, characterized by comprising:
the first acquisition unit is used for acquiring network security events from a security event database of the network space shooting range;
the second acquisition unit is used for acquiring the characteristic data of the network security event;
and the first query unit is used for querying flow data corresponding to the network security event in a flow database of the network space target range based on the characteristic data, wherein the flow database stores full-flow mirror image data of the network security event in the network space target range.
11. An electronic device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the flow monitoring method according to any one of claims 1 to 9 when executing the computer program.
12. A computer readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the flow monitoring method according to any one of claims 1 to 9.
13. A computer program product comprising a computer program, which computer program is read and executed by a processor of a computer device, causing the computer device to perform the flow monitoring method according to any one of claims 1 to 9.
CN202311052106.1A 2023-08-18 2023-08-18 Traffic monitoring methods, devices, equipment and media based on cyberspace shooting range Pending CN116980221A (en)

Publications (1)

Publication Number Publication Date
CN116980221A true CN116980221A (en) 2023-10-31

Family

ID=88475081


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination