CN116980221A - Flow monitoring method, device, equipment and medium based on network space target range - Google Patents

Flow monitoring method, device, equipment and medium based on network space target range Download PDF

Info

Publication number
CN116980221A
CN116980221A CN202311052106.1A CN202311052106A CN116980221A CN 116980221 A CN116980221 A CN 116980221A CN 202311052106 A CN202311052106 A CN 202311052106A CN 116980221 A CN116980221 A CN 116980221A
Authority
CN
China
Prior art keywords
flow
traffic
security event
network
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311052106.1A
Other languages
Chinese (zh)
Inventor
林文辉
杨树强
陶莎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peng Cheng Laboratory
Original Assignee
Peng Cheng Laboratory
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Peng Cheng Laboratory filed Critical Peng Cheng Laboratory
Priority to CN202311052106.1A priority Critical patent/CN116980221A/en
Publication of CN116980221A publication Critical patent/CN116980221A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosure provides a flow monitoring method, device, equipment and medium based on a network space shooting range. The flow monitoring method comprises the following steps: acquiring a network security event from a security event database of the network space target range; acquiring characteristic data of a network security event; and inquiring flow data corresponding to the network security event in a flow database of the network space target range based on the characteristic data, wherein the flow database stores full-flow mirror image data of the network security event in the network space target range. The embodiment of the disclosure can ensure that the monitored data flow is complete, thereby improving the accuracy of judging the state of the flow acquisition and storage equipment by utilizing the data flow. The embodiment of the disclosure can be applied to network security, communication security and the like.

Description

Flow monitoring method, device, equipment and medium based on network space target range
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method, apparatus, device, and medium for monitoring traffic based on a network space target range.
Background
Traffic data is an important component for analyzing network security events occurring in a network space target. In order to ensure that the flow can be correctly and completely collected, the flow needs to be monitored to ensure that the state of the flow collection and storage equipment is normal.
In the prior art, network traffic data is generally monitored by monitoring traffic collection configuration states of a traffic collection device and a traffic mirroring device of a network space target range. However, due to the huge number of nodes and complex topological association of the network space range, even if some acquisition nodes fail or part of uplink and downlink networks are blocked, the flow acquisition equipment can still acquire flow data through the connection between the non-failed nodes and the non-blocked network. The traffic data monitored in this manner may not be complete and therefore may not be representative of the normal condition of the traffic acquisition and storage devices throughout the network space. Therefore, the flow monitoring method in the prior art cannot accurately reflect whether the flow acquisition and storage equipment in the network space shooting range is abnormal.
Disclosure of Invention
The embodiment of the disclosure provides a flow monitoring method, a device, equipment and a medium based on a network space shooting range, which can ensure that the monitored data flow is complete, thereby improving the accuracy of judging the state of flow acquisition and storage equipment by utilizing the data flow.
According to an aspect of the present disclosure, there is provided a flow monitoring method based on a network space range, including:
Acquiring a network security event from a security event database of the network space shooting range;
acquiring characteristic data of the network security event;
and inquiring flow data corresponding to the network security event in a flow database of the network space target range based on the characteristic data, wherein the flow database stores full-flow mirror image data of the network security event in the network space target range.
According to an aspect of the present disclosure, there is provided a flow monitoring device based on a network space range, including:
the first acquisition unit is used for acquiring network security events from a security event database of the network space shooting range;
the second acquisition unit is used for acquiring the characteristic data of the network security event;
and the first query unit is used for querying flow data corresponding to the network security event in a flow database of the network space target range based on the characteristic data, wherein the flow database stores full-flow mirror image data of the network security event in the network space target range.
Optionally, the first obtaining unit is specifically configured to:
determining a monitoring period and a monitoring duration;
According to the monitoring period, determining a monitoring time interval according to the monitoring duration;
randomly extracting a predetermined number of the network security events occurring during the monitoring time interval from the security event database of the network space target range.
Optionally, the characteristic data includes a source address, a source port, a destination address, a destination port, a virtual local area network identifier, and a timestamp of the network security event.
Optionally, the flow database includes a plurality of flow interfaces, each corresponding to one of the network security events; each flow interface comprises a flow start time, a flow end time and a flow parameter set, wherein the flow parameter set comprises a flow virtual local area network identifier, a flow source address, a flow source port, a flow target address and a flow target port;
the first query unit is specifically configured to:
determining candidate traffic ports in the traffic database based on the traffic start time, traffic end time, and the time stamp;
determining a target traffic port corresponding to the network security event in the candidate traffic ports based on the matching relationship of the source address and the traffic source address, the matching relationship of the source port and the traffic source port, the matching relationship of the target address and the traffic target address, the matching relationship of the target port and the traffic target port, and the matching relationship of the virtual local area network identifier and the traffic virtual local area network identifier;
The traffic data of the network security event is returned by the target traffic interface.
Optionally, the network security event comprises an event identification;
the characteristic data comprises forward characteristic data and reverse characteristic data;
the second obtaining unit is specifically configured to:
invoking the source address, the source port, the destination address, the destination port, the virtual local area network identifier, and the timestamp of the network security event in the security event database according to the event identifier;
combining the source address, the source port, the destination address, the destination port, the virtual local area network identification, and the timestamp into the forward feature data;
taking the target address as a reverse source address, taking the target port as a reverse source port, taking the source address as a reverse target address, and taking the source port as a reverse target port;
combining the reverse source address, the reverse source port, the reverse destination address, the reverse destination port, the virtual local area network identification, and the timestamp into the reverse feature data.
Optionally, the traffic data includes forward traffic data and reverse traffic data;
The first query unit is specifically configured to:
determining forward traffic data corresponding to the network security event in the traffic database based on the source address, the source port, the destination address, the destination port, the virtual local area network identification, and the timestamp in the forward feature data;
and determining the reverse flow data corresponding to the network security event in the flow database based on the reverse source address, the reverse source port, the reverse target address, the reverse target port, the virtual local area network identifier and the timestamp in the reverse feature data.
Optionally, the second obtaining unit is specifically configured to:
acquiring characteristic data of the network security event from a fusion security event index library in the security event database; the fused security event index library is generated based on a plurality of the network security events in the security event database.
Optionally, the traffic database obtains the full traffic mirror data of the network security event by:
inserting flow probes at each node of the network space range;
Capturing the traffic data with the traffic probe upon occurrence of the network security event;
and if the flow probe captures the flow data at each node where the network security event occurs, mirroring the flow data and storing the flow data in the flow database to obtain the full-flow mirrored data.
Optionally, the flow monitoring device further comprises:
the alarm initiating unit is used for initiating an alarm event if the flow data corresponding to the network security event is not queried;
and the second query unit is used for querying the flow data corresponding to the network security event in the flow database again after a preset time interval based on the alarm event.
According to an aspect of the present disclosure, there is provided an electronic device comprising a memory storing a computer program and a processor implementing the flow monitoring method as described above when executing the computer program.
According to an aspect of the present disclosure, there is provided a computer readable storage medium storing a computer program which, when executed by a processor, implements a flow monitoring method as described above.
According to an aspect of the present disclosure, there is provided a computer program product comprising a computer program, which is read and executed by a processor of a computer device, causing the computer device to perform the flow monitoring method as described above.
In the embodiment of the disclosure, a network security event is acquired from a security event database of a network space target range, then feature data of the network security event is acquired, and flow data generated when the network security event occurs is queried in a flow database of the network space target range according to the feature data. The traffic database stores full-image traffic data when a network security event occurs. If some nodes in the flow acquisition device are abnormal, the flow data cannot be completely acquired, and the flow data cannot be mirrored and then stored in the flow database. Therefore, the flow data queried in the flow database according to the data characteristics of the network security event must be the complete flow data corresponding to the network security event. If the flow data generated when the network security event occurs cannot be queried in the flow database according to the characteristic data, the flow data in the network space shooting range is indicated to be invalid or certain nodes in the storage device are blocked from being connected with the network, and the repair needs to be checked as soon as possible. If the flow data can be queried, the flow acquisition and storage device is indicated to be in a normal state. Therefore, the embodiment of the disclosure ensures that the monitored flow data is complete, thereby improving the accuracy of judging the state of the flow acquisition and storage equipment by utilizing the data flow.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the disclosure. The objectives and other advantages of the disclosure will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosed embodiments and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain, without limitation, the disclosed embodiments.
Fig. 1 is a schematic diagram of a system architecture of a method for monitoring traffic based on a network space range according to an embodiment of the present disclosure;
FIG. 2 is a flow chart of a method of flow monitoring based on a network space target range in accordance with an embodiment of the present disclosure;
FIG. 3 is a specific flowchart of step 210 of FIG. 2;
FIG. 4 is an exemplary diagram of determining a monitoring event interval;
FIG. 5 is a specific flowchart of step 230 of FIG. 2;
FIG. 6 is a specific flowchart of step 220 of FIG. 2;
FIG. 7 is a schematic diagram of the forward feature data and the reverse feature data of FIG. 6;
FIG. 8 is a specific flowchart of step 230 of FIG. 2;
FIG. 9 is a particular flow diagram of a flow database acquiring full flow mirror data;
FIG. 10 is a particular flow chart following FIG. 2 if traffic data is not queried;
FIG. 11 is an overall flow chart of an embodiment of the present disclosure;
FIG. 12 is a block diagram of a flow monitoring device of an embodiment of the present disclosure;
fig. 13 is a control terminal structure diagram of the flow monitoring method shown in fig. 2 according to an embodiment of the present disclosure;
fig. 14 is a server configuration diagram of the flow monitoring method shown in fig. 2 according to an embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the present disclosure more apparent, the present disclosure will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present disclosure.
Before proceeding to further detailed description of the disclosed embodiments, the terms and terms involved in the disclosed embodiments are described, which are applicable to the following explanation:
network space target range: the network space shooting range is a technology or product for simulating and reproducing the network architecture, system equipment, running state of service flow and running environment in the real open network space based on a virtualization technology so as to more effectively realize learning, research and the like related to network safety, thereby improving the network safety countermeasure level of personnel and the defending capability of the system. And determining a protection strategy by analyzing network security events in the network space shooting range so as to improve the stability and security of the network in the real environment.
Flow mirroring: traffic mirroring is a networking technology used to replicate network traffic in real-time to another interface (or interfaces) for analysis and monitoring. The flow mirror image can help operation staff and security staff monitor the stability and security of network equipment and application in real time, and problems are checked and attack protection is carried out by analyzing the flow. Meanwhile, the traffic mirror image does not affect the network bandwidth and does not interfere with the normal operation of the network.
Data acquisition probe: a data acquisition probe refers to a device that captures and analyzes specified network traffic during network communication. In the capture phase, the probe will grab the network traffic connected through it and store the grabbed data in the memory or hard disk. During the analysis phase, the probe will decode, reassemble, filter, etc. the captured data to extract useful information therefrom.
Fig. 1 is a system architecture diagram to which a flow monitoring method according to an embodiment of the present disclosure is applied. It comprises the following steps: the system comprises a control terminal and a network space shooting range, wherein the network space shooting range comprises a safety event database, a flow database and a flow acquisition device.
The control terminal is used for initiating the operations of monitoring the network space shooting range, checking the monitoring result, processing the abnormal result when the monitoring result is abnormal, and the like. It includes desktop computers, laptops, PDAs (personal digital assistants), cell phones, dedicated terminals, etc. In addition, the device can be a single device or a set of a plurality of devices. For example, a plurality of devices are connected through a local area network, and a display device is commonly used for cooperative work to form a control terminal.
The network space target range is a computer system for a user to perform network security attack and defense exercise. The network space target range may be a high-performance computer, a combination of parts drawn from multiple high-performance computers, or the like. The database of security events in the cyber space is used to store all cyber security events that occur at the cyber space. The flow collection device is used for collecting flow data when a network security event occurs, and after the flow data is collected, the data mirror image is stored in the flow database.
When the control terminal is used for carrying out flow monitoring on the network space shooting range, the time of each computer in the network is required to be synchronized by using the network time protocol, so that the flow data of the network security event can be accurately found.
According to one embodiment of the present disclosure, a method for monitoring traffic based on a network space range is provided.
The flow monitoring is used for monitoring flow data in the network space target range, and when the monitored flow data is abnormal, related responsible persons can detect and repair the flow data even if the monitored flow data is abnormal, so that the network space target range can accurately acquire the flow data and analyze network security events. In the prior art, network traffic data is generally monitored by monitoring the traffic collection configuration states of a traffic collection device and a traffic mirroring device of a network space target range. However, this method cannot ensure that the collected traffic data is complete, and thus cannot ensure that all nodes and connection states of the traffic collection and storage device are normal.
The flow data acquired by the flow monitoring method of the embodiment of the disclosure is necessarily complete, so that the states of each node and connection in the flow acquisition and storage device can be accurately reflected.
As shown in fig. 2, the flow monitoring method according to the embodiment of the present disclosure includes:
step 210, acquiring a network security event from a security event database of a network space shooting range;
step 220, obtaining characteristic data of the network security event;
And 230, inquiring flow data corresponding to the network security event in a flow database of the network space target range based on the characteristic data, wherein the flow database stores full-flow mirror image data of the network security event in the network space target range.
In step 210, a network security event that occurs in a network space target is stored in a security event database. After the simulation attack and defense action events in the network space target range are identified by using the security equipment (such as a firewall/an intrusion prevention system/an intrusion monitoring system and the like) in the network space target range, network security event data are generated through big data calculation and stored in a security event database. When a network security event occurs, corresponding traffic data is generated. Therefore, the traffic data can be used for judging the state of the traffic collection and storage device in the network space shooting range when the network security event occurs.
In one embodiment, the network security event is obtained in real-time from a security event database of the network space target.
Network security events occurring in a network space target are often continuous. Therefore, the flow data in the network space shooting range can be monitored in real time, so that continuous network safety events can be ensured to normally run.
When a network security event occurs in the network space shooting range, the network security event is stored in a security event library, and the flow data is mirrored and stored in a flow database. After storage is complete, the network security event is acquired and steps 220-230 are performed to enable real-time monitoring of the streaming data.
Because the cyber space target can provide cyber security attack and defense exercise scenes for a plurality of objects at the same time, a plurality of cyber security events may occur in the cyber space target at the same time. However, anomalies in traffic collection and storage devices are often checked using a single network security event, and are certainly wasteful if traffic data for each network security event is monitored. Thus, a predetermined number of network security events stored simultaneously in the security event database may be acquired. The predetermined number is often 1, and in order to avoid inaccuracy of a single monitoring result, the predetermined number may be determined to be 2 or 3. The acquisition of a predetermined number of network security events can improve the monitoring efficiency of real-time monitoring, and the real-time state of the data acquisition and storage device can be reflected by using fewer network security events.
The method has the advantages that the data can be monitored in real time by real-time acquisition, so that the state of flow data acquisition and storage can be monitored in time, the abnormal state can be processed in time, and the timeliness of processing the abnormal state is improved.
Since the cyber space range also needs to provide computing resources for the subject to perform cyber safety exercises, if the flow monitoring occurs simultaneously with the cyber safety exercises, the load of the cyber space range may be increased, thereby affecting the efficiency of the cyber safety exercises. Thus, in one embodiment, as shown in FIG. 3, step 210 includes:
step 310, determining a monitoring period and a monitoring duration;
step 320, determining a monitoring time interval according to the monitoring period and the monitoring duration;
step 330, randomly extracting a predetermined number of network security events occurring in the monitoring time interval from the security event database of the network space target range.
In this embodiment, the traffic is monitored according to a predetermined monitoring period, for example, the traffic is monitored once every hour, and whether the traffic collection and storage device status is abnormal during the period is determined by the network security event occurring in the monitoring period. The monitoring period may be preset to a fixed duration, for example, 1 hour, 2 hours, etc.; the monitoring period can be shortened appropriately to improve the accuracy of flow monitoring, for example, the number of network security events in the network space shooting range is increased rapidly in a certain period of time, which is easy to cause abnormal flow data acquisition.
If an abnormality exists in the monitoring period, no manual intervention exists, and the abnormality can exist continuously, so that the network security event in the whole monitoring period is not required to be acquired, and the network security event in the monitoring period is acquired by determining the monitoring period. The monitoring duration is set to 1 minute, 5 minutes, 10 minutes, 15 minutes, etc., and may be determined according to the number of network security events occurring in the monitoring period, and if the number of network security events occurring in the monitoring period is large, the monitoring duration may be set to be shorter.
The monitoring time interval is a time period for flow monitoring in one monitoring period. The flow monitoring result in the monitoring time interval can reflect the flow monitoring result of the whole monitoring interval. The time starting point of the monitoring time interval is the time point obtained by subtracting the monitoring time length from the time point of executing the flow monitoring, and the time ending point is the time point of executing the flow monitoring. For example, as shown in FIG. 4, the monitoring period is 1 hour, then one flow monitoring needs to be performed at all 10:00, 11:00, 12:00. The monitoring time period is 15 minutes, then at 11:00, 10:45 to 11:00 are monitoring time intervals, and at 12:00, 11:45 to 12:00 are monitoring time intervals. If a data monitoring anomaly occurs between 10:00 and 10:45, then the anomaly still exists for a monitoring time interval of 10:45 to 11:00. Thus, the flow state of the whole monitoring period can be reflected by monitoring the flow in a small range of time.
After determining the monitoring time interval, randomly extracting a predetermined number of network security events occurring within the detection time interval from the security event database. The predetermined number of random draws is dependent on the load of the network space range. The larger the predetermined number, the more accurate the monitoring result, but the more load on the system. The predetermined number of determinations may be set to a fixed value, for example 10, depending on the load of the network space range; the system can also be dynamically adjusted according to the number of network security events running in the network space target range, for example, if the number of network security events running in the current network space target range is large, the preset number needs to be reduced to ensure that the flow monitoring does not influence the normal running of the network security events.
The method has the advantages that the flow monitoring is carried out according to the preset period, and the situation that the flow monitoring occupies computing resources required by network security drilling in a network space shooting range to influence the normal drilling is avoided.
In step 220, feature data for the network security event is obtained.
In one embodiment, obtaining characteristic data of a network security event includes: and acquiring the characteristic data of the network security event from a fusion security event index database in the security event database.
The fused security event index library is generated based on a plurality of network security events in the security event database, and the function of the fused security event index library in the network space shooting range is to fuse network security events from different security devices together for comprehensive analysis. Therefore, the fusion security event index library can unify the formats of multiple fields of different network security events so as to fuse. For example, the time formats of network security events from different security devices may be different, and in the converged security event index library, the events in different formats may be unified into the same format and ordered. The fused security event index library also performs duplication and impurity removal on the network security event, for example, through the network security event identifier or the virtual local area network identifier, to judge whether the network security event is a valid event. Therefore, the data features acquired by fusing the security event index library are more accurate and easier to search.
The main fields of the network security event contained in the converged security event index library are shown in table 1:
TABLE 1
Because each network security event has a variety of characteristic data, the event identification can be used to obtain characteristic data associated with the traffic data. In one embodiment, the characteristic data includes a source address, a source port, a destination address, a destination port, a virtual local area network identification, and a timestamp of the occurrence of the network security event.
The source address is the IP address of the initiator of the network security event; the source port is an initiator port number at which a network security event occurs; the target address is the IP address of the receiver where the network security event occurs; the destination port is a receiver port number where the network security event occurs; the virtual local area network identifier is a virtual network identifier of the network security event isolation running in the network space shooting range; the timestamp is the time at which the network security event occurred.
The advantage of obtaining the characteristic data from various characteristic data is that the purpose of inquiring flow data can be achieved by using a small amount of characteristic data, and the inquiring efficiency is improved.
Based on this embodiment, the flow database in step 230 includes a plurality of flow interfaces, each corresponding to a network security event, through which flow data of the network security event can be obtained, and each flow interface includes a flow start time, a flow end time, and a flow parameter set, where the flow parameter set includes a flow virtual local area network identifier, a flow source address, a flow source port, a flow destination address, and a flow destination port. Thus, as shown in fig. 5, step 230 includes:
step 510, determining candidate traffic ports in a traffic database based on the traffic start time, the traffic end time, and the time stamp;
Step 520, determining a target traffic port corresponding to the network security event in the candidate traffic ports based on the matching relationship between the source address and the traffic source address, the matching relationship between the source port and the traffic source port, the matching relationship between the target address and the traffic target address, the matching relationship between the target port and the traffic target port, and the matching relationship between the virtual local area network identifier and the traffic virtual local area network identifier;
and step 530, returning the flow data of the network security event by the target flow interface.
In this embodiment, a target traffic interface corresponding to the network security event is determined in a traffic database according to the acquired feature data of the network security event. The type of traffic interface may be a restul API. The data content of the request header portion of the traffic interface is shown in table 2:
table 2 the data content of the request body of the traffic interface is shown in table 3:
TABLE 3 Table 3
The request header portion of the traffic interface contains data information of the traffic interface and cannot be used to query traffic data retrievable via the traffic interface. The request body part contains the flow data which can be fetched through the flow interface, so that the flow interface is queried through the request body.
First, a candidate traffic port is determined by the traffic start time, the traffic end time in the request body data, and the timestamp in the feature data of the network security event. If the time of the network security event occurs between the flow start time and the flow end time, the flow data representing the flow interface is matched with the time of the network security event. And then selecting a target flow interface from the candidate flow interfaces matched in time. It should be noted that the time formats of the flow start time, the flow end time, and the time stamp need to be unified for comparison.
Table 2, "filetunearray" in the request body is a flow parameter set, where "vlan id" is a flow vlan id; "sourceIp" is the traffic source address; "desteip" is the traffic destination address; "sourcePort" is the traffic source port; "destPort" is the traffic destination port.
Only when the virtual local area network identifier is the same as the flow virtual local area network identifier, the source address is the same as the flow source address, the target address is the same as the flow target address, the source port is the same as the flow source port, the target port is the same as the flow target port, the flow data corresponding to the flow interface is the flow data of the network security event, and the flow interface is the target flow port corresponding to the network security event.
After the target traffic interface is found, the traffic data of the network security event is returned by the target traffic interface. The returned results are shown in Table 4:
sequence number Parameter name Type(s) Description of the invention
1 Code Integer type Querying task status, 0 as success, 1 as failure
2 Msg Character string If the task fails, returning failure information
3 totalBytes Character string Total number of bytes of query traffic data
4 totalPackets Integer type Total number of packets for querying traffic data
TABLE 4 Table 4
The parameter "Code" in table 4 is used to indicate whether the target traffic interface is queried, 0 if successful, 1 if failed, and failure information is returned by the parameter "Msg". The total bytes and total data packets of the queried flow data are represented by the total bytes and the total data packets, and if the two parameters are not 0, the flow acquisition and storage equipment of the network space range is represented to be normal; otherwise, if one of the two parameters is 0, the abnormal state of the flow acquisition and storage device of the network space target range is represented.
The advantage of using the flow interface to query the flow data in the embodiment is that the server load caused by directly querying the flow data is reduced, the searching efficiency is improved, meanwhile, the flow data is not directly operated, and the data safety and accuracy are improved.
The occurrence of the network security event uses unidirectional traffic transmission from the sender to the receiver, and in practical application, it may happen that traffic collection from the sender to the receiver is normal, but traffic collection from the receiver to the sender is blocked. If another network security event is utilized to verify the traffic acquisition status from the receiver to the sender, the network space range load will be increased. Thus, in one embodiment, the network security event comprises an event identification, and the characteristic data in step 220 comprises forward characteristic data and reverse characteristic data. The forward characteristic data is characteristic data from a sender to a receiver of the network security event; the reverse profile is the profile of the receiver to sender of the network security event. Based on this, as shown in fig. 6, step 220 includes:
step 610, retrieving the source address, source port, destination address, destination port, virtual local area network identifier and time stamp of the network security event from the security event database according to the event identifier;
Step 620, combining the source address, the source port, the destination address, the destination port, the virtual local area network identifier, and the timestamp into forward feature data;
step 630, taking the target address as a reverse source address, the target port as a reverse source port, the source address as a reverse target address, and the source port as a reverse target port;
step 640, combining the reverse source address, the reverse source port, the reverse destination address, the reverse destination port, the virtual local area network identifier, and the timestamp into reverse feature data.
Referring to table 1, the source address, source port, destination address, destination port, virtual local area network identification, and time stamp of the network security event, which are forward characteristic data from the sender to the receiver, can be acquired through the event identification.
The target address is used as a reverse source address, the target port is used as a reverse source port, the source address is used as a reverse target address, and the source port is used as a reverse target port. As shown in fig. 7, the forward direction sender is regarded as the reverse direction receiver in this process, and the forward direction receiver is regarded as the reverse direction sender. And combining the converted characteristic data with the virtual local area network identifier and the time stamp to obtain reverse characteristic data.
The method and the device have the advantages that bidirectional characteristic data are acquired by utilizing one network security event so as to acquire bidirectional flow characteristics, so that the completeness of flow data query is ensured, and the monitoring efficiency is improved.
Based on the present embodiment, the flow data includes forward flow data and reverse flow data, and thus, as shown in fig. 8, step 230 includes:
step 810, determining forward flow data corresponding to the network security event in a flow database based on the source address, the source port, the target address, the target port, the virtual local area network identifier and the timestamp in the forward feature data;
step 820, determining reverse traffic data corresponding to the network security event in the traffic database based on the reverse source address, the reverse source port, the reverse destination address, the reverse destination port, the virtual local area network identifier, and the timestamp in the reverse feature data.
In this embodiment, the traffic data from the forward sender to the forward receiver may be acquired in the traffic database based on the forward feature data, and the traffic data from the reverse sender to the reverse receiver may be acquired based on the reverse feature data.
The process of determining forward traffic data in the traffic database based on the source address, the source port, the destination address, the destination port, the virtual local area network identifier, and the timestamp is the same as that of the foregoing embodiment, and will not be described herein.
The advantages of this embodiment are the same as the advantages of acquiring the bidirectional feature data in the foregoing embodiment, and will not be described here again.
The traffic database stores full traffic mirror image data of the network security event in the network space shooting range, so that the traffic data queried from the traffic database can be ensured to be the complete traffic of the network security event.
In one embodiment, as shown in FIG. 9, the traffic database obtains full traffic mirrored data of network security events by:
step 910, inserting flow probes at each node of the network space target range;
step 920, capturing traffic data by using a traffic probe when a network security event occurs;
and 930, if the flow probe captures the flow data at each node where the network security event occurs, mirroring the flow data and storing the flow data in a flow database to obtain full-flow mirrored data.
In this embodiment, each node of the network space range is plugged with a flow probe for capturing flow data. When a network security event occurs, the flow probes of all nodes passing through the network security event in the network space target range are taken as a whole, and only if the flow probes capture flow data, the flow data can be stored in a flow database after being mirrored, so that full-flow mirror image data are obtained. As long as one flow probe cannot capture flow data, full flow mirror data cannot be formed in the flow database.
Because of this, it is ensured that the traffic data queried from the traffic database is the complete traffic for the network security event. Thus, the present implementation ensures the integrity of the traffic data stored in the traffic database.
When the flow data of the network security event is queried in the flow database, the flow collection and storage equipment is not abnormal, and the flow monitoring of the next network security event can be performed.
When the traffic data of the network security event is not queried in the traffic database, the traffic data indicates that the traffic acquisition and storage equipment is abnormal in state and needs to be processed.
In one embodiment, as shown in fig. 10, after step 230, the flow monitoring method further includes:
step 1010, if the flow data corresponding to the network security event is not queried, initiating an alarm event;
and 1020, based on the alarm event, inquiring the flow data corresponding to the network security event in the flow database again after the preset time interval.
If no flow data is queried, the abnormal flow characteristics are sent to an automatic abnormal processing platform through an abnormal processing interface so as to carry out subsequent processing.
After receiving the alarm event, the automatic exception handling platform queries flow data corresponding to the network security event in the flow database after a preset time interval. The purpose of this is to prevent a difference in storage time between the traffic database and the security event database, i.e. the security event database has stored therein network security events, but the traffic database has not stored therein traffic data corresponding to the network security events. Therefore, the flow data can be queried again after the preset time, if the flow data can be queried, the flow acquisition and storage equipment is normal, and if the flow data can not be queried, the flow data can not be queried yet, the flow acquisition and storage equipment is abnormal, and repair is needed.
The method and the device have the advantages that the problem that flow data cannot be queried due to storage time difference is avoided, and accuracy of flow monitoring is improved.
The handling of abnormal conditions requires the acquisition of information of the network security event, the emulated network region, and the traffic collection and storage device that generated the alarm. By checking the above information, abnormality is checked, repair is performed in a predetermined manner for a specific problem, and a log is recorded. If the state abnormality cannot be repaired or not found, the relevant responsible person needs to be informed of the alarm through a short message or mail and the like, and the information is checked by manual intervention to determine the reason of the abnormality and solve the problem.
The overall flow of the flow monitoring method of the embodiment of the disclosure is shown in fig. 11, and a network security event is obtained from a security event database; acquiring characteristic data of a network security event; inquiring flow data of the network security event in a flow database based on the characteristic data; judging whether flow data is inquired; if yes, acquiring the next network security event for flow monitoring; if not, initiating an alarm event, and checking the alarm reason by the automatic exception handling platform and related responsible persons to repair an exception state; and after the abnormality is repaired, acquiring the network security event again to monitor the flow.
The apparatus and devices of embodiments of the present disclosure are described below.
It will be appreciated that, although the steps in the various flowcharts described above are shown in succession in the order indicated by the arrows, the steps are not necessarily executed in the order indicated by the arrows. The steps are not strictly limited in order unless explicitly stated in the present embodiment, and may be performed in other orders. Moreover, at least some of the steps in the flowcharts described above may include a plurality of steps or stages that are not necessarily performed at the same time but may be performed at different times, and the order of execution of the steps or stages is not necessarily sequential, but may be performed in turn or alternately with at least a portion of the steps or stages in other steps or other steps.
In the embodiments of the present application, when related processing is performed on data related to the characteristics of the target virtual machine according to attribute information or attribute information set of the target virtual machine, permission or agreement of the target virtual machine is obtained first, and the collection, use, processing, etc. of the data complies with relevant laws and regulations and standards of relevant countries and regions. In addition, when the embodiment of the application needs to acquire the attribute information of the target virtual machine, the independent permission or independent consent of the target virtual machine is acquired through a popup window or a jump to a confirmation page and the like, and after the independent permission or independent consent of the target virtual machine is definitely acquired, the necessary related data of the target virtual machine for enabling the embodiment of the application to normally operate is acquired.
Fig. 12 is a block diagram of a flow monitoring device 1200 provided in an embodiment of the present disclosure. The flow monitoring device 1200 includes:
a first obtaining unit 1210, configured to obtain a network security event from a security event database of a network space target range;
a second obtaining unit 1220, configured to obtain feature data of the network security event;
the first querying unit 1230 is configured to query, based on the feature data, flow data corresponding to the network security event in a flow database of the network space target, where the flow database stores full-flow mirror data of the network security event occurring in the network space target.
Alternatively, the first acquisition unit 1210 is specifically configured to:
determining a monitoring period and a monitoring duration;
according to the monitoring period, determining a monitoring time interval according to the monitoring duration;
randomly extracting a predetermined number of network security events occurring in the monitoring time interval from a security event database of the network space target range.
Optionally, the characteristic data comprises a source address, a source port, a destination address, a destination port, a virtual local area network identification, and a timestamp of the occurrence of the network security event.
Optionally, the flow database includes a plurality of flow interfaces, each flow interface corresponding to a network security event; each flow interface comprises a flow start time, a flow end time and a flow parameter set, wherein the flow parameter set comprises a flow virtual local area network identifier, a flow source address, a flow source port, a flow target address and a flow target port;
The first query unit 1230 is specifically configured to:
determining candidate traffic ports in a traffic database based on the traffic start time, the traffic end time, and the time stamp;
determining a target flow port corresponding to a network security event in the candidate flow ports based on the matching relationship of the source address and the flow source address, the matching relationship of the source port and the flow source port, the matching relationship of the target address and the flow target address, the matching relationship of the target port and the flow target port, and the matching relationship of the virtual local area network identifier and the flow virtual local area network identifier;
traffic data for the network security event is returned by the target traffic interface.
Optionally, the network security event comprises an event identification;
the characteristic data comprises forward characteristic data and reverse characteristic data;
the second obtaining unit 1220 is specifically configured to:
according to the event identification, calling the source address, the source port, the target address, the target port, the virtual local area network identification and the time stamp of the network security event in the security event database;
combining the source address, the source port, the target address, the target port, the virtual local area network identifier and the timestamp into forward characteristic data;
taking the target address as a reverse source address, taking the target port as a reverse source port, taking the source address as a reverse target address, and taking the source port as a reverse target port;
The reverse source address, the reverse source port, the reverse destination address, the reverse destination port, the virtual local area network identifier, and the timestamp are combined into reverse feature data.
Optionally, the traffic data includes forward traffic data and reverse traffic data;
the first query unit 1230 is specifically configured to:
determining forward flow data corresponding to the network security event in a flow database based on the source address, the source port, the target address, the target port, the virtual local area network identifier and the time stamp in the forward characteristic data;
and determining reverse flow data corresponding to the network security event in a flow database based on the reverse source address, the reverse source port, the reverse target address, the reverse target port, the virtual local area network identifier and the timestamp in the reverse feature data.
Optionally, the second obtaining unit 1220 is specifically configured to:
acquiring characteristic data of a network security event from a fusion security event index database in a security event database; the fused security event index library is generated based on a plurality of network security events in the security event database.
Optionally, the traffic database obtains full traffic mirrored data of the network security event by:
Inserting flow probes at each node of the network space target range;
capturing traffic data with a traffic probe when a network security event occurs;
if the flow probe captures flow data at each node where the network security event occurs, mirroring the flow data and storing the flow data in a flow database to obtain full-flow mirrored data.
Optionally, the flow monitoring device 1200 further includes:
an alarm initiating unit (not shown) for initiating an alarm event if traffic data corresponding to the network security event is not queried;
and the second query unit (not shown) is used for querying the flow data corresponding to the network security event in the flow database again after a preset time interval based on the alarm event.
Referring to fig. 13, fig. 13 is a block diagram of a portion of a control terminal implementing an embodiment of the present disclosure, the control terminal including: radio Frequency (RF) circuitry 1310, memory 1315, input unit 1330, display unit 1340, sensors 1350, audio circuitry 1360, wireless fidelity (wireless fidelity, wiFi) modules 1370, processor 1380, and power supply 1390. It will be appreciated by those skilled in the art that the terminal structure shown in fig. 13 is not limiting of a cell phone or computer and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
The RF circuit 1310 may be used for receiving and transmitting signals during a message or a call, and in particular, after receiving downlink information of a base station, the RF circuit may process the downlink information for the processor 1380; in addition, the data of the design uplink is sent to the base station.
The memory 1315 may be used to store software programs and modules, and the processor 1380 performs various functional applications and data processing of the terminal by executing the software programs and modules stored in the memory 1315.
The input unit 1330 may be used to receive input numerical or character information and to generate key signal inputs related to the setting and function control of the terminal. Specifically, the input unit 1330 may include a touch panel 1331 and other input devices 1332.
The display unit 1340 may be used to display input information or provided information and various menus of the terminal. The display unit 1340 may include a display panel 1341.
Audio circuitry 1360, speaker 1361, microphone 1362 may provide an audio interface.
In this embodiment, the processor 1380 included in the terminal may perform the traffic monitoring method of the previous embodiment.
The control terminal of the embodiment of the disclosure comprises, but is not limited to, a mobile phone, a computer, intelligent voice interaction equipment, an aircraft and the like. The embodiment of the invention can be applied to various scenes, including but not limited to network security, communication security and the like.
Fig. 14 is a block diagram of a portion of a server implementing a network space range according to an embodiment of the present disclosure. Servers may vary widely in configuration or performance, and may include one or more central processing units (Central Processing Units, simply CPU) 1422 (e.g., one or more processors) and memory 1432, one or more storage media 1430 (e.g., one or more mass storage devices) that store applications 1442 or data 1444. Wherein the memory 1432 and storage medium 1430 can be transitory or persistent storage. The program stored in the storage medium 1430 may include one or more modules (not shown), each of which may include a series of instruction operations on a server. Further, the central processor 1422 may be provided in communication with a storage medium 1430, executing a series of instruction operations on the server in the storage medium 1430.
The servers may also include one or more power supplies 1426, one or more wired or wireless network interfaces 1450, one or more input/output interfaces 1458, and/or one or more operating systems 1441, such as Windows Server, mac OS XTM, unixTM, linuxTM, freeBSDTM, etc.
The central processor 1422 in the server may be used to perform the traffic monitoring methods of embodiments of the present disclosure.
The disclosed embodiments also provide a computer readable storage medium storing program code for executing the flow monitoring method of the foregoing embodiments.
The disclosed embodiments also provide a computer program product comprising a computer program. The processor of the computer device reads the computer program and executes it, causing the computer device to execute the flow monitoring method described above.
The terms "first," "second," "third," "fourth," and the like in the description of the present disclosure and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein, for example. Furthermore, the terms "comprises," "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in this disclosure, "at least one" means one or more, and "a plurality" means two or more. "and/or" for describing the association relationship of the association object, the representation may have three relationships, for example, "a and/or B" may represent: only a, only B and both a and B are present, wherein a, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
It should be understood that in the description of the embodiments of the present disclosure, the meaning of a plurality (or multiple) is two or more, and that greater than, less than, exceeding, etc. is understood to not include the present number, and that greater than, less than, within, etc. is understood to include the present number.
In the several embodiments provided in the present disclosure, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present disclosure may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present disclosure. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
It should also be appreciated that the various implementations provided by the embodiments of the present disclosure may be arbitrarily combined to achieve different technical effects.
The above is a specific description of the embodiments of the present disclosure, but the present disclosure is not limited to the above embodiments, and various equivalent modifications and substitutions can be made by those skilled in the art without departing from the spirit of the present disclosure, and are included in the scope of the present disclosure as defined in the claims.

Claims (13)

1. The flow monitoring method based on the network space target range is characterized by comprising the following steps of:
acquiring a network security event from a security event database of the network space shooting range;
acquiring characteristic data of the network security event;
and inquiring flow data corresponding to the network security event in a flow database of the network space target range based on the characteristic data, wherein the flow database stores full-flow mirror image data of the network security event in the network space target range.
2. The method of traffic monitoring according to claim 1, wherein said obtaining network security events from a security event database of the network space target comprises:
Determining a monitoring period and a monitoring duration;
according to the monitoring period, determining a monitoring time interval according to the monitoring duration;
randomly extracting a predetermined number of the network security events occurring during the monitoring time interval from the security event database of the network space target range.
3. The traffic monitoring method according to claim 1, wherein the characteristic data comprises a source address, a source port, a destination address, a destination port, a virtual local area network identification, and a timestamp of the network security event occurrence.
4. A method of traffic monitoring according to claim 3, wherein the traffic database comprises a plurality of traffic interfaces, each of the traffic interfaces corresponding to one of the network security events; each flow interface comprises a flow start time, a flow end time and a flow parameter set, wherein the flow parameter set comprises a flow virtual local area network identifier, a flow source address, a flow source port, a flow target address and a flow target port;
the querying, based on the feature data, flow data corresponding to the network security event in a flow database of the network space target range includes:
Determining candidate traffic ports in the traffic database based on the traffic start time, traffic end time, and the time stamp;
determining a target traffic port corresponding to the network security event in the candidate traffic ports based on the matching relationship of the source address and the traffic source address, the matching relationship of the source port and the traffic source port, the matching relationship of the target address and the traffic target address, the matching relationship of the target port and the traffic target port, and the matching relationship of the virtual local area network identifier and the traffic virtual local area network identifier;
the traffic data of the network security event is returned by the target traffic interface.
5. A method of traffic monitoring according to claim 3, wherein the network security event comprises an event identification;
the characteristic data comprises forward characteristic data and reverse characteristic data;
the acquiring the characteristic data of the network security event comprises the following steps:
invoking the source address, the source port, the destination address, the destination port, the virtual local area network identifier, and the timestamp of the network security event in the security event database according to the event identifier;
Combining the source address, the source port, the destination address, the destination port, the virtual local area network identification, and the timestamp into the forward feature data;
taking the target address as a reverse source address, taking the target port as a reverse source port, taking the source address as a reverse target address, and taking the source port as a reverse target port;
combining the reverse source address, the reverse source port, the reverse destination address, the reverse destination port, the virtual local area network identification, and the timestamp into the reverse feature data.
6. The flow monitoring method of claim 5, wherein the flow data comprises forward flow data and reverse flow data; the querying, based on the feature data, flow data corresponding to the network security event in a flow database of the network space target range includes:
determining forward traffic data corresponding to the network security event in the traffic database based on the source address, the source port, the destination address, the destination port, the virtual local area network identification, and the timestamp in the forward feature data;
And determining the reverse flow data corresponding to the network security event in the flow database based on the reverse source address, the reverse source port, the reverse target address, the reverse target port, the virtual local area network identifier and the timestamp in the reverse feature data.
7. The method of traffic monitoring according to claim 1, wherein the obtaining the characteristic data of the network security event comprises:
acquiring characteristic data of the network security event from a fusion security event index library in the security event database; the fused security event index library is generated based on a plurality of the network security events in the security event database.
8. The traffic monitoring method according to claim 1, wherein the traffic database obtains the full traffic mirror data of the network security event by:
inserting flow probes at each node of the network space range;
capturing the traffic data with the traffic probe upon occurrence of the network security event;
and if the flow probe captures the flow data at each node where the network security event occurs, mirroring the flow data and storing the flow data in the flow database to obtain the full-flow mirrored data.
9. The traffic monitoring method according to claim 1, wherein after the querying the traffic database of the cyber space yard for traffic data corresponding to the cyber security event based on the feature data, the traffic monitoring method further comprises:
if the flow data corresponding to the network security event is not queried, initiating an alarm event;
and based on the alarm event, querying the flow data corresponding to the network security event in the flow database again after a preset time interval.
10. A flow monitoring device based on network space range, characterized by comprising:
the first acquisition unit is used for acquiring network security events from a security event database of the network space shooting range;
the second acquisition unit is used for acquiring the characteristic data of the network security event;
and the first query unit is used for querying flow data corresponding to the network security event in a flow database of the network space target range based on the characteristic data, wherein the flow database stores full-flow mirror image data of the network security event in the network space target range.
11. An electronic device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the flow monitoring method according to any one of claims 1 to 9 when executing the computer program.
12. A computer readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the flow monitoring method according to any one of claims 1 to 9.
13. A computer program product comprising a computer program, which computer program is read and executed by a processor of a computer device, causing the computer device to perform the flow monitoring method according to any one of claims 1 to 9.
CN202311052106.1A 2023-08-18 2023-08-18 Flow monitoring method, device, equipment and medium based on network space target range Pending CN116980221A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311052106.1A CN116980221A (en) 2023-08-18 2023-08-18 Flow monitoring method, device, equipment and medium based on network space target range

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311052106.1A CN116980221A (en) 2023-08-18 2023-08-18 Flow monitoring method, device, equipment and medium based on network space target range

Publications (1)

Publication Number Publication Date
CN116980221A true CN116980221A (en) 2023-10-31

Family

ID=88475081

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311052106.1A Pending CN116980221A (en) 2023-08-18 2023-08-18 Flow monitoring method, device, equipment and medium based on network space target range

Country Status (1)

Country Link
CN (1) CN116980221A (en)

Similar Documents

Publication Publication Date Title
CN103428196B (en) A kind of WEB application intrusion detection method based on URL white list
CN112631913B (en) Method, device, equipment and storage medium for monitoring operation faults of application program
CN111092852A (en) Network security monitoring method, device, equipment and storage medium based on big data
US11178114B2 (en) Data processing method, device, and system
KR20180079395A (en) Method and apparatus for processing alarm information, system, and computer storage medium
CN111162950A (en) Fault event processing method, device and system
KR101281456B1 (en) Apparatus and method for anomaly detection in SCADA network using self-similarity
CN111740868A (en) Alarm data processing method and device and storage medium
CN116980958A (en) Radio equipment electric fault monitoring method and system based on data identification
Zali et al. Real-time attack scenario detection via intrusion detection alert correlation
CN111585819A (en) Distribution network communication equipment fault analysis method and system
CN111526109B (en) Method and device for automatically detecting running state of web threat recognition defense system
US9645877B2 (en) Monitoring apparatus, monitoring method, and recording medium
CN110830416A (en) Network intrusion detection method and device
Zali et al. Real-time intrusion detection alert correlation and attack scenario extraction based on the prerequisite-consequence approach
CN116662127A (en) Method, system, equipment and medium for classifying and early warning equipment alarm information
CN116980221A (en) Flow monitoring method, device, equipment and medium based on network space target range
CN116192607A (en) Fault alarm method and device
CN114006719B (en) AI verification method, device and system based on situation awareness
CN115484326A (en) Method, system and storage medium for processing data
CN116015808A (en) Network port abnormity open sensing method and device, electronic equipment and storage medium
CN116155519A (en) Threat alert information processing method, threat alert information processing device, computer equipment and storage medium
CN114205855A (en) Feeder automation service network anomaly detection method facing 5G slices
CN113014587A (en) API detection method and device, electronic equipment and storage medium
CN114756469B (en) Data relationship analysis method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination