CN117118740A - Network security analysis method, device, communication equipment and storage medium - Google Patents

Info

Publication number: CN117118740A
Authority: CN (China)
Prior art keywords: target, data, terminal, message data, access rule
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202311250645.6A
Other languages: Chinese (zh)
Inventors: 谭志龙, 罗育专, 刘健
Current assignee: Shenzhen Tg Net Botone Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Shenzhen Tg Net Botone Technology Co ltd
Application filed by Shenzhen Tg Net Botone Technology Co ltd; priority to CN202311250645.6A; published as CN117118740A; legal status pending.
Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a network security analysis method, a network security analysis device, a communication device and a storage medium. The method comprises the following steps: receiving target message data sent by a terminal, and scanning a target field of the target message data to obtain target device information corresponding to the terminal; matching the target device information against a preset feature library, where the preset feature library records the correspondence between the device information of each terminal and its data access rule; when the matching succeeds, determining the corresponding target data access rule from the target device information, and judging whether the target message data conforms to the target data access rule; and when the target message data does not conform to the target data access rule, generating first mirrored data from the target message data and sending the first mirrored data to an edge security device, where the edge security device performs network security analysis of the network access behaviour of the corresponding terminal on the basis of the mirrored data it receives. Because only traffic that does not conform to a known rule is mirrored, the processing efficiency of the edge security device on the mirrored data is effectively improved.

Description

Network security analysis method, device, communication equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular to a network security analysis method, a network security analysis device, a communication device and a storage medium.
Background
With the development of communication technologies, network security technologies play an important role in ensuring the secure operation of a communication network. Among them, methods that perform network security analysis on the mirrored data generated while each terminal in the communication network is running have been receiving more and more attention.
In the conventional technology, all data passing through a switch in the communication network is mirrored to an edge security device in order to perform network security analysis. The computational load of processing the mirrored data is therefore large, and the bandwidth of the edge security device's mirror port becomes strained.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a network security analysis method, apparatus, communication device, computer-readable storage medium and computer program product that can effectively improve the processing efficiency of the edge security device on the mirrored data.
In a first aspect, the present application provides a network security analysis method, including:
receiving target message data sent by a terminal, and scanning a target field of the target message data to obtain target device information corresponding to the terminal;
matching the target device information against a preset feature library, where the preset feature library records the correspondence between the device information of each terminal and its data access rule;
when the matching succeeds, determining the corresponding target data access rule from the target device information, and judging whether the target message data conforms to the target data access rule;
when the target message data does not conform to the target data access rule, generating first mirrored data from the target message data and sending the first mirrored data to an edge security device, where the edge security device performs network security analysis of the network access behaviour of the corresponding terminal on the basis of the mirrored data it receives.
In one embodiment, receiving target message data sent by a terminal and scanning a target field of the target message data to obtain target device information corresponding to the terminal includes:
scanning the MAC address, TCP port number, UDP port number, message keyword and application protocol type fields of the target message data;
and determining the terminal type information and the manufacturer information of the terminal on the basis of the scanned target MAC address, target TCP port number, target UDP port number, target message keyword and target application protocol type field.
In one embodiment, determining the corresponding target data access rule from the target device information when the matching succeeds, and determining whether the target message data conforms to the target data access rule, includes:
comparing the data type and the destination network address of the target message data with the target data access rule;
when the comparison results are consistent, determining that the target message data conforms to the target data access rule;
and when the comparison results are inconsistent, determining that the target message data does not conform to the target data access rule.
In one embodiment, the network security analysis method further includes:
when the matching fails, generating corresponding second mirrored data from the target message data, and sending the second mirrored data to the edge security device.
In one embodiment, the network security analysis method further includes:
receiving, from the edge security device, a violation record for the message data sent by the terminal within a preset time period, where the violation record represents the number of accesses by message data sent by the terminal that did not conform to the target data access rule;
and updating the target data access rule on the basis of the violation record.
In one embodiment, updating the target data access rule on the basis of the violation record includes:
when the violation record shows that the number of non-conforming accesses by message data sent by the terminal exceeds a preset threshold, determining the network address corresponding to the message data whose non-conforming access count exceeds the preset threshold as a legal access address;
and generating a corresponding data access rule on the basis of the legal access address.
In a second aspect, the present application provides a network security analysis apparatus, including:
a receiving module, used to receive target message data sent by a terminal and to scan a target field of the target message data to obtain target device information corresponding to the terminal;
a matching module, used to match the target device information against a preset feature library, where the preset feature library records the correspondence between the device information of each terminal and its data access rule;
a judging module, used to determine the corresponding target data access rule from the target device information when the matching succeeds and to judge whether the target message data conforms to the target data access rule, and, when the target message data does not conform to the target data access rule, to generate first mirrored data from the target message data and send the first mirrored data to an edge security device, where the edge security device performs network security analysis of the network access behaviour of the corresponding terminal on the basis of the mirrored data it receives.
In a third aspect, the present application also provides a communication device comprising a memory storing a computer program and a processor which, when executing the computer program, performs the following steps:
receiving target message data sent by a terminal, and scanning a target field of the target message data to obtain target device information corresponding to the terminal;
matching the target device information against a preset feature library, where the preset feature library records the correspondence between the device information of each terminal and its data access rule;
when the matching succeeds, determining the corresponding target data access rule from the target device information, and judging whether the target message data conforms to the target data access rule; when the target message data does not conform to the target data access rule, generating first mirrored data from the target message data and sending the first mirrored data to an edge security device, where the edge security device performs network security analysis of the network access behaviour of the corresponding terminal on the basis of the mirrored data it receives.
In a fourth aspect, the present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the following steps:
receiving target message data sent by a terminal, and scanning a target field of the target message data to obtain target device information corresponding to the terminal;
matching the target device information against a preset feature library, where the preset feature library records the correspondence between the device information of each terminal and its data access rule;
when the matching succeeds, determining the corresponding target data access rule from the target device information, and judging whether the target message data conforms to the target data access rule; when the target message data does not conform to the target data access rule, generating first mirrored data from the target message data and sending the first mirrored data to an edge security device, where the edge security device performs network security analysis of the network access behaviour of the corresponding terminal on the basis of the mirrored data it receives.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, realizes the following steps:
receiving target message data sent by a terminal, and scanning a target field of the target message data to obtain target device information corresponding to the terminal;
matching the target device information against a preset feature library, where the preset feature library records the correspondence between the device information of each terminal and its data access rule;
when the matching succeeds, determining the corresponding target data access rule from the target device information, and judging whether the target message data conforms to the target data access rule; when the target message data does not conform to the target data access rule, generating first mirrored data from the target message data and sending the first mirrored data to an edge security device, where the edge security device performs network security analysis of the network access behaviour of the corresponding terminal on the basis of the mirrored data it receives.
According to the network security analysis method, device, communication device and storage medium described above, the target message data sent by the terminal is scanned to obtain the target device information corresponding to the terminal; the target device information is then matched in the preset feature library to determine the target data access rule corresponding to the terminal; and whether the network access behaviour corresponding to the target message data conforms to the target data access rule is judged against that rule. If it conforms, no mirrored data needs to be generated; if it does not, mirrored data corresponding to the target message data is generated and sent to the edge security device, so that the edge security device can perform network security analysis on the basis of the mirrored data corresponding to the target message data.
Drawings
FIG. 1 is a diagram of an application environment for a network security analysis method in one embodiment;
FIG. 2 is a flow chart of a network security analysis method in one embodiment;
FIG. 3 is a schematic flow chart of determining the device information corresponding to a terminal in one embodiment;
FIG. 4 is a flow chart of determining whether target message data conforms to a target data access rule in one embodiment;
FIG. 5 is a flow diagram of updating a target data access rule in one embodiment;
FIG. 6 is a flow diagram of generating a corresponding data access rule in one embodiment;
FIG. 7 is a schematic diagram of a framework for setting a mirroring policy based on terminal type in one embodiment;
FIG. 8 is a schematic diagram of the data flow for setting a mirroring policy based on terminal type in one embodiment;
FIG. 9 is a schematic diagram of the switch operations corresponding to the processing of mirroring operations in one embodiment;
FIG. 10 is a flow diagram of setting a mirroring policy based on terminal type in one embodiment;
FIG. 11 is a block diagram of a network security analysis device in one embodiment;
FIG. 12 is an internal structural diagram of a communication device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The network security analysis method provided by the application can be applied to the application environment shown in FIG. 1. As shown in FIG. 1, the application environment includes a terminal 102, a communication device 104 and an edge security device 106. The terminal 102 communicates with the communication device 104 via a network, and the communication device 104 communicates with the edge security device 106 via the network. The terminal 102 may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer, smart camera, portable wearable device or the like. The communication device 104 and the edge security device 106 may each be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, big data and artificial intelligence platforms.
In one embodiment, as shown in FIG. 2, a network security analysis method is provided. It is described using the example of the method being applied to the communication device 104 in FIG. 1, and includes the following steps:
Step S202: receive target message data sent by a terminal, and scan a target field of the target message data to obtain target device information corresponding to the terminal.
The target message data is a data message exchanged over the network between the terminal and the target access device, and the target device information represents information such as the terminal type and the manufacturer of the corresponding terminal.
Specifically, the communication device receives the target message data sent by the terminal and performs a field scan on each target field of the target message data to obtain a scan result, which includes the field type of each target field. It then determines the target device information of the terminal corresponding to the target message data from the field types obtained by the scan.
Step S204: match the target device information against a preset feature library.
The preset feature library records the device information of each terminal and the correspondence between that device information and the corresponding data access rule.
Specifically, the communication device matches the target device information determined in the previous step against the device information in the preset feature library. The purpose of the matching is to determine whether the target device information is already recorded in the preset feature library; every piece of device information recorded there has a corresponding data access rule. If the target device information is recorded, the terminal is one the communication device is familiar with: its network access behaviour is known to the communication device, and the security of its network access is highly identifiable. Otherwise the terminal is an unfamiliar device (a strange terminal) whose network access security is unknown, and more of its data needs to be mirrored for analysis.
Step S206: when the matching succeeds, determine the corresponding target data access rule from the target device information, and judge whether the target message data conforms to the target data access rule.
Specifically, after the communication device has matched the target device information against the preset feature library as described above, if the matching succeeds it obtains the target data access rule corresponding to the target device information and uses that rule as the judgment standard; concretely, it judges whether the data type and the destination of the target message data conform to the target data access rule.
Step S208: when the target message data does not conform to the target data access rule, generate first mirrored data from the target message data and send the first mirrored data to the edge security device.
The edge security device performs network security analysis of the network access behaviour of the corresponding terminal on the basis of the mirrored data it receives.
Specifically, when the target message data does not conform to the target data access rule, the terminal is treated as an unfamiliar device (a strange terminal) by the communication device, so the security of its network access is unknown; the target message data therefore needs to be mirrored to generate the first mirrored data, which is sent to the edge security device.
In this embodiment, the target device information corresponding to a terminal is obtained by scanning the target message data sent by the terminal; the target device information is then matched in the preset feature library to determine the target data access rule corresponding to the terminal; and whether the network access behaviour corresponding to the target message data conforms to the target data access rule is judged against that rule. If it conforms, no mirrored data needs to be generated; if it does not, mirrored data corresponding to the target message data is generated and sent to the edge security device, so that the edge security device can perform network security analysis on the basis of the mirrored data corresponding to the target message data.
In one embodiment, as shown in FIG. 3, receiving target message data sent by a terminal and scanning a target field of the target message data to obtain target device information corresponding to the terminal includes:
Step S302: scan the MAC address, TCP port number, UDP port number, message keyword and application protocol type fields of the target message data.
Specifically, the communication device compares the MAC address, TCP port number, UDP port number, message keyword and application protocol type fields of the target message data with preset field types to obtain each field type of the target message data.
Step S304: determine the terminal type information and the manufacturer information of the terminal on the basis of the scanned target MAC address, target TCP port number, target UDP port number, target message keyword and target application protocol type field.
Specifically, the communication device determines the terminal type information of the corresponding terminal from the MAC address. It takes a preset number of characters of the MAC address in the target message data (for example, the first three bytes of the MAC address) and compares them with vendor OUIs, thereby determining the manufacturer to which the terminal belongs. The central processing unit of the communication device can also establish a TCP connection to a TCP service port opened by an application on the terminal and match key fields of the response message to identify the terminal type; it can likewise connect to a UDP service port opened by an application on the terminal and match key fields of the response message to identify the terminal type; or it can identify the terminal type through standard protocols such as WS-Discovery, ONVIF, RTSP and ICMP.
In this embodiment, the MAC address, port information and message keyword in the target message data are scanned, and the terminal type information and manufacturer information of the terminal are then determined from the scan result, so that the type and manufacturer of the terminal that sent the target message data are effectively determined from the data itself, and the accuracy of this determination is improved.
In one embodiment, as shown in FIG. 4, determining the corresponding target data access rule from the target device information when the matching succeeds, and determining whether the target message data conforms to the target data access rule, includes:
Step S402: compare the data type and the destination network address of the target message data with the target data access rule.
Step S404: when the comparison results are consistent, determine that the target message data conforms to the target data access rule.
Step S406: when the comparison results are inconsistent, determine that the target message data does not conform to the target data access rule.
Specifically, the communication device compares the data type and the destination network address of the target message data with the target data access rule, and determines from the comparison result whether the network access behaviour corresponding to the current target message data conforms to the target data access rule.
In this embodiment, the data type and the destination network address of the target message data are compared with the target data access rule, and whether the network access behaviour corresponding to the current target message data conforms to the target data access rule is determined from the comparison result, so that whether that network access behaviour is abnormal can be determined accurately and quickly, improving the accuracy of judging network access behaviour.
In one embodiment, the network security analysis method further includes:
when the matching fails, generating corresponding second mirrored data from the target message data, and sending the second mirrored data to the edge security device.
It should be noted that when the matching between the target device information and the preset feature library fails, the terminal that sent the target message data is a strange device that the communication device has not encountered before, so the security of its network access behaviour cannot be estimated from existing historical network access data. The communication device therefore needs to generate corresponding second mirrored data from the target message data and send it to the edge security device.
In this embodiment, when the matching fails, corresponding second mirrored data is generated from the target message data and sent to the edge security device, so that the reliability of the network security analysis is effectively ensured.
In one embodiment, as shown in FIG. 5, the network security analysis method further includes:
Step S502: receive, from the edge security device, the violation record for the message data sent by the terminal within a preset time period.
The violation record represents the number of accesses by message data sent by the terminal that did not conform to the target data access rule.
Specifically, the communication device receives the violation record for the corresponding terminal's message data from the edge security device and analyses it.
Step S504: update the target data access rule on the basis of the violation record.
Specifically, the communication device analyses the violation record and updates the target data access rule according to the result of the analysis. For example, when device A generates N violation records within the preset time period and N is greater than a preset threshold, this indicates that the data access rule corresponding to device A does not match its normal network access behaviour, and the data access rule for device A should be updated.
In this embodiment, by receiving from the edge security device the violation record for the message data sent by the terminal within the preset time period, and updating the target data access rule on the basis of that record, the corresponding data access rule can be updated promptly and accurately according to the terminal's actual network access behaviour, improving the reliability of the data access rule.
In one embodiment, as shown in FIG. 6, updating the target data access rule on the basis of the violation record includes:
Step S602: when the violation record shows that the number of non-conforming accesses by message data sent by the terminal exceeds a preset threshold, determine the network address corresponding to the message data whose non-conforming access count exceeds the preset threshold as a legal access address.
The preset threshold can be set by a technician according to actual needs; a legal access address is the network address of an access object that complies with the data access rule.
Step S604: generate a corresponding data access rule on the basis of the legal access address.
Specifically, the communication device treats the network communication between the corresponding terminal and the legal access address as legal access behaviour, and generates the corresponding data access rule using the legal access address as the network address of the new target access object.
In this embodiment, when the violation record shows that the number of non-conforming accesses by message data sent by the terminal exceeds a preset threshold, the network address corresponding to that message data is determined as a legal access address, and a corresponding data access rule is generated on the basis of the legal access address, so that the corresponding data access rule is updated promptly and accurately according to the terminal's actual network access behaviour and the reliability of the data access rule is improved.
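As an added illustration, not the applicant's code, the following Python models steps S202 to S208 (scan fields, match the feature library, compare with the access rule, choose what to mirror) together with the rule-update loop of S502 to S604 (violation records from the edge security device promote a destination to a legal access address). The OUI table, the port and protocol heuristics, the feature library and the sample packets are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed OUI table: first three octets of a MAC -> manufacturer (assumption).
OUI_VENDORS = {"00:11:22": "CamCorp", "aa:bb:cc": "SensorWorks"}


@dataclass(frozen=True)
class DeviceInfo:
    """Target device information (S304): terminal type plus manufacturer."""
    terminal_type: str
    vendor: str


@dataclass
class AccessRule:
    """Data access rule (S402): permitted data types and destination addresses."""
    data_types: Set[str]
    allowed_dst: Set[str]


@dataclass
class Packet:
    """The fields of the target message data that S302 scans (constructed)."""
    src_mac: str
    dst_ip: str
    data_type: str
    app_proto: str = ""
    keyword: str = ""
    tcp_port: Optional[int] = None
    udp_port: Optional[int] = None


def classify(pkt: Packet) -> DeviceInfo:
    """S302/S304: derive terminal type and manufacturer from the scanned fields.
    The vendor comes from the OUI prefix of the MAC; the type from the protocol,
    port and keyword fields. These type heuristics are assumptions for the demo."""
    vendor = OUI_VENDORS.get(pkt.src_mac[:8].lower(), "unknown")
    if pkt.app_proto in ("rtsp", "onvif") or pkt.tcp_port == 554 or "RTSP/" in pkt.keyword:
        terminal_type = "camera"
    elif pkt.app_proto == "coap" or pkt.udp_port == 5683:
        terminal_type = "sensor"
    else:
        terminal_type = "unknown"
    return DeviceInfo(terminal_type, vendor)


def decide(pkt: Packet, library: Dict[DeviceInfo, AccessRule]) -> Tuple[DeviceInfo, str]:
    """S204-S208: match the feature library and choose the mirroring action.
    'none'   known device, traffic conforms to its rule, nothing is mirrored
    'first'  known device, traffic violates its rule  -> first mirrored data
    'second' device not in the feature library        -> second mirrored data"""
    info = classify(pkt)
    rule = library.get(info)
    if rule is None:
        return info, "second"
    if pkt.data_type in rule.data_types and pkt.dst_ip in rule.allowed_dst:
        return info, "none"
    return info, "first"


def update_rules(library: Dict[DeviceInfo, AccessRule],
                 violations: List[Tuple[DeviceInfo, str]],
                 threshold: int) -> List[Tuple[DeviceInfo, str]]:
    """S502-S604: `violations` are (device, destination) pairs reported by the
    edge security device for one period. A destination that a known device
    reached more than `threshold` times is promoted to a legal access address,
    i.e. added to that device's rule. Gate this on the edge device's verdict
    that the traffic was benign; otherwise a persistent connection to a hostile
    destination would be learned as legitimate."""
    promoted = []
    for (info, dst), n in Counter(violations).items():
        if n > threshold and info in library:
            library[info].allowed_dst.add(dst)
            promoted.append((info, dst))
    return promoted


def build_library() -> Dict[DeviceInfo, AccessRule]:
    """Constructed feature library with one known camera model."""
    return {DeviceInfo("camera", "CamCorp"): AccessRule({"video"}, {"10.0.0.5"})}


def run_demo() -> List[str]:
    """Constructed traffic: a compliant camera, the same camera reaching an
    unlisted server, and an unknown device. Returns the actions in order."""
    library = build_library()
    cam_ok = Packet("00:11:22:33:44:55", "10.0.0.5", "video", app_proto="rtsp", tcp_port=554)
    cam_new = Packet("00:11:22:33:44:55", "10.0.0.9", "video", app_proto="rtsp", tcp_port=554)
    stranger = Packet("de:ad:be:ef:00:01", "10.0.0.5", "video")
    actions = [decide(p, library)[1] for p in (cam_ok, cam_new, stranger)]
    # The edge device reports the camera reaching 10.0.0.9 four times; threshold 3.
    cam = decide(cam_new, library)[0]
    update_rules(library, [(cam, "10.0.0.9")] * 4, threshold=3)
    actions.append(decide(cam_new, library)[1])
    return actions


if __name__ == "__main__":
    print(run_demo())  # ['none', 'first', 'second', 'none']
```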
The application also provides an application scenario for the network security analysis method, in which a switch sets its mirroring policy according to the terminal type. Specifically, the network security analysis method is applied in this scenario as follows:
Currently, edge security solutions based on the Internet of Things have gradually been deployed in many critical industries, such as finance and schools. For a manufacturer of edge security solutions, analysing security risk requires collecting, from multiple aspects, the data generated while each terminal in the Internet of Things is running, and one of the best sources of such data is mirrored data from the switch. If all data passing through the switch is mirrored to the edge security device, as shown in fig. 7, this on the one hand places higher demands on the performance of the edge security device and increases its cost; on the other hand, there is often only one mirror port, and for an Internet of Things network with a large data volume the bandwidth of the mirror port is easily exhausted, leading to incomplete mirror data and an incomplete analysis of potential safety hazards.
Because of the particular nature of the Internet of Things, the main network behaviour of each IoT terminal device is basically predictable: the terminal device communicates only with its corresponding server, and the TCP|UDP application port used for that communication is usually fixed. For the edge security device to discover hidden dangers in the network, therefore, only data outside these normal applications needs to be analysed. Taking a camera as an example, the data it generates is mainly video information reported to a server; this reported data has no destructive effect on the Internet of Things, so the edge security device does not need to analyse it for potential safety hazards.
In this embodiment, the switch forwards normally the data that clearly corresponds to legitimate behaviour for the given terminal type, and mirrors only the data whose potential safety hazard is uncertain to the edge security device, which relieves the performance pressure on the edge security device and the problem of insufficient mirror port bandwidth, as shown in fig. 8.
As shown in fig. 9, a preset feature library is set up on the CPU of the switch; the feature library is used to identify the terminal type and holds, for each terminal type, the ACL (Access Control List) rule A corresponding to that type's legal data behaviour in the network. When the CPU obtains the terminal type through ARP, TCP|UDP scanning and other means, ACL rule A is issued to the switch chip.
For ingress messages from the terminal, the switch chip applies the ACL mirroring policy: messages that meet ACL rule A are forwarded directly, and messages that do not meet ACL rule A are forwarded while a copy is sent to the mirror port. Specifically, ARP scanning and ARP interception are started; when a new terminal is found to appear, TCP|UDP and protocol scanning is started for that terminal; the scan result is compared with the local feature library to identify the terminal type and the manufacturer to which the terminal belongs. This process is shown in figure 10.
In addition, during network operation the initially preset ACL rule A may not satisfy all conditions in the actual network, so the switch also needs to provide tools with which a network administrator can manually edit ACL rule A so that it achieves a better application effect.
Therefore, the switch also needs to collect all data flow behaviour of the terminal, for example to build the following Table 1 for the network administrator:
TABLE 1
The hit count of ACL rule A for camera 10.1.1.10 is 0, which indicates that ACL rule A is in fact ineffective; the network administrator can clearly see that application port 8000 of the camera carries data of a commonly used legal application, so local application port 8000 and destination IP 10.1.1.2 can be set as ACL rule A.
In this embodiment, the terminal type information of the terminal is obtained by scanning the target message data it sends, and is then matched against the preset standard library. The switch presets the corresponding ACL rule A for each terminal type; after recognising the terminal type, it issues the corresponding ACL rule A to the switch chip according to that type, and configures the chip to forward normally the messages that meet ACL rule A and to mirror the messages that do not. The mirrored data is sent to the edge security device, so that the edge security device can perform network security analysis according to the mirror data corresponding to the target message data.
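The switch-side loop of the embodiments above (terminal identification against the feature library, forwarding of messages that meet ACL rule A, mirroring of the rest as first or second mirror data, and the violation-record update of steps S602 and S604) as an added Python simulation. This is example code written for this page, not the patent's or the applicant's implementation. The feature-library key layout, the representation of ACL rule A as a set of (application, destination IP, destination port) triples, the class and function names, and the sample addresses (camera 10.1.1.10 talking to 10.1.1.2 on port 8000, as in the Table 1 discussion) are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed example, not code from the patent: models the switch-side loop
# of the embodiments. Field names, the feature-library key layout and the
# sample addresses are assumptions chosen to replay the Table 1 discussion.

Flow = Tuple[str, str, int]  # (app protocol, destination IP, destination port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str
    proto: str      # "TCP" or "UDP"
    dst_port: int
    keyword: str    # message keyword scanned from the payload
    app: str        # application protocol type scanned from the payload


@dataclass
class AccessRule:
    """ACL rule A for one terminal type: the set of legal access objects."""
    allowed: Set[Flow]
    hits: int = 0   # how often the rule matched (the hit column of Table 1)


# Feature library: (MAC OUI, message keyword, app protocol) -> terminal type.
# Assumed layout; a real library would also carry the scanned TCP/UDP port set.
FEATURE_LIBRARY: Dict[Tuple[str, str, str], str] = {
    ("00:11:22", "RTSP/1.0", "RTSP"): "camera/vendor-a",
}


class Switch:
    def __init__(self, rules: Dict[str, AccessRule]) -> None:
        self.rules = rules
        self.terminal_type: Dict[str, str] = {}       # src_ip -> identified type
        self.mirrored: List[Tuple[str, Packet]] = []  # (mirror kind, packet)

    def identify_terminal(self, pkt: Packet) -> Optional[str]:
        """Scan the target fields and look the terminal up in the feature library."""
        oui = pkt.src_mac[:8].lower()
        return FEATURE_LIBRARY.get((oui, pkt.keyword, pkt.app))

    def process(self, pkt: Packet) -> str:
        """Action for one ingress packet: every packet is forwarded; rule misses
        (first mirror data) and unknown terminals (second mirror data) are also
        copied to the mirror port for the edge security device."""
        flow: Flow = (pkt.app, pkt.dst_ip, pkt.dst_port)
        ttype = self.identify_terminal(pkt)
        if ttype is None or ttype not in self.rules:
            self.mirrored.append(("second", pkt))
            return "forward+mirror2"
        self.terminal_type[pkt.src_ip] = ttype
        rule = self.rules[ttype]
        if flow in rule.allowed:
            rule.hits += 1
            return "forward"
        self.mirrored.append(("first", pkt))
        return "forward+mirror1"


def violation_record(mirrored: List[Tuple[str, Packet]]) -> Counter:
    """Edge-device side: per terminal and access object, count the packets of
    one time window that failed the rule (only first mirror data counts)."""
    record: Counter = Counter()
    for kind, pkt in mirrored:
        if kind == "first":
            record[(pkt.src_ip, (pkt.app, pkt.dst_ip, pkt.dst_port))] += 1
    return record


def propose_rule_update(switch: Switch, record: Counter, threshold: int) -> Dict[str, Set[Flow]]:
    """Step S602: access objects whose violation count exceeds the threshold
    become candidate legal access addresses for that terminal's type."""
    proposals: Dict[str, Set[Flow]] = {}
    for (src_ip, flow), count in record.items():
        ttype = switch.terminal_type.get(src_ip)
        if ttype is not None and count > threshold:
            proposals.setdefault(ttype, set()).add(flow)
    return proposals


def apply_rule_update(switch: Switch, proposals: Dict[str, Set[Flow]]) -> None:
    """Step S604: extend ACL rule A of each type with the new legal addresses."""
    for ttype, flows in proposals.items():
        switch.rules[ttype].allowed |= flows


def demo(threshold: int = 3):
    """Replay the Table 1 situation: a camera whose rule never hits because it
    really talks to 10.1.1.2 on port 8000. Returns the observable results."""
    rules = {"camera/vendor-a": AccessRule(allowed={("RTSP", "10.1.1.2", 554)})}
    sw = Switch(rules)
    cam = Packet("10.1.1.10", "00:11:22:33:44:55", "10.1.1.2", "TCP", 8000, "RTSP/1.0", "RTSP")
    unknown = Packet("10.1.1.77", "aa:bb:cc:00:00:01", "10.1.1.2", "UDP", 53, "", "DNS")
    actions = [sw.process(cam) for _ in range(5)] + [sw.process(unknown)]
    hits_before = sw.rules["camera/vendor-a"].hits
    proposals = propose_rule_update(sw, violation_record(sw.mirrored), threshold)
    apply_rule_update(sw, proposals)
    action_after = sw.process(cam)
    return actions, hits_before, proposals, action_after, sw.rules["camera/vendor-a"].hits
```

`demo()` reproduces the Table 1 situation: the camera's rule hit count stays 0 while all of its traffic is mirrored as first mirror data, and once the violation count exceeds the threshold, port 8000 on 10.1.1.2 is added to ACL rule A and the next camera message is forwarded without mirroring. Splitting `propose_rule_update` from `apply_rule_update` is a design choice of this example rather than something the page describes: it leaves room for the administrator review the page mentions, since a terminal that persistently reaches an unexpected destination is exactly the case worth a look before that destination is made legal.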
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described above may comprise a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and their order is not necessarily sequential: they may be performed alternately or in turn with at least some of the other steps or stages.
In one embodiment, as shown in fig. 11, a network security analysis apparatus is provided, where the apparatus may use a software module or a hardware module, or a combination of both, as a part of a communication device, and specifically includes: a receiving module 1102, a matching module 1104, and a judging module 1106, wherein:
the receiving module 1102 is configured to receive target message data sent by a terminal, and scan a target field of the target message data to obtain target device information corresponding to the terminal;
the matching module 1104 is configured to match the target device information with a preset feature library, where the preset standard library includes device information of each terminal and a corresponding relationship of corresponding data access rules;
the judging module 1106 is configured to determine a corresponding target data access rule according to the target device information when the matching is successful, and judge whether the target message data meets the target data access rule; when the target message data does not accord with the target data access rule, generating first mirror image data according to the target message data, and sending the first mirror image data to the edge safety equipment, wherein the edge safety equipment is used for carrying out network security analysis on network access behaviors of the corresponding terminals according to the received mirror image data.
In one embodiment, the receiving module 1102 is further configured to scan the MAC address, TCP port number, UDP port number, message key, and application protocol type field of the target message data; and determining terminal type information corresponding to the terminal and the information of the manufacturer based on the scanned target MAC address, target TCP port number, target UDP port number, target message keyword and target application protocol type field.
In one embodiment, the judging module 1106 is further configured to compare the data type, the destination network address and the target data access rule of the target message data; when the comparison results are consistent, determining that the target message data accords with the target data access rule; and when the comparison results are inconsistent, determining that the target message data does not accord with the target data access rule.
In one embodiment, the judging module 1106 is further configured to receive a violation record of the message data sent by the terminal in a preset period of time sent by the edge security device, where the violation record is used to characterize the number of accesses of the message data sent by the terminal, where the number of accesses does not meet the target data access rule; the target data access rule is updated based on the violation record.
In one embodiment, the judging module 1106 is further configured to generate corresponding second mirror data according to the target message data when the matching fails, and send the second mirror data to the edge security device.
In one embodiment, the judging module 1106 is further configured to determine, when the violation record shows that the number of illegal accesses of the message data sent by the terminal exceeds the preset threshold, the network address corresponding to that message data as the legal access address, and to generate a corresponding data access rule based on the legal access address.
According to the network security analysis apparatus, the target message data sent by the terminal is scanned to obtain the target device information corresponding to the terminal, and the target device information is then matched against the preset standard library to determine the target data access rule corresponding to the terminal. Based on that rule, the apparatus judges whether the network access behaviour corresponding to the target message data complies with the target data access rule: if so, no mirror data needs to be generated; if not, mirror data corresponding to the target message data is generated and sent to the edge security device, so that the edge security device can perform network security analysis according to the mirror data corresponding to the target message data.
For specific details of the network security analysis apparatus, reference may be made to the description of the network security analysis method above, which is not repeated here. The modules of the network security analysis apparatus may be implemented in whole or in part by software, by hardware, or by a combination of the two. The modules may be embedded in hardware or be independent of the processor in the communication device, or may be stored as software in the memory of the communication device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a communication device is provided, which may be a switch, the internal structure of which may be as shown in fig. 12. The communication device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the communication device is configured to provide computing and control capabilities. The memory of the communication device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer program in the non-volatile storage medium. The communication interface of the communication device is used for wired or wireless communication with an external terminal; the wireless mode can be realised through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by the processor, implements a network security analysis method. The display screen of the communication device can be a liquid crystal display or an electronic ink display, and the input device of the communication device can be a touch layer covering the display screen, a key, a track ball or a touch pad arranged on the housing of the communication device, or an external keyboard, touch pad or mouse.
It will be appreciated by those skilled in the art that the structure shown in fig. 12 is merely a block diagram of a portion of the structure associated with the present inventive arrangements and is not limiting of the communication device to which the present inventive arrangements are applied, and that a particular communication device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In an embodiment, there is also provided a communication device including a memory and a processor, the memory storing a computer program, the processor implementing the steps of the method embodiments described above when executing the computer program.
In one embodiment, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
In one embodiment, a computer program product or computer program is provided that includes computer instructions stored in a computer readable storage medium. The processor of the communication device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions, so that the communication device performs the steps in the above-described method embodiments.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (10)

1. A method of network security analysis, the method comprising:
receiving target message data sent by a terminal, and scanning a target field of the target message data to obtain target equipment information corresponding to the terminal;
matching the target equipment information with a preset feature library, wherein the preset standard library comprises the corresponding relation between the equipment information of each terminal and the corresponding data access rule;
when the matching is successful, determining a corresponding target data access rule according to the target equipment information, and judging whether the target message data accords with the target data access rule or not;
when the target message data does not accord with the target data access rule, generating first mirror image data according to the target message data, and sending the first mirror image data to edge safety equipment, wherein the edge safety equipment is used for carrying out network security analysis on network access behaviors of corresponding terminals according to the received mirror image data.
2. The method according to claim 1, wherein the receiving the target message data sent by the terminal and scanning a target field of the target message data to obtain target device information corresponding to the terminal includes:
scanning the MAC address, TCP port number, UDP port number, message key word and application protocol type field of the target message data;
and determining terminal type information corresponding to the terminal and the information of the manufacturer of the terminal based on the scanned target MAC address, target TCP port number, target UDP port number, target message keyword and target application protocol type field.
3. The method according to claim 1, wherein when the matching is successful, determining a corresponding target data access rule according to the target device information, and determining whether the target message data meets the target data access rule, includes:
comparing the data type, the destination network address and the target data access rule of the target message data;
when the comparison results are consistent, determining that the target message data accords with the target data access rule;
and when the comparison results are inconsistent, determining that the target message data does not accord with the target data access rule.
4. The method according to claim 1, wherein the method further comprises:
and when the matching is failed, generating corresponding second mirror image data according to the target message data, and sending the second mirror image data to the edge safety equipment.
5. The method according to claim 1, wherein the method further comprises:
receiving a violation record of message data sent by the terminal in a preset time period sent by the edge safety equipment, wherein the violation record is used for representing the access times of the message data sent by the terminal, which does not accord with the target data access rule;
updating the target data access rule based on the violation record.
6. The method of claim 5, wherein updating the target data access rule based on the violation record comprises:
when the illegal access times of the message data sent by the terminal are displayed in the illegal record and exceed a preset threshold, determining the network address corresponding to the message data with the illegal access times exceeding the preset threshold as a legal access address;
and generating a corresponding data access rule based on the legal access address.
7. A network security analysis apparatus, the apparatus comprising:
the receiving module is used for receiving target message data sent by a terminal, and scanning a target field of the target message data to obtain target equipment information corresponding to the terminal;
the matching module is used for matching the target equipment information with a preset feature library, and the preset standard library comprises the equipment information of each terminal and the corresponding relation of the corresponding data access rule;
the judging module is used for determining a corresponding target data access rule according to the target equipment information when the matching is successful, and judging whether the target message data accords with the target data access rule or not; when the target message data does not accord with the target data access rule, generating first mirror image data according to the target message data, and sending the first mirror image data to edge safety equipment, wherein the edge safety equipment is used for carrying out network security analysis on network access behaviors of corresponding terminals according to the received mirror image data.
8. A communication device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
CN202311250645.6A 2023-09-26 2023-09-26 Network security analysis method, device, communication equipment and storage medium Pending CN117118740A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311250645.6A CN117118740A (en) 2023-09-26 2023-09-26 Network security analysis method, device, communication equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117118740A true CN117118740A (en) 2023-11-24

Family

ID=88802324



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination