CN117201062A - Network security perception system, method, equipment and storage medium - Google Patents
Publication number: CN117201062A (application CN202310862016.2A)
Authority: CN (China)
Legal status: Pending
Landscapes
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to the field of computer technology and discloses a network security perception system, method, device and storage medium. The method comprises: obtaining, by a data storage module, the log index matching the collected log data according to the log cluster that data belongs to, and storing the log data in that log index; generating, by a security orchestration automation and response module, a pre-arranged automatic response flow according to the user's orchestration of that flow; and performing, by a data analysis module, security event analysis on the log data according to the automatic response flow to obtain a security perception result, which a visual display module presents to the user. In this scheme the log data is stored by index, an automatic response flow is generated, and automatic security event analysis of the log data is carried out according to that flow, so the risk of data leakage is reduced and the efficiency of network security perception is improved.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a network security sensing system, a network security sensing method, a network security sensing device, and a storage medium.
Background
In the context of network security big data, how to achieve unified storage and management of complex security data, real-time alerting on security events, and fast localisation of security events has become an important research direction in the field of network security.
At present, existing network security sensing methods generally rely on an existing log analysis platform, such as a cloud intelligent operation and maintenance platform or the Splunk log analysis platform, to analyse the log data generated by different security devices and derive network security perception from the analysis results. However, such platforms require the log data to be uploaded to the cloud, so data security is difficult to guarantee, and they cannot process the log data automatically, so the response speed and efficiency of network security perception are low.
Disclosure of Invention
The invention provides a network security sensing system, a network security sensing method, network security sensing equipment and a storage medium, which can reduce the risk of data leakage, improve the security of data and improve the response efficiency of network security sensing.
According to one aspect of the invention, there is provided a network security perception system comprising a data storage module, a data analysis module, a security orchestration automation and response module and a visual display module;
the data storage module is connected with the data analysis module and is used for obtaining the log index matching the collected log data according to the log cluster that data belongs to, storing the log data in that log index, and, when a data reading instruction is received from the data analysis module, sending the log data corresponding to the instruction to the data analysis module;
the data analysis module is connected with the visual display module and with the security orchestration automation and response module, and is used for sending a data reading instruction to the data storage module, receiving the pre-arranged automatic response flow sent by the security orchestration automation and response module, performing security event analysis on the log data according to the automatic response flow to obtain a security perception result, and sending the security perception result to the visual display module;
the security orchestration automation and response module is used for generating the pre-arranged automatic response flow according to the user's orchestration of that flow and sending it to the data analysis module;
the visual display module is used for presenting the security perception result to the user.
Optionally, the network security sensing system further comprises a log acquisition module and a data cache module;
the log acquisition module is connected with the data caching module and is used for acquiring log data of the network security equipment and sending the log data to the data caching module;
the data caching module is connected with the data storage module and is used for temporarily storing the log data by adopting a data queue and sending the temporarily stored log data to the data storage module based on a preset data output rule.
Optionally, the log data includes at least one of a firewall log, a domain name server log, a load balancing log, an anti-distributed-denial-of-service device log, a virtual private network device log, a web application firewall log, a mail gateway log, a network intrusion detection device log, a host intrusion detection device log, an antivirus device log, a bastion host log, a threat intelligence device log, and an asset information log.
Optionally, the data storage module is specifically configured to:
clustering the log data to obtain the log cluster each log record belongs to;
according to the log cluster of the log data and a preset correspondence between log clusters and log indexes, obtaining the log index for the log data and storing the log data in that log index;
the log indexes include at least one of a web log index, a web intrusion detection log index, a host guard log index, an application guard log index and an aggregate log index.
Optionally, the data analysis module comprises a security data cleaning unit, a security event alarm unit, a user behavior analysis unit and a data analysis linkage unit;
the security data cleaning unit is connected with the security event alarm unit and the user behavior analysis unit, and is used for cleaning the log data into formatted logs in a unified data format and sending the formatted logs to the security event alarm unit and the user behavior analysis unit;
the security event alarm unit is connected with the data analysis linkage unit and is used for performing security information analysis on the formatted logs to obtain potential security threats, security vulnerability analysis to obtain network security vulnerabilities, and security attack analysis to obtain network attack information, and for sending the potential security threats, network security vulnerabilities and network attack information to the data analysis linkage unit;
the user behavior analysis unit is connected with the data analysis linkage unit and is used for performing security behavior analysis on the formatted logs to obtain potential risk behaviors and sending them to the data analysis linkage unit;
the data analysis linkage unit is used for generating push information from the potential security threats, network security vulnerabilities, network attack information and potential risk behaviors, and sending the push information to an automated service gateway so that the gateway blocks the risky internet protocol addresses identified in it.
Optionally, the visual display module is further configured to obtain a network security situation corresponding to the log data according to the security perception result, and perform visual display on the network security situation.
Optionally, the network security posture includes at least one of a secure communication network posture, a secure computing environment posture, and a secure regional boundary posture;
the security communication network situation comprises at least one of a network security access control situation, a network full-flow intrusion situation, a virtual private network access situation and a network access flow pressure situation;
The secure computing environment situation comprises at least one of a user access situation, a host intrusion situation and an antivirus situation;
the security zone boundary situation includes at least one of a web application firewall situation, an anti-distributed denial of service situation, and a threat intelligence situation.
According to another aspect of the present invention, there is provided a network security sensing method applied to the network security sensing system of any embodiment of the present invention, comprising:
obtaining, by the data storage module, the log index matching the collected log data according to the log cluster that data belongs to, and storing the log data in that log index;
generating, by the security orchestration automation and response module, a pre-arranged automatic response flow according to the user's orchestration of that flow;
and performing, by the data analysis module, security event analysis on the log data according to the automatic response flow to obtain a security perception result, which the visual display module presents to the user.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, so that the at least one processor can perform the network security awareness method of any embodiment of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the network security aware method according to any embodiment of the present invention when executed.
In this technical scheme, the data storage module first obtains the log index matching the collected log data according to the log cluster that data belongs to and stores the log data in that index; the security orchestration automation and response module then generates a pre-arranged automatic response flow according to the user's orchestration of that flow; finally, the data analysis module performs security event analysis on the log data according to the automatic response flow to obtain a security perception result, which the visual display module presents to the user. By storing the log data by index, generating an automatic response flow and carrying out automatic security event analysis according to that flow, the risk of data leakage is reduced, data security is improved, and the response efficiency of network security perception is improved.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1A is a schematic structural diagram of a network security aware system according to a first embodiment of the present invention;
FIG. 1B is a schematic diagram of an automated response flow according to the first embodiment of the present invention;
FIG. 1C is a schematic diagram of another network security aware system according to the first embodiment of the present invention;
FIG. 1D is a schematic diagram of the correspondence between log types and log clusters according to the first embodiment of the present invention;
FIG. 1E is a schematic diagram of a data analysis module according to the first embodiment of the present invention;
FIG. 1F is a schematic diagram of a data cleansing method according to the first embodiment of the present invention;
FIG. 1G is a schematic diagram of the data processing flow of a data analysis linkage unit according to the first embodiment of the present invention;
FIG. 1H is a schematic diagram of a secure communication network situation according to the first embodiment of the present invention;
FIG. 1I is a schematic diagram of a secure computing environment situation according to the first embodiment of the present invention;
FIG. 1J is a schematic diagram of a security zone boundary situation according to the first embodiment of the present invention;
FIG. 1K is a schematic diagram of another network security aware system according to the first embodiment of the present invention;
FIG. 2 is a flowchart of a network security aware method according to a second embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an electronic device implementing a network security aware method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," "target," and the like in the description and claims of the present invention and in the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
FIG. 1A is a schematic structural diagram of a network security sensing system according to a first embodiment of the present invention. The network security sensing system 100 may include a data storage module 110, a data analysis module 120, a security orchestration automation and response module 130, and a visual display module 140.
The data storage module 110 is connected to the data analysis module 120 and is configured to obtain the log index matching the collected log data according to the log cluster that data belongs to, store the log data in that log index, and, when a data reading instruction is received from the data analysis module 120, send the log data corresponding to the instruction to the data analysis module 120.
The log data may come from different network security devices and may be structured or unstructured. In this embodiment, the log data may be acquired from the different network security devices by file acquisition, database acquisition, syslog acquisition, or other methods.
It should be noted that log data acquired from many devices is stored on local disk, so the data volume is huge, and searching it with a plain database would consume a great deal of access performance. In this embodiment, a loader search engine may be used to provide data storage and data query, so that data entry and data search complete in a few seconds. Further, to improve log management and query efficiency, the log data can be divided into a fixed number of log clusters according to the function of each log, and a corresponding log index is established for each log cluster. When a log record is stored, it is therefore written under the log index of the log cluster it belongs to. A log index can be regarded as a data storage directory corresponding to a pre-allocated storage space.
Optionally, when storing the log data, attribute information such as the acquisition time and acquisition path of the log data may be stored with it under the corresponding log index. Correspondingly, queries over the stored data may then use this attribute information.
The data reading instruction may be the command the data analysis module 120 generates to read log data, typically a loader search instruction. For example, the data reading instruction may include a log index identifier and a log data identifier; in this embodiment, the instruction is parsed to obtain the log index identifier and log data identifier of the log data being searched for, and the matching log data is looked up from those two identifiers.
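As an added illustration of the storage scheme described above (and of the cluster-to-index correspondence in the disclosure section), the following Python model, which is not code from the patent, routes each log record to a log cluster by its source device type, maps the cluster to a preset log index, stores the acquisition time and path alongside the record, and parses a data reading instruction carrying a log index identifier and a log data identifier. The source-to-cluster table, index names and instruction syntax are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed correspondence between log source types and log clusters
# (the patent's FIG. 1D shows such a mapping without giving its contents).
SOURCE_TO_CLUSTER = {
    "firewall": "network", "dns": "network", "load_balancer": "network",
    "vpn": "network",
    "nids": "web_intrusion_detection", "waf": "web_intrusion_detection",
    "hids": "host_guard", "antivirus": "host_guard",
    "mail_gateway": "application_guard", "bastion": "application_guard",
}

# Preset correspondence between log clusters and log indexes. The index names
# follow the five kinds the page lists (web log, web intrusion detection,
# host guard, application guard, aggregate); the identifiers are assumed.
CLUSTER_TO_INDEX = {
    "network": "weblog_index",
    "web_intrusion_detection": "web_ids_index",
    "host_guard": "host_guard_index",
    "application_guard": "app_guard_index",
}
AGGREGATE_INDEX = "aggregate_index"   # catch-all for sources with no cluster


@dataclass
class StoredLog:
    log_id: str
    source: str
    message: str
    acquisition_time: str   # stored with the record, as the page describes
    acquisition_path: str   # e.g. "syslog://fw01" (constructed)


@dataclass
class DataStorageModule:
    # log index identifier -> {log data identifier -> record}
    indexes: dict = field(default_factory=lambda: defaultdict(dict))

    def index_for(self, source: str) -> str:
        """Cluster the record by source type, then map cluster -> log index."""
        cluster = SOURCE_TO_CLUSTER.get(source)
        return CLUSTER_TO_INDEX.get(cluster, AGGREGATE_INDEX)

    def store(self, log_id, source, message, acquisition_path, when=None) -> str:
        """Write the record under its log index; return the index used."""
        when = when or datetime.now(timezone.utc)
        index_id = self.index_for(source)
        self.indexes[index_id][log_id] = StoredLog(
            log_id, source, message, when.isoformat(), acquisition_path)
        return index_id

    @staticmethod
    def parse_instruction(instruction: str) -> tuple:
        """Parse an assumed 'index=<log index id> id=<log data id>' instruction.

        A malformed instruction (missing field, no '=') raises ValueError so a
        bad request from the analysis module is rejected rather than silently
        returning nothing.
        """
        fields = {}
        for part in instruction.split():
            if "=" not in part:
                raise ValueError(f"malformed field: {part!r}")
            key, value = part.split("=", 1)
            fields[key] = value
        try:
            return fields["index"], fields["id"]
        except KeyError as exc:
            raise ValueError(f"missing field {exc}") from None

    def read(self, instruction: str):
        """Serve a data reading instruction; None if no such record exists."""
        index_id, log_id = self.parse_instruction(instruction)
        return self.indexes.get(index_id, {}).get(log_id)

    def query_by_path(self, index_id: str, acquisition_path: str) -> list:
        """Query stored data by the acquisition-path attribute."""
        return [r for r in self.indexes.get(index_id, {}).values()
                if r.acquisition_path == acquisition_path]


if __name__ == "__main__":
    m = DataStorageModule()
    # Constructed sample records from three device types.
    m.store("fw-1", "firewall", "deny tcp 10.0.0.5 -> 10.0.0.9:445", "syslog://fw01")
    m.store("ids-1", "nids", "port scan from 10.0.0.5", "file:///var/log/ids.log")
    m.store("asset-1", "asset_inventory", "host h42 registered", "db://cmdb")
    print(m.read("index=weblog_index id=fw-1"))
```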
The data analysis module 120 is connected with the visual display module 140 and with the security orchestration automation and response module 130, and is configured to send a data reading instruction to the data storage module 110, receive the pre-arranged automatic response flow sent by the security orchestration automation and response module 130, perform security event analysis on the log data according to the automatic response flow to obtain a security perception result, and send the security perception result to the visual display module 140.
In this embodiment, the data analysis module 120 may periodically generate the data reading instruction according to a preset instruction generation rule and send it to the data storage module 110; for example, an instruction that searches the log data of a past period may be generated from a preset time period and a preset instruction template. Alternatively, the data analysis module 120 may generate the current data reading instruction from search information entered by the user and the preset instruction template.
The automatic response flow may be a workflow that the user arranges in advance through the security orchestration automation and response module 130 to perform security event analysis and handling automatically. In this embodiment, the data analysis module 120 may automatically perform security event analysis on the log data according to the automatic response flow when a preset trigger condition is met (for example, a set period elapses); when security events such as potential threats, network attacks or security vulnerabilities are detected, the data analysis module 120 may also handle them automatically; finally, the detected security events and their handling results may together form the security perception result sent to the visual display module 140.
Optionally, the data analysis module 120 may further generate a current visual report according to the security sensing result and a preset report template, and may send the visual report to the visual display module 140 for user display.
The security orchestration automation and response module 130 is configured to generate a pre-arranged automatic response flow according to the user's orchestration of that flow and send it to the data analysis module 120.
The security orchestration automation and response (Security Orchestration, Automation and Response, SOAR) module 130 provides automated security event response, automated workflows, third-party system integration, report generation and analysis, notification and reminders, function orchestration and the like; its functions can be customised to actual requirements, so that security events are better managed and the efficiency of security event response improves. For example, when the data center faces a security event threat, automated threat handling may be performed on the event.
In one specific example, the automated response flow may be as shown in FIG. 1B. Specifically, a flow drawing page may be provided to a user through the SOAR module, where the flow drawing page may include a node library and a canvas area, and the node library may include graphics of different shapes. The user can select different graphs in the node library according to the needs and drag the different graphs to the canvas area; then, the graphics in the canvas area can be configured with connection and attribute information to complete the drawing of the automated response flow.
In this embodiment, the capabilities of the security orchestration automation and response module 130 may include, but are not limited to, automated response, security orchestration, automated tracing, security decision support, and automated handling. Automated response lets the system respond to security events automatically and process large volumes of security events and threat information, which improves the efficiency of security operations; security orchestration improves the coordination and efficiency of security event response so that security events and threat information are answered more quickly.
Automated tracing performs trace analysis automatically when a security event is triggered, for example by analysing the event's metadata, network flow data and related log information, tracking the event's path, and determining the attacker's actions and attack path from the source of the attack to the target system; security decision support gives better insight into security events and threat information and provides corresponding security recommendations and decision support; automated handling automates the handling flow, so that security events and threat information are processed through automated flows such as automatically blocking malicious IP addresses, automatically intercepting malicious mail and isolating risky devices, which improves response speed and efficiency.
The visual display module 140 is used for presenting the security perception result to the user. In this embodiment, the visual display module 140 may use charts, images and the like to visually display the log data and the corresponding security perception result.
Optionally, as shown in fig. 1C, the network security aware system 100 may further include a log acquisition module 150 and a data caching module 160;
the log collection module 150 is connected with the data cache module 160, and is used for collecting log data of the network security device and sending the log data to the data cache module 160;
the data buffer module 160 is connected to the data storage module 110, and is configured to temporarily store the log data by using a data queue, and send the temporarily stored log data to the data storage module 110 based on a preset data output rule. The data buffer module 160 may buffer log data in a queue through kafka, zookeeper or the like. The preset data output rule may be that data is output according to a preset rate, or output is sequentially performed according to a rule of first in first out.
The network security devices may include firewalls, domain name servers, mail gateways, bastion hosts and the like; in this embodiment, log data from different types of network security devices may be collected through file collection, database collection, syslog collection and other means.
The log data may include at least one of a firewall log, a domain name server log, a load balancing log, an anti-DDoS (distributed denial of service) device log, a virtual private network device log, a web application firewall log, a mail gateway log, a network intrusion detection device log, a host intrusion detection device log, an antivirus device log, a bastion host log, a threat intelligence device log and an asset information log. In this embodiment, the log types collected may be adjusted to the requirements of the scenario.
Specifically, the firewall log records traffic entering and leaving the enterprise network; it can be used to judge whether an access is authorized and to monitor outbound reverse shell connections after an attacker has penetrated the system. The load balancing log is the log of the load balancing device (which carries a massive number of access requests) that distributes traffic across multiple servers to improve service performance; it generally records client request events, client internet protocol (IP) addresses, network latency, request paths and server response times. User access behavior can be analyzed from the load balancing log, and in network security perception this can be used to judge whether a user is making malicious accesses, such as a DDoS (Distributed Denial of Service) attack.
The anti-DDoS device log records bandwidth consumed by malicious access. The virtual private network (VPN) device log records the behavior of authorized private network users; through the VPN, users reach the enterprise internal network directly from the external network, traversing the network monitoring devices. The web application firewall log records attacks on web applications such as SQL injection, cross-site scripting, web page tampering, web page malware implantation and file inclusion; the web application firewall filters and monitors the hypertext transfer protocol traffic between the web application and the Internet in order to block malicious access.
The mail gateway log records malicious mail information; the mail gateway is mainly deployed for enterprise mailboxes to keep malicious mail such as spam, virus mail and social-engineering mail out of the enterprise mail system. The network intrusion detection device log records attack behavior such as viruses, worms, Trojan horses, DDoS, scanning, SQL injection, buffer overflows, spoofing and hijacking; the network intrusion detection device is a security device that monitors network traffic and can detect various attack attempts, behaviors or results according to a security policy.
The host intrusion detection system (HIDS) log records malicious behavior at the host layer; the HIDS detects host-layer intrusions, including but not limited to backdoors, Trojan horses, reverse shells, malicious commands, host component vulnerabilities, privilege escalation and user management events. The antivirus device log records the detection of various known and unknown threats such as viruses, worms and Trojans; the antivirus device provides the virus scanning function.
The bastion host log records access control, operation audit and security compliance information; the bastion host is an operation and maintenance control platform for operating and auditing host systems and can be used for account management, authorization and authentication, and user behavior audit. The threat intelligence device (intelligence base) log records the attacker, the organization or individual alias, the country or region and the related events, and can be used to profile the attacker and trace the real attacker; threat intelligence is data describing the network security threats posed by hacker groups or individuals, and is security information that has already been analyzed and assessed. The asset information log records the various assets of enterprises and institutions for unified management and lookup.
Optionally, the data storage module 110 may be specifically configured to: cluster the log data to obtain the log cluster corresponding to the log data; and, according to that log cluster and a preset correspondence between log clusters and log indexes, obtain the log index corresponding to the log data and store the log data in that log index;
the log index may include at least one of a network log index (network index), a network intrusion detection log index (nids index), a host log index (host index), a host protection log index (hostsafe index), an application log index (application index), an application protection log index (application index) and an aggregate log index (aggregation index).
In this embodiment, clustering may be performed on the log data to determine its log cluster. For example, a correspondence between log features and log clusters may be established in advance; when log data is obtained, its log features are extracted, and the log cluster is obtained from the current log features and the pre-established correspondence. Alternatively, a correspondence between log types and log clusters may be established in advance; after the log data is obtained, its log type is determined first, and the log cluster is then obtained from the log type and the pre-established correspondence.
The log clusters may include a network log, a network intrusion detection log, a host protection log, an application protection log and an aggregate log. The log clusters correspond one-to-one with the log indexes. In this embodiment, the correspondence between log types and log clusters may be as shown in fig. 1D: the firewall log, the domain name server log, the load balancing log and the VPN device log may correspond to the network log cluster; the network intrusion detection device log may correspond to the network intrusion detection log cluster; the system login log, the system audit log and the asset information log may correspond to the host log cluster; the host intrusion detection device log, the antivirus device log and the bastion host log may correspond to the host protection log cluster; the application running log may correspond to the application log cluster; and the anti-DDoS device log, the web application firewall log, the mail gateway log and the threat intelligence device log may correspond to the application protection log cluster.
In this embodiment, a storage space may be divided in advance on the local disk for each log index, so that once the log index corresponding to the current log data is obtained, the log data can be stored in the corresponding storage space.
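As an added example (not the patent's own code) of the storage step just described: records are assigned to a log cluster either by their log type, following the fig. 1D correspondence, or, when no type is carried, by their log features, and are then stored under the one-to-one matching log index. The log type labels, the feature sets, the "appsafe index" name for the application protection index and the in-memory stand-in for the per-index disk space are assumptions.

```python
"""Added example (not the patent's own code): cluster incoming log data and
store it in the one-to-one matching log index, following the log type ->
log cluster correspondence the description gives for fig. 1D.

Assumptions: the log type labels, the feature sets used when a record
carries no log type, the "appsafe index" name for the application
protection index, and an in-memory stand-in for the per-index disk space."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Log type -> log cluster, as described for fig. 1D (labels assumed).
LOG_TYPE_TO_CLUSTER: Dict[str, str] = {
    "firewall": "network", "dns": "network",
    "load_balancer": "network", "vpn": "network",
    "nids": "nids",
    "system_login": "host", "system_audit": "host", "asset_info": "host",
    "hids": "hostsafe", "antivirus": "hostsafe", "bastion": "hostsafe",
    "application": "application",
    "anti_ddos": "appsafe", "waf": "appsafe",
    "mail_gateway": "appsafe", "threat_intel": "appsafe",
}

# Second option in the description: log features -> log cluster, used when a
# record carries no log type. Feature sets are constructed; the more specific
# set comes first so a superset is matched before its subset.
FEATURES_TO_CLUSTER: List[Tuple[Set[str], str]] = [
    ({"src_ip", "dst_ip", "action"}, "network"),
    ({"signature", "src_ip"}, "nids"),
    ({"host", "user", "command"}, "hostsafe"),
    ({"host", "user"}, "host"),
    ({"uri", "attack"}, "appsafe"),
]

# Log cluster -> log index, one-to-one.
CLUSTER_TO_INDEX: Dict[str, str] = {
    "network": "network index",
    "nids": "nids index",
    "host": "host index",
    "hostsafe": "hostsafe index",
    "application": "application index",
    "appsafe": "appsafe index",   # assumed name
}
AGGREGATION_INDEX = "aggregation index"


def cluster_for(record: Dict[str, str]) -> str:
    """Return the log cluster for a record: by log type when it carries one,
    otherwise by its log features (field names). "" means no cluster."""
    log_type = record.get("log_type")
    if log_type in LOG_TYPE_TO_CLUSTER:
        return LOG_TYPE_TO_CLUSTER[log_type]
    features = set(record) - {"log_type"}
    for required, cluster in FEATURES_TO_CLUSTER:
        if required <= features:
            return cluster
    return ""


class LogStore:
    """Stand-in for the storage space divided per log index on local disk."""

    def __init__(self) -> None:
        self.spaces: Dict[str, List[Dict[str, str]]] = defaultdict(list)

    def store(self, record: Dict[str, str]) -> str:
        """Store the record under the index matching its cluster and return
        that index; records with no cluster go to the aggregation index
        (an assumption, so that nothing is silently dropped)."""
        index = CLUSTER_TO_INDEX.get(cluster_for(record), AGGREGATION_INDEX)
        self.spaces[index].append(record)
        return index

    def count(self, index: str) -> int:
        return len(self.spaces.get(index, []))


# Constructed sample records.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"log_type": "firewall", "src_ip": "10.0.0.5", "action": "deny"},
    {"log_type": "vpn", "user": "alice", "action": "login"},
    {"log_type": "nids", "signature": "port scan"},
    {"log_type": "hids", "host": "srv01", "event": "reverse shell"},
    {"log_type": "waf", "attack": "sql injection"},
    {"host": "srv02", "user": "bob", "command": "sudo -i"},   # no log type
    {"msg": "unparsed line"},                                  # no cluster
]


def route_all(records: List[Dict[str, str]] = SAMPLE_RECORDS) -> Dict[str, int]:
    """Store every record and report how many landed in each index."""
    store = LogStore()
    for rec in records:
        store.store(rec)
    return {index: len(recs) for index, recs in store.spaces.items()}


if __name__ == "__main__":
    for index, n in route_all().items():
        print(f"{index}: {n} record(s)")
```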
Optionally, as shown in fig. 1E, the data analysis module 120 may include a security data cleansing unit 121, a security event alert unit 122, a user behavior analysis unit 123 and a data analysis linkage unit 124;
the security data cleansing unit 121 is connected to the security event alert unit 122 and to the user behavior analysis unit 123, and is configured to cleanse the log data into a formatted log in a unified data format and send the formatted log to the security event alert unit 122 and the user behavior analysis unit 123.
It should be noted that different network security devices output logs in different patterns, which makes data analysis harder. In this embodiment, a unified data format may be defined in advance, and the security data cleansing unit 121 cleanses the collected log data to convert it into that unified format. The data cleansing methods may be as shown in fig. 1F and may include regular expression parsing, JSON parsing, key-value parsing, XML parsing and the like.
The advantage of this arrangement is that the analysis capability and analysis efficiency for multi-source log data can be improved.
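As an added example (not the patent's own code) of the cleansing step the unit 121 performs: four constructed raw lines, one for each parsing method of fig. 1F (regular expression, JSON, key-value, XML), are converted into one assumed unified record. The sample lines, the field names of the unified format and the pairing of device type with raw format are assumptions.

```python
"""Added example (not the patent's own code): cleanse logs of several
formats into one unified record, as the security data cleansing unit 121
does with regular expression, JSON, key-value and XML parsing.

The unified field names, the device-to-format pairing and the sample
lines are constructed assumptions; the patent specifies no schema."""
import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class FormattedLog:
    """Unified log record produced by the cleansing step (assumed schema)."""
    source: str             # device type that emitted the log
    timestamp: str          # ISO 8601, normalised to UTC
    src_ip: Optional[str]
    dst_ip: Optional[str]
    action: str             # what the device observed or did
    extra: Dict[str, str] = field(default_factory=dict)


def _iso(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _iso_from_text(text: str) -> str:
    # Accepts "2023-07-10T08:00:03Z" or an explicit offset.
    return _iso(datetime.fromisoformat(text.replace("Z", "+00:00")))


# 1. Regular expression parsing: a load balancer access log in CLF style.
_ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_access_line(line: str) -> FormattedLog:
    m = _ACCESS_RE.match(line)
    if m is None:
        raise ValueError("not an access log line")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return FormattedLog("load_balancer", _iso(ts), m["client"], None,
                        f'{m["method"]} {m["path"]}',
                        {"status": m["status"], "size": m["size"]})


# 2. JSON parsing: an antivirus device log.
def parse_json_line(line: str) -> FormattedLog:
    obj = json.loads(line)
    return FormattedLog("antivirus", _iso_from_text(obj["ts"]), obj.get("host_ip"),
                        None, obj["event"], {"file": obj.get("file", "")})


# 3. Key-value parsing: a firewall log.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line: str) -> FormattedLog:
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return FormattedLog("firewall", _iso_from_text(kv["time"]), kv.get("src"),
                        kv.get("dst"), kv["action"], {"proto": kv.get("proto", "")})


# 4. XML parsing: a web application firewall log.
def parse_xml_line(line: str) -> FormattedLog:
    el = ET.fromstring(line)
    return FormattedLog("waf", _iso_from_text(el.attrib["time"]), el.attrib.get("src"),
                        el.attrib.get("dst"), el.attrib["attack"],
                        {"uri": el.attrib.get("uri", "")})


def cleanse(line: str) -> FormattedLog:
    """Choose the parser from the shape of the raw line."""
    s = line.strip()
    if s.startswith("{"):
        return parse_json_line(s)
    if s.startswith("<"):
        return parse_xml_line(s)
    if _ACCESS_RE.match(s):
        return parse_access_line(s)
    if "=" in s:
        return parse_kv_line(s)
    raise ValueError(f"unrecognised log format: {s[:40]}")


# Constructed sample lines, one per format.
SAMPLE_LINES = [
    '203.0.113.9 - - [10/Jul/2023:08:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '{"ts":"2023-07-10T08:00:02Z","host_ip":"10.0.0.7","event":"malware_detected","file":"/tmp/a.bin"}',
    'time=2023-07-10T08:00:03Z src=10.0.0.5 dst=203.0.113.9 proto=tcp action=deny',
    '<event time="2023-07-10T08:00:04Z" src="198.51.100.4" dst="10.0.0.20" attack="sql_injection" uri="/search"/>',
]


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(cleanse(raw))
```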
The security event alert unit 122 is connected to the data analysis linkage unit 124 and is configured to perform security intelligence analysis on the formatted log to obtain potential security threats, security vulnerability analysis to obtain network security vulnerabilities, and security attack analysis to obtain network attack information, and to send the potential security threats, network security vulnerabilities and network attack information to the data analysis linkage unit 124.
In this embodiment, the security event alert unit 122 may be used specifically for security intelligence analysis, security vulnerability analysis and security attack analysis. In security intelligence analysis, potential security threats and risks can be found in time by collecting and analyzing security intelligence, and the necessary measures taken, such as pushing work orders or mails; this helps security managers update security policies and protective measures in time and improves network security.
Secondly, security vulnerability analysis mainly collects, organizes, analyzes and processes vulnerability information about software, systems, network equipment and so on, so that corresponding repair and protection measures can be taken in time. By understanding and analyzing the vulnerabilities comprehensively, assessing the risk and giving corresponding suggestions and precautions such as closing related ports, applying patches and reinforcing network protection, security engineers can repair vulnerabilities and defend the network quickly and effectively, and enterprise information security can be ensured.
In addition, security attack analysis yields network attack information such as the attacker's attack means, purpose, path, tools, attack time and attack IP, so that security engineers can carry out security protection and countermeasures in a timely and effective way and ensure the security of the network, systems and data. For example, security attack analysis may be performed on the structured log data to obtain network attack information.
The user behavior analysis unit 123 is connected to the data analysis linkage unit 124 and is configured to perform security behavior analysis on the formatted log to obtain potentially risky behaviors and send them to the data analysis linkage unit 124. Security behavior analysis mainly examines the software and hardware usage of internal staff, including system login, system management, usage operations, data transfer and other behaviors, and whether they comply with the security management specification. For example, when the IP address from which a user accesses a web page is detected to be an unknown IP address, that web page access may be judged a potentially risky behavior; or, when a user's system operation is detected to exceed that user's system rights, that system operation may be judged a potentially risky behavior.
In this embodiment, analyzing employee security behavior makes the security management situation of employees known, lets hidden security hazards and risks be found in time, raises employees' security awareness and competence, and strengthens security management and precaution. It should be noted that security behavior analysis requires informing the staff in advance and obtaining their authorization.
The data analysis linkage unit 124 is configured to generate push information according to the potential security threats, network security vulnerabilities, network attack information and potentially risky behaviors, and to send the push information to an automated service gateway, so that the automated service gateway intercepts the risk internet protocol address according to the push information.
In a specific example, the data processing flow of the data analysis linkage unit 124 may be as shown in fig. 1G. Specifically, for the security event alert, intelligence, vulnerability and attack information can be integrated, the security alert event details and the user behaviors are analyzed with low-code search statements (SPL), and user behavior compliance is checked within the scope authorized by the user; then the security event alert details and the user behavior compliance details (potential security threats, network security vulnerabilities, network attack information, potentially risky behaviors and the like) are combined to obtain the risk IP address, and push information such as a pushed work order, a pushed mail or a pushed interception is generated for that risk IP address. Finally, the push information is sent to the automated service gateway, which on receipt automatically calls the work order system, the mail system or a security device to alert on or intercept the risk IP address contained in the push information.
In this embodiment, adopting the data analysis linkage unit 124 achieves automatic handling of security events and further improves the efficiency of network security perception.
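As an added example (not the patent's own code) covering both the user behavior analysis unit 123 and the data analysis linkage unit 124 described above: the two potentially risky behaviors the description names (web access from an unknown IP address; a system operation exceeding the user's rights) are detected on constructed formatted logs, the findings are combined with attack information into push information carrying the risk IP address, and a stand-in automated service gateway acts on it. The known address ranges, the rights table, the record fields, the push message layout and the action policy are assumptions.

```python
"""Added example (not the patent's own code): user behaviour analysis
(unit 123) followed by the linkage unit (124) generating push information
per risk IP address for an automated service gateway.

Assumptions: known address ranges, rights table, record fields, push
message layout and the policy choosing work order / mail / interception."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Authorized source ranges for web page access (constructed).
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.1.0/24")]
# System rights held by each user (constructed).
USER_RIGHTS: Dict[str, Set[str]] = {"alice": {"read", "write"}, "bob": {"read"}}


@dataclass
class RiskyBehaviour:
    kind: str     # which check fired
    user: str
    ip: str       # address reported as the risk IP
    detail: str


def check_web_access(rec: Dict[str, str]) -> Optional[RiskyBehaviour]:
    """Web page access from an IP address outside the known ranges."""
    addr = ipaddress.ip_address(rec["ip"])
    if any(addr in net for net in KNOWN_NETWORKS):
        return None
    return RiskyBehaviour("unknown_ip_web_access", rec["user"], rec["ip"], rec["url"])


def check_system_operation(rec: Dict[str, str]) -> Optional[RiskyBehaviour]:
    """A system operation that needs a right the user does not hold."""
    if rec["required_right"] in USER_RIGHTS.get(rec["user"], set()):
        return None
    return RiskyBehaviour("operation_exceeds_rights", rec["user"], rec["ip"],
                          rec["operation"])


def analyse_behaviour(formatted_logs: List[Dict[str, str]]) -> List[RiskyBehaviour]:
    """Security behaviour analysis over formatted logs (unit 123)."""
    checks = {"web_access": check_web_access, "system_operation": check_system_operation}
    findings = []
    for rec in formatted_logs:
        check = checks.get(rec["kind"])
        result = check(rec) if check else None
        if result is not None:
            findings.append(result)
    return findings


def actions_for(reasons: List[str]) -> List[str]:
    """Assumed policy: interception plus mail when an attack or an unknown
    external access is tied to the address; a work order for an internal
    over-privileged operation, so that a person reviews it first."""
    if any(r.startswith(("attack:", "unknown_ip_web_access:")) for r in reasons):
        return ["push_intercept", "push_mail"]
    return ["push_work_order"]


def build_push_info(findings: List[RiskyBehaviour],
                    attack_info: List[Dict[str, str]]) -> List[Dict]:
    """Linkage unit (124): one push message per distinct risk IP address."""
    by_ip: Dict[str, Dict] = {}
    for f in findings:
        msg = by_ip.setdefault(f.ip, {"risk_ip": f.ip, "reasons": []})
        msg["reasons"].append(f"{f.kind}:{f.user}:{f.detail}")
    for a in attack_info:
        msg = by_ip.setdefault(a["ip"], {"risk_ip": a["ip"], "reasons": []})
        msg["reasons"].append(f"attack:{a['attack']}")
    for msg in by_ip.values():
        msg["actions"] = actions_for(msg["reasons"])
    return sorted(by_ip.values(), key=lambda m: m["risk_ip"])


class AutomatedServiceGateway:
    """Stand-in for the automated service gateway: interception goes to an
    in-memory block list, work orders and mails to lists."""

    def __init__(self) -> None:
        self.blocked: List[str] = []
        self.work_orders: List[str] = []
        self.mails: List[str] = []

    def handle(self, msg: Dict) -> None:
        for action in msg["actions"]:
            if action == "push_intercept":
                self.blocked.append(msg["risk_ip"])
            elif action == "push_work_order":
                self.work_orders.append(f"{msg['risk_ip']}: " + "; ".join(msg["reasons"]))
            elif action == "push_mail":
                self.mails.append(f"security alert for {msg['risk_ip']}")


# Constructed sample input: formatted logs and attack information.
SAMPLE_LOGS = [
    {"kind": "web_access", "user": "alice", "ip": "10.1.2.3", "url": "/home"},
    {"kind": "web_access", "user": "carol", "ip": "203.0.113.9", "url": "/admin"},
    {"kind": "system_operation", "user": "bob", "ip": "10.0.0.8",
     "required_right": "write", "operation": "edit_config"},
    {"kind": "system_operation", "user": "alice", "ip": "10.0.0.9",
     "required_right": "write", "operation": "edit_config"},
]
SAMPLE_ATTACKS = [{"ip": "203.0.113.9", "attack": "sql_injection"}]


def run_pipeline(logs=SAMPLE_LOGS, attacks=SAMPLE_ATTACKS) -> AutomatedServiceGateway:
    """Analyse, build push information and hand it to the gateway."""
    gw = AutomatedServiceGateway()
    for msg in build_push_info(analyse_behaviour(logs), attacks):
        gw.handle(msg)
    return gw
```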
Optionally, the visual display module 140 may be further configured to obtain the network security situation corresponding to the log data from the security perception result and to display the network security situation visually.
The network security situation represents the network security level. In this embodiment, a correspondence between security events and network security situations may be established in advance according to how much different security events affect system security. Then, once the security perception result is obtained, it can be analyzed to obtain the current security events, and the current network security situation corresponding to the log data can be obtained from the pre-established correspondence and those events.
The network security situation may include at least one of a secure communication network situation, a secure computing environment situation and a secure area boundary situation;
the secure communication network situation may include at least one of a network security access control situation, a network full-traffic intrusion situation, a virtual private network access situation and a network access traffic pressure situation;
the secure computing environment situation may include at least one of a user access situation, a host intrusion situation and an antivirus situation;
the secure area boundary situation may include at least one of a web application firewall situation, an anti-DDoS situation and a threat intelligence situation.
In a specific example, the secure communication network situation may be as shown in fig. 1H, where the secure communication network is supported by load balancing, firewalls, domain name servers, VPNs, network intrusion detection devices and the like; by mining the large number of network communication records generated by these devices for the network communication security situation, the network security access control situation, network full-traffic intrusion situation, virtual private network access situation and network access traffic pressure situation can be detected.
In another specific example, the secure computing environment situation may be as shown in fig. 1I, where the secure computing environment is supported by the host system's login logs, audit logs and asset information together with host intrusion detection, antivirus and bastion host devices. The secure computing environment situation is obtained by mining the large number of records from the computing environment; the secure computing environment takes hosts or terminals as its subject and provides computing services in a secure environment. Host intrusion detection is the last line of defense of network security, and the finer the detection, the more secure the computing environment that can be provided. With the support of the bastion host, controlled user access can be provided, and with the support of the antivirus devices, the risk of the computing environment being paralysed by large-scale virus spread can be reduced. Thus the secure computing environment situation may consist of the user access situation, the host intrusion situation and the antivirus situation of the computing environment.
In another specific example, the secure area boundary situation may be as shown in fig. 1J, where the secure area boundary generally consists of services deployed in an isolated zone, mainly mail systems, domain name systems, web applications and the like. Such services normally stay in contact with the outside world in order to provide service, and the network area they form is called the network boundary area. The web application firewall, the anti-DDoS device and threat intelligence provide security support for the network boundary area, so the secure area boundary situation may consist of the web application firewall situation, the anti-DDoS situation and the threat intelligence situation.
In a specific implementation of this embodiment, the network security perception system 100 may be as shown in fig. 1K: log data from different network security devices, such as firewalls, mail gateways, antivirus devices and bastion hosts, is collected by the log collection module 150; the data caching module 160 then queues the log data using Kafka, ZooKeeper or the like; the data storage module 110 then stores the log data in the corresponding log index, such as the network index, the network intrusion index or the host protection index.
Secondly, the data analysis module 120 reads the stored log data and applies security data cleansing, security event alerting, user behavior analysis and similar processing to obtain a data processing result; typically, the data analysis module 120 performs automatic security event analysis on the log data according to the automated response flow orchestrated by the user through the security orchestration automation and response module 130, so as to obtain the security perception result. Finally, the visual display module 140 displays the security perception result visually, or obtains the network security situation corresponding to the log data from the security perception result and displays that situation visually.
In this embodiment, compared with the large amount of time and resources spent in the prior art on manually processing and analyzing data, the network security perception system 100 can automatically process large amounts of structured and unstructured data, monitor data flows in real time and automatically identify anomalies and threats, and so has stronger data processing capability; secondly, compared with the prior art, where events must be responded to manually, threat response can be automated, response time reduced and security performance improved; moreover, events can be analyzed and monitored in real time to support quick response and decision making, meaning security teams can find and solve problems faster and reduce potential security risks; meanwhile, various security tools and data sources can be integrated to provide comprehensive security analysis and threat detection, so that the security team has a fuller view of the threats and vulnerabilities in the system.
Further, the network security perception system 100 can provide visual analysis and reporting, which helps the security team identify threats and problems quickly and gives it more intuitive data for faster decisions; secondly, users are allowed to customize rules and policies, configuring and adjusting them to the organization's specific requirements and security threats so as to protect its systems and data better; in addition, highly scalable deployments are possible for large enterprises and organizations, to cope with ever-increasing data volumes and complex security requirements; finally, a unified platform can be provided that concentrates all security data and events in one place for analysis and monitoring, so the security team can manage and analyze the data more easily and find and solve security problems faster.
Embodiment two
Fig. 2 is a flowchart of a network security perception method according to a second embodiment of the present invention. The method can be applied to the network security perception system 100 of the first embodiment, and the network security perception system 100 can typically be configured in an electronic device such as a computer or a server. As shown in fig. 2, the method includes the following steps:
S210, obtaining, through the data storage module, the log index matching the log data according to the log cluster corresponding to the collected log data, and storing the log data in that log index.
In a specific example, log data in different formats is first collected from each network security device by the log collection module 150 and buffered as a data queue by the data caching module 160. The buffered log data is then output in sequence to the data storage module 110 according to the preset data output rule.
After receiving the log data, the data storage module 110 clusters it to obtain the corresponding log cluster; then, from that log cluster and the pre-established correspondence between log clusters and log indexes, it looks up the log index corresponding to the log data and stores the log data in that index.
S220, generating, through the security orchestration automation and response module, a pre-arranged automated response flow according to the user's orchestration of the automated response flow.
In a specific example, the security orchestration automation and response module 130 presents a flow drawing page to the user, and the automated response flow pre-arranged by the user is obtained from the user's drawing operations on that page.
S230, performing, through the data analysis module, security event analysis on the log data according to the automated response flow to obtain a security perception result, and presenting the security perception result to the user through the visual display module.
Specifically, the data analysis module 120 automatically performs data cleansing, security event analysis and handling (such as intercepting a risk IP, intercepting a risk mailbox or raising an anomaly alert) on the log data according to the automated response flow, and the security events corresponding to the log data together with their handling results form the security perception result. Finally, the visual display module 140 displays the security perception result visually as graphs or charts.
In this embodiment, the visual display module 140 presents massive security events and threat information in visual form, raising the visibility of security events to the enterprise and its ability to perceive them; displaying security events as charts and graphs makes data analysis and mining easier, strengthens security intelligence analysis and helps the enterprise identify threats and risks better; the security state and threat information of the enterprise can be monitored in real time so that security events are found and responded to promptly, improving security performance and efficiency; data can be analyzed and mined along different dimensions (such as time, geographic location and attack type), giving the enterprise a fuller understanding of security events and threat information; visual reports can be generated to support management decisions; and the source and scope of a security event can be located quickly and accurately so that corresponding handling and repair measures are taken, improving the speed and efficiency of security response.
In the technical scheme of this embodiment, the data storage module first obtains the log index matching the collected log data according to its log cluster and stores the log data in that index; the security orchestration automation and response module then generates a pre-arranged automated response flow according to the user's orchestration of that flow; finally, the data analysis module performs security event analysis on the log data according to the automated response flow to obtain a security perception result, which the visual display module presents to the user. Storing the log data by index, generating an automated response flow and automatically analyzing security events in the log data according to that flow reduces the risk of data leakage, improves data security and improves the response efficiency of network security perception.
It should be noted that in the technical solution of this embodiment, the collection, storage, use and other handling of users' personal information comply with the relevant laws and regulations and do not violate public order and good customs.
Example III
Fig. 3 shows a schematic diagram of an electronic device 30 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 3, the electronic device 30 includes at least one processor 31, and a memory, such as a Read Only Memory (ROM) 32, a Random Access Memory (RAM) 33, etc., communicatively connected to the at least one processor 31, wherein the memory stores a computer program executable by the at least one processor, and the processor 31 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 32 or the computer program loaded from the storage unit 38 into the Random Access Memory (RAM) 33. In the RAM 33, various programs and data required for the operation of the electronic device 30 may also be stored. The processor 31, the ROM 32 and the RAM 33 are connected to each other via a bus 34. An input/output (I/O) interface 35 is also connected to bus 34.
Various components in electronic device 30 are connected to I/O interface 35, including: an input unit 36 such as a keyboard, a mouse, etc.; an output unit 37 such as various types of displays, speakers, and the like; a storage unit 38 such as a magnetic disk, an optical disk, or the like; and a communication unit 39 such as a network card, modem, wireless communication transceiver, etc. The communication unit 39 allows the electronic device 30 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 31 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 31 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 31 performs the various methods and processes described above, such as the network security aware method.
In some embodiments, the network security aware method may be implemented as a computer program tangibly embodied on a computer readable storage medium, such as the storage unit 38. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 30 via the ROM 32 and/or the communication unit 39. When the computer program is loaded into RAM 33 and executed by processor 31, one or more steps of the network security aware method described above may be performed. Alternatively, in other embodiments, the processor 31 may be configured to perform the network security aware method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or cloud host, which is a host product in a cloud computing service system and overcomes the high management difficulty and weak service scalability of traditional physical hosts and VPS services.
It should be appreciated that the various forms of flow shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited in this respect.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (10)
1. A network security perception system, characterized by comprising a data storage module, a data analysis module, a security orchestration, automation and response module, and a visual display module;
the data storage module is connected to the data analysis module and is used for obtaining, according to the log cluster corresponding to the collected log data, a log index matching the log data, storing the log data in that log index, and, when a data reading instruction from the data analysis module is received, sending the log data corresponding to the data reading instruction to the data analysis module;
the data analysis module is connected to the visual display module and to the security orchestration, automation and response module respectively, and is used for sending a data reading instruction to the data storage module, receiving a pre-orchestrated automatic response flow sent by the security orchestration, automation and response module, performing security event analysis on the log data according to the automatic response flow so as to obtain a security perception result, and sending the security perception result to the visual display module;
the security orchestration, automation and response module is used for generating the pre-orchestrated automatic response flow according to a user's orchestration operation on the automatic response flow and sending the pre-orchestrated automatic response flow to the data analysis module;
the visual display module is used for displaying the security perception result to the user.
2. The system of claim 1, further comprising a log collection module and a data caching module;
the log collection module is connected to the data caching module and is used for collecting log data from network security devices and sending the log data to the data caching module;
the data caching module is connected to the data storage module and is used for temporarily storing the log data in a data queue and sending the temporarily stored log data to the data storage module according to a preset data output rule.
3. The system of claim 2, wherein the log data comprises at least one of a firewall log, a domain name server log, a load balancer log, an anti-denial-of-service device log, a virtual private network device log, a web application firewall log, a mail gateway log, a network intrusion detection device log, a host intrusion detection device log, an antivirus device log, a bastion host log, a threat intelligence device log, and an asset information log.
4. The system of claim 1, characterized in that the data storage module is specifically used for:
clustering the log data to obtain the log cluster corresponding to the log data;
obtaining, according to the log cluster corresponding to the log data and a preset correspondence between log clusters and log indexes, the log index corresponding to the log data, and storing the log data in that log index;
wherein the log index comprises at least one of a web log index, a web intrusion detection log index, a host guard log index, an application guard log index, and an aggregate log index.
5. The system of claim 1, wherein the data analysis module comprises a security data cleaning unit, a security event alarm unit, a user behavior analysis unit, and a data analysis linkage unit;
the security data cleaning unit is connected to the security event alarm unit and to the user behavior analysis unit respectively, and is used for cleaning the log data to obtain a formatted log in a unified data format and sending the formatted log to the security event alarm unit and the user behavior analysis unit;
the security event alarm unit is connected to the data analysis linkage unit and is used for performing security information analysis on the formatted log to obtain potential security threats, performing security vulnerability analysis on the formatted log to obtain network security vulnerabilities, performing security attack analysis on the formatted log to obtain network attack information, and sending the potential security threats, the network security vulnerabilities, and the network attack information to the data analysis linkage unit;
the user behavior analysis unit is connected to the data analysis linkage unit and is used for performing security behavior analysis on the formatted log to obtain potential risk behaviors and sending the potential risk behaviors to the data analysis linkage unit;
the data analysis linkage unit is used for generating push information according to the potential security threats, the network security vulnerabilities, the network attack information, and the potential risk behaviors, and sending the push information to an automatic service gateway so that the automatic service gateway intercepts a risk internet protocol address according to the push information.
6. The system of claim 1, wherein the visual display module is further configured to obtain, according to the security perception result, a network security situation corresponding to the log data, and to visually display the network security situation.
7. The system of claim 6, wherein the network security situation comprises at least one of a secure communication network situation, a secure computing environment situation, and a secure regional boundary situation;
the secure communication network situation comprises at least one of a network security access control situation, a network full-traffic intrusion situation, a virtual private network access situation, and a network access traffic pressure situation;
the secure computing environment situation comprises at least one of a user access situation, a host intrusion situation, and an antivirus situation;
the secure regional boundary situation comprises at least one of a web application firewall situation, an anti-distributed-denial-of-service situation, and a threat intelligence situation.
8. A network security perception method, applied to the network security perception system of any one of claims 1 to 7, comprising:
obtaining, by a data storage module and according to the log cluster corresponding to the collected log data, a log index matching the log data, and storing the log data in the log index;
generating, by a security orchestration, automation and response module, a pre-orchestrated automatic response flow according to a user's orchestration operation on the automatic response flow;
performing, by a data analysis module, security event analysis on the log data according to the automatic response flow so as to obtain a security perception result, and displaying, by a visual display module, the security perception result to the user.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the network security perception method of claim 8.
10. A computer readable storage medium storing computer instructions that, when executed, cause a processor to implement the network security perception method of claim 8.
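The pipeline of claims 4 and 5 (cleaning vendor logs into a unified format, routing each record to the log index preset for its cluster, and building push information that names risk IP addresses for the automatic service gateway), as an added Python example that is not part of the patent. The vendor line formats, cluster and index names, sample log lines and the event threshold are constructed assumptions, and format recognition stands in for the clustering step.

```python
import re
from collections import Counter, defaultdict

# Preset correspondence between log cluster and log index (claim 4); constructed values.
CLUSTER_TO_INDEX = {
    "firewall": "web_log_index",
    "waf": "application_guard_log_index",
    "hids": "host_guard_log_index",
}

# Constructed sample lines in three hypothetical vendor formats (not real device output).
RAW_LOGS = [
    "fw|2023-07-13T10:00:01|203.0.113.7|10.0.0.5|DENY",
    "fw|2023-07-13T10:00:02|203.0.113.7|10.0.0.5|DENY",
    "fw|2023-07-13T10:00:03|203.0.113.7|10.0.0.6|DENY",
    "WAF src=203.0.113.7 rule=sqli action=block",
    "hids host=10.0.0.9 user=alice event=login_fail src=198.51.100.4",
]

def clean(raw):
    """Security data cleaning unit: map each vendor format to one unified dict.
    Format recognition stands in for the clustering step and yields the cluster label."""
    if raw.startswith("fw|"):
        _, ts, src, dst, action = raw.split("|")
        return {"cluster": "firewall", "ts": ts, "src": src, "dst": dst, "action": action.lower()}
    kv = dict(re.findall(r"(\w+)=(\S+)", raw))
    if raw.startswith("WAF "):
        return {"cluster": "waf", "src": kv["src"], "rule": kv["rule"], "action": kv["action"]}
    if raw.startswith("hids "):
        return {"cluster": "hids", "src": kv["src"], "host": kv["host"], "action": kv["event"]}
    raise ValueError(f"unknown log format: {raw!r}")

def store(records):
    """Data storage module: route each record to the index preset for its cluster,
    falling back to the aggregate log index when no index is preset."""
    indexes = defaultdict(list)
    for rec in records:
        indexes[CLUSTER_TO_INDEX.get(rec["cluster"], "aggregate_log_index")].append(rec)
    return dict(indexes)

def linkage(records, threshold=3):
    """Data analysis linkage unit: push information naming source IPs whose
    blocked/failed events reach the threshold, for the automatic service gateway."""
    hits = Counter(r["src"] for r in records if r["action"] in ("deny", "block", "login_fail"))
    return [{"risk_ip": ip, "events": n, "action": "intercept"}
            for ip, n in hits.items() if n >= threshold]

def run(raw_logs=RAW_LOGS):
    records = [clean(line) for line in raw_logs]  # clean, then store and analyze
    return store(records), linkage(records)
```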
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
--- | --- | --- | ---
CN202310862016.2A CN117201062A (en) | 2023-07-13 | 2023-07-13 | Network security perception system, method, equipment and storage medium
Publications (1)
Publication Number | Publication Date
--- | ---
CN117201062A true CN117201062A (en) | 2023-12-08
Family ID: 89000468
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
--- | --- | --- | ---
CN202310862016.2A Pending CN117201062A (en) | 2023-07-13 | 2023-07-13 | Network security perception system, method, equipment and storage medium
Country Status (1)
Country | Link
--- | ---
CN (1) | CN117201062A (en)
Legal Events
Date | Code | Title | Description
--- | --- | --- | ---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |