CN1450757A - Method and system for monitoring network intrusion - Google Patents

Publication number
CN1450757A
Authority
CN
China
Prior art keywords
protocol
characteristic
data
module
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 02131143
Other languages
Chinese (zh)
Other versions
CN1203641C (en)
Inventor
王虹
李秀峰
蒋涛
Original Assignee
BEIJING QIMING XINGCHEN INFORMATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING QIMING XINGCHEN INFORMATION TECHNOLOGY Co Ltd
Priority to CN 02131143
Publication of CN1450757A
Application granted
Publication of CN1203641C
Anticipated expiration
Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The method includes the following steps: a. capturing an original message packet in the network; b. performing protocol analysis on the original message packet to obtain protocol variables, i.e. the protocol data at each layer of the original message packet; c. reading preset characteristic data and comparing and matching it against the relevant protocol data of the current protocol variables; d. outputting the matching result. The method can be used to process all IDS characteristic events, so the speed of network intrusion detection analysis is effectively raised.

Description

Method and system for network intrusion monitoring
Technical field
The present invention relates to the field of network information security, and specifically to a method and system for network intrusion monitoring that, when messages are transmitted between multiple digital devices of a network or between multiple networks, monitors and inspects the data sent or received and then analyzes its specific behavior.
Background
With the rapid development of computer networks, network security problems have become increasingly prominent. Network intrusion detection systems (NIDS: Network Intrusion Detection System), one of the main network security products, have come into very wide use, and network security products of all kinds are updated continually. In existing computer networks, data on the network is grouped into discrete units called original message packets, each of which carries an indication of its source and destination. A network intrusion monitoring system is installed in the protected network segment; by processing these packets it generates the most basic security events of the system, namely characteristic events, which report abnormal conditions occurring in that network segment. A characteristic event is generated when the network data contains specific data (a data pattern or match pattern), i.e. characteristic data, in a specific region.
The prior art for generating characteristic events in the field of network intrusion monitoring mainly comprises two approaches. The first is the program generation method: all data patterns are embodied in program code, with one subroutine per characteristic event; the subroutine reads the original message packet from the network and matches it directly to decide whether the corresponding characteristic event has occurred. The second is the coarse matching method: all data patterns are stored in a data buffer, and the program reads the original message packet from the network and matches it directly against the characteristic data in the buffer to decide whether the corresponding characteristic event has occurred.
As Internet technology and attack techniques keep changing, an NIDS must also improve quickly in detecting new attack methods. In the existing methods above, the detection of an attack, i.e. the association between the attack's characteristic data and a characteristic event, is hard-coded. For a newly emerging attack method, the only option is to upgrade the program with an upgrade package able to recognize that attack. This has clear shortcomings, specifically:
1. Newly added program code can make the system unreliable;
2. Upgrading the program costs time, so the response is slow;
3. Characteristic events cannot be customized on site to a user's particular needs;
4. Characteristic events are reported with poor accuracy.
Summary of the invention
In view of the above, the present invention proposes a method and system for network intrusion monitoring that, on the basis of protocol analysis, matches each data pattern precisely and only against the relevant protocol data in order to find characteristic data.
To achieve this, the network intrusion monitoring method of the present invention comprises the following steps:
a. capturing an original message packet in the network;
b. performing protocol analysis on the original message packet to obtain protocol variables, i.e. the protocol data of each layer of the original message packet;
c. reading preset characteristic data, and comparing and matching the characteristic data against the corresponding protocol variable data;
d. outputting the matching result.
Protocol analysis in step b means parsing incrementally, layer by layer from the bottom to the top according to the protocol hierarchy, covering all protocols including application-layer protocols. It further comprises: if the protocol is IP, the protocol data being parsed is reassembled before protocol analysis continues, so that the real characteristics of the network data are obtained; otherwise malicious attacks that deliberately fragment data to hide their attack signature might be missed. If the protocol is TCP, the TCP message stream is reassembled before protocol analysis continues, so that the TCP connection state and the data after stream reassembly are obtained.
The protocol data of each layer in step b more specifically means MAC address, IP address, protocol type data and other characteristic data such as http_url and telnet_user.
Reading the preset characteristic data in step c more specifically means reading it from an independent database, file or port. Comparing and matching the characteristic data against the corresponding protocol variable data in step c more specifically means performing mathematical and logical operations on the characteristic data and the corresponding protocol variable data. It further comprises performing multi-level nested comparison and matching on the characteristic data and the corresponding protocol variable data.
Step d further comprises: if the matching result is a successful match, a report is output; otherwise no report is output.
The invention also proposes a system for network intrusion monitoring, which includes:
Data capture module: captures original message packets in the network;
Protocol analysis module: performs protocol analysis on the original message packet;
Protocol data buffer module: stores the protocol data of each layer;
Characteristic data module: stores the characteristic data;
Event matching module: reads the preset characteristic data, and compares and matches it against the corresponding protocol data;
Event reporting module: outputs the matching result.
First, after the data capture module captures an original message packet in the network, the packet is passed to the protocol analysis module for protocol analysis; the protocol data of each layer of the packet is obtained and stored in the protocol data buffer module. Next, the event matching module reads the preset characteristic data from the characteristic data module and compares and matches it against the protocol data of each layer in the protocol data buffer module. Finally, the event reporting module outputs the matching result.
The present invention is based on research into network data characteristics and communication protocol standards, with comprehensive statistics and analysis of the various kinds of network data characteristics. In generating characteristic events it combines precise characteristic matching with protocol analysis, providing an effective and extensible monitoring method and system for all characteristic events in the network. The invention can cover all patterns that an NIDS needs to process and the TCP/IP communication protocols; it unifies the characteristic data of characteristic events with the analysis method of the protocol specifications, so that all NIDS (Network Intrusion Detection System) characteristic events can be described simply and explicitly. More specifically, the invention has the following advantages:
1. It effectively improves the speed of network intrusion monitoring analysis;
2. It greatly reduces event matching time, lowers the false alarm rate and improves accuracy;
3. When a new network event characteristic appears, or when specific network data characteristics are of interest, these characteristics can be added quickly to the characteristic data module containing the NIDS event library, without upgrading the application, so that alerts are raised;
4. Through a flexible user-definable interface, updates to the characteristic data module are independent of the program, which ensures that the NIDS responds quickly to security events and lets users customize characteristic events on site.
The invention is described in detail below with reference to the drawings and a specific embodiment.
Description of drawings
Fig. 1 is a flow chart of the network intrusion monitoring method of the present invention;
Fig. 2 is an architecture diagram of the network intrusion monitoring system of the present invention;
Fig. 3 is a schematic diagram of the structure after protocol analysis in the present invention.
Specific implementation
The Internet (WAN) and local area networks (LAN) are now very widely used, and in these networks TCP/IP over Ethernet is an extremely typical and common protocol suite. Scanning is an operation that hackers often perform, and it gives rise to the Ping Scan characteristic event; as is well known, the characteristic data corresponding to Ping Scan is that the type code of the ICMP protocol equals 8. The method and system of the embodiment of the invention are described in detail below, taking the monitoring of the Ping Scan characteristic event as the example:
The network environment in this embodiment is as follows: the hacker is on a remote computer, the network intrusion monitoring system of this embodiment is installed on the local computer network, and the remote computer and the local computer are connected by Ethernet. When a vulnerability scanning tool on the remote computer is used to scan a computer in the local network, with the option selected to probe by ping whether the host exists before scanning, the scan sends a series of related original message packets to the local network, containing the following original data. The corresponding explanation is shown in Table 1 below:
Table 1
| Original message | Protocol | Data field explanation | Protocol variable | Remarks |
|---|---|---|---|---|
| 00 50 ba ba 35 d5 | Ethernet protocol | Destination MAC address | Dmac | |
| 00 50 ba 65 6f eb | | Source MAC address | Smac | |
| 08 00 | | Ethernet protocol type | Eth_type | |
| 45 00 00 3c 98 b6 00 00 80 | IP protocol | … | | |
| 01 | | IP protocol type | Ip_type | |
| 17 a4 c0 a8 04 18 c0 a8 04 fe | | … | | |
| 08 | ICMP protocol | ICMP protocol type | Icmp_type | Icmp_type=8 |
| 00 39 5c 02 00 12 00 | | … | | |
| 61 62 63 64 65 66 67 68 69 6a 6b 6c | ICMP data | … | | |
| 49 53 53 | | Characteristic data | [String.12] | [string.12]=ISS |
| 6d 6e 70 71 72 73 74 75 76 77 | | … | | |
In the table above, the protocol variables record the characteristic data described by the corresponding data field explanation; [string.12]=ISS indicates that the string variable at an offset of 12 bytes in the ICMP (Internet Control Message Protocol) data field is "ISS".
As shown in Fig. 2, the network intrusion monitoring system installed on the local network includes:
Data capture module: captures original message packets in the network;
Protocol analysis module: performs protocol analysis on the original message packet;
Protocol data buffer module: stores the protocol data of each layer;
Characteristic data module: stores the characteristic data;
Event matching module: reads the preset characteristic data, and compares and matches it against the corresponding protocol data;
Event reporting module: outputs the matching result.
When the network intrusion monitoring system on the local computer is started, the system is initialized: characteristic data such as the relevant protocol data, operation type, operation variable name, operation variable value and characteristic event return value variable are read from the characteristic data module and stored in the computer's internal memory. For the "Ping ISS" scan characteristic event, the characteristic data is specifically: the protocol variables (data) are icmp_type and [string.12]; the operation types are string and integer; the operation variable names are the equals operation (=) and the contains operation (^); the operation variable values are the string ISS and the integer 8; the name of the characteristic event return value variable is "length", and its corresponding protocol variable is "icmp_length".
The network intrusion monitoring system on the local computer then begins monitoring for network intrusion. As shown in Fig. 1, this comprises the following steps:
First, capture the original message packet in the network.
The data capture module captures the original message packet described in Table 1 above.
Second, perform protocol analysis on the original message packet to obtain the protocol data of each layer of the packet.
The protocol analysis module performs protocol analysis on the original message packet described in Table 1; Fig. 3 shows the structure after protocol analysis. Protocol analysis proceeds incrementally according to the layers of the network protocol, layer by layer from the bottom to the top, and the parsed protocol data is assigned to the protocol variables, i.e. stored in the protocol data buffer module; for example, "8" is assigned to "ICMP_type" and "ISS" is assigned to "[String.12]".
Third, read the preset characteristic data, and compare and match it against the corresponding protocol data.
The event matching module first reads the characteristic data that was stored in the computer's internal memory at initialization: the protocol type data, i.e. "ICMP_type", is "8"; the string at an offset of 12 bytes in the ICMP data field, i.e. "[String.12]", is "ISS"; and the logical relation between these two comparison operations is the AND function "AND". It then compares this characteristic data with the values of the corresponding protocol variables stored in the protocol data buffer module in the second step: the result of "ICMP_type=8" is true, the result of "[String.12]=ISS" is also true, and after the two comparison results are combined with "AND" the result is still true.
Fourth, output the matching result.
The matching result in the third step is true, i.e. a successful match, so the event reporting module outputs a report, for example by displaying it on the computer's foreground or by writing it to a file saved on disk.
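The embodiment above, worked through as an added example (not code from the patent): the Table 1 frame is parsed into protocol variables, and the "Ping ISS" characteristic data is held as a rule structure separate from the parser and evaluated with "=", "^" and nested AND/OR. The rule layout, the function names, the reading of `[string.12]` as the ICMP data field from offset 12 onward, and `icmp_length` as the captured ICMP message length are assumptions; the frame is constructed from the bytes in Table 1.

```python
import re
import struct

# Constructed sample: the frame bytes listed in Table 1. The table elides the
# tail of the ICMP payload, so the frame is shorter than the IP total length.
TABLE1_FRAME = bytes.fromhex(
    "0050baba35d5" "0050ba656feb" "0800"           # Ethernet: dmac, smac, eth_type
    "4500003c98b600008001" "17a4c0a80418c0a804fe"  # IPv4 header, ip_type = 1
    "0800395c02001200"                             # ICMP header, icmp_type = 8
    "6162636465666768696a6b6c" "495353"            # ICMP data, "ISS" at offset 12
    "6d6e7071727374757677"
)

# Characteristic data kept apart from the program (step c); layout is assumed.
PING_ISS_RULE = {
    "event": "Ping ISS",
    "match": {"AND": [
        {"var": "icmp_type", "op": "=", "value": 8},
        {"var": "[string.12]", "op": "=", "value": "ISS"},
    ]},
    "returns": {"length": "icmp_length"},
}

_STRING_VAR = re.compile(r"^\[string\.(\d+)\]$", re.IGNORECASE)


def parse_protocols(frame):
    """Step b: parse bottom-up (Ethernet, IPv4, ICMP) into protocol variables."""
    pv = {}
    if len(frame) < 14:
        return pv
    pv["dmac"], pv["smac"] = frame[0:6].hex(), frame[6:12].hex()
    pv["eth_type"] = struct.unpack("!H", frame[12:14])[0]
    if pv["eth_type"] != 0x0800 or len(frame) < 34:
        return pv
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return pv
    # A fragment (MF set or non-zero offset) must be reassembled before upper
    # layers are parsed; reassembly is not implemented here, so stop at IP.
    if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:
        pv["ip_fragment"] = True
        return pv
    pv["ip_type"] = ip[9]
    icmp = ip[ihl:]
    if pv["ip_type"] == 1 and len(icmp) >= 8:
        pv["icmp_type"] = icmp[0]
        pv["icmp_length"] = len(icmp)  # assumed: header plus data, as captured
        pv["icmp_data"] = icmp[8:]
    return pv


def resolve(pv, name):
    """Look up a protocol variable; [string.N] is the ICMP data from offset N."""
    m = _STRING_VAR.match(name)
    if m:
        data = pv.get("icmp_data")
        return None if data is None else data[int(m.group(1)):]
    return pv.get(name.lower())


def compare(actual, op, expected):
    """'=' is equality (prefix equality for byte strings); '^' is contains."""
    if actual is None:
        return False
    if isinstance(actual, bytes) and isinstance(expected, str):
        expected = expected.encode()
    if op == "=":
        if isinstance(actual, bytes) and isinstance(expected, bytes):
            return actual[:len(expected)] == expected
        return actual == expected
    if op == "^":
        same_kind = type(actual) is type(expected)
        return same_kind and isinstance(actual, (bytes, str)) and expected in actual
    raise ValueError("unknown operator: %r" % op)


def evaluate(node, pv):
    """Multi-level nested matching: AND/OR nodes over leaf comparisons."""
    if "AND" in node:
        return all(evaluate(child, pv) for child in node["AND"])
    if "OR" in node:
        return any(evaluate(child, pv) for child in node["OR"])
    return compare(resolve(pv, node["var"]), node["op"], node["value"])


def detect(frame, rules):
    """Steps b to d: parse, match every rule, return the events to report."""
    pv = parse_protocols(frame)
    events = []
    for rule in rules:
        if evaluate(rule["match"], pv):
            event = {"event": rule["event"]}
            event.update({k: pv.get(v) for k, v in rule["returns"].items()})
            events.append(event)
    return events
```

Adding another entry to the rule list changes what is detected without touching `parse_protocols`, which is the separation of characteristic data from program code that the description argues for.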

Claims (10)

1. A method of network intrusion monitoring, characterized in that the method comprises the following steps:
a. capturing an original message packet in the network;
b. performing protocol analysis on the original message packet to obtain protocol variables, i.e. the protocol layer data of the original message packet;
c. reading preset characteristic data, and comparing and matching the characteristic data against the protocol variable data;
d. outputting the matching result.
2. The method of network intrusion monitoring as claimed in claim 1, characterized in that the protocol analysis in step b is performed layer by layer from the bottom to the top according to the protocol hierarchy, parsing all protocols including application-layer protocols.
3. The method of network intrusion monitoring as claimed in claim 1, characterized in that the protocol analysis in step b further comprises: if the protocol is IP, the protocol data being parsed is reassembled before protocol analysis continues.
4. The method of network intrusion monitoring as claimed in claim 1, characterized in that the protocol analysis in step b further comprises: if the protocol is TCP, the TCP message stream is reassembled before protocol analysis continues.
5. The method of network intrusion monitoring as claimed in claim 1, characterized in that the protocol data of each layer in step b more specifically means MAC address, IP address, protocol type data and other characteristic data such as http_url and telnet_user.
6. The method of network intrusion monitoring as claimed in claim 1, characterized in that reading the preset characteristic data in step c more specifically means reading it from an independent database, file or port.
7. The method of network intrusion monitoring as claimed in claim 1, characterized in that comparing and matching the characteristic data against the corresponding protocol variable data in step c more specifically means performing mathematical and logical operations on the characteristic data and the corresponding protocol variable data.
8. The method of network intrusion monitoring as claimed in claim 1, characterized in that comparing and matching the characteristic data against the corresponding protocol variable data in step c further comprises performing multi-level nested comparison and matching on the characteristic data and the corresponding protocol variable data.
9. The method of network intrusion monitoring as claimed in claim 1, characterized in that step d further comprises: if the matching result is a successful match, a report is output; otherwise no report is output.
10. A system for network intrusion monitoring, characterized in that the system includes:
Data capture module: captures original message packets in the network;
Protocol analysis module: performs protocol analysis on the original message packet;
Protocol data buffer module: stores the protocol data of each layer;
Characteristic data module: stores the characteristic data;
Event matching module: reads the preset characteristic data, and compares and matches it against the corresponding protocol data;
Event reporting module: outputs the matching result;
First, after the data capture module captures an original message packet in the network, the packet is passed to the protocol analysis module for protocol analysis; the protocol data of each layer of the packet is obtained and stored in the protocol data buffer module. Next, the event matching module reads the preset characteristic data from the characteristic data module and compares and matches it against the protocol data of each layer in the protocol data buffer module. Finally, the event reporting module outputs the matching result.
CN 02131143 2002-10-11 2002-10-11 Method and system for monitoring network intrusion Expired - Fee Related CN1203641C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 02131143 CN1203641C (en) 2002-10-11 2002-10-11 Method and system for monitoring network intrusion

Publications (2)

Publication Number Publication Date
CN1450757A true CN1450757A (en) 2003-10-22
CN1203641C CN1203641C (en) 2005-05-25

Family

ID=28680801

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 02131143 Expired - Fee Related CN1203641C (en) 2002-10-11 2002-10-11 Method and system for monitoring network intrusion

Country Status (1)

Country Link
CN (1) CN1203641C (en)

Also Published As

Publication number Publication date
CN1203641C (en) 2005-05-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
C56 Change in the name or address of the patentee
CP03 Change of name, title or address

Address after: No 12, No. 188 South Main Street, Beijing, Haidian District, Zhongguancun

Patentee after: BEIJING VENUSTECH Inc.

Address before: No 12, No. 188 South Main Street, Beijing, Haidian District, Zhongguancun

Patentee before: Beijing Venus Information Technology Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20090320

Address after: Building 100193, building 21, Zhongguancun Software Park, 8 West Wang Xi Road, Beijing, Haidian District

Co-patentee after: BEIJING VENUSTECH CYBERVISION Co.,Ltd.

Patentee after: BEIJING VENUSTECH Inc.

Address before: 12, 100081 South Main Street, Beijing, Haidian District, 188: zip code:

Patentee before: BEIJING VENUSTECH Inc.

C56 Change in the name or address of the patentee

Owner name: BEIJING QIMINGXINGCHEN INFORMATION TECHNOLOGY CO.,

Free format text: FORMER NAME: BEIJING QIMING XINGCHEN INFORMATION TECHNOLOGY CO. LTD.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20050525

Termination date: 20141011

EXPY Termination of patent right or utility model