WO2019136954A1 - Method for detecting network compliance, apparatus, device and medium - Google Patents

Method for detecting network compliance, apparatus, device and medium

Info

Publication number: WO2019136954A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2018/096108
Other languages: French (fr), Chinese (zh)
Prior art keywords: terminal, software, network, server, detecting
Inventors: 戴昌, 涂大志, 王新成
Original assignee (applicant): 深圳市联软科技股份有限公司

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network security for managing network security; network security policies in general
    • H04L 63/14 Network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; congestion control
    • H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L 47/2475 Traffic characterised by specific attributes, for supporting traffic characterised by the type of applications
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services

Definitions

  • the present invention relates to the field of network security technologies, and in particular, to a network compliance detection method, apparatus, device, and medium.
  • the existing intranet management methods mainly work by installing agent-style monitoring software on each terminal. Administrators find it hard to guarantee the installation rate of such software and cannot manage a large number of terminals in a unified way; in other words, the existing intranet management methods lack supervisory strength and flexibility, and are rather passive.
  • the technical problem to be solved by the present application is to provide a network compliance detection method, apparatus, device and medium that, through analysis of network traffic data, detect the asset security of terminals, risks that may exist in the intranet, external attack behaviour, and non-compliant terminal behaviour.
  • the detection is transparent to the terminal user: the risks present on a terminal are found from its traffic alone, and the terminal can be alerted, so that the security of the internal network is ensured.
  • the embodiment of the present application provides a network compliance detection method, where the method includes:
  • all the traffic information generated by all the terminals in the internal network is mirrored to a specified server network card;
  • according to the traffic information on the server network card, it is detected whether the specified software is installed on each terminal;
  • a non-compliance alarm is sent to each terminal on which the specified software is not installed, prompting the user to install the specified software.
  • detecting whether the specified software is installed on each terminal includes: determining the software time window required for the terminal to communicate with the software server corresponding to the specified software; and, when the terminal generates no traffic to the software server within that software time window, determining that the specified software is not installed on the terminal.
  • determining the software time window includes: counting, for at least three terminals, the number of communication packets each sent to the software server within a first time length; taking the median of these counts; computing from the median the average number of packets a terminal sends to the software server per second time length; when that average is greater than a preset first value, taking the second time length as the software time window; and when the average is less than the first value, taking as the software time window the product of the second time length and the smallest integer greater than the ratio of the first value to the average.
  • the method further comprises: detecting, according to the traffic information on the server network card, whether each terminal uses a proxy server for network communication.
  • the method further comprises:
  • a non-compliant alarm is sent to a terminal that does not use a proxy server for network communication to prompt the user to use a proxy server for network communication to ensure network security.
  • the method further comprises: detecting whether each terminal has successfully logged in to the Active Directory domain.
  • detecting whether each terminal has successfully logged in to the Active Directory domain includes: obtaining the authentication packet the terminal sends to the domain controller; obtaining the response packet the domain controller returns to the terminal for that authentication packet; and determining, from the information in the authentication packet and in the response packet, whether the terminal has successfully logged in to the Active Directory domain.
  • the embodiment of the present application provides a network compliance detecting apparatus, where the apparatus includes:
  • a mirroring unit configured to mirror all traffic information generated by all terminals in the internal network to a specified server network card
  • a detecting unit configured to detect, according to the traffic information on the server network card, whether the specified software is installed on each terminal;
  • the alarm unit is configured to send a non-compliant alarm to the terminal that does not have the specified software to prompt the user to install the specified software.
  • the detecting unit is specifically configured to perform the software-time-window check described for the method above (determine the window from the median packet count of at least three terminals, and judge the software not installed when the terminal produces no traffic to the software server within the window), to detect from the mirrored traffic whether each terminal uses a proxy server for network communication, and to detect whether each terminal has successfully logged in to the Active Directory domain from the authentication packet it sends to the domain controller and the domain controller's response packet.
  • the alarm unit is further configured to send a non-compliance alarm to each terminal that does not use a proxy server for network communication, prompting the user to use a proxy server so as to ensure network security.
  • an embodiment of the present application provides a computer device comprising at least one processor, at least one memory, and computer program instructions stored in the memory which, when executed by the processor, implement the method of the first aspect.
  • an embodiment of the present application provides a computer readable storage medium on which computer program instructions are stored which, when executed by a processor, implement the method of the first aspect.
  • the network compliance detection method, apparatus, device and medium provided by the embodiments of the present invention detect the security of network assets, risks that may exist in the intranet, external attack behaviour and non-compliant terminal behaviour through analysis of network traffic data.
  • detection is transparent to the terminal user: the risks present on a terminal are found from its traffic and the terminal can be alerted, ensuring the security of the internal network.
  • the detection mode is transparent to the managed terminals, and the terminals can be managed uniformly on the server side.
  • FIG. 1 is a flowchart of a network compliance detecting method according to an embodiment of the present invention
  • FIG. 2 is a block diagram of a network compliance detecting apparatus according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of hardware of a computer device according to an embodiment of the present invention.
  • the network compliance detection method provided by this embodiment includes:
  • Step S1: mirror all the traffic information generated by all the terminals in the internal network to the designated server network card;
  • Step S2: according to the traffic information on the server network card, detect whether the specified software is installed on each terminal;
  • Step S3: send a non-compliance alarm to each terminal on which the specified software is not installed, prompting the user to install it.
  • the method detects non-compliant terminal behaviour through analysis of network traffic data, finds the risks present on a terminal transparently to the terminal user, and can alert the terminal, thereby ensuring the security of the internal network.
  • the method of this embodiment relies on a pre-built "network security prism" system: on the intranet switch, all intranet traffic is mirrored (port mirroring, e.g. a SPAN session) to the network card of the prism system server, and the server then captures and analyses specific data or characteristics of the traffic arriving on that card. Because the server only ever sees a copy of the traffic, the analysis is passive and needs no agent on the terminals.
  • detecting whether the specified software is installed on each terminal includes: determining the software time window required for the terminal to communicate with the software server corresponding to the specified software; and, when the terminal generates no traffic to the software server within that window, determining that the specified software is not installed on the terminal.
  • determining the software time window includes: counting, for at least three terminals, the number of communication packets each sent to the software server within a first time length; taking the median of these counts; computing from the median the average number of packets a terminal sends to the software server per second time length; when that average is greater than a preset first value, using the second time length as the software time window; and when it is less than the first value, using the product of the second time length and the smallest integer greater than the ratio of the first value to the average.
  • all traffic in the enterprise intranet is recorded on the server network card.
  • the software time window is used to judge whether a terminal has the specified software installed: once the window has been obtained, the traffic each terminal produced within the window is examined for communication with the software server, which confirms whether the software is installed.
  • the software time window is, in effect, the expected communication interval between the terminal and the software server corresponding to the specified software.
  • to obtain the software time window for a given piece of software, first define the IP address and port of its server; then, by analysing traffic over a number of days, record the number of communication packets each terminal IP exchanged with the software server. Take the median of these counts and convert it to the number of packets a source IP sends to the software server every 15 minutes. If that number is greater than 3, the software time window is set to 15 minutes; if it is less than 3, take the smallest integer a greater than 3 divided by that number, and set the software time window to a × 15 minutes.
  • note that the check establishes absence of communication rather than absence of the software: an installed agent whose server is unreachable, or a terminal that is powered off or off the network for the whole window, also produces no traffic to the software server, so such terminals should be distinguished from ones that are active on the network but silent towards the server.
  • the method further comprises: detecting, according to the traffic information on the server network card, whether each terminal uses a proxy server for network communication.
  • the following characteristic parts of the communication traffic with a proxy server are used:
  • HTTP proxy: commonly port 8080, using the HTTP protocol. Before sending its data, the terminal sends an HTTP request of the "CONNECT" method to the proxy server, telling the proxy the destination IP address and port it wants to reach; the request also carries proxy-related header fields such as "Proxy-Connection". A concrete example is logging in to QQ through an HTTP proxy.
  • SOCKS proxy: before sending its data, the terminal sends a SOCKS packet of the "Connect" command to the proxy server, telling the proxy the destination IP address and port it wants to reach. A concrete example is logging in to QQ through a SOCKS proxy.
  • the method further comprises: sending a non-compliance alarm to each terminal that does not use a proxy server for network communication, prompting the user to use a proxy server so as to ensure network security.
  • Proxy server: a proxy server is an important security function provided by an Internet link-level gateway. Its main functions are: bypassing the client's own IP access restrictions, improving access speed, and hiding the real IP address from attackers.
  • the method further comprises: detecting whether each terminal has successfully logged in to the Active Directory domain.
  • detecting whether each terminal has successfully logged in to the Active Directory domain includes: obtaining the authentication packet the terminal sends to the domain controller; obtaining the response packet the domain controller returns for it; and determining from both whether the login succeeded.
  • when a terminal logs in to an Active Directory (AD) domain, it sends an authentication packet to the domain controller; the protocol of the authentication packet is Kerberos.
  • the detailed information in the authentication packet can be inspected: after parsing, it includes information such as the user name and the domain name.
  • the embodiment determines whether the terminal has successfully logged in to the Active Directory domain according to the authentication packet and the domain controller's response packet.
  • a network compliance detecting apparatus includes:
  • the mirroring unit 1 is configured to mirror all the traffic information generated by all the terminals in the internal network to the designated server network card;
  • the detecting unit 2 is configured to detect, according to the traffic information on the server network card, whether the specified software is installed on each terminal;
  • the alarm unit 3 is configured to send a non-compliant alarm to the terminal that does not have the specified software to prompt the user to install the specified software.
  • the network compliance detecting apparatus detects non-compliant terminal behaviour through analysis of network traffic data, finds the risks present on a terminal transparently to the terminal user, and can alert the terminal, thereby ensuring the security of the internal network.
  • this embodiment likewise relies on a pre-built network security prism system: on the intranet switch, all intranet traffic is mirrored to the network card of the prism system server, and the specific data or characteristics of the traffic on that card are then captured and analysed.
  • the detecting unit 2 is specifically configured to carry out the software-time-window check set out above for the method: it determines the window required for a terminal to communicate with the software server (from the median packet count of at least three terminals over the first time length, converted to packets per second time length and compared with the first value, e.g. 3 packets per 15 minutes), and judges the specified software not installed when the terminal produces no traffic to the software server within that window.
  • the detecting unit 2 is further configured to detect, from the traffic information on the server network card, whether each terminal uses a proxy server, using the same characteristics as above (the HTTP "CONNECT" request with proxy-related header fields such as "Proxy-Connection" on the HTTP proxy's port, commonly 8080, or the SOCKS "Connect" packet naming the destination IP address and port).
  • the alarm unit 3 is further configured to send a non-compliance alarm to each terminal that does not use a proxy server for network communication, prompting the user to use one so as to ensure network security.
  • the detecting unit 2 is further configured to detect whether each terminal has successfully logged in to the Active Directory domain, from the Kerberos authentication packet the terminal sends to the domain controller (which, once parsed, yields the user name and domain name) and the domain controller's response packet.
  • FIG. 3 is a schematic diagram showing the hardware structure of a computer device according to an embodiment of the present invention.
  • a computer device implementing a network compliance detection method can include a processor 401 and a memory 402 storing computer program instructions.
  • the processor 401 may include a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • memory 402 can include mass storage for data or instructions.
  • memory 402 can include a Hard Disk Drive (HDD), a floppy disk drive, flash memory, an optical disk, a magneto-optical disk, magnetic tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these.
  • memory 402 may include removable or non-removable (or fixed) media, where appropriate.
  • memory 402 may be internal or external to the data processing device, where appropriate.
  • memory 402 may be a non-volatile solid state memory.
  • memory 402 may include a Read-Only Memory (ROM).
  • the ROM may be a mask-programmed ROM, a Programmable ROM (PROM), an Erasable Programmable ROM (EPROM), an Electrically Erasable Programmable ROM (EEPROM), an electrically rewritable ROM, flash memory, or a combination of two or more of these.
  • the processor 401 implements any of the network compliance detection methods of the above embodiments by reading and executing computer program instructions stored in the memory 402.
  • the computer device can also include a communication interface 403 and a bus 410. As shown in FIG. 3, the processor 401, the memory 402, and the communication interface 403 are connected by the bus 410 and complete communication with each other.
  • the communication interface 403 is mainly used to implement communication between modules, devices, units and/or devices in the embodiments of the present invention.
  • bus 410 includes hardware, software, or both that couple the components of the computer device to each other.
  • the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Extended Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCIe) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local bus (VLB), another suitable bus, or a combination of two or more of these.
  • bus 410 may include one or more buses, where appropriate. Although specific buses are described and illustrated, the present invention contemplates any suitable bus or interconnect.
  • the embodiment of the present invention may be implemented by providing a computer readable storage medium.
  • the computer readable storage medium stores computer program instructions; when the computer program instructions are executed by the processor, the network compliance detection method of any of the above embodiments is implemented.
  • the functional blocks shown in the block diagrams described above may be implemented as hardware, software, firmware, or a combination thereof.
  • when implemented in hardware, a functional block may be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card, and the like.
  • when implemented in software, the elements of the present invention are programs or code segments used to perform the required tasks.
  • the program or code segments can be stored in a machine readable medium, or transmitted over a transmission medium or communication link as a data signal carried on a carrier wave.
  • a "machine-readable medium" can include any medium that can store or transfer information.
  • examples of machine readable media include electronic circuitry, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, optical media, radio frequency (RF) links, and the like.
  • the code segments can be downloaded via a computer network such as the Internet or an intranet.
  • the exemplary embodiments of the present invention describe methods or systems in terms of a series of steps or devices.
  • the present invention is not limited to the order of the steps described above: the steps may be performed in the order given in the embodiment, in a different order, or several steps may be performed simultaneously.

Abstract

Provided in the present invention are a method for detecting network compliance, an apparatus, a device and a medium. The method comprises: mirroring all the traffic information generated by all terminals within the intranet onto a designated server network card; detecting, according to the traffic information on the server network card, whether designated software is installed on each terminal; and sending a non-compliance warning to terminals on which the designated software is not installed, so as to prompt the user to install it. The method, apparatus, device and medium detect, by means of network data analysis, the asset security of terminals, risks that may exist in the intranet, external attack behaviour and non-compliant terminal behaviour; the risks present on a terminal are detected transparently to the terminal user and the terminal can be warned, thereby ensuring intranet security.

Description

Network compliance detection method, apparatus, device and medium
Technical field
The present invention relates to the field of network security technologies, and in particular to a network compliance detection method, apparatus, device and medium.
Background
Many existing terminal-side products (for example desktop operations and maintenance, security protection, and monitoring and auditing products) depend on being successfully deployed and run on the terminal: their functions, and their management effect, depend on the deployment and operation of the intranet terminals. At present, three main factors hinder the development of internal network management technology. First, in most organisations the intranet is heterogeneous: the hardware and software components it contains are made by many different companies. Second, technology keeps changing, which means new devices and new services keep appearing. Third, most intranets are fairly large, which means some parts of the intranet are far from others, and it can be particularly difficult to find the cause of communication problems on remote devices.
However, the existing intranet management methods mainly work by installing monitoring-type software on the terminals. Administrators find it difficult to guarantee the installation rate of such software, and cannot manage a large number of terminals in a unified way. In other words, the existing intranet management methods lack supervisory strength and flexibility, and are rather passive.
Summary of the invention
The technical problem to be solved by the present application is to provide a network compliance detection method, apparatus, device and medium that, through analysis of network traffic data, detect the asset security of terminals, risks that may exist in the intranet, external attack behaviour and non-compliant terminal behaviour; the risks present on a terminal are detected transparently to the terminal user, and the terminal can be alerted, so as to ensure intranet security.
To solve the above technical problem, the technical solution provided by the present application is as follows.
In a first aspect, an embodiment of the present application provides a network compliance detection method, the method including:
mirroring all the traffic information generated by all the terminals in the internal network to a specified server network card;
detecting, according to the traffic information on the server network card, whether the specified software is installed on each terminal;
sending a non-compliance alarm to each terminal on which the specified software is not installed, prompting the user to install the specified software.
Preferably, detecting, according to the traffic information on the server network card, whether the specified software is installed on each terminal includes:
determining the software time window required for the terminal to communicate with the software server corresponding to the specified software;
when the terminal generates no traffic to the software server within the software time window, determining that the specified software is not installed on the terminal.
Preferably, determining the software time window required for the terminal to communicate with the software server corresponding to the specified software includes:
counting, for at least three terminals, the number of communication packets each sent to the software server within a first time length;
taking the median of these counts;
computing, from the median, the average number of communication packets a terminal sends to the software server per second time length;
when the average is greater than a preset first value, determining the second time length as the software time window;
when the average is less than the first value, determining as the software time window the product of the second time length and the smallest integer greater than the ratio of the first value to the average.
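The window computation in the steps above, together with the concrete instance given under Definitions (a 15-minute second time length and a first value of 3 packets), and the absence check that uses the window, as an added example that is not the patent's own code. The baseline packet counts, the agent server address 10.0.0.20:8443 and the flow records are constructed for the example; the equal-to-first-value case, which the text does not cover, is folded into the second branch. The check also separates terminals that produced no traffic at all in the window from active terminals that never reached the software server, a distinction the patent text does not make but which avoids alarming on a host that is simply switched off.

```python
import math
from statistics import median


def software_time_window(packet_counts, first_len_s, second_len_s, first_value):
    """Software time window in seconds, following the steps in the claims.

    packet_counts: packets each sampled terminal sent to the software server during
                   the first time length (at least three terminals).
    first_len_s:   the first time length (several days of baseline traffic).
    second_len_s:  the second time length (15 minutes in the patent's example).
    first_value:   the preset first value (3 packets in the patent's example).
    """
    if len(packet_counts) < 3:
        raise ValueError("the patent samples at least three terminals")
    med = median(packet_counts)
    avg_per_interval = med * second_len_s / first_len_s   # packets per second_len_s
    if avg_per_interval > first_value:
        return second_len_s
    if avg_per_interval == 0:
        raise ValueError("no baseline traffic to the software server; a window cannot be sized")
    # smallest integer strictly greater than first_value / avg (assumption: the case
    # avg == first_value, which the text does not cover, is folded into this branch)
    a = math.floor(first_value / avg_per_interval) + 1
    return a * second_len_s


def check_terminals(records, server_ip, server_port, window_s, now):
    """Classify terminals by the traffic seen in [now - window_s, now].

    records: iterable of (ts, src_ip, dst_ip, dst_port) flow records from the mirror port.
    Returns (missing, active, inactive):
      missing  - terminals active in the window with no traffic to the software server (alarm)
      active   - terminals that sent any traffic in the window
      inactive - terminals seen only outside the window (powered off, off the network); kept
                 apart so a silent host is not reported as missing the software (added check,
                 not stated in the patent text)
    """
    start = now - window_s
    seen_ever, active, reached_server = set(), set(), set()
    for ts, src, dst, dport in records:
        seen_ever.add(src)
        if start <= ts <= now:
            active.add(src)
            if dst == server_ip and dport == server_port:
                reached_server.add(src)
    return active - reached_server, active, seen_ever - active


# Constructed sample data (not from the patent): a 24 h baseline and 15-minute intervals.
DAY, QUARTER_HOUR = 24 * 3600, 15 * 60
BASELINE_COUNTS = [480, 96, 200]          # median 200 -> 2.08 packets per 15 min, below 3
AGENT_SERVER = ("10.0.0.20", 8443)        # assumed IP and port of the specified software's server
NOW = 100_000
SAMPLE_RECORDS = [
    (99_000, "10.0.0.5", "10.0.0.20", 8443),   # terminal 5 heart-beats to the agent server in the window
    (99_500, "10.0.0.6", "10.0.0.53", 53),     # terminal 6 is up (DNS) but never reaches the agent server
    (90_000, "10.0.0.6", "10.0.0.20", 8443),   #   ... its last agent contact is outside the window
    (80_000, "10.0.0.7", "10.0.0.53", 53),     # terminal 7 has been silent for the whole window
]


def run_example():
    window = software_time_window(BASELINE_COUNTS, DAY, QUARTER_HOUR, 3)
    missing, active, inactive = check_terminals(SAMPLE_RECORDS, *AGENT_SERVER, window, NOW)
    return window, missing, active, inactive


if __name__ == "__main__":
    window, missing, active, inactive = run_example()
    print(f"software time window: {window // 60} min")
    for t in sorted(missing):
        print(f"non-compliance alarm: {t} sent no traffic to {AGENT_SERVER[0]}:{AGENT_SERVER[1]}")
    for t in sorted(inactive):
        print(f"not evaluated (no traffic at all in the window): {t}")
```

With the sample baseline the median terminal sends about 2.08 packets per 15 minutes, so the ratio 3 / 2.08 is rounded up to the next integer, 2, and the window becomes 30 minutes; terminal 10.0.0.6 is then the only one that was active during the window without reaching the agent server. The window should be recomputed periodically from fresh baseline traffic, since an agent update that changes its heartbeat interval would otherwise produce a wave of false alarms.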
Preferably, the method further includes: detecting, according to the traffic information on the server network card, whether each terminal uses a proxy server for network communication.
Preferably, the method further includes:
sending a non-compliance alarm to each terminal that does not use a proxy server for network communication, prompting the user to use a proxy server for network communication so as to ensure network security.
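One way to recognise the proxy handshakes the Definitions section names (the HTTP "CONNECT" request with "Proxy-Connection"-style headers, and the SOCKS "Connect" packet carrying the destination address and port) and to turn them into the per-terminal verdict the step above requires, as an added example that is not the patent's own code. The patent does not say which SOCKS version it means, so both SOCKS4 (CD=1) and SOCKS5 (greeting followed by CMD=1) are handled. The intranet range 10.0.0.0/8, the list of approved proxies and the sample flows are assumptions constructed for the example. Only plaintext handshakes are visible on a mirror port: a client that speaks TLS to its proxy, or a transparent proxy inserted on the path, shows none of these signatures, and the port number alone (8080, 1080) is not evidence of proxy use.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")   # assumed intranet range; anything outside it is "external"
HTTP_CONNECT = re.compile(rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r\n")
ABS_URI_REQ = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS)[ \t]+http://([^/\s:]+)")
PROXY_HDR = re.compile(rb"^Proxy-(?:Connection|Authorization):", re.I | re.M)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_payloads: list = field(default_factory=list)   # client -> server segments, in order


def detect_proxy_handshake(flow):
    """(kind, (host, port)) when the flow opens with an explicit-proxy handshake, else None.
    Only plaintext handshakes are visible: a TLS-wrapped proxy connection or a transparent
    proxy shows none of these, and the port alone (8080, 1080, ...) proves nothing."""
    if not flow.client_payloads:
        return None
    p0 = flow.client_payloads[0]
    m = HTTP_CONNECT.match(p0)
    if m:                                            # HTTP CONNECT host:port; Proxy-* headers usually follow
        return "http-connect", (m.group(1).decode(), int(m.group(2)))
    m = ABS_URI_REQ.match(p0)
    if m and PROXY_HDR.search(p0):                   # plain HTTP via proxy: absolute URI plus a Proxy-* header
        return "http-absolute-uri", (m.group(1).decode(), 80)
    if len(p0) >= 9 and p0[0] == 4 and p0[1] == 1:  # SOCKS4: VN=4 CD=1 DSTPORT(2) DSTIP(4) USERID NUL
        return "socks4-connect", (".".join(str(b) for b in p0[4:8]), int.from_bytes(p0[2:4], "big"))
    # SOCKS5: greeting VER=5 NMETHODS METHODS..., then request VER=5 CMD=1 RSV=0 ATYP DST.ADDR DST.PORT
    if len(p0) >= 3 and p0[0] == 5 and len(p0) == 2 + p0[1] and len(flow.client_payloads) > 1:
        req = flow.client_payloads[1]
        if len(req) >= 7 and req[:3] == b"\x05\x01\x00":
            if req[3] == 1:                          # ATYP 1: IPv4
                host, off = ".".join(str(b) for b in req[4:8]), 8
            elif req[3] == 3:                        # ATYP 3: length-prefixed domain name
                host, off = req[5:5 + req[4]].decode(), 5 + req[4]
            else:                                    # ATYP 4: IPv6, not decoded in this example
                return "socks5-connect", None
            return "socks5-connect", (host, int.from_bytes(req[off:off + 2], "big"))
    return None


def proxy_compliance(flows, approved_proxies):
    """Per-terminal verdict from its flows. 'proxy': web traffic goes through an approved proxy
    with a proxy handshake; 'unapproved-proxy': a proxy handshake towards some other host;
    'direct': a flow to a host outside the intranet on 80/443 with no proxy handshake.
    approved_proxies is a set of (ip, port)."""
    verdict = {}
    for f in flows:
        kind = detect_proxy_handshake(f)
        if kind and (f.dst, f.dport) in approved_proxies:
            verdict.setdefault(f.src, "proxy")
        elif kind:
            verdict[f.src] = "unapproved-proxy"
        elif f.dport in (80, 443) and ip_address(f.dst) not in INTRANET:
            verdict[f.src] = "direct"                # one direct flow makes the terminal non-compliant
    return verdict


# Constructed sample flows (not captures from the patent).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.250", 8080, [
        b"CONNECT im.example.com:443 HTTP/1.1\r\nHost: im.example.com:443\r\n"
        b"Proxy-Connection: keep-alive\r\n\r\n"]),
    Flow("10.0.0.6", "10.0.0.251", 1080, [
        b"\x05\x01\x00",                                                  # greeting: one method, no auth
        b"\x05\x01\x00\x03" + bytes([14]) + b"im.example.com" + (443).to_bytes(2, "big")]),
    Flow("10.0.0.7", "203.0.113.9", 443, [b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"]),  # TLS ClientHello, direct
    Flow("10.0.0.8", "10.0.0.99", 1080, [b"\x04\x01" + (443).to_bytes(2, "big") + bytes([198, 51, 100, 7]) + b"user\x00"]),
]
APPROVED_PROXIES = {("10.0.0.250", 8080), ("10.0.0.251", 1080)}


def run_example():
    return proxy_compliance(SAMPLE_FLOWS, APPROVED_PROXIES)
```

The verdict deliberately distinguishes an unapproved proxy from no proxy at all: a terminal tunnelling through a SOCKS server it set up itself satisfies the literal "uses a proxy" test yet bypasses the gateway the policy exists to enforce, so it should raise an alarm rather than pass.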
Preferably, the method further includes: detecting whether each terminal has successfully logged in to the Active Directory domain.
Preferably, detecting whether each terminal has successfully logged in to the Active Directory domain includes:
obtaining the authentication packet the terminal sends to the domain controller;
obtaining the response packet the domain controller sends to the terminal for the authentication packet;
determining, from the information in the authentication packet and the information in the response packet, whether the terminal has successfully logged in to the Active Directory domain.
In a second aspect, an embodiment of the present application provides a network compliance detection apparatus, the apparatus including:
a mirroring unit, configured to mirror all traffic information generated by all terminals in the internal network to a designated server network card;
a detection unit, configured to detect, from the traffic information on the server network card, whether the specified software is installed on each terminal;
an alarm unit, configured to send a non-compliance alarm to any terminal on which the specified software is not installed, prompting the user to install the specified software.
Preferably, the detection unit is specifically configured to:
determine the software time window required for the terminal to communicate with the software server corresponding to the specified software;
when, within the software time window, the terminal produces no traffic to the software server, determine that the specified software is not installed on the terminal.
Preferably, the detection unit is further configured to:
count, for at least three terminals, the number of communication packets each of them sent to the software server within a first time length;
take the median of the resulting counts;
from the median, calculate the average number of communication packets a terminal sends to the software server per second time length;
when the average number is greater than a preset first value, determine the second time length as the software time window;
when the average number is less than the first value, determine as the software time window the product of the second time length and the smallest integer greater than the ratio of the first value to the average number.
Preferably, the detection unit is further specifically configured to:
detect, from the traffic information on the server network card, whether each of the terminals uses a proxy server for network communication.
Preferably, the alarm unit is further configured to:
send a non-compliance alarm to any terminal that does not use a proxy server for network communication, prompting the user to use a proxy server so as to keep the network secure.
Preferably, the detection unit is further configured to: detect whether each terminal has successfully logged on to the Active Directory domain.
Preferably, the detection unit is further configured to:
obtain the authentication packet sent by the terminal to the domain controller;
obtain the response packet sent by the domain controller to the terminal in reply to the authentication packet;
determine, from the information in the authentication packet and the information in the response packet, whether the terminal has successfully logged on to the Active Directory domain.
In a third aspect, an embodiment of the present application provides a computer device, including at least one processor, at least one memory, and computer program instructions stored in the memory which, when executed by the processor, implement the method of the first aspect of the above embodiments.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the method of the first aspect of the above embodiments.
The network compliance detection method, apparatus, device and medium provided by the embodiments of the present application use network data analysis to detect the asset security of terminals, risks that may exist in the internal network, external attack behaviour and terminal non-compliance. The detection is transparent to the terminal user; risks present on a terminal are detected and the terminal can be alerted, so as to keep the internal network secure.
The beneficial effects of the present application are:
1. No detection software needs to be installed on the terminal, which removes the dependence on terminal software being successfully deployed and running.
2. The detection is transparent to the managed terminals.
3. Terminals can be managed centrally on the server side.
4. The software and hardware configuration of the terminal can be disregarded.
5. Deployment is simple, detection coverage is wide and accuracy is high.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flowchart of the network compliance detection method provided by an embodiment of the present invention;
FIG. 2 is a block diagram of the network compliance detection apparatus provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of the hardware structure of the computer device provided by an embodiment of the present invention.
DETAILED DESCRIPTION
The invention is further illustrated below by specific embodiments. It should be understood that these embodiments serve only to describe the invention in more detail and are not to be construed as limiting it in any way.
Embodiment 1
With reference to FIG. 1, the network compliance detection method provided by this embodiment includes:
Step S1: mirroring all traffic information generated by all terminals in the internal network to a designated server network card;
Step S2: detecting, from the traffic information on the server network card, whether the specified software is installed on each terminal;
Step S3: sending a non-compliance alarm to any terminal on which the specified software is not installed, prompting the user to install the specified software.
The network compliance detection method provided by this embodiment detects terminal non-compliance through network data analysis. The detection is transparent to the terminal user; risks present on a terminal are detected and the terminal can be alerted, so as to keep the internal network secure.
Specifically, the method of this embodiment relies mainly on a pre-built network security prism system. On the switches of the internal network, all internal-network traffic is mirrored to the network card of the network security prism system server; the traffic arriving on that server network card is then captured and its data or features are parsed.
Preferably, detecting, from the traffic information on the server network card, whether the specified software is installed on each terminal includes:
determining the software time window required for the terminal to communicate with the software server corresponding to the specified software;
when, within the software time window, the terminal produces no traffic to the software server, determining that the specified software is not installed on the terminal.
Further preferably, determining the software time window required for the terminal to communicate with the software server corresponding to the specified software includes:
counting, for at least three terminals, the number of communication packets each of them sent to the software server within a first time length;
taking the median of the resulting counts;
from the median, calculating the average number of communication packets a terminal sends to the software server per second time length;
when the average number is greater than a preset first value, determining the second time length as the software time window;
when the average number is less than the first value, determining as the software time window the product of the second time length and the smallest integer greater than the ratio of the first value to the average number.
Specifically, in this embodiment all traffic within the enterprise internal network is recorded on the server network card. The software time window is used to decide whether a terminal has the specified software installed: once the window has been derived, a terminal is judged to have the software installed if it produces traffic to that software's server within the window, and not to have it installed if it produces none. The software time window is the communication interval between a terminal and the software server corresponding to the specified software.
Specifically, to obtain the software time window for the specified software, the server IP address and port of the software are defined first. Traffic over several days is then analysed and the number of communication packets each IP address exchanges with that software is recorded. The median of those counts is taken, and from it the average number of communication packets a source IP sends to the software server every 15 minutes is calculated. If that number is greater than 3, the software time window is set to 15 minutes; if it is less than 3, the smallest integer a greater than 3 divided by the packet count is taken and the software time window is set to a × 15 minutes.
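Worked example (added here; not code from the patent or from the applicant): the Python below implements the window derivation described above with the text's 15-minute interval and threshold of 3, then applies the window to constructed flow records for a hypothetical agent server at 10.1.1.10:8443. The addresses, counts and timestamps are invented for illustration. One refinement the text does not state is included: a terminal that produced no traffic at all during the window is treated as offline rather than non-compliant, so powered-off machines are not alarmed.

```python
import math
import statistics

# Parameters named as in the text: the preset "first value" (3 packets) and the
# "second time length" (15 minutes). The "first time length" is the baseline
# period and is passed in by the caller (the text analyses several days).
FIRST_VALUE = 3
SECOND_LENGTH_S = 15 * 60


def software_time_window(packet_counts, first_length_s,
                         first_value=FIRST_VALUE, second_length_s=SECOND_LENGTH_S):
    """Derive the software time window (seconds) from per-terminal packet counts.

    packet_counts: for at least three terminals, the number of packets each sent
    to the software server during the baseline period of first_length_s seconds.
    """
    if len(packet_counts) < 3:
        raise ValueError("the text requires counts from at least three terminals")
    median = statistics.median(packet_counts)
    # Average packets per interval, taken from the median so that one chatty or
    # one idle terminal cannot skew the baseline.
    intervals = first_length_s / second_length_s
    avg_per_interval = median / intervals
    if avg_per_interval > first_value:
        return second_length_s
    if avg_per_interval <= 0:
        raise ValueError("no baseline traffic to the software server was observed")
    # Smallest integer strictly greater than first_value / avg: the text says
    # "greater than", so an exact ratio of 2.0 yields a = 3, not 2. The text leaves
    # avg == first_value unspecified; it falls into this branch here.
    ratio = first_value / avg_per_interval
    a = math.floor(ratio) + 1
    return a * second_length_s


def terminals_missing_software(flows, server_ip, server_port, window_s, now_s):
    """Terminals active on the network within the last window_s seconds that sent
    nothing to (server_ip, server_port) in that time.

    flows: iterable of (epoch_s, src_ip, dst_ip, dst_port) from the mirrored traffic.
    Assumption added here (the text does not address idle or powered-off terminals):
    a terminal with no traffic at all inside the window gets no verdict.
    """
    last_any, last_server = {}, {}
    for ts, src, dst, dport in flows:
        last_any[src] = max(ts, last_any.get(src, ts))
        if dst == server_ip and dport == server_port:
            last_server[src] = max(ts, last_server.get(src, ts))
    cutoff = now_s - window_s
    return sorted(t for t, seen in last_any.items()
                  if seen >= cutoff and last_server.get(t, -1) < cutoff)


# Constructed sample data (not from the patent): per-terminal packet counts to the
# hypothetical agent server over a two-day baseline, and recent flow records.
BASELINE_COUNTS = [100, 120, 90, 2000, 80]
BASELINE_SECONDS = 2 * 86400
NOW = 100_000
SAMPLE_FLOWS = [
    (99_000, "10.0.0.1", "10.1.1.10", 8443),
    (98_000, "10.0.0.1", "10.1.1.20", 443),
    (90_000, "10.0.0.2", "10.1.1.10", 8443),  # last check-in 10000 s ago...
    (99_700, "10.0.0.2", "10.1.1.20", 443),   # ...but still active on the network
    (99_500, "10.0.0.3", "10.1.1.20", 443),   # never talks to the agent server
    (50_000, "10.0.0.4", "10.1.1.20", 443),   # silent for hours: offline, no verdict
]

if __name__ == "__main__":
    window = software_time_window(BASELINE_COUNTS, BASELINE_SECONDS)
    print("software time window:", window // 60, "minutes")
    print("non-compliant:", terminals_missing_software(SAMPLE_FLOWS, "10.1.1.10", 8443, window, NOW))
```

With these counts the median is 100 packets over 192 intervals, roughly 0.52 per interval, so a = 6 and the window is 90 minutes. The baseline must come from terminals known to have the software installed: if unmanaged terminals dominate the sample the median shrinks, the window stretches, and the check stops flagging anything.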
Further preferably, the method further includes: detecting, from the traffic information on the server network card, whether each terminal uses a proxy server for network communication.
In this embodiment, the detection of whether a terminal uses a proxy server relies on the following characteristic features of traffic to a proxy server:
1) HTTP proxy: commonly port 8080, using the HTTP protocol.
Before sending data, the terminal sends an HTTP request of the "CONNECT" type to the proxy server, telling the proxy the destination IP address and port the terminal wants to reach. The HTTP request also carries proxy-specific header fields such as "Proxy-Connection". An example is logging in to QQ through an HTTP proxy.
2) SOCKS proxy: commonly port 1080, using the SOCKS protocol.
Before sending data, the terminal sends a SOCKS packet of the "Connect" type to the proxy server, telling the proxy the destination IP address and port the terminal wants to reach. An example is logging in to QQ through a SOCKS proxy.
Further preferably, the method further includes:
sending a non-compliance alarm to any terminal that does not use a proxy server for network communication, prompting the user to use a proxy server so as to keep the network secure.
In this embodiment it should be noted that a proxy server (Proxy Server) retrieves network information on behalf of network users. It is a relay point for network information and behaves like a large cache, which can markedly improve browsing speed and efficiency. More importantly, a proxy server is an important security function provided by Internet link-level gateways; its main functions are circumventing the client's own IP access restrictions, improving access speed, and hiding the real IP address so as to protect it from attack.
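Worked example (added here; not code from the patent): Python that recognises the two handshakes described above, the HTTP CONNECT request with its Proxy-* headers and the SOCKS CONNECT request (SOCKS5 per RFC 1928, plus SOCKS4), in the client payload of each mirrored connection, and then lists the terminals that never went through a proxy. The payloads, addresses and ports are constructed for illustration. It matches on the handshake rather than on ports 8080 and 1080, so a proxy on another port is still recognised, while a direct TLS connection that bypasses the proxy is not mistaken for one.

```python
import re
import socket
import struct

# HTTP proxy: a CONNECT request line, usually followed by Proxy-* header fields.
HTTP_CONNECT_RE = re.compile(rb"^CONNECT[ \t]+(\S+):(\d+)[ \t]+HTTP/1\.[01]\r\n", re.IGNORECASE)


def parse_http_connect(payload):
    m = HTTP_CONNECT_RE.match(payload)
    if not m:
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip().lower().decode("latin-1"))
    return {"proxy": "http", "dst_host": m.group(1).decode("latin-1"),
            "dst_port": int(m.group(2)),
            "proxy_headers": sorted(n for n in names if n.startswith("proxy-"))}


def parse_socks5_request(payload):
    # RFC 1928 request: VER=5 CMD=1 (CONNECT) RSV=0 ATYP DST.ADDR DST.PORT.
    # The 3-byte method greeting that precedes it is too short to match here.
    if len(payload) < 7 or payload[0] != 5 or payload[1] != 1 or payload[2] != 0:
        return None
    atyp = payload[3]
    if atyp == 1 and len(payload) >= 10:
        host, off = socket.inet_ntoa(payload[4:8]), 8
    elif atyp == 3 and len(payload) >= 5 + payload[4] + 2:
        n = payload[4]
        host, off = payload[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 4 and len(payload) >= 22:
        host, off = socket.inet_ntop(socket.AF_INET6, payload[4:20]), 20
    else:
        return None
    return {"proxy": "socks5", "dst_host": host,
            "dst_port": struct.unpack("!H", payload[off:off + 2])[0]}


def parse_socks4_request(payload):
    # SOCKS4 request: VN=4 CD=1 (CONNECT) DSTPORT(2) DSTIP(4) USERID NUL
    if len(payload) < 9 or payload[0] != 4 or payload[1] != 1 or payload[-1] != 0:
        return None
    return {"proxy": "socks4", "dst_host": socket.inet_ntoa(payload[4:8]),
            "dst_port": struct.unpack("!H", payload[2:4])[0]}


def classify_proxy_payload(payload):
    """Describe the proxy handshake in payload, or return None if it is not one."""
    for parser in (parse_http_connect, parse_socks5_request, parse_socks4_request):
        result = parser(payload)
        if result:
            return result
    return None


def terminals_without_proxy(flows):
    """flows: (src_ip, dst_ip, dst_port, client_payload) per connection, where
    client_payload is the client's request segment (for SOCKS5, the CONNECT that
    follows the method greeting). Returns terminals that never issued a proxy
    CONNECT; per the text, these receive the non-compliance alarm.
    """
    seen, via_proxy = set(), set()
    for src, _dst, _dport, payload in flows:
        seen.add(src)
        if classify_proxy_payload(payload):
            via_proxy.add(src)
    return sorted(seen - via_proxy)


# Constructed sample payloads and flows (not captures from the patent).
HTTP_CONNECT_SAMPLE = (b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n"
                       b"Proxy-Connection: keep-alive\r\nUser-Agent: demo\r\n\r\n")
SOCKS5_CONNECT_SAMPLE = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"            # CONNECT example.com:443
SOCKS4_CONNECT_SAMPLE = b"\x04\x01\x01\xbb" + socket.inet_aton("93.184.216.34") + b"user\x00"
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"    # direct TLS, no proxy

SAMPLE_FLOWS = [
    ("10.0.0.1", "10.1.1.8", 8080, HTTP_CONNECT_SAMPLE),
    ("10.0.0.2", "10.1.1.9", 1080, SOCKS5_CONNECT_SAMPLE),
    ("10.0.0.3", "93.184.216.34", 443, TLS_CLIENT_HELLO_PREFIX),  # bypasses the proxy
    ("10.0.0.4", "10.1.1.9", 3128, SOCKS4_CONNECT_SAMPLE),        # proxy on a non-standard port
]

if __name__ == "__main__":
    for *_, payload in SAMPLE_FLOWS:
        print(classify_proxy_payload(payload))
    print("non-compliant (no proxy):", terminals_without_proxy(SAMPLE_FLOWS))
```

Two limits worth knowing before relying on this passively: if clients speak TLS to the proxy itself, the CONNECT is encrypted and only the destination address of the flow remains as evidence; and a terminal that used the proxy for one connection and went direct for the next is still counted as a proxy user, so per-connection reporting is needed to catch selective bypass.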
Preferably, the method further includes: detecting whether each terminal has successfully logged on to the Active Directory domain.
Further preferably, detecting whether each terminal has successfully logged on to the Active Directory domain includes:
obtaining the authentication packet sent by the terminal to the domain controller;
obtaining the response packet sent by the domain controller to the terminal in reply to the authentication packet;
determining, from the information in the authentication packet and the information in the response packet, whether the terminal has successfully logged on to the Active Directory domain.
In this embodiment, when logging on to an Active Directory (AD) domain, the terminal sends an authentication packet to the domain controller, and the authentication packet uses the Kerberos protocol. The details of the authentication packet can be viewed in Wireshark; once parsed, it yields information such as the user name and the domain name. This embodiment determines from the authentication packet and the response packet whether the terminal has successfully logged on to the Active Directory domain.
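Worked example (added here; not code from the patent): Python that decodes the Kerberos AS exchange the passage refers to, which is what Wireshark shows as AS-REQ, AS-REP and KRB-ERROR on port 88, extracts the client principal and realm from the AS-REQ, and pairs each request with the domain controller's reply to reach a per-terminal verdict. The DER helpers are minimal, and the sample PDUs are constructed and simplified (padata, ticket and enc-part are stubs), with invented addresses and realm. One detail the passage leaves out and a practitioner needs: with pre-authentication enabled, the first reply is KRB-ERROR 25 (KDC_ERR_PREAUTH_REQUIRED) and is not a failed logon; only the reply to the retried AS-REQ decides.

```python
# --- minimal DER helpers; the encoders are used only to build the sample PDUs ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body): return bytes([tag]) + _der_len(len(body)) + body
def ctx(n, body): return tlv(0xA0 | n, body)     # [n] EXPLICIT context-specific tag
def app(n, body): return tlv(0x60 | n, body)     # [APPLICATION n] tag
def seq(*items): return tlv(0x30, b"".join(items))
def integer(v): return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def gstring(s): return tlv(0x1B, s.encode("ascii"))   # KerberosString is a GeneralString
def principal(*names): return seq(ctx(0, integer(1)), ctx(1, seq(*(gstring(n) for n in names))))

def der_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out

def ctx_fields(seq_body):
    """{n: inner value} for a SEQUENCE made of [n] EXPLICIT fields."""
    return {tag & 0x1F: der_children(val)[0][1]
            for tag, val in der_children(seq_body) if tag & 0xC0 == 0x80}

def principal_name(pn_body):
    return "/".join(v.decode("ascii") for _, v in der_children(ctx_fields(pn_body)[1]))

# --- Kerberos message classification: AS-REQ [APPLICATION 10], AS-REP [11], KRB-ERROR [30] ---
def parse_kerberos(pdu):
    """Fields needed for the logon verdict, or None for anything that is not one of the
    three messages. Assumes UDP framing; Kerberos over TCP has a 4-byte length prefix."""
    try:
        tag, body, _ = der_tlv(pdu)
        if tag & 0xC0 != 0x40:
            return None
        f = ctx_fields(der_tlv(body)[1])
        msg = tag & 0x1F
        if msg == 10:                              # cname and realm live in req-body [4]
            rb = ctx_fields(f[4])
            return {"type": "AS-REQ", "cname": principal_name(rb[1]), "realm": rb[2].decode("ascii")}
        if msg == 11:                              # the KDC issued a TGT: the logon succeeded
            return {"type": "AS-REP", "cname": principal_name(f[4]), "realm": f[3].decode("ascii")}
        if msg == 30:
            return {"type": "KRB-ERROR", "error_code": int.from_bytes(f[6], "big", signed=True)}
    except (IndexError, KeyError, UnicodeDecodeError):
        pass                                        # not well-formed Kerberos
    return None

KDC_ERR_PREAUTH_REQUIRED = 25   # normal first answer to an AS-REQ that carries no pre-authentication

def domain_logon_status(packets):
    """packets: (src_ip, dst_ip, dst_port, kerberos_pdu) in capture order. Pairs each terminal's
    AS-REQ with the domain controller's reply to it. logged_on is True on AS-REP, False on a
    KRB-ERROR other than 25, and None when no reply was seen."""
    pending, verdicts = {}, {}
    for src, dst, dport, pdu in packets:
        msg = parse_kerberos(pdu)
        if msg is None:
            continue
        if msg["type"] == "AS-REQ" and dport == 88:
            pending[src] = msg
        elif msg["type"] in ("AS-REP", "KRB-ERROR") and dst in pending:
            if msg["type"] == "KRB-ERROR" and msg["error_code"] == KDC_ERR_PREAUTH_REQUIRED:
                continue                            # not a verdict: the client retries with PA-ENC-TIMESTAMP
            req, ok = pending.pop(dst), msg["type"] == "AS-REP"
            verdicts[dst] = {"user": req["cname"], "realm": req["realm"], "logged_on": ok,
                             "error_code": None if ok else msg["error_code"]}
    for term, req in pending.items():
        verdicts[term] = {"user": req["cname"], "realm": req["realm"], "logged_on": None, "error_code": None}
    return verdicts

# --- constructed sample exchange (simplified: padata, ticket and enc-part are stubs) ---
def as_req(user, realm):
    body = seq(ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x10")), ctx(1, principal(user)),
               ctx(2, gstring(realm)), ctx(3, principal("krbtgt", realm)))
    return app(10, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))

def as_rep(user, realm):
    ticket = app(1, seq(ctx(0, integer(5)), ctx(1, gstring(realm))))
    enc_part = seq(ctx(0, integer(18)), ctx(2, tlv(0x04, b"\x00" * 8)))
    return app(11, seq(ctx(0, integer(5)), ctx(1, integer(11)), ctx(3, gstring(realm)),
                       ctx(4, principal(user)), ctx(5, ticket), ctx(6, enc_part)))

def krb_error(code, realm):
    return app(30, seq(ctx(0, integer(5)), ctx(1, integer(30)), ctx(4, tlv(0x18, b"20180101000000Z")),
                       ctx(5, integer(0)), ctx(6, integer(code)), ctx(9, gstring(realm)),
                       ctx(10, principal("krbtgt", realm))))

DC, REALM = "10.1.1.5", "CORP.EXAMPLE"
SAMPLE_PACKETS = [
    ("10.0.0.11", DC, 88, as_req("alice", REALM)),
    (DC, "10.0.0.11", 50001, krb_error(25, REALM)),    # pre-authentication required
    ("10.0.0.11", DC, 88, as_req("alice", REALM)),     # retry (timestamp padata omitted here)
    (DC, "10.0.0.11", 50001, as_rep("alice", REALM)),  # TGT issued
    ("10.0.0.12", DC, 88, as_req("bob", REALM)),
    (DC, "10.0.0.12", 50002, krb_error(24, REALM)),    # KDC_ERR_PREAUTH_FAILED: wrong password
    ("10.0.0.13", DC, 88, as_req("carol", REALM)),     # no reply captured
]
```

Calling domain_logon_status(SAMPLE_PACKETS) reports 10.0.0.11 as logged on as alice, 10.0.0.12 as failed with error 24, and 10.0.0.13 as undecided. A terminal with a cached logon or an NTLM fallback produces no AS exchange at all and therefore gets no verdict from this check; for TCP transport, strip the 4-byte length prefix before calling parse_kerberos.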
Embodiment 2
With reference to FIG. 2, the network compliance detection apparatus provided by an embodiment of the present invention includes:
a mirroring unit 1, configured to mirror all traffic information generated by all terminals in the internal network to a designated server network card;
a detection unit 2, configured to detect, from the traffic information on the server network card, whether the specified software is installed on each terminal;
an alarm unit 3, configured to send a non-compliance alarm to any terminal on which the specified software is not installed, prompting the user to install the specified software.
The network compliance detection apparatus provided by this embodiment detects terminal non-compliance through network data analysis. The detection is transparent to the terminal user; risks present on a terminal are detected and the terminal can be alerted, so as to keep the internal network secure.
Specifically, this embodiment relies mainly on a pre-built network security prism system. On the switches of the internal network, all internal-network traffic is mirrored to the network card of the network security prism system server; the traffic arriving on that server network card is then captured and its data or features are parsed.
Preferably, the detection unit 2 is specifically configured to:
determine the software time window required for the terminal to communicate with the software server corresponding to the specified software;
when, within the software time window, the terminal produces no traffic to the software server, determine that the specified software is not installed on the terminal.
Further preferably, determining the software time window required for the terminal to communicate with the software server corresponding to the specified software includes:
counting, for at least three terminals, the number of communication packets each of them sent to the software server within a first time length;
taking the median of the resulting counts;
from the median, calculating the average number of communication packets a terminal sends to the software server per second time length;
when the average number is greater than a preset first value, determining the second time length as the software time window;
when the average number is less than the first value, determining as the software time window the product of the second time length and the smallest integer greater than the ratio of the first value to the average number.
Specifically, in this embodiment all traffic within the enterprise internal network is recorded on the server network card. The software time window is used to decide whether a terminal has the specified software installed: once the window has been derived, a terminal is judged to have the software installed if it produces traffic to that software's server within the window, and not to have it installed if it produces none. The software time window is the communication interval between a terminal and the software server corresponding to the specified software.
Specifically, to obtain the software time window for the specified software, the server IP address and port of the software are defined first. Traffic over several days is then analysed and the number of communication packets each IP address exchanges with that software is recorded. The median of those counts is taken, and from it the average number of communication packets a source IP sends to the software server every 15 minutes is calculated. If that number is greater than 3, the software time window is set to 15 minutes; if it is less than 3, the smallest integer a greater than 3 divided by the packet count is taken and the software time window is set to a × 15 minutes.
Further preferably, the detection unit 2 is further specifically configured to: detect, from the traffic information on the server network card, whether each terminal uses a proxy server for network communication.
In this embodiment, the detection of whether a terminal uses a proxy server relies on the following characteristic features of traffic to a proxy server:
1) HTTP proxy: commonly port 8080, using the HTTP protocol.
Before sending data, the terminal sends an HTTP request of the "CONNECT" type to the proxy server, telling the proxy the destination IP address and port the terminal wants to reach. The HTTP request also carries proxy-specific header fields such as "Proxy-Connection". An example is logging in to QQ through an HTTP proxy.
2) SOCKS proxy: commonly port 1080, using the SOCKS protocol.
Before sending data, the terminal sends a SOCKS packet of the "Connect" type to the proxy server, telling the proxy the destination IP address and port the terminal wants to reach. An example is logging in to QQ through a SOCKS proxy.
Further preferably, the alarm unit 3 is further specifically configured to:
send a non-compliance alarm to any terminal that does not use a proxy server for network communication, prompting the user to use a proxy server so as to keep the network secure.
In this embodiment it should be noted that a proxy server (Proxy Server) retrieves network information on behalf of network users. It is a relay point for network information and behaves like a large cache, which can markedly improve browsing speed and efficiency. More importantly, a proxy server is an important security function provided by Internet link-level gateways; its main functions are circumventing the client's own IP access restrictions, improving access speed, and hiding the real IP address so as to protect it from attack.
Preferably, the detection unit 2 is further specifically configured to: detect whether each terminal has successfully logged on to the Active Directory domain.
Further preferably, the detection unit 2 is further configured to:
obtain the authentication packet sent by the terminal to the domain controller;
obtain the response packet sent by the domain controller to the terminal in reply to the authentication packet;
determine, from the information in the authentication packet and the information in the response packet, whether the terminal has successfully logged on to the Active Directory domain.
In this embodiment, when logging on to an Active Directory (AD) domain, the terminal sends an authentication packet to the domain controller, and the authentication packet uses the Kerberos protocol. The details of the authentication packet can be viewed in Wireshark; once parsed, it yields information such as the user name and the domain name. This embodiment determines from the authentication packet and the response packet whether the terminal has successfully logged on to the Active Directory domain.
Embodiment 3
The network compliance detection method of the embodiments of the present invention described above can be implemented by a computer device, described here with reference to FIG. 3. FIG. 3 is a schematic diagram of the hardware structure of a computer device provided by an embodiment of the present invention.
The computer device implementing the network compliance detection method may include a processor 401 and a memory 402 storing computer program instructions.
Specifically, the processor 401 may include a central processing unit (CPU), or an application-specific integrated circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present invention.
The memory 402 may include mass storage for data or instructions. By way of example and not limitation, the memory 402 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, the memory 402 may include removable or non-removable (or fixed) media. Where appropriate, the memory 402 may be internal or external to the data processing apparatus. In particular embodiments, the memory 402 is non-volatile solid-state memory. In particular embodiments, the memory 402 includes read-only memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM) or flash memory, or a combination of two or more of these.
The processor 401 reads and executes the computer program instructions stored in the memory 402 to implement any one of the network compliance detection methods of the above embodiments.
In one example, the computer device may further include a communication interface 403 and a bus 410. As shown in FIG. 3, the processor 401, the memory 402 and the communication interface 403 are connected by the bus 410 and communicate with one another over it.
The communication interface 403 is mainly used to implement communication between the modules, apparatuses, units and/or devices in the embodiments of the present invention.
The bus 410 includes hardware, software or both, and couples the components of the computer device to one another. By way of example and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Extended Industry Standard Architecture (EISA) bus, a front-side bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local (VLB) bus, or another suitable bus, or a combination of two or more of these. Where appropriate, the bus 410 may include one or more buses. Although embodiments of the present invention describe and illustrate particular buses, the present invention contemplates any suitable bus or interconnect.
Embodiment 4
In addition, in conjunction with the network compliance detection method of the above embodiments, an embodiment of the present invention may be implemented by providing a computer-readable storage medium. The computer-readable storage medium stores computer program instructions which, when executed by a processor, implement any one of the network compliance detection methods of the above embodiments.
It should be made clear that the present invention is not limited to the particular configurations and processes described above and shown in the figures. For brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. The method of the present invention, however, is not limited to the specific steps described and shown; those skilled in the art, having grasped the spirit of the invention, may make various changes, modifications and additions, or change the order of the steps.
The functional blocks shown in the block diagrams described above may be implemented as hardware, software, firmware or a combination thereof. When implemented in hardware, they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), suitable firmware, plug-ins, function cards and so on. When implemented in software, the elements of the present invention are programs or code segments used to perform the required tasks. The programs or code segments may be stored in a machine-readable medium or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical discs, hard disks, fibre-optic media, radio frequency (RF) links and so on. The code segments may be downloaded via a computer network such as the Internet or an intranet.
It should also be noted that the exemplary embodiments mentioned in the present invention describe some methods or systems on the basis of a series of steps or apparatuses. The present invention, however, is not limited to the order of the above steps; that is, the steps may be performed in the order mentioned in the embodiments, in a different order, or several steps may be performed simultaneously.
The foregoing is only a specific embodiment of the present invention. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above can be found in the corresponding processes of the foregoing method embodiments and are not repeated here. It should be understood that the scope of protection of the present invention is not limited thereto; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and such modifications or substitutions shall fall within the scope of protection of the present invention.
Although the present invention has been described to a certain degree, it is evident that appropriate changes in the various conditions can be made without departing from the spirit and scope of the invention. It is to be understood that the invention is not limited to the described embodiments but extends to the scope of the claims, which includes equivalent substitutions for each of the elements described.

Claims (16)

  1. A network compliance detection method, characterized in that the method comprises:
    mirroring all traffic information generated by all terminals in the internal network to a designated server network card;
    detecting, according to the traffic information on the server network card, whether the designated software is installed on each of the terminals;
    sending a non-compliance alert to each terminal on which the designated software is not installed, to prompt the user to install the designated software.
  2. The network compliance detection method according to claim 1, characterized in that detecting, according to the traffic information on the server network card, whether the designated software is installed on each of the terminals comprises:
    determining the software time window required for the terminal to communicate with the software server corresponding to the designated software;
    when the terminal generates no traffic communicating with the software server within the software time window, determining that the designated software is not installed on the terminal.
  3. The network compliance detection method according to claim 2, characterized in that determining the software time window required for the terminal to communicate with the software server corresponding to the designated software comprises:
    counting, for at least three of the terminals, the number of communication packets each sends to the software server within a first time length;
    taking the median of the multiple count values;
    calculating, from the median, the average number of communication packets the terminal sends to the software server per interval of a second time length;
    when the average number is greater than a preset first value, determining the second time length as the software time window;
    when the average number is less than the first value, determining as the software time window the product of the second time length and the smallest integer greater than the ratio of the first value to the average number.
  4. The network compliance detection method according to claim 1, characterized in that the method further comprises: detecting, according to the traffic information on the server network card, whether each of the terminals uses a proxy server for network communication.
  5. The network compliance detection method according to claim 4, characterized in that the method further comprises:
    sending a non-compliance alert to each terminal that does not use the proxy server for network communication, to prompt the user to use the proxy server for network communication and so ensure network security.
  6. The network compliance detection method according to claim 1, characterized in that the method further comprises: detecting whether each of the terminals has successfully logged in to the Active Directory domain.
  7. The network compliance detection method according to claim 6, characterized in that detecting whether each of the terminals has successfully logged in to the Active Directory domain comprises:
    obtaining the authentication packet sent by the terminal to the domain controller;
    obtaining the response packet sent by the domain controller to the terminal in reply to the authentication packet;
    determining, from the information in the authentication packet and the information in the response packet, whether the terminal has successfully logged in to the Active Directory domain.
  8. A network compliance detection apparatus, characterized in that it comprises:
    a mirroring unit, configured to mirror all traffic information generated by all terminals in the internal network to a designated server network card;
    a detection unit, configured to detect, according to the traffic information on the server network card, whether the designated software is installed on each of the terminals;
    an alert unit, configured to send a non-compliance alert to each terminal on which the designated software is not installed, to prompt the user to install the designated software.
  9. The network compliance monitoring apparatus according to claim 8, characterized in that the detection unit is specifically configured to:
    determine the software time window required for the terminal to communicate with the software server corresponding to the designated software;
    when the terminal generates no traffic communicating with the software server within the software time window, determine that the designated software is not installed on the terminal.
  10. The network compliance monitoring apparatus according to claim 9, characterized in that the detection unit is further configured to:
    count, for at least three terminals, the number of communication packets each sends to the software server within a first time length;
    take the median of the multiple count values;
    calculate, from the median, the average number of communication packets the terminal sends to the software server per interval of a second time length;
    when the average number is greater than a preset first value, determine the second time length as the software time window;
    when the average number is less than the first value, determine as the software time window the product of the second time length and the smallest integer greater than the ratio of the first value to the average number.
  11. The network compliance monitoring apparatus according to claim 8, characterized in that the detection unit is further specifically configured to:
    detect, according to the traffic information on the server network card, whether each of the terminals uses a proxy server for network communication.
  12. The network compliance monitoring apparatus according to claim 11, characterized in that the alert unit is further configured to:
    send a non-compliance alert to each terminal that does not use the proxy server for network communication, to prompt the user to use the proxy server for network communication and so ensure network security.
  13. The network compliance monitoring apparatus according to claim 12, characterized in that the detection unit is further configured to: detect whether each terminal has successfully logged in to the Active Directory domain.
  14. The network compliance monitoring apparatus according to claim 13, characterized in that the detection unit is further configured to:
    obtain the authentication packet sent by the terminal to the domain controller;
    obtain the response packet sent by the domain controller to the terminal in reply to the authentication packet;
    determine, from the information in the authentication packet and the information in the response packet, whether the terminal has successfully logged in to the Active Directory domain.
  15. A computer device, characterized in that it comprises: at least one processor, at least one memory, and computer program instructions stored in the memory which, when executed by the processor, implement the method according to any one of claims 1-7.
  16. A computer-readable storage medium having computer program instructions stored thereon, characterized in that, when the computer program instructions are executed by a processor, the method according to any one of claims 1-7 is implemented.
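As an added worked example (not code from the patent or its applicant), the following Python implements the software time window derivation of claim 3 and the per-terminal presence check of claim 2 over a constructed set of mirrored-traffic records; the server address, terminal identifiers, time lengths and the preset first value are all assumptions.

```python
import math
from collections import defaultdict
from statistics import median

# Constructed mirrored-traffic records: (timestamp in seconds, source terminal, destination IP).
# Terminals A, B and C talk to the assumed software server at regular intervals;
# terminal D only ever talks to an unrelated host. All values are made up for this example.
SOFTWARE_SERVER = "10.0.0.50"   # assumed address of the designated software's server
TERMINALS = ["A", "B", "C", "D"]
RECORDS = []
for _src, _period in (("A", 20), ("B", 30), ("C", 15)):
    RECORDS += [(t, _src, SOFTWARE_SERVER) for t in range(0, 600, _period)]
RECORDS += [(t, "D", "10.0.0.99") for t in range(0, 600, 60)]


def count_packets(records, server, t_start, t1):
    """Per-terminal count of packets sent to `server` within the first time length t1 (claim 3, step 1)."""
    counts = defaultdict(int)
    for ts, src, dst in records:
        if dst == server and t_start <= ts < t_start + t1:
            counts[src] += 1
    return dict(counts)


def software_time_window(counts, t1, t2, first_value):
    """Derive the software time window from the per-terminal counts (claim 3, steps 2-5).

    t1: first time length over which the counts were taken; t2: second time length (the
    candidate window); first_value: the preset minimum number of packets per window.
    """
    if len(counts) < 3:
        raise ValueError("claim 3 needs counts from at least three terminals")
    m = median(counts.values())
    avg = m * t2 / t1                      # average packets per interval of length t2
    if avg == 0:
        # Nobody talked to the server: there is no baseline, so no window can be derived.
        raise ValueError("no baseline traffic to the software server")
    if avg > first_value:
        return t2
    # Smallest integer strictly greater than first_value / avg, multiplied by t2.
    k = math.floor(first_value / avg) + 1
    return k * t2


def non_compliant_terminals(records, terminals, server, t_start, window):
    """Terminals with no traffic to `server` inside the window are reported (claim 2)."""
    seen = {src for ts, src, dst in records
            if dst == server and t_start <= ts < t_start + window}
    return sorted(set(terminals) - seen)


def detect(records, terminals, server, t_start=0, t1=600, t2=60, first_value=5):
    """Run the whole check and return (software time window, non-compliant terminals)."""
    counts = count_packets(records, server, t_start, t1)
    window = software_time_window(counts, t1, t2, first_value)
    return window, non_compliant_terminals(records, terminals, server, t_start, window)


if __name__ == "__main__":
    window, flagged = detect(RECORDS, TERMINALS, SOFTWARE_SERVER)
    print(f"software time window: {window}s, non-compliant: {flagged}")
```

A terminal that is merely switched off or idle during the window produces the same absence of traffic as one without the software, so the alert is a prompt to verify, as claim 1 states, not proof that the software is missing.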
Application PCT/CN2018/096108 (priority date 2018-01-15, filing date 2018-07-18): Method for detecting network compliance, apparatus, device and medium, published as WO2019136954A1 (en)

Applications Claiming Priority (2)

CN201810035882.3A, published as CN108322452A (en): priority date 2018-01-15, filing date 2018-01-15, title "Network closes rule detection method, device, equipment and medium"
CN201810035882.3: priority date 2018-01-15

Publications (1)

WO2019136954A1 (en): publication date 2019-07-18

Family

ID=62894588

Family Applications (1)

PCT/CN2018/096108, published as WO2019136954A1 (en): priority date 2018-01-15, filing date 2018-07-18, title "Method for detecting network compliance, apparatus, device and medium"

Country Status (2)

CN: CN108322452A (en)
WO: WO2019136954A1 (en)

Also Published As

CN108322452A (en): publication date 2018-07-24

Legal Events

121 EP: the EPO has been informed by WIPO that EP was designated in this application (ref document number 18899868, country EP, kind code A1)

NENP: non-entry into the national phase (ref country code DE)

32PN EP: public notification in the EP bulletin as the address of the addressee cannot be established. Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 18.11.2020)

122 EP: PCT application non-entry in the European phase (ref document number 18899868, country EP, kind code A1)