WO2021008028A1 - Procédé de traçage de et de protection contre une source d'attaque de réseau, dispositif de électronique et support de stockage informatique - Google Patents

Procédé de traçage de et de protection contre une source d'attaque de réseau, dispositif de électronique et support de stockage informatique Download PDF

Info

Publication number
WO2021008028A1
WO2021008028A1 PCT/CN2019/117165 CN2019117165W WO2021008028A1 WO 2021008028 A1 WO2021008028 A1 WO 2021008028A1 CN 2019117165 W CN2019117165 W CN 2019117165W WO 2021008028 A1 WO2021008028 A1 WO 2021008028A1
Authority
WO
WIPO (PCT)
Prior art keywords
target
network
data
protection
attack
Prior art date
Application number
PCT/CN2019/117165
Other languages
English (en)
Chinese (zh)
Inventor
刘建华
文莉
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2021008028A1 publication Critical patent/WO2021008028A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146Tracing the source of attacks

Definitions

  • This application relates to the field of computer technology, in particular to a method for locating and protecting a network attack source, electronic equipment and computer storage media.
  • the embodiments of the present application provide a method for locating and protecting a network attack source, electronic equipment, and computer storage medium, which involve network security monitoring technology, which can accurately identify the source address of a real attack node, and use targeted protection strategies for network security protection.
  • the embodiments of the present application provide a method for locating and protecting a network attack source, the method including:
  • the determining the attack node included in the alarm log data includes:
  • the method further includes:
  • the method further includes:
  • An interception record of the transmission data is generated, the interception record includes the sender of the transmission data, the receiver of the transmission data, the transmission time of the transmission data, and the data type of the transmission data.
  • the method further includes:
  • the method further includes:
  • the network source address is a physical network card address.
  • an embodiment of the present application provides an electronic device, including: a monitoring module, an acquisition module, a determination module, an analysis module, and a protection module, wherein:
  • the monitoring module is configured to monitor network status data according to preset network status judgment rules to determine the target network status, the network status data includes traffic status data, and the determining the target network status includes:
  • the obtaining module is configured to obtain alarm log data if the target network state is in the abnormal traffic state; the determining module is configured to determine the attacking node contained in the alarm log data;
  • the analysis module is configured to determine the target source address corresponding to the attacking node from a set of network source addresses
  • the protection module is configured to determine the target attack source label corresponding to the target source address according to the correspondence between the preset address and the attack source label, and obtain the target according to the mapping relationship between the preset attack source label and the protection strategy The protection strategy corresponding to the attack source tag, and execute the acquired protection strategy.
  • an embodiment of the present application also provides an electronic device, including a processor, an input device, an output device, and a memory.
  • the processor, input device, output device, and memory are connected to each other, wherein the memory is used for A computer program is stored, the computer program includes program instructions, and the processor is configured to invoke the program instructions to execute the method described in the first aspect and any one of its possible implementation manners.
  • an embodiment of the present application provides a computer non-volatile readable storage medium, the computer non-volatile readable storage medium stores a computer program, the computer program includes program instructions, and the program instructions When executed by a processor, the processor is caused to execute the method of the foregoing first aspect and any one of its possible implementation manners.
  • the embodiment of the present application can accurately identify the source address of the real attacking node, and then use a targeted protection strategy for protection, thereby improving network security.
  • FIG. 1 is a schematic flowchart of a method for locating and protecting a network attack source provided by an embodiment of the present application
  • FIG. 2 is a schematic flowchart of a method for locating and protecting a network attack source according to another embodiment of the present application
  • FIG. 3 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • Fig. 4 is a schematic structural diagram of another electronic device provided by an embodiment of the present application.
  • the term “if” can be interpreted as “when” or “once” or “in response to determination” or “in response to detection” depending on the context .
  • the phrase “if determined” or “if detected [described condition or event]” can be interpreted as meaning “once determined” or “response to determination” or “once detected [described condition or event]” depending on the context ]” or “in response to detection of [condition or event described]”.
  • the electronic devices mentioned in the embodiments of the present application may include terminal devices.
  • the foregoing terminal devices are devices that can communicate with a server.
  • the foregoing servers are also called servers, which are devices that provide computing services and may allow multiple terminal devices to access.
  • the above-mentioned terminal equipment may be a computer or a mobile terminal, including various handheld devices with wireless communication functions, wearable devices, computing devices or other processing equipment connected to a wireless modem, and various forms of user equipment (UE) , Mobile Station (MS) and so on.
  • UE user equipment
  • MS Mobile Station
  • FIG. 1 is a schematic flowchart of a method for locating and protecting a network attack source according to an embodiment of the present application. As shown in FIG. 1, the method may include:
  • the aforementioned network status data includes flow status data, and the aforementioned determination of the target network status includes:
  • the above-mentioned traffic status data is data describing network traffic conditions, which can come from monitoring software or programs in electronic devices, or from a background monitoring process or independent monitoring plug-ins for each website.
  • IP address in this embodiment of the application is translated into an Internet Protocol address, which is a digital label assigned to an Internet Protocol (IP) device used by a user to surf the Internet.
  • IP Internet Protocol
  • IP attacker and attack source location refers to when a network attack (such as DDoS) occurs or after the attack is completed, the attack path is identified based on the existing information and the attack originating location is found.
  • the difficulty of attack source tracking and location technology is that it is difficult to accurately locate, because most of the source addresses of attack packets are randomly generated pseudo addresses. According to the structure of the attacking network and the gradual improvement of accuracy, it can be divided into positioning to launch an attack.
  • the aforementioned network status data is data describing network conditions, which can come from monitoring software or programs in electronic devices, or from a background monitoring process or independent monitoring plug-ins for each website.
  • the above electronic device may be a node in a local area network or a blockchain network.
  • the electronic device may store the above-mentioned preset network state judgment rules.
  • the above-mentioned preset network state judgment rules may include network parameters or indicators in different network states, which may specifically be the corresponding relationship between the network state and the network parameter, that is, through the above monitoring According to the network parameters in the network status data, the current network status can be judged based on the above-mentioned preset network status judgment rules, and the target network status corresponding to the monitored network status data can be determined, that is, the current network status.
  • the electronic device may store the above-mentioned preset flow monitoring rules, and the above-mentioned preset flow monitoring rules may include network flow parameters or indicators in different flow states (including the above-mentioned abnormal flow states), which may specifically be the correspondence between the flow state and the flow parameter Relationship, that is, through the flow parameters in the above-mentioned monitored flow status data, based on the above-mentioned preset flow monitoring rules, the current network flow status can be judged, and it can be determined whether the state corresponding to the monitored flow status data is the above-mentioned abnormal flow state . For example, at a certain moment, the flow of a certain data stream in an electronic device suddenly increases above the abnormal threshold preset for the data stream, and it can be judged that it is in a state of abnormal flow.
  • the network status data can also be monitored in other ways, and other abnormal conditions can be found.
  • the abnormal state may be a network state in a preset network state judgment rule.
  • the network state may include a normal state or at least one abnormal state, and step 102 may be executed when the abnormal state is detected.
  • step 102 can be executed.
  • the foregoing step of monitoring network status data may be performed periodically, and the foregoing step 101 may also be performed periodically to detect changes in the network environment in time.
  • the above-mentioned alarm log data mainly refers to the attack alarm log data on the network.
  • the electronic device can periodically collect the above-mentioned alarm log data of the website connected to the network environment.
  • the above-mentioned alarm log data may be generated by the network intrusion detection device in the network according to the network The offensive behaviors are formed and transmitted.
  • the above-mentioned network status data may include the above-mentioned alarm log data, which may come from a monitoring program that comes with the system or other network security protection software.
  • the attacking node can be determined according to the above-mentioned alarm log data ( Attacking node IP).
  • the above-mentioned alarm log data may include the identification of the node where the above-mentioned attack occurred, that is, the attacking node may be determined through the alarm log data.
  • the target field of the alarm log data may be extracted according to the preset field identifier, and the target field may be determined as the attack node IP. That is, the IP of the attacking node in the network can be determined by analyzing the specific field of the alarm log data, and the field corresponding to the preset field identifier can be extracted by the method of keyword extraction, that is, the target field mentioned above, and the information of the attacking node can be obtained to determine Attack the node.
  • the above-mentioned extracted target field may be an attacking node identification, such as attacking node address (in this case, a virtual address), attacking node name, etc., which is not limited in the embodiment of the present application.
  • the method of monitoring the abnormal state of the traffic mentioned in this application can be understood as filtering the traffic by tracing the attack source to obtain the characteristics of the attack packet.
  • You can also contact the Internet Service Provider (Internet Service Provider). , ISP) for help.
  • ISP Internet Service Provider
  • the aforementioned network source address may be a physical network card address.
  • strict identity management can be performed on each electronic device (terminal device), the real MAC address and the real IP are one-to-one correspondence, and the local data can be immunized through the immune driver to form a patrol
  • the immune solution can solve the problem of terminal detection and management under secondary routing, IP-MAC complete cloning, and control of terminal identity from system to packet, and other problems that cannot be solved or incompletely solved, and can further improve network protection performance.
  • the physical network card address in the embodiment of this application may be a media access control address (Media Access Control Address, MAC address), also called a local area network address (LAN Address), Ethernet address (Ethernet Address) or physical address (Physical Address), It is an address used to confirm the location of an online device.
  • Media Access Control Address Media Access Control Address
  • MAC address also called a local area network address (LAN Address), Ethernet address (Ethernet Address) or physical address (Physical Address)
  • LAN Address local area network address
  • Ethernet address Ethernet Address
  • Physical Address Physical Address
  • the MAC address is used to uniquely identify a network card in the network. If a device has one or more network cards, each network card needs and has a unique MAC address.
  • the electronic device may store a network source address set containing multiple network source addresses, which may be in the form of multiple network source address information tables, or the information table may be obtained in the network.
  • the source IP address of the attacking node can be determined by detecting the MAC address, that is, the target source address mentioned above.
  • Address Resolution Protocol is a TCP/IP protocol that obtains physical addresses based on IP addresses.
  • the device When the device sends information, it broadcasts the ARP request containing the target IP address to all devices on the network, and receives the return message to determine the physical address of the target; after receiving the return message, the IP address and physical address are stored in the local ARP It is kept in the cache for a certain period of time, and the ARP cache is directly queried when requested next time to save resources.
  • the address resolution protocol is based on the mutual trust of all devices in the network.
  • the devices on the network can independently send ARP response messages. When other devices receive the response message, they will not detect the authenticity of the message and will record it.
  • the attacking node can send a fake ARP response message to a certain device, so that the information sent cannot reach the expected device or the wrong device, which constitutes an ARP spoofing.
  • the above-mentioned ARP command can be used to query the correspondence between the IP address and the MAC address in the ARP cache of the electronic device, and can also add or delete static correspondence, etc., to facilitate address management and attack protection for the electronic device.
  • device A For example, suppose that there are two devices A and B in a local area network. Device A only knows the IP of device B but not its MAC address. Now, device A wants to communicate with device B. According to the OSI seven-layer model, when the data is encapsulated in the data link layer (ie, MAC layer), it will send an ARP request packet to all devices in the LAN. When B receives the request It will return an ARP response packet to A (with driver support in the middle) and tell B its MAC address so that both parties can continue data transmission. And if in the process of requesting and responding, there is a device C in the LAN with the same IP as A, then an IP conflict box will pop up. When this situation increases, it will constitute a LAN attack, causing the computer to be unable to communicate with the normal network, and it will become an ARP denial of service attack.
  • the data link layer ie, MAC layer
  • users of electronic devices can manually operate: enter ipconfig under cmd, find the default gateway, and then use the ARP-a command to find the physical address corresponding to the default gateway IP and copy it. When the network is normal, this is the correct address of the gateway. If it is attacked again, the network will be disconnected for virus detection.
  • preset programs and rules can be directly called through programming, based on the binding relationship between MAC and IP. The attack source is located for network protection.
  • the internal network device For the internal network environment, you can directly record the MAC address of the internal network device in the NAT table of the gateway to achieve the "innate immunity" of the gateway, and the internal network device needs to install an Internet driver. After installation, the driver will work on each device In the network card protocol stack, that is to say, the above-mentioned electronic devices can be managed for the network card of each device, but the MAC address of the gateway that controls the network card of each device is controlled, the number of accepted protocols is controlled, the suspected DDOS attack is locked, and the network is immune It works for the intranet switching network, which is equivalent to filling in the loopholes in the Ethernet protocol.
  • the embodiments of the application may include timely warnings of virus attacks and abnormal behaviors of all terminals in the internal network, real-time display, statistics and status evaluation of the bandwidth of the internal and external networks, network monitoring can realize remote operations, such as sending network monitoring reports to user terminals .
  • step 104 After determining the target source address corresponding to the attack node, step 104 may be executed.
  • the attack source tag and protection strategy can be preset, and the mapping relationship between the preset attack source tag and the protection strategy can be preset.
  • the attack type of the attack source can be determined through the above target source address, that is, the target attack source label can be determined in the above attack source label .
  • the correspondence relationship between the aforementioned preset address and the attack source tag may be stored, and it may be the correspondence relationship between the preset address interval and the attack source tag.
  • the target source may be determined according to the correspondence relationship.
  • the attack source label corresponding to the address is the target attack source label.
  • the protection strategy of the target attack source label is determined, and then the determined protection strategy is implemented for network protection, which can protect the target attack source in a targeted manner.
  • the attack source label can be divided according to the above attack types to determine the target attack
  • the protection strategy of the target attack source tag can be determined and activated, and the attack source can be protected in a targeted manner.
  • the system can update and modify the classification methods and protection strategies of the above attack source tags at any time.
  • the aforementioned protection strategy may be implemented by calling a pre-stored protection program.
  • the embodiment of the application determines the target network status by monitoring network status data according to preset network status judgment rules.
  • the network status data includes traffic status data.
  • the determining of the target network status includes: determining according to the traffic status data and the preset traffic monitoring rules. Whether it is in a traffic abnormal state, if it is, obtain the alarm log data, determine the attack node contained in the above alarm log data, and determine the target source address corresponding to the attack node from the network source address set, according to the preset address and the attack source tag Correspondence, determine the target attack source tag corresponding to the target source address, obtain the protection strategy corresponding to the target attack source tag according to the preset mapping relationship between the attack source tag and the protection strategy, and execute the protection strategy obtained above.
  • Monitoring the network status, and then analyzing various data to further determine the source of the attack you can more accurately identify the source address of the real attacking node, and then use a targeted protection strategy for protection, which improves network security.
  • FIG. 2 is a schematic flowchart of another method for locating and protecting a network attack source provided by an embodiment of the present application.
  • the embodiment shown in FIG. 2 may be obtained on the basis of the embodiment shown in FIG. 1, as The method shown in Figure 2 may include:
  • step 201 reference may be made to the specific description of step 10 in the embodiment shown in FIG. 1, which will not be repeated here.
  • the data type of the transmission data is a target data type
  • the target data type is a data type that is allowed to be transmitted between the sender of the transmission data and the receiver of the transmission data
  • the transmission data does not meet the preset data parameters, and the transmission data can be intercepted. If yes, the above-mentioned transmission data meets the above-mentioned preset data parameters, and the interception may not be performed, or the current transmission may continue to be monitored.
  • a preset firewall interception mechanism can be triggered to intercept data, or a data interception tool can be invoked to intercept the above-mentioned transmission data.
  • the method may further include:
  • the interception record of the transmission data is generated.
  • the interception record may include the sender of the transmission data, the receiver of the transmission data, the transmission time of the transmission data, and the data type of the transmission data.
  • the above-mentioned preset data parameters may be stored in the electronic device, which can be understood as a condition that restricts data transmission between the electronic device and other devices.
  • the above-mentioned preset data parameter may be a preset data format, data encryption method or data type.
  • the electronic device can detect the data type of the above transmission data.
  • node roles can be assigned to different devices in advance, similar to distributed system management, which restricts the type of information sent and received by the device, and only allows the device to transmit data types that match its own identity.
  • forged data can be intercepted and recorded in the network monitoring report, which is convenient for viewing data transmission problems and formulating network protection strategies.
  • step 202 to 204 reference may be made to the specific descriptions in step 102 to step 104 in the embodiment shown in FIG. 1 respectively, which will not be repeated here.
  • the attack source can be grouped by the aforementioned target source address.
  • the electronic device can obtain the network protection device information in the network, which includes the IP address of the aforementioned network protection device.
  • the electronic device can also store the aforementioned preset protection allocation rules, which can specifically be the corresponding relationship between the source address field and the network protection device, that is, based on the specific field of the target source address, the target network protection for the attack source can be determined equipment.
  • the network protection equipment of each group of attack sources can be determined separately, for example, it can be specifically allocated according to the network address field to realize grouping protection.
  • step 206 may be executed.
  • the protection instruction can be generated.
  • the protection instruction can include the attack source information and the acquired protection strategy.
  • the target network protection device can receive and respond to the protection instruction, and then execute the acquisition.
  • the protection strategy of the network protects the network to ensure network security.
  • the attack source information including the target source address may also be generated, and the attack source information may be sent to a preset server.
  • the above-mentioned preset server may be stored in the electronic device. After locating the attack source, it may also generate attack source information including the target source address, and broadcast the attack source information to the above-mentioned preset server, so that other servers can timely Know the attack source information and implement protection strategies.
  • the received attack source data packet packets are filtered, which can effectively suppress network attacks from the source.
  • the security of the network can be further improved by using the physical network card address.
  • the application group defense group control function can also be introduced for the internal network.
  • Each immune driver has the ability to perceive illegal access and attack behaviors of other devices in the same network segment, and notify those that may not be in the same broadcast domain. Immune operation center and gateway, so that the immune network will deal with the behavior accordingly.
  • the embodiments of the present application may also be combined with other tracking technologies to more accurately determine the attack source.
  • the current main DDoS tracking technologies include PacketMarking, ICMP tracking, Logging, and ControlledFlooding. These tracking technologies generally require the support of a router, but in practice they also need the assistance of an ISP.
  • the target network protection device determines whether the traffic is in an abnormal state according to the above-mentioned traffic status data and preset traffic monitoring rules, obtain alarm log data, and analyze the above-mentioned alarm log data according to the preset log analysis rules to determine the attacking node, and then obtain the network source Address, the target source address corresponding to the attack node is determined from the network source address, then the target attack source label can be determined according to the target source address, and the target attack source label is obtained according to the mapping relationship between the preset attack source label and the protection strategy According to the corresponding protection strategy, the target network protection device is determined according to the target source address and preset protection allocation rules, and a protection instruction is sent to the target network protection device to instruct the target network protection device to execute the protection strategy obtained above.
  • Network status and then analyze various data to further determine the attack source, you can more accurately identify the true source address of the attacking node, and then select appropriate network protection equipment to implement protection strategies to suppress network attacks and improve network security.
  • FIG. 3 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • the electronic device 300 includes a monitoring module 310, an acquisition module 320, a determination module 330, an analysis module 340, and a protection module 350, in which:
  • the above-mentioned monitoring module 310 is configured to monitor network status data according to preset network status judgment rules to determine the target network status, where the network status data includes traffic status data, and the determining the target network status includes:
  • the above-mentioned obtaining module 320 is configured to obtain alarm log data if the target network state is in the abnormal state of traffic; the above-mentioned determining module 330 is configured to determine the attacking node included in the alarm log data;
  • the aforementioned analysis module 340 is configured to determine the target source address corresponding to the attacking node from the network source address set;
  • the aforementioned protection module 350 is configured to determine the target attack source label corresponding to the target source address according to the correspondence between the preset address and the attack source label, and obtain the target according to the mapping relationship between the preset attack source label and the protection strategy The protection strategy corresponding to the attack source tag, and execute the acquired protection strategy.
  • the above determining module 330 is specifically configured to:
  • the aforementioned monitoring module 310 is also used for:
  • the above electronic device 300 further includes a generating module 360 for generating an interception record of the transmission data, the interception record including the sender of the transmission data, the receiver of the transmission data, and the transmission data The transmission time and the data type of the transmission data.
  • a generating module 360 for generating an interception record of the transmission data, the interception record including the sender of the transmission data, the receiver of the transmission data, and the transmission data The transmission time and the data type of the transmission data.
  • the aforementioned electronic device 300 further includes a transmission module 370;
  • the generating module 360 is further configured to: after the determining module 340 determines the target source address corresponding to the attacking node from the set of network source addresses, generate attack source information including the target source address; the transmission module 370 is used to forward Suppose the server sends the above attack source information.
  • the above determination module 340 is further configured to determine the target network protection device according to the above target source address and preset protection allocation rules after determining the target source address corresponding to the attack node from the network source address set;
  • the transmission module 370 is further configured to send a protection instruction to the target network protection device, where the protection instruction is used to instruct the target network protection device to execute the acquired protection strategy.
  • the aforementioned network source address is the address of a physical network card.
  • the steps 101 to 104 and 201 to 206 involved in the network attack source location and protection methods shown in FIG. 1 and FIG. 2 may be implemented by various modules in the electronic device 300 shown in FIG. 3 To execute.
  • steps 101 to 104 in FIG. 1 may be executed by the monitoring module 310, the acquisition module 320, the determination module 330, the analysis module 340, and the protection module 350 shown in FIG. 3, respectively.
  • the electronic device 300 can monitor network status data according to preset network status judgment rules to determine the target network status.
  • the network status data includes traffic status data.
  • the determination of the target network status includes: The status data and preset traffic monitoring rules determine whether the traffic is in an abnormal state.
  • FIG. 4 is a schematic structural diagram of another electronic device disclosed in an embodiment of the present application.
  • the electronic device 400 includes a processor 401 and a memory 402.
  • the electronic device 400 may also include a bus 403.
  • the processor 401 and the memory 402 may be connected to each other through the bus 403.
  • the bus 403 may be a peripheral component. Connect standard (Peripheral Component Interconnect, PCI) bus or extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, etc.
  • PCI Peripheral Component Interconnect
  • EISA Extended Industry Standard Architecture
  • the bus 403 can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used to represent in FIG. 4, but it does not mean that there is only one bus or one type of bus.
  • the electronic device 400 may also include an input/output device 404, and the input/output device 404 may include a display screen, such as a liquid crystal display screen.
  • the memory 402 is used to store one or more programs containing instructions; the processor 401 is used to call the instructions stored in the memory 402 to execute some or all of the method steps mentioned in the embodiments of FIG. 1 and FIG. 2.
  • the processor 401 may be a central processing unit (Central Processing Unit, CPU), and the processor may also be other general-purpose processors or digital signal processors (DSP). , Application Specific Integrated Circuit (ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the input device 402 may include a touch panel, a fingerprint sensor (used to collect user fingerprint information and fingerprint orientation information), a microphone, etc.
  • the output device 403 may include a display (LCD, etc.), a speaker, and the like.
  • the memory 404 may include a read-only memory and a random access memory, and provides instructions and data to the processor 401.
  • a part of the memory 404 may also include a non-volatile random access memory.
  • the memory 404 may also store device type information.
  • the electronic device 400 can monitor network status data according to preset network status judgment rules to determine the target network status.
  • the network status data includes traffic status data
  • the determination of the target network status includes: The status data and preset traffic monitoring rules determine whether the traffic is in an abnormal state.
  • the embodiments of the present application also provide a computer non-volatile readable storage medium, wherein the computer non-volatile readable storage medium stores a computer program for electronic data exchange, and the computer program causes the computer to execute the method implementation as described above. Part or all of the steps of any network attack source location and protection method recorded in the example.
  • the disclosed device may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the modules is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or may be Integrate into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or modules, and may be in electrical or other forms.
  • modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical modules, that is, they may be located in one place, or they may be distributed to multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the integrated module is implemented in the form of a software function module and sold or used as an independent product, it can be stored in a computer readable memory.
  • the technical solution of the present application essentially or the part that contributes to the prior art or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a memory, A number of instructions are included to enable a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned memory includes: U disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), mobile hard disk, magnetic disk or optical disk and other various media that can store program codes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

L'invention concerne un procédé de traçage d'une source d'attaque de réseau et de protection contre celle-ci, un dispositif électronique et un support de stockage informatique, lesquels relèvent des technologies de surveillance de sécurité de réseau. Le procédé consiste à : surveiller des données d'état de réseau selon une règle de détermination d'état de réseau prédéfinie, de manière à déterminer un état de réseau cible, les données d'état de réseau comprenant des données d'état de trafic, et la détermination de l'état de réseau cible consistant à : déterminer, selon les données d'état de trafic et une règle de surveillance de trafic prédéfinie, si l'état de réseau cible est un état de trafic anormal ; si tel est le cas, acquérir des données de journal des alarmes, et déterminer un nœud d'attaque inclus dans les données de journal des alarmes ; déterminer, à partir d'un ensemble d'adresses de source de réseau, une adresse de source cible correspondant au nœud d'attaque ; puis, déterminer une étiquette source d'attaque cible correspondant à l'adresse source cible, et acquérir, selon une relation de mappage prédéfinie entre des étiquettes de source d'attaque et des stratégies de protection, une stratégie de protection correspondant à l'étiquette de source d'attaque cible, et exécuter la stratégie de protection. Une adresse de source de nœud d'attaque réelle peut être identifiée avec précision, et une stratégie de protection ciblée peut être utilisée pour une protection de la sécurité du réseau.
PCT/CN2019/117165 2019-07-18 2019-11-11 Procédé de traçage de et de protection contre une source d'attaque de réseau, dispositif de électronique et support de stockage informatique WO2021008028A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910652269.0A CN110445770B (zh) 2019-07-18 2019-07-18 网络攻击源定位及防护方法、电子设备及计算机存储介质
CN201910652269.0 2019-07-18

Publications (1)

Publication Number Publication Date
WO2021008028A1 true WO2021008028A1 (fr) 2021-01-21

Family

ID=68430790

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/117165 WO2021008028A1 (fr) 2019-07-18 2019-11-11 Procédé de traçage de et de protection contre une source d'attaque de réseau, dispositif de électronique et support de stockage informatique

Country Status (2)

Country Link
CN (1) CN110445770B (fr)
WO (1) WO2021008028A1 (fr)

Cited By (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112887333A (zh) * 2021-03-02 2021-06-01 深信服科技股份有限公司 一种异常设备检测方法、装置、电子设备及可读存储介质
CN112995175A (zh) * 2021-02-24 2021-06-18 西安热工研究院有限公司 一种基于水轮发电机组发电状态进行网络安全防护的方法
CN113037567A (zh) * 2021-04-01 2021-06-25 国网河北省电力有限公司电力科学研究院 一种用于电网企业的网络攻击行为仿真系统及其仿真方法
CN113032823A (zh) * 2021-02-26 2021-06-25 加和(北京)信息科技有限公司 设备id的生成方法及装置
CN113438249A (zh) * 2021-06-30 2021-09-24 北京科东电力控制系统有限责任公司 一种基于策略的攻击溯源方法
CN113472065A (zh) * 2021-05-18 2021-10-01 广东电网有限责任公司广州供电局 输电线路状态监测方法、装置、设备和存储介质
CN113572752A (zh) * 2021-07-20 2021-10-29 上海明略人工智能(集团)有限公司 异常流量的检测方法和装置、电子设备、存储介质
CN113626509A (zh) * 2021-08-09 2021-11-09 杭州安恒信息技术股份有限公司 数据接入方法、装置、电子设备及可读存储介质
CN113645224A (zh) * 2021-08-09 2021-11-12 杭州安恒信息技术股份有限公司 一种网络攻击检测方法、装置、设备及存储介质
CN113645233A (zh) * 2021-08-10 2021-11-12 康键信息技术(深圳)有限公司 流量数据的风控智能决策方法、装置、电子设备和介质
CN113706177A (zh) * 2021-09-02 2021-11-26 赵琦 一种基于大数据安防的威胁识别方法及数据安防服务器
CN113904958A (zh) * 2021-10-22 2022-01-07 深圳市润迅通投资有限公司 一种基于动态数据包采样的网络流量识别系统和方法
CN113992384A (zh) * 2021-10-22 2022-01-28 延安大学 一种基于分数阶傅里叶变换阶次复用的保密通信方法
CN114024769A (zh) * 2021-12-07 2022-02-08 中国建设银行股份有限公司 一种网络流量安全控制系统
CN114095274A (zh) * 2021-12-10 2022-02-25 北京天融信网络安全技术有限公司 一种攻击研判方法及装置
CN114095258A (zh) * 2021-11-23 2022-02-25 北京天融信网络安全技术有限公司 攻击防御方法、装置、电子设备及存储介质
CN114124540A (zh) * 2021-11-25 2022-03-01 中国工商银行股份有限公司 Ips封禁方法及装置
CN114143088A (zh) * 2021-11-30 2022-03-04 北京天融信网络安全技术有限公司 网络故障诊断方法、装置、设备及计算机可读存储介质
CN114172709A (zh) * 2021-11-30 2022-03-11 中汽创智科技有限公司 一种网络多步攻击检测方法、装置、设备及存储介质
CN114186269A (zh) * 2021-12-06 2022-03-15 淄博云科互联网信息技术有限公司 基于人工智能的大数据信息安全防护方法及人工智能系统
CN114199206A (zh) * 2021-11-02 2022-03-18 青岛海洋科学与技术国家实验室发展中心 水上拖曳式测量系统及以太网数据有线传输方法
CN114257414A (zh) * 2021-11-25 2022-03-29 国网山东省电力公司日照供电公司 一种网络安全智能值班方法及系统
CN114285660A (zh) * 2021-12-28 2022-04-05 赛尔网络有限公司 蜜网部署方法、装置、设备及介质
CN114301716A (zh) * 2022-02-22 2022-04-08 绿盟科技集团股份有限公司 一种网络安全评估方法、装置、网络安全设备及存储介质
CN114389840A (zh) * 2021-12-09 2022-04-22 华迪计算机集团有限公司 基于glm析因方法确定网络攻击源所在区域的方法及系统
CN114465746A (zh) * 2021-09-28 2022-05-10 北京卫达信息技术有限公司 一种网络攻击控制方法及系统
CN114553683A (zh) * 2022-03-08 2022-05-27 南宁市韶诚信息科技有限公司 基于安全大数据反馈的云端配置更新方法及信息安全系统
CN114584491A (zh) * 2022-04-21 2022-06-03 腾讯科技(深圳)有限公司 检测方法、装置、存储介质、设备及程序产品
CN114598740A (zh) * 2022-03-04 2022-06-07 北京优炫软件股份有限公司 一种微隔离数据抓取方法以及系统
CN114978884A (zh) * 2022-07-27 2022-08-30 北京搜狐新媒体信息技术有限公司 数据包处理方法及装置
CN115022155A (zh) * 2022-05-24 2022-09-06 深信服科技股份有限公司 信息处理方法、装置及存储介质
CN115086159A (zh) * 2022-05-24 2022-09-20 深信服科技股份有限公司 信息处理方法、装置及存储介质
CN115085951A (zh) * 2021-03-10 2022-09-20 中国移动通信集团山东有限公司 车联网安全预警方法和电子设备
CN115118473A (zh) * 2022-06-20 2022-09-27 中国联合网络通信集团有限公司 数据处理方法、装置、设备及存储介质
CN115174144A (zh) * 2022-05-30 2022-10-11 江苏安几科技有限公司 零信任网关自安全检测方法及装置
CN115208671A (zh) * 2022-07-15 2022-10-18 山石网科通信技术股份有限公司 防火墙配置方法、装置、电子设备和存储介质
CN115242608A (zh) * 2022-07-12 2022-10-25 广东润联信息技术有限公司 告警信息的生成方法、装置、设备及存储介质
CN115277256A (zh) * 2022-09-27 2022-11-01 中国民用航空局空中交通管理局航空气象中心 一种用于数据内外网过网闸传输的预警方法及系统
CN115333915A (zh) * 2022-06-01 2022-11-11 中电莱斯信息系统有限公司 一种面向异构主机的网络管控系统
CN115412359A (zh) * 2022-09-02 2022-11-29 中国电信股份有限公司 Web应用安全防护方法和装置、电子设备、存储介质
CN115442279A (zh) * 2022-09-02 2022-12-06 杭州安恒信息技术股份有限公司 一种告警源定位方法、装置、设备及存储介质
CN115514539A (zh) * 2022-09-02 2022-12-23 中国电信股份有限公司 一种网络攻击的防护方法及装置、存储介质及电子设备
CN115955334A (zh) * 2022-12-02 2023-04-11 深圳市铭励扬科技有限公司 一种基于边缘计算的网络攻击流量处理方法及系统
RU2796650C1 (ru) * 2022-11-10 2023-05-29 Акционерное общество "Научно-производственное предприятие "Цифровые решения" Способ проверки связанности узлов сети с использованием выделенного канала связи
CN116319005A (zh) * 2023-03-21 2023-06-23 上海安博通信息科技有限公司 结合自然语言处理模型的攻击检测方法、装置及处理系统
CN116578911A (zh) * 2023-07-13 2023-08-11 亚信科技(中国)有限公司 数据处理方法、装置、电子设备及计算机存储介质
CN117201195A (zh) * 2023-11-06 2023-12-08 联通(广东)产业互联网有限公司 进程网络策略限制方法及装置、设备、存储介质
CN117560228A (zh) * 2024-01-10 2024-02-13 西安电子科技大学杭州研究院 基于标签和图对齐的流式溯源图实时攻击检测方法及系统
WO2024060408A1 (fr) * 2022-09-23 2024-03-28 天翼安全科技有限公司 Procédé de détection d'attaque réseau et appareil, dispostif et support de stockage
CN117896186A (zh) * 2024-03-14 2024-04-16 沈阳市名域科技有限公司 一种基于日志分析的漏洞扫描方法、系统及存储介质
CN118200190A (zh) * 2024-05-15 2024-06-14 北京绿色苹果技术有限公司 基于人工智能的网络性能监控与维护方法、系统及介质
WO2024124706A1 (fr) * 2022-12-15 2024-06-20 上海观安信息技术股份有限公司 Procédé et appareil d'identification de trafic de base de données, support de stockage et dispositif informatique
CN118353722A (zh) * 2024-06-18 2024-07-16 北京辰信领创信息技术有限公司 网络攻击拦截方法、计算机装置、计算机可读存储介质

Families Citing this family (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110855796B (zh) * 2019-11-22 2022-11-04 北京浪潮数据技术有限公司 一种云平台web防护方法、系统、设备及计算机介质
CN111181978B (zh) * 2019-12-31 2022-09-30 深信服科技股份有限公司 异常网络流量的检测方法、装置、电子设备及存储介质
CN111355712A (zh) * 2020-02-20 2020-06-30 杭州涂鸦信息技术有限公司 一种适用于mqtt的安全防护方法及系统
CN111371777B (zh) * 2020-02-28 2022-06-24 北京天融信网络安全技术有限公司 一种车辆网络的攻击检测方法、装置、检测器及存储介质
CN111225002B (zh) * 2020-03-18 2022-05-27 深圳市腾讯计算机系统有限公司 一种网络攻击溯源方法、装置、电子设备和存储介质
CN111970261B (zh) * 2020-08-06 2023-04-07 完美世界(北京)软件科技发展有限公司 网络攻击的识别方法、装置及设备
CN111988331B (zh) * 2020-08-28 2021-04-16 清华大学 基于区块链的DDoS攻击追踪方法、系统、设备和介质
CN112272157B (zh) * 2020-09-15 2022-07-26 杭州数梦工场科技有限公司 主机ip地址的转换方法、装置、计算机设备及存储介质
CN112152854B (zh) * 2020-09-25 2023-11-07 绿盟科技集团股份有限公司 一种信息处理方法及装置
CN112214378B (zh) * 2020-10-23 2023-03-24 珠海格力电器股份有限公司 数据收集方法、装置、电子设备及存储介质
CN114745142B (zh) * 2020-12-23 2023-11-24 腾讯科技(深圳)有限公司 一种异常流量处理方法、装置、计算机设备及存储介质
CN112583850B (zh) * 2020-12-27 2023-02-24 杭州迪普科技股份有限公司 网络攻击防护方法、装置及系统
CN112822213A (zh) * 2021-02-07 2021-05-18 国网福建省电力有限公司电力科学研究院 一种针对于电力监控系统的攻击取证与溯源方法
CN113098904B (zh) * 2021-04-28 2023-08-15 北京吉安金芯信息技术有限公司 网络设备的通信方法及装置
CN113233269B (zh) * 2021-05-12 2023-06-16 广州广日电梯工业有限公司 电梯网络受攻击的诊断方法以及诊断装置
CN113872927A (zh) * 2021-05-25 2021-12-31 杭州复杂美科技有限公司 数据统计方法、防攻击方法、计算机设备和存储介质
CN113573350B (zh) * 2021-06-16 2024-08-16 新浪技术(中国)有限公司 一种无线设备风险监控方法和装置
CN113596044B (zh) * 2021-08-03 2023-04-25 北京恒安嘉新安全技术有限公司 一种网络防护方法、装置、电子设备及存储介质
CN113783884A (zh) * 2021-09-16 2021-12-10 杭州安恒信息技术股份有限公司 一种synflood攻击防护方法、装置、设备及存储介质
CN114462589B (zh) * 2021-09-28 2022-11-04 北京卫达信息技术有限公司 正常行为神经网络模型训练方法、系统、装置及存储介质
CN113923019B (zh) * 2021-10-09 2023-07-21 天翼物联科技有限公司 物联网系统安全防护方法、装置、设备及介质
CN114124453B (zh) * 2021-10-20 2024-06-21 国能信息技术有限公司 网络安全信息的处理方法、装置、电子设备及储存介质
CN114124744B (zh) * 2021-11-24 2023-06-02 绿盟科技集团股份有限公司 一种流量数据展示方法、装置、电子设备及存储介质
CN114338120B (zh) * 2021-12-23 2023-11-21 绿盟科技集团股份有限公司 一种扫段攻击检测方法、装置、介质和电子设备
CN114338593B (zh) * 2021-12-23 2023-07-04 上海观安信息技术股份有限公司 利用地址解析协议进行网络扫描的行为检测方法及装置
CN114448689B (zh) * 2022-01-19 2023-07-25 烽台科技(北京)有限公司 工控网络的边界设备确定方法、装置、设备及存储介质
CN114448716B (zh) * 2022-02-28 2024-06-21 奇安信科技集团股份有限公司 工控安全的控制方法及电子设备、存储介质
CN114567605B (zh) * 2022-02-28 2023-12-01 天翼安全科技有限公司 一种安全引擎的调度方法、装置及可读存储介质
CN114679341B (zh) * 2022-05-27 2022-08-16 江苏益柏锐信息科技有限公司 结合erp系统的网络入侵攻击分析方法、设备及介质
CN115150167B (zh) * 2022-06-30 2024-03-12 北京天融信网络安全技术有限公司 同步控制的方法、装置、电子设备及计算机可读存储介质
CN115225393B (zh) * 2022-07-20 2023-09-26 北京天融信网络安全技术有限公司 一种源限速方法及装置、电子设备
CN116015785B (zh) * 2022-12-14 2024-04-30 中国联合网络通信集团有限公司 信息安全防护方法及电子设备、存储介质
CN118337402A (zh) * 2023-01-11 2024-07-12 中兴通讯股份有限公司 一种基于软件定义网络的数据流处理方法及装置
CN116319077B (zh) * 2023-05-15 2023-08-22 鹏城实验室 网络攻击检测方法和装置、设备、存储介质和产品
CN116582339B (zh) * 2023-05-29 2024-03-08 四川云控交通科技有限责任公司 一种智能楼宇网络安全监控方法、监控系统
CN116436706B (zh) * 2023-06-14 2023-08-22 天津市天河计算机技术有限公司 数据中心环境下的网络攻击阻断方法、系统、设备及介质
CN117439825B (zh) * 2023-12-21 2024-03-01 江苏禾冠信息技术有限公司 面向家庭路由器的网络入侵防护方法及系统
CN117650947B (zh) * 2024-01-29 2024-04-12 深圳市众泰兄弟科技发展有限公司 基于机器学习的网络流量数据安全可视化监测系统
CN118075033B (zh) * 2024-04-19 2024-07-05 台州市大数据发展有限公司 一种网络安全防护方法及系统

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127594A (zh) * 2007-10-10 2008-02-20 杭州华三通信技术有限公司 一种安全信息联动处理装置及方法
CN102075365A (zh) * 2011-02-15 2011-05-25 中国工商银行股份有限公司 一种网络攻击源定位及防护的方法、装置
CN107222462A (zh) * 2017-05-08 2017-09-29 汕头大学 一种局域网内部攻击源的自动定位、隔离方法
US20180367566A1 (en) * 2016-02-29 2018-12-20 Alibaba Group Holding Limited Prevention and control method, apparatus and system for network attack

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101087440B (zh) * 2006-06-06 2010-05-12 大唐移动通信设备有限公司 一种用于移动通信系统中数据调整的方法
WO2013176711A2 (fr) * 2012-02-15 2013-11-28 The Trustees Of Columbia University In The City Of New York Procédés, systèmes et supports pour empêcher des attaques sur des dispositifs embarqués
CN104202336A (zh) * 2014-09-22 2014-12-10 浪潮电子信息产业股份有限公司 一种基于信息熵的DDoS攻击检测方法
CN105704097A (zh) * 2014-11-26 2016-06-22 华为数字技术(苏州)有限公司 一种防御攻击的方法及装置
CN106936615A (zh) * 2015-12-31 2017-07-07 中兴通讯股份有限公司 一种报文处理方法及装置
US11281706B2 (en) * 2016-09-26 2022-03-22 Splunk Inc. Multi-layer partition allocation for query execution
CN109120612B (zh) * 2018-08-06 2021-04-30 浙江衣拿智能科技股份有限公司 一种数据包过滤方法、系统及应用程序
CN109743314A (zh) * 2018-12-29 2019-05-10 杭州迪普科技股份有限公司 网络异常的监控方法、装置、计算机设备及其存储介质
CN110505232A (zh) * 2019-08-27 2019-11-26 百度在线网络技术(北京)有限公司 网络攻击的检测方法及装置、电子设备、存储介质

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127594A (zh) * 2007-10-10 2008-02-20 杭州华三通信技术有限公司 一种安全信息联动处理装置及方法
CN102075365A (zh) * 2011-02-15 2011-05-25 中国工商银行股份有限公司 一种网络攻击源定位及防护的方法、装置
US20180367566A1 (en) * 2016-02-29 2018-12-20 Alibaba Group Holding Limited Prevention and control method, apparatus and system for network attack
CN107222462A (zh) * 2017-05-08 2017-09-29 汕头大学 一种局域网内部攻击源的自动定位、隔离方法

Cited By (86)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995175A (zh) * 2021-02-24 2021-06-18 西安热工研究院有限公司 一种基于水轮发电机组发电状态进行网络安全防护的方法
CN112995175B (zh) * 2021-02-24 2022-12-02 西安热工研究院有限公司 一种基于水轮发电机组发电状态进行网络安全防护的方法
CN113032823A (zh) * 2021-02-26 2021-06-25 加和(北京)信息科技有限公司 设备id的生成方法及装置
CN113032823B (zh) * 2021-02-26 2023-08-01 加和(北京)信息科技有限公司 设备id的生成方法及装置
CN112887333A (zh) * 2021-03-02 2021-06-01 深信服科技股份有限公司 一种异常设备检测方法、装置、电子设备及可读存储介质
CN115085951B (zh) * 2021-03-10 2024-05-28 中国移动通信集团山东有限公司 车联网安全预警方法和电子设备
CN115085951A (zh) * 2021-03-10 2022-09-20 中国移动通信集团山东有限公司 车联网安全预警方法和电子设备
CN113037567A (zh) * 2021-04-01 2021-06-25 国网河北省电力有限公司电力科学研究院 一种用于电网企业的网络攻击行为仿真系统及其仿真方法
CN113472065A (zh) * 2021-05-18 2021-10-01 广东电网有限责任公司广州供电局 输电线路状态监测方法、装置、设备和存储介质
CN113438249B (zh) * 2021-06-30 2023-01-31 北京科东电力控制系统有限责任公司 一种基于策略的攻击溯源方法
CN113438249A (zh) * 2021-06-30 2021-09-24 北京科东电力控制系统有限责任公司 一种基于策略的攻击溯源方法
CN113572752A (zh) * 2021-07-20 2021-10-29 上海明略人工智能(集团)有限公司 异常流量的检测方法和装置、电子设备、存储介质
CN113572752B (zh) * 2021-07-20 2023-11-07 上海明略人工智能(集团)有限公司 异常流量的检测方法和装置、电子设备、存储介质
CN113645224B (zh) * 2021-08-09 2022-12-09 杭州安恒信息技术股份有限公司 一种网络攻击检测方法、装置、设备及存储介质
CN113626509A (zh) * 2021-08-09 2021-11-09 杭州安恒信息技术股份有限公司 数据接入方法、装置、电子设备及可读存储介质
CN113645224A (zh) * 2021-08-09 2021-11-12 杭州安恒信息技术股份有限公司 一种网络攻击检测方法、装置、设备及存储介质
CN113645233A (zh) * 2021-08-10 2021-11-12 康键信息技术(深圳)有限公司 流量数据的风控智能决策方法、装置、电子设备和介质
CN113645233B (zh) * 2021-08-10 2023-07-28 康键信息技术(深圳)有限公司 流量数据的风控智能决策方法、装置、电子设备和介质
CN113706177A (zh) * 2021-09-02 2021-11-26 赵琦 一种基于大数据安防的威胁识别方法及数据安防服务器
CN113706177B (zh) * 2021-09-02 2022-04-29 广东奥飞数据科技股份有限公司 一种基于大数据安防的威胁识别方法及数据安防服务器
CN114465746B (zh) * 2021-09-28 2022-11-08 北京卫达信息技术有限公司 一种网络攻击控制方法及系统
CN114465746A (zh) * 2021-09-28 2022-05-10 北京卫达信息技术有限公司 一种网络攻击控制方法及系统
CN113992384B (zh) * 2021-10-22 2023-10-20 延安大学 一种基于分数阶傅里叶变换阶次复用的保密通信方法
CN113992384A (zh) * 2021-10-22 2022-01-28 延安大学 一种基于分数阶傅里叶变换阶次复用的保密通信方法
CN113904958B (zh) * 2021-10-22 2022-11-08 深圳市润迅通投资有限公司 一种基于动态数据包采样的网络流量识别系统和方法
CN113904958A (zh) * 2021-10-22 2022-01-07 深圳市润迅通投资有限公司 一种基于动态数据包采样的网络流量识别系统和方法
CN114199206A (zh) * 2021-11-02 2022-03-18 青岛海洋科学与技术国家实验室发展中心 水上拖曳式测量系统及以太网数据有线传输方法
CN114199206B (zh) * 2021-11-02 2024-06-04 青岛海洋科技中心 水上拖曳式测量系统及以太网数据有线传输方法
CN114095258B (zh) * 2021-11-23 2024-02-06 北京天融信网络安全技术有限公司 攻击防御方法、装置、电子设备及存储介质
CN114095258A (zh) * 2021-11-23 2022-02-25 北京天融信网络安全技术有限公司 攻击防御方法、装置、电子设备及存储介质
CN114124540B (zh) * 2021-11-25 2023-12-29 中国工商银行股份有限公司 Ips封禁方法及装置
CN114124540A (zh) * 2021-11-25 2022-03-01 中国工商银行股份有限公司 Ips封禁方法及装置
CN114257414A (zh) * 2021-11-25 2022-03-29 国网山东省电力公司日照供电公司 一种网络安全智能值班方法及系统
CN114143088A (zh) * 2021-11-30 2022-03-04 北京天融信网络安全技术有限公司 网络故障诊断方法、装置、设备及计算机可读存储介质
CN114143088B (zh) * 2021-11-30 2024-02-09 天融信雄安网络安全技术有限公司 网络故障诊断方法、装置、设备及计算机可读存储介质
CN114172709B (zh) * 2021-11-30 2024-05-24 中汽创智科技有限公司 一种网络多步攻击检测方法、装置、设备及存储介质
CN114172709A (zh) * 2021-11-30 2022-03-11 中汽创智科技有限公司 一种网络多步攻击检测方法、装置、设备及存储介质
CN114186269A (zh) * 2021-12-06 2022-03-15 淄博云科互联网信息技术有限公司 基于人工智能的大数据信息安全防护方法及人工智能系统
CN114024769A (zh) * 2021-12-07 2022-02-08 中国建设银行股份有限公司 一种网络流量安全控制系统
CN114389840B (zh) * 2021-12-09 2023-08-01 华迪计算机集团有限公司 基于glm析因方法确定网络攻击源所在区域的方法及系统
CN114389840A (zh) * 2021-12-09 2022-04-22 华迪计算机集团有限公司 基于glm析因方法确定网络攻击源所在区域的方法及系统
CN114095274B (zh) * 2021-12-10 2023-11-10 北京天融信网络安全技术有限公司 一种攻击研判方法及装置
CN114095274A (zh) * 2021-12-10 2022-02-25 北京天融信网络安全技术有限公司 一种攻击研判方法及装置
CN114285660B (zh) * 2021-12-28 2023-11-07 赛尔网络有限公司 蜜网部署方法、装置、设备及介质
CN114285660A (zh) * 2021-12-28 2022-04-05 赛尔网络有限公司 蜜网部署方法、装置、设备及介质
CN114301716A (zh) * 2022-02-22 2022-04-08 绿盟科技集团股份有限公司 一种网络安全评估方法、装置、网络安全设备及存储介质
CN114301716B (zh) * 2022-02-22 2023-05-26 绿盟科技集团股份有限公司 一种网络安全评估方法、装置、网络安全设备及存储介质
CN114598740A (zh) * 2022-03-04 2022-06-07 北京优炫软件股份有限公司 一种微隔离数据抓取方法以及系统
CN114598740B (zh) * 2022-03-04 2024-02-02 北京优炫软件股份有限公司 一种微隔离数据抓取方法以及系统
CN114553683A (zh) * 2022-03-08 2022-05-27 南宁市韶诚信息科技有限公司 基于安全大数据反馈的云端配置更新方法及信息安全系统
CN114584491A (zh) * 2022-04-21 2022-06-03 腾讯科技(深圳)有限公司 检测方法、装置、存储介质、设备及程序产品
CN114584491B (zh) * 2022-04-21 2023-09-08 腾讯科技(深圳)有限公司 检测方法、装置、存储介质及设备
CN115022155A (zh) * 2022-05-24 2022-09-06 深信服科技股份有限公司 信息处理方法、装置及存储介质
CN115086159A (zh) * 2022-05-24 2022-09-20 深信服科技股份有限公司 信息处理方法、装置及存储介质
CN115174144A (zh) * 2022-05-30 2022-10-11 江苏安几科技有限公司 零信任网关自安全检测方法及装置
CN115333915A (zh) * 2022-06-01 2022-11-11 中电莱斯信息系统有限公司 一种面向异构主机的网络管控系统
CN115333915B (zh) * 2022-06-01 2023-12-05 中电莱斯信息系统有限公司 一种面向异构主机的网络管控系统
CN115118473B (zh) * 2022-06-20 2023-07-14 中国联合网络通信集团有限公司 数据处理方法、装置、设备及存储介质
CN115118473A (zh) * 2022-06-20 2022-09-27 中国联合网络通信集团有限公司 数据处理方法、装置、设备及存储介质
CN115242608A (zh) * 2022-07-12 2022-10-25 广东润联信息技术有限公司 告警信息的生成方法、装置、设备及存储介质
CN115208671A (zh) * 2022-07-15 2022-10-18 山石网科通信技术股份有限公司 防火墙配置方法、装置、电子设备和存储介质
CN114978884B (zh) * 2022-07-27 2022-12-13 北京搜狐新媒体信息技术有限公司 数据包处理方法及装置
CN114978884A (zh) * 2022-07-27 2022-08-30 北京搜狐新媒体信息技术有限公司 数据包处理方法及装置
CN115514539A (zh) * 2022-09-02 2022-12-23 中国电信股份有限公司 一种网络攻击的防护方法及装置、存储介质及电子设备
CN115412359A (zh) * 2022-09-02 2022-11-29 中国电信股份有限公司 Web应用安全防护方法和装置、电子设备、存储介质
CN115442279A (zh) * 2022-09-02 2022-12-06 杭州安恒信息技术股份有限公司 一种告警源定位方法、装置、设备及存储介质
CN115442279B (zh) * 2022-09-02 2024-04-26 杭州安恒信息技术股份有限公司 一种告警源定位方法、装置、设备及存储介质
CN115412359B (zh) * 2022-09-02 2024-03-19 中国电信股份有限公司 Web应用安全防护方法和装置、电子设备、存储介质
CN115514539B (zh) * 2022-09-02 2024-01-30 中国电信股份有限公司 一种网络攻击的防护方法及装置、存储介质及电子设备
WO2024060408A1 (fr) * 2022-09-23 2024-03-28 天翼安全科技有限公司 Procédé de détection d'attaque réseau et appareil, dispostif et support de stockage
CN115277256B (zh) * 2022-09-27 2022-12-16 中国民用航空局空中交通管理局航空气象中心 一种用于数据内外网过网闸传输的预警方法及系统
CN115277256A (zh) * 2022-09-27 2022-11-01 中国民用航空局空中交通管理局航空气象中心 一种用于数据内外网过网闸传输的预警方法及系统
RU2796650C1 (ru) * 2022-11-10 2023-05-29 Акционерное общество "Научно-производственное предприятие "Цифровые решения" Способ проверки связанности узлов сети с использованием выделенного канала связи
CN115955334A (zh) * 2022-12-02 2023-04-11 深圳市铭励扬科技有限公司 一种基于边缘计算的网络攻击流量处理方法及系统
CN115955334B (zh) * 2022-12-02 2023-11-10 深圳市铭励扬科技有限公司 一种基于边缘计算的网络攻击流量处理方法及系统
WO2024124706A1 (fr) * 2022-12-15 2024-06-20 上海观安信息技术股份有限公司 Procédé et appareil d'identification de trafic de base de données, support de stockage et dispositif informatique
CN116319005A (zh) * 2023-03-21 2023-06-23 上海安博通信息科技有限公司 结合自然语言处理模型的攻击检测方法、装置及处理系统
CN116578911A (zh) * 2023-07-13 2023-08-11 亚信科技(中国)有限公司 数据处理方法、装置、电子设备及计算机存储介质
CN117201195B (zh) * 2023-11-06 2024-01-26 联通(广东)产业互联网有限公司 进程网络策略限制方法及装置、设备、存储介质
CN117201195A (zh) * 2023-11-06 2023-12-08 联通(广东)产业互联网有限公司 进程网络策略限制方法及装置、设备、存储介质
CN117560228B (zh) * 2024-01-10 2024-03-19 西安电子科技大学杭州研究院 基于标签和图对齐的流式溯源图实时攻击检测方法及系统
CN117560228A (zh) * 2024-01-10 2024-02-13 西安电子科技大学杭州研究院 基于标签和图对齐的流式溯源图实时攻击检测方法及系统
CN117896186A (zh) * 2024-03-14 2024-04-16 沈阳市名域科技有限公司 一种基于日志分析的漏洞扫描方法、系统及存储介质
CN117896186B (zh) * 2024-03-14 2024-05-31 沈阳市名域科技有限公司 一种基于日志分析的漏洞扫描方法、系统及存储介质
CN118200190A (zh) * 2024-05-15 2024-06-14 北京绿色苹果技术有限公司 基于人工智能的网络性能监控与维护方法、系统及介质
CN118353722A (zh) * 2024-06-18 2024-07-16 北京辰信领创信息技术有限公司 网络攻击拦截方法、计算机装置、计算机可读存储介质

Also Published As

Publication number Publication date
CN110445770A (zh) 2019-11-12
CN110445770B (zh) 2022-07-22

Similar Documents

Publication Publication Date Title
WO2021008028A1 (fr) Procédé de traçage de et de protection contre une source d'attaque de réseau, dispositif de électronique et support de stockage informatique
EP2612488B1 (fr) Détection des réseaux de bots
US7552478B2 (en) Network unauthorized access preventing system and network unauthorized access preventing apparatus
US7562390B1 (en) System and method for ARP anti-spoofing security
CN113612784B (zh) 使用蜜罐的动态服务处理
US20060143709A1 (en) Network intrusion prevention
JP2008177714A (ja) ネットワークシステム、サーバ、ddnsサーバおよびパケット中継装置
CN101589595A (zh) 用于潜在被污染端系统的牵制机制
AU2009200102A1 (en) Method and apparatus for inspecting inter-layer address binding protocols
US7596808B1 (en) Zero hop algorithm for network threat identification and mitigation
US20040250158A1 (en) System and method for protecting an IP transmission network against the denial of service attacks
AbdelSalam et al. An automated approach for preventing ARP spoofing attack using static ARP entries
Wang et al. Efficient and low‐cost defense against distributed denial‐of‐service attacks in SDN‐based networks
Ashutosh An insight in to network traffic analysis using packet sniffer
WO2019096104A1 (fr) Prévention contre les attaques
KR101593897B1 (ko) 방화벽, ids 또는 ips를 우회하는 네트워크 스캔 방법
Salim et al. Preventing ARP spoofing attacks through gratuitous decision packet
CN113014530B (zh) Arp欺骗攻击防范方法及系统
US20220103582A1 (en) System and method for cybersecurity
KR101188308B1 (ko) 악성 코드의 주소 결정 프로토콜 스푸핑 모니터링을 위한 가상 패킷 모니터링 시스템 및 그 방법
Jingna An analysis on DoS attack and defense technology
Sharma et al. Detection of ARP Spoofing: A command line execution method
CN111490989A (zh) 一种网络系统、攻击检测方法、装置及电子设备
CN112671783B (zh) 一种基于vlan用户组的防主机ip扫描方法
US20210392162A1 (en) Novel dns record type for network threat prevention

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19937557

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19937557

Country of ref document: EP

Kind code of ref document: A1