CN107995162A - Network security sensory perceptual system, method and readable storage medium storing program for executing - Google Patents

Network security sensory perceptual system, method and readable storage medium storing program for executing Download PDF

Info

Publication number
CN107995162A
CN107995162A CN201711032879.8A CN201711032879A CN107995162A CN 107995162 A CN107995162 A CN 107995162A CN 201711032879 A CN201711032879 A CN 201711032879A CN 107995162 A CN107995162 A CN 107995162A
Authority
CN
China
Prior art keywords
network
analysis
probe
analysis platform
sensory perceptual
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711032879.8A
Other languages
Chinese (zh)
Inventor
吕晓滨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN201711032879.8A priority Critical patent/CN107995162A/en
Publication of CN107995162A publication Critical patent/CN107995162A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/04Processing captured monitoring data, e.g. for logfile generation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876Network utilisation, e.g. volume of load or congestion level
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a kind of network security sensory perceptual system, including:Multiple probes, are deployed on the interchanger or router of each monitoring network area respectively, and the mirror image flow of network area is each monitored for dynamic access and therefrom gathers particular flow rate information;The flow information of collection is uploaded into analysis platform by encrypted communication channel;Analysis platform, the flow information uploaded for dynamically receiving each probe, and various dimensions association analysis is carried out, to identify security threat present in whole network;Analysis result is presented with visual means.The invention also discloses a kind of implementation method and computer-readable storage medium of network security sensory perceptual system.The present invention can in a manner of net structure conduct monitoring at all levels whole network, potential security threat present in sensing network, protect the information security of whole network.

Description

Network security sensory perceptual system, method and readable storage medium storing program for executing
Technical field
The present invention relates to technical field of network information safety, more particularly to a kind of network security sensory perceptual system, method and meter Calculation machine readable storage medium storing program for executing.
Background technology
Current IT industries have been normally carried out larger change, the change of three big present situations below, force vast enterprise, government, The safety foundation construction of the industries such as education, finance is changed into network-wide security detection from inveteracy border defence thought, also deep Carve the meaning and defence no less important for recognizing detection:
(1) IT business becomes complicated, makes boundary vague, or there is no the border on pure sense;
(2) attack becomes more sophisticated, is more hidden, and attack means are also more brilliant, and attacker always has various methods to bypass border Defence, such as BYOD, stiff wooden worm, interior ghost;
(3) safety means constantly stacked can not simultaneously play 1+1>=2 effect, or even tie down network.
Due to a lack of effective all webs' watch mechanism, after attacker, which breaks through border defence, enters Intranet, it is carried out all Behavior is unknown to IT administrative staff, and then can produce serious threat to the information security of whole network, how not to be influenced It is imperative that whole network is monitored in real time in the case of network.
The content of the invention
It is a primary object of the present invention to provide a kind of network security sensory perceptual system, method and computer-readable storage medium Matter, it is intended to solve how the technical problem monitored in real time in the case where not influencing network to whole network.
To achieve the above object, the present invention provides a kind of network security sensory perceptual system, and the sensory perceptual system includes:
Multiple probes, are deployed on the interchanger or router of each monitoring network area, for dynamic access each respectively Monitor the mirror image flow of network area and therefrom gather particular flow rate information;The flow information of collection is passed through into encrypted communication channel Upload analysis platform;
Analysis platform, the flow information uploaded for dynamically receiving each probe, and various dimensions association analysis is carried out, with identification Security threat present in whole network;Analysis result is presented with visual means.
Alternatively, the monitoring network area includes at least:Intranet handles official business area, area of data center, network management area, external connection Service area, wide area network access area, linking Internet area.
Alternatively, the probe has management interface and data transmission interface, and the management interface is used to receive described point The management instruction that analysis platform issues, for managing probe device, the data transmission interface is used to upload to the analysis platform Data;
The probe is equipped with the foundation characteristic storehouse for flow information described in assistant analysis, and the foundation characteristic storehouse is at least Including:Network attack characteristic storehouse, malicious code feature database, Botnet feature database, malice IP feature databases, malice domain name feature Storehouse, loophole feature database.
Further, to achieve the above object, the present invention also provides a kind of implementation method of sensory perceptual system, the method bag Include following steps:
Coded communication is established with the analysis platform to be connected;
From the interchanger or router of corresponding deployment, dynamic access monitors the mirror image flow of network area, for therefrom Gather particular flow rate information;
The flow information of collection is uploaded into the analysis platform by encrypted communication channel, so that the analysis platform carries out Various dimensions association analysis, to identify security threat present in whole network, and analysis result is presented with visual means.
Alternatively, the method further includes:
Basic detection is carried out to the flow information of collection, and the result of the basis detection is uploaded into the analysis platform;
Wherein, the content of the basis detection includes at least following one or more:
Based on preset foundation characteristic storehouse, network attack, malicious code, corpse are at least identified from the flow information One or more in network service, malice IP, malice domain name, suspicious loophole;
Storehouse is identified based on preset base application, the application that request accesses is identified from the flow information, it is described to answer With including at least business related application, online application, office application;
Packet check is carried out to the flow information, to identify the abnormal data carried in outgoing packet.
Alternatively, the method further includes:
Receive the key monitoring instruction that the analysis platform issues, for exception IP determined by the analysis platform or Abnormal network region is monitored;
Acquisition abnormity IP or the flow information in abnormal network region, and upload the analysis platform.
Further, to achieve the above object, the present invention also provides a kind of implementation method of sensory perceptual system, the method bag Include following steps:
Coded communication is established with the probe to be connected;
Dynamic receives the flow information that the probe uploads, and carries out various dimensions association analysis, is deposited with identifying in whole network Security threat;Wherein, the flow information is the probe from the interchanger or router of corresponding deployment, dynamic access Monitor and collected in the mirror image flow of network area;
Analysis result is presented with visual means.
Alternatively, the content for carrying out various dimensions association analysis includes at least following one or more:
Based on vulnerability exploit attack rule, WEB application attack rule and Intranet operation system configuration information, the whole network is distinguished The value of each networked asset in network, and according to the value of networked asset, security threat event degree of impending is assessed;
Based on vulnerability exploit attack rule, WEB application attack rule and Botnet communication behavior, host of falling is identified With Attack Scenarios;
When identifying in whole network there are during security threat event, analyzing the event type of the security threat event, and will The security threat event is associated with the event type, for carrying out event correlation presentation;
When identifying in whole network there are during security threat event, based on preset basis of coding rule, the safety is identified Whether threat event is erroneous judgement caused by coding lack of standardization, if so, then cancelling the security threat event.
Further, to achieve the above object, the present invention also provides a kind of computer-readable recording medium, the computer Storage, which haves a sense of security, on readable storage medium storing program for executing knows program, and the safe awareness program realizes any of the above-described when being executed by processor The step of implementation method of the sensory perceptual system.
In the present invention, multiple probes are deployed in respectively on the interchanger or router of each monitoring network area, for moving State obtains each mirror image flow of monitoring network area and therefrom gathers particular flow rate information, and the flow information of collection is passed through Encrypted communication channel uploads analysis platform;And analysis platform is then used to dynamically receive the flow information that each probe uploads, and carry out Various dimensions association analysis, to identify security threat present in whole network, is finally again carried out analysis result with visual means Present, and then the unified comprehensive safety situation for showing whole network.The present invention can in a manner of net structure conduct monitoring at all levels it is whole Network, potential security threat present in sensing network, protects the information security of whole network.
Brief description of the drawings
Fig. 1 is the high-level schematic functional block diagram of safe one embodiment of sensory perceptual system of inventive network;
Fig. 2 is the deployment scenario schematic diagram of safe one embodiment of sensory perceptual system of inventive network;
Fig. 3 is the structure diagram for the probe running environment that the embodiment of the present invention is related to;
Fig. 4 is the structure diagram for the analysis platform running environment that the embodiment of the present invention is related to;
Fig. 5 is the flow diagram of the implementation method first embodiment of sensory perceptual system of the present invention;
Fig. 6 is the flow diagram of the implementation method second embodiment of sensory perceptual system of the present invention;
Fig. 7 is the flow diagram of the implementation method 3rd embodiment of sensory perceptual system of the present invention.
The embodiments will be further described with reference to the accompanying drawings for the realization, the function and the advantages of the object of the present invention.
Embodiment
It should be appreciated that specific embodiment described herein is not intended to limit the present invention only to explain the present invention.
With reference to Fig. 1, Fig. 1 is the high-level schematic functional block diagram of safe one embodiment of sensory perceptual system of inventive network.The present embodiment In, sensory perceptual system includes:Multiple probes 10, analysis platform 20.
In the present embodiment, each probe 10 is deployed on the interchanger or router of each monitoring network area respectively, specific to use The mirror image flow of network area is each monitored in dynamic access and therefrom gathers particular flow rate information, then again by the flow of collection Information uploads analysis platform 20 by encrypted communication channel.And analysis platform 20 is then used to dynamically receive the stream that each probe 10 uploads Information is measured, and carries out various dimensions association analysis, to identify security threat present in whole network, finally by analysis result with visual Change mode is presented, and then the unified comprehensive safety situation for showing whole network.
The deployment scenario schematic diagram of one embodiment of safe sensory perceptual system as shown in Figure 2.Each probe 10 is deployed in netted On the interchanger or router of each monitoring network area.In the present embodiment, probe 10 supports bypass deployment, can be with desampler Or the mirror image flow on router.In addition, the difference of the interface type by interchanger, probe 10 includes at least 100,000,000, gigabit, ten thousand The data interface types such as million.
As shown in Fig. 2, the network area of the deployment monitoring of probe 10 includes at least:Intranet handles official business area, area of data center, network Directorial area, external connection service area, wide area network access area, linking Internet area.Namely formed after multiple spot disposes monitoring probe 10 complete Net monitoring network, probe 10 is the same just as feeler, is dispersed in each crucial monitoring area and collects valid data, and analysis platform 20 It is like the whole network analysis brain, carries out collecting association analysis by 10 back information of probe at comprehensive no dead angle, and then It was found that the latent threat in the whole network, and the security postures of the whole network are grasped in real time.
Still optionally further, in one embodiment of sensory perceptual system of the present invention, probe 10 has management interface and data transfer Interface, management interface is used to receive the management instruction that analysis platform 20 issues, for managing probe device, such as control probe 10 Upload the basic operating condition of probe, assign control instruction etc. to probe 10;And data transmission interface is then used for analysis platform 20 upload data, such as the flow information gathered.
In addition, to reduce the workload of analysis platform 20, the bandwidth occupancy to analysis platform of transmission data band is reduced, Also it is that in the present embodiment, probe 10 possesses the security threat detectability on basis, can identify common deeper into monitoring at the same time Various attacks or security exception, and effectively data are grabbed from flow information.
Probe 10 is included at least equipped with the foundation characteristic storehouse for assistant analysis flow information, the foundation characteristic storehouse:
(1) network attack characteristic storehouse, available for the network attack in identification flow, such as IPS attacks, WAF attacks, ARP Attack, DoS/DDoS attacks etc.;
(2) malicious code feature database, available for malicious code common in identification flow;
(3) Botnet feature database, available for identification Botnet virus;
(4) malice IP feature databases, for example scanned by IP, port scan etc., identification malice IP;
(5) malice domain name feature database, for example scanned by IP, port scan etc., identify malice domain name;
(6) loophole feature database, available for identifying various loopholes.
Still optionally further, in another embodiment of sensory perceptual system of the present invention, analysis platform 20 possesses and has asset database, Inside and outside network segment IP can be distinguished, can identify intranet host IP, server assets IP, and then available for intranet host, server Safety analysis provide foundation.
In addition, analysis platform 20 supports big data processing, the transmission data of multiple probes 10 can be received and stored, are provided with The non-volatile memory medium of larger capacity, while the data of larger capacity can be quickly analyzed, and possess quick multidimensional association The global search ability of retrieval capability and critical data.
With reference to Fig. 3, Fig. 3 is the structure diagram for the probe running environment that the embodiment of the present invention is related to.
In the present invention, probe 10 can be flow collection equipment or other network equipments for possessing flow collection function.
As shown in figure 3, the probe 10 can include:Processor 1001, such as CPU, communication bus 1002, network interface 1003, memory 1004.Wherein, communication bus 1002 is used for realization the connection communication between these components.Network interface 1003 Standard wireline interface and wireless interface (such as WI-FI interfaces) can optionally be included.Memory 1004 can be that high-speed RAM is deposited Reservoir or the memory of stabilization (non-volatile memory), such as magnetic disk storage.Memory 1004 is optional The storage device that can also be independently of aforementioned processor 1001.
It will be understood by those skilled in the art that the hardware configuration of the probe 10 shown in Fig. 3 is not formed to probe 10 Limit, can include than illustrating more or fewer components, either combine some components or different components arrangement.
As shown in figure 3, as in a kind of memory 1004 of computer-readable recording medium can include operating system, net Network communication module and computer program, such as safe awareness program etc..Wherein, operating system be management and control probe 10 with The program of software resource, supports the operation of network communication module, safe awareness program and other programs or software.
In 10 hardware configuration of probe shown in Fig. 3, probe 10 is called in memory 1004 by processor 1001 and stored Safe awareness program, to perform following operation:
Coded communication is established with analysis platform to be connected;
From the interchanger or router of corresponding deployment, dynamic access monitors the mirror image flow of network area, for therefrom Gather particular flow rate information;
The flow information of collection is uploaded into analysis platform by encrypted communication channel, so that analysis platform carries out various dimensions pass Connection analysis, to identify security threat present in whole network, and analysis result is presented with visual means.
Further, the probe 10 calls the safe awareness program stored in memory 1004 by processor 1001, To perform following operation:
Basic detection is carried out to the flow information of collection, and the result of basis detection is uploaded into analysis platform;
Wherein, the content of basis detection includes at least following one or more:
Based on preset foundation characteristic storehouse, network attack, malicious code, Botnet are at least identified from flow information One or more in communication, malice IP, malice domain name, suspicious loophole;
Storehouse is identified based on preset base application, the application that request accesses is identified from flow information, using at least wrapping Include business related application, online application, office application;
Packet check is carried out to flow information, to identify the abnormal data carried in outgoing packet.
Further, the probe 10 calls the safe awareness program stored in memory 1004 by processor 1001, To perform following operation:
The key monitoring instruction that analysis platform issues is received, for exception IP or abnormal network determined by analysis platform Region is monitored;
Acquisition abnormity IP or the flow information in abnormal network region, and upload analysis platform.
With reference to Fig. 4, Fig. 4 is the structure diagram for the analysis platform running environment that the embodiment of the present invention is related to.
As shown in figure 4, the analysis platform 20 can include:Processor 2001, such as CPU, communication bus 2002, Yong Hujie Mouth 2003, network interface 2004, memory 2005.Wherein, the connection that communication bus 2002 is used for realization between these components is led to Letter.User interface 2003 can include display screen (Display), input unit such as keyboard (Keyboard).Network interface 2004 can optionally include standard wireline interface and wireless interface (such as WI-FI interfaces).Memory 2005 can be at a high speed RAM memory or the memory of stabilization (non-volatile memory), such as magnetic disk storage.Memory 2005 The optional storage device that can also be independently of aforementioned processor 2001.
It will be understood by those skilled in the art that the hardware configuration of the analysis platform 20 shown in Fig. 4 is not formed to analysis The restriction of platform 20, can include than illustrating more or fewer components, either combine some components or different component cloth Put.
As shown in figure 4, as in a kind of memory 2005 of computer-readable recording medium can include operating system, net Network communication module, Subscriber Interface Module SIM and computer program, such as safe awareness program etc..Wherein, operating system is management With the program of control analysis platform 20 and software resource, support network communication module, Subscriber Interface Module SIM, safe awareness program with And the operation of other programs or software;Network communication module is used to managing and controlling communication bus 2002;Subscriber Interface Module SIM is used In management and control user interface 2003.
In 20 hardware configuration of analysis platform shown in Fig. 4, network interface 2004 is mainly used for connecting wireless router, with For with each diagnosis connector into row data communication;User interface 2003 be mainly used for connect client (user terminal), with client into Row data communication;Analysis platform 20 calls the safe awareness program stored in memory 2005 by processor 2001, to perform Operate below:
Coded communication is established with probe to be connected;
Dynamic receives the flow information that probe uploads, and carries out various dimensions association analysis, to identify present in whole network Security threat;Wherein, flow information is probe from the interchanger or router of corresponding deployment, dynamic access monitoring network area Mirror image flow in collect;
Analysis result is presented with visual means.
Further, the analysis platform 20 calls the safety stored in memory 2005 to perceive journey by processor 2001 Sequence, to perform following operation:
Based on vulnerability exploit attack rule, WEB application attack rule and Intranet operation system configuration information, the whole network is distinguished The value of each networked asset in network, and according to the value of networked asset, security threat event degree of impending is assessed;
Based on vulnerability exploit attack rule, WEB application attack rule and Botnet communication behavior, host of falling is identified With Attack Scenarios;
When identifying in whole network there are during security threat event, analyzing the event type of the security threat event, and will The security threat event is associated with the event type, for carrying out event correlation presentation;
When identifying in whole network there are during security threat event, based on preset basis of coding rule, the safety is identified Whether threat event is erroneous judgement caused by coding lack of standardization, if so, then cancelling the security threat event.
Based on above-mentioned hardware configuration, each embodiment of the implementation method of proposition sensory perceptual system of the present invention.
With reference to Fig. 5, Fig. 5 is the flow diagram of the implementation method first embodiment of sensory perceptual system of the present invention.The present embodiment In, it the described method comprises the following steps:
Step S110, establishes coded communication with analysis platform and is connected;
In the present embodiment, monitoring is caused to fail to avoid monitoring data from being decrypted, therefore, probe 10 is needed in advance with dividing Analysis platform 20 establishes coded communication connection, for example establishes encrypted TCP communication connection.
Step S120, from the interchanger or router of corresponding deployment, dynamic access monitors the mirror image flow of network area, For therefrom gathering particular flow rate information;
In the present embodiment, probe 20 is preferably deployed on interchanger or router using bypass deployment way, and then can be connect Receive the mirror image data on interchanger or router, namely can place of dynamic acquisition unit administration interchanger or router place network area Mirror image flow.
In a network, mirror image is exactly by the message of designated port or meets the message of specified rule and copy to destination Mouthful, using mirror image technology, network supervision and troubleshooting can be carried out.
Optionally, monitoring network area preferably at least includes:Intranet handles official business area, area of data center, network management area, external connection Service area, wide area network access area, linking Internet area.
In the present embodiment, probe 10 possesses basic flow information acquisition capacity, supports multiple network agreement, and at least prop up The correlative flow acquisition capacity such as TCP, UDP is held, URL records and domain name record can be extracted from mirror image flow, and can be in feature thing The original message in mirror image flow is recorded based on five-tuple and two tuples (such as IP to) etc. when part triggers.
Optionally, probe 10 possesses packet check engine, and then can realize ip fragmentation restructuring, TCP flow restructuring, application layer association The function such as view identification and parsing.
Step S130, by the flow information of collection by encrypted communication channel upload analysis platform, for analysis platform into Row various dimensions association analysis, to identify security threat present in whole network, and by analysis result is in visual means It is existing.
In the present embodiment, the flow information of collection is uploaded analysis by the encrypted communication channel previously established and put down by probe 10 Platform 20, so that analysis platform 20 carries out various dimensions association analysis, to identify security threat present in whole network, and analysis is tied Fruit is presented with visual means.
In the present embodiment, the various dimensions association analysis that analysis platform 20 carries out includes at least:Context relation is analyzed, is illegal Access analysis, access association analysis, abnormal protocal analysis, abnormal behaviour analysis, the whole network flow analysis.Carry out various dimensions association point Analysis, can more comprehensively, deeper into and dynamically find potential security threat, and then lift the security performance of whole network.
In the present embodiment, multiple probes 10 are deployed in respectively on the interchanger or router of each monitoring network area, used The mirror image flow of network area is each monitored in dynamic access and therefrom gathers particular flow rate information, and by the flow information of collection Analysis platform 20 is uploaded by encrypted communication channel;And analysis platform 20 is then used to dynamically receive the flow letter that each probe uploads Breath, and carries out various dimensions association analysis, to identify security threat present in whole network, finally again by analysis result to visualize Mode is presented, and then the unified comprehensive safety situation for showing whole network.The present embodiment can be entirely square in a manner of net structure Position monitoring whole network, potential security threat present in sensing network, protects the information security of whole network.
Optionally, in one embodiment of implementation method of sensory perceptual system of the present invention, for the work for reduction analysis platform 20 Amount, reduces the bandwidth occupancy to analysis platform of transmission data band, at the same be also deeper into monitoring, it is described in the present embodiment Method further includes:
Basic detection is carried out to the flow information of collection, and the result of basis detection is uploaded into analysis platform;
Wherein, the content of basis detection includes at least following one or more:
(1) based on preset foundation characteristic storehouse, network attack, malicious code, corpse are at least identified from flow information One or more in network service, malice IP, malice domain name, suspicious loophole;
Probe 10 possesses the security threat detectability on basis, can identify common various attacks or security exception, and Effectively data are grabbed from flow information.
Probe 10 is included at least equipped with the foundation characteristic storehouse for assistant analysis flow information, the foundation characteristic storehouse:
1.1 network attack characteristic storehouses, available for the network attack in identification flow, such as IPS attacks, WAF attacks, ARP Attack, DoS/DDoS attacks etc.;
1.2 malicious code feature databases, available for malicious code common in identification flow;
1.3 Botnet feature databases, available for identification Botnet virus;
1.4 malice IP feature databases, for example scanned by IP, port scan etc., identification malice IP;
1.5 malice domain name feature databases, for example scanned by IP, port scan etc., identify malice domain name;
1.6 loophole feature databases, available for identifying various suspicious loopholes.
(2) storehouse is identified based on preset base application, the application that request accesses, the application is identified from flow information Including at least business related application, online application, office application;
(3) packet check is carried out to flow information, to identify the abnormal data carried in outgoing packet;For example note abnormalities Payload, lopsided message etc..
Further alternative, in the another embodiment of implementation method of sensory perceptual system of the present invention, probe 10 can be with analysis Platform 20 links, so that the key monitoring to suspicious region can be realized, realizes that process is as follows:
S1, receive the key monitoring instruction that analysis platform issues, for exception IP or exception determined by analysis platform Network area is monitored;
The flow information of S2, acquisition abnormity IP or abnormal network region, and upload analysis platform.
In the present embodiment, after analysis platform 20 carries out various dimensions association analysis by the flow information uploaded to probe 10 When thinking that an IP or region have exception and need key decryptor, then key monitoring instruction is issued to probe 10, for control 10 emphasis of probe gathers the IP or the flow information in region, and passes to analysis platform 20 and be further analyzed.
With reference to Fig. 6, Fig. 6 is the flow diagram of the implementation method second embodiment of sensory perceptual system of the present invention.The present embodiment In, probe 10 and the connection procedure of analysis platform 20 are as follows:
1st, probe 10 initiates connection request
Mode is established in the link address of Allocation Analysis platform 20 and connection on probe 10, and the deployment of probe 10 is good and reaches the standard grade Afterwards, actively connection request is initiated to analysis platform 20.
2nd, analysis platform 20 carries out legitimate verification to connection request
After analysis platform 20 detects the access request of probe 10, the probe 10 that analysis platform 20 needs to verify access is It is no to close rule (ratio is such as whether meet the version of fundamental importance), whether possess legal authorization, can the company of foundation if probe 10 possesses Connect.
3rd, analysis platform 20 transmits communication digital certificate
Consider for Information Security, analysis platform 20 needs to have certain coded communication energy with interacting for probe 10 Power, specifically issues communication digital certificate by analysis platform 20 after legitimate verification, and probe 10 carries out basis CRC after receiving successfully Verification, to determine whether the digital certificate is tampered.
4th, terminate current sessions, open new connection request
5th, both sides establish coded communication
The digital certificate that probe 10 is transmitted using analysis platform 20, re-initiates connection request, based on numeral by probe 10 Communication is encrypted in the cipher mode of book, builds the encrypted communication channel of interconnection.Analysis platform 20 can also be led to by the communication Instruction is assigned to probe 10 in road.
6th, probe 10 transmits gathered data to analysis platform 20 in real time
After communication to be encrypted is built successfully, the flow information that probe 10 can be gathered in real time passes through the encrypted communication channel Pass to analysis platform 20.It is flat for analyzing meanwhile probe 10 can also further transmit probe 10 equipment operation condition of itself Platform 20 is based on the operating condition and carries out management and control to probe 10.
With reference to Fig. 7, Fig. 7 is the flow diagram of the implementation method 3rd embodiment of sensory perceptual system of the present invention.The present embodiment In, it the described method comprises the following steps:
Step S210, establishes coded communication with probe and is connected;
In the present embodiment, monitoring is caused to fail to avoid monitoring data from being decrypted, therefore, probe 10 is needed in advance with dividing Analysis platform 20 establishes coded communication connection, for example establishes encrypted TCP communication connection.
Step S220, dynamic receives the flow information that probe uploads, and carries out various dimensions association analysis, to identify whole network Present in security threat;Wherein, flow information is probe from the interchanger or router of corresponding deployment, dynamic access monitoring Collected in the mirror image flow of network area;
Step S230, analysis result is presented with visual means.
Analysis platform 20 dynamically receives the flow information of the upload of probe 10, and carries out various dimensions association analysis, complete to identify Security threat present in network.
In the present embodiment, the various dimensions association analysis that analysis platform 20 carries out includes at least:Context relation is analyzed, is illegal Access analysis, access association analysis, abnormal protocal analysis, abnormal behaviour analysis, the whole network flow analysis.Carry out various dimensions association point Analysis, can more comprehensively, deeper into and dynamically find potential security threat, and then lift the security performance of whole network.
In the present embodiment, the security postures of whole network are intuitively had a clear understanding of for ease of operation maintenance personnel, therefore, analysis platform 20 Using visual means show various dimensions association analysis as a result, and then can effectively show network-wide security situation, such as with industry Business visual angle visualizes network security situation, so that operation maintenance personnel refers to and carries out Network Security Construction and the place of next step Reason.In addition, analysis platform 20 can also possess integrative analysis report function, network security problem can be periodically shown, such as, it is complete aobvious Show attack chain, various violations access, various high-risk operations, various abnormal access etc..
Optionally, analysis platform 20 possesses certain pre-alerting ability, when detect in network there are during security incident can and When early warning, notify administrator, for example sent a notification message by modes such as wechat public platform, mail, short message, phones.
Optionally, analysis platform 20 possesses UEBA (User and entity behavior analysis, user and reality Body behavioural analysis) analysis ability, it is entity based on user and server, cures basic behavioural analysis by constantly learning, and Detection is different from normal abnormal access behavior in the case of accessing, for the abnormal access in detection network.
In the present embodiment, multiple probes 10 are deployed in respectively on the interchanger or router of each monitoring network area, used The mirror image flow of network area is each monitored in dynamic access and therefrom gathers particular flow rate information, and by the flow information of collection Analysis platform 20 is uploaded by encrypted communication channel;And analysis platform 20 is then used to dynamically receive the flow letter that each probe uploads Breath, and carries out various dimensions association analysis, to identify security threat present in whole network, finally again by analysis result to visualize Mode is presented, and then the unified comprehensive safety situation for showing whole network.The present embodiment can be entirely square in a manner of net structure Position monitoring whole network, potential security threat present in sensing network, protects the information security of whole network.
It is further alternative, in one embodiment of implementation method of sensory perceptual system of the present invention, carry out various dimensions association analysis Content include at least it is following one or more:
1st, based on vulnerability exploit attack rule, WEB application attack rule and Intranet operation system configuration information, distinguish complete The value of each networked asset in network, and according to the value of networked asset, security threat event degree of impending is assessed;
Networked asset specifically includes business assets, host assets, server assets.Based on vulnerability exploit attack rule, WEB Using rule and Intranet operation system configuration information is attacked, the value of each networked asset in whole network, such as core industry are distinguished The assets value of business is higher than general business, and the assets value of backup host is less than core host.
2nd, based on vulnerability exploit attack rule, WEB application attack rule and Botnet communication behavior, master of falling is identified Machine and Attack Scenarios;
For example certain host there are C&C (Command and Control, order and control) communication behavior, then being believed that should Host is fallen by control, and corresponding Attack Scenarios are Botnet Attack Scenarios.
3rd, when identifying in whole network there are during security threat event, analyzing the event type of the security threat event, and The security threat event is associated with the event type, for carrying out event correlation presentation;
Analysis platform 20 can polymerize to repeating similar security incident, and relevant security incident is closed Connection, so that the maintenance work amoun for being a small amount of but valuable information, alleviating IT personnel for being presented to operation maintenance personnel.
4th, when identifying in whole network there are during security threat event, based on preset basis of coding rule, the peace is identified Whether full threat event is erroneous judgement caused by coding lack of standardization, if so, then cancelling the security threat event.
Analysis platform 20 possesses adaptive ability, can be identified based on preset basis of coding rule because coding lack of standardization is led The attack erroneous judgement situation of cause simultaneously excludes automatically, so as to only analyze real abnormal behaviour.
The present invention provides a kind of computer-readable recording medium applied to probe.
Storage, which haves a sense of security, in the present embodiment, on computer-readable recording medium knows program, and safe awareness program is processed Device realizes the step in first and second embodiment of implementation method of sensory perceptual system when performing.
The present invention also provides a kind of computer-readable recording medium applied to analysis platform.
Storage, which haves a sense of security, in the present embodiment, on computer-readable recording medium knows program, and safe awareness program is processed Device realizes the step in the implementation method 3rd embodiment of sensory perceptual system when performing.
Through the above description of the embodiments, those skilled in the art can be understood that above-described embodiment side Method can add the mode of required general hardware platform to realize by software, naturally it is also possible to by hardware, but in many cases The former is more preferably embodiment.Based on such understanding, technical scheme substantially in other words does the prior art Going out the part of contribution can be embodied in the form of software product, which is stored in a storage medium In (such as ROM/RAM, magnetic disc, CD), including some instructions are used so that a station terminal (can be mobile phone, computer, services Device, air conditioner, or network equipment etc.) perform method described in each embodiment of the present invention.
The embodiment of the present invention is described above in conjunction with attached drawing, but the invention is not limited in above-mentioned specific Embodiment, above-mentioned embodiment is only schematical, rather than restricted, those of ordinary skill in the art Under the enlightenment of the present invention, in the case of present inventive concept and scope of the claimed protection is not departed from, it can also make very much Form, every equivalent structure or equivalent flow shift made using description of the invention and accompanying drawing content, directly or indirectly Other related technical areas are used in, these are belonged within the protection of the present invention.

Claims (10)

1. a kind of network security sensory perceptual system, it is characterised in that the sensory perceptual system includes:
Multiple probes, are deployed on the interchanger or router of each monitoring network area, are each monitored for dynamic access respectively The mirror image flow of network area simultaneously therefrom gathers particular flow rate information;The flow information of collection is uploaded by encrypted communication channel Analysis platform;
Analysis platform, the flow information uploaded for dynamically receiving each probe, and various dimensions association analysis is carried out, to identify the whole network Security threat present in network;Analysis result is presented with visual means.
2. sensory perceptual system as claimed in claim 1, it is characterised in that the monitoring network area includes at least:Intranet handles official business Area, area of data center, network management area, external connection service area, wide area network access area, linking Internet area.
3. sensory perceptual system as claimed in claim 1 or 2, it is characterised in that the probe has management interface and data transfer Interface, the management interface is used to receive the management instruction that the analysis platform issues, for managing probe device, the data Coffret is used to upload data to the analysis platform;
The probe is at least wrapped equipped with the foundation characteristic storehouse for flow information described in assistant analysis, the foundation characteristic storehouse Include:Network attack characteristic storehouse, malicious code feature database, Botnet feature database, malice IP feature databases, malice domain name feature database, Loophole feature database.
A kind of 4. implementation method of the sensory perceptual system as any one of claims 1 to 3, it is characterised in that the method bag Include following steps:
Coded communication is established with the analysis platform to be connected;
From the interchanger or router of corresponding deployment, dynamic access monitors the mirror image flow of network area, for therefrom gathering Particular flow rate information;
The flow information of collection is uploaded into the analysis platform by encrypted communication channel, so that the analysis platform carries out multidimensional Association analysis is spent, to identify security threat present in whole network, and analysis result is presented with visual means.
5. the implementation method of sensory perceptual system as claimed in claim 4, it is characterised in that the method further includes:
Basic detection is carried out to the flow information of collection, and the result of the basis detection is uploaded into the analysis platform;
Wherein, the content of the basis detection includes at least following one or more:
Based on preset foundation characteristic storehouse, network attack, malicious code, Botnet are at least identified from the flow information One or more in communication, malice IP, malice domain name, suspicious loophole;
Storehouse is identified based on preset base application, the application that request accesses is identified from the flow information, it is described to be applied to Include business related application, online application, office application less;
Packet check is carried out to the flow information, to identify the abnormal data carried in outgoing packet.
6. the implementation method of sensory perceptual system as described in claim 4 or 5, it is characterised in that the method further includes:
The key monitoring instruction that the analysis platform issues is received, for exception IP or exception determined by the analysis platform Network area is monitored;
Acquisition abnormity IP or the flow information in abnormal network region, and upload the analysis platform.
A kind of 7. implementation method of the sensory perceptual system as any one of claims 1 to 3, it is characterised in that the method bag Include following steps:
Coded communication is established with the probe to be connected;
Dynamic receives the flow information that the probe uploads, and carries out various dimensions association analysis, to identify present in whole network Security threat;Wherein, the flow information is the probe from the interchanger or router of corresponding deployment, dynamic access monitoring Collected in the mirror image flow of network area;
Analysis result is presented with visual means.
8. the implementation method of sensory perceptual system as claimed in claim 7, it is characterised in that the progress various dimensions association analysis Content includes at least following one or more:
Based on vulnerability exploit attack rule, WEB application attack rule and Intranet operation system configuration information, distinguish in whole network The value of each networked asset, and according to the value of networked asset, security threat event degree of impending is assessed;
Host is fallen with attacking based on vulnerability exploit attack rule, WEB application attack rule and Botnet communication behavior, identification Hit scene;
When identifying in whole network there are during security threat event, the event type of the security threat event is analyzed, and this is pacified Full threat event is associated with the event type, for carrying out event correlation presentation;
When identifying in whole network there are during security threat event, based on preset basis of coding rule, the security threat is identified Whether event is erroneous judgement caused by coding lack of standardization, if so, then cancelling the security threat event.
9. a kind of computer-readable recording medium, it is characterised in that storage haves a sense of security on the computer-readable recording medium Know program, the realization side of the sensory perceptual system as described in claim 4 to 6 is realized when the safe awareness program is executed by processor The step of method.
10. a kind of computer-readable recording medium, it is characterised in that storage haves a sense of security on the computer-readable recording medium Know program, the safe awareness program realizes the realization side of sensory perceptual system as claimed in claim 7 or 8 when being executed by processor The step of method.
CN201711032879.8A 2017-10-27 2017-10-27 Network security sensory perceptual system, method and readable storage medium storing program for executing Pending CN107995162A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711032879.8A CN107995162A (en) 2017-10-27 2017-10-27 Network security sensory perceptual system, method and readable storage medium storing program for executing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711032879.8A CN107995162A (en) 2017-10-27 2017-10-27 Network security sensory perceptual system, method and readable storage medium storing program for executing

Publications (1)

Publication Number Publication Date
CN107995162A true CN107995162A (en) 2018-05-04

Family

ID=62031148

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711032879.8A Pending CN107995162A (en) 2017-10-27 2017-10-27 Network security sensory perceptual system, method and readable storage medium storing program for executing

Country Status (1)

Country Link
CN (1) CN107995162A (en)

Cited By (40)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067596A (en) * 2018-09-21 2018-12-21 南京南瑞继保电气有限公司 A kind of substation network security postures cognitive method and system
CN109444219A (en) * 2018-12-25 2019-03-08 北京食安链科技有限公司 A kind of quick detection probe of meat product nutritional quality and its detection method
CN110113350A (en) * 2019-05-15 2019-08-09 四川长虹电器股份有限公司 A kind of monitoring of Internet of things system security threat and system of defense and method
CN110120950A (en) * 2019-05-13 2019-08-13 四川长虹电器股份有限公司 It is a kind of to be impended the system and method for analysis based on Internet of Things flow
CN110138770A (en) * 2019-05-13 2019-08-16 四川长虹电器股份有限公司 One kind threatening information generation and shared system and method based on Internet of Things
CN110149307A (en) * 2019-04-03 2019-08-20 广东申立信息工程股份有限公司 A kind of IDC safety management system
CN110365709A (en) * 2019-08-09 2019-10-22 深圳永安在线科技有限公司 A kind of device based on upstream probe perception unknown network attack
CN110597690A (en) * 2019-09-16 2019-12-20 深圳力维智联技术有限公司 System behavior situation perception method, system and equipment
CN110620759A (en) * 2019-07-15 2019-12-27 公安部第一研究所 Network security event hazard index evaluation method and system based on multidimensional correlation
CN110636085A (en) * 2019-11-12 2019-12-31 ***通信集团广西有限公司 Attack detection method and device based on flow and computer readable storage medium
CN110650137A (en) * 2019-09-23 2020-01-03 煤炭科学技术研究院有限公司 Coal mine network abnormal behavior early warning method, system, equipment and readable storage medium
CN110708316A (en) * 2019-10-09 2020-01-17 杭州安恒信息技术股份有限公司 Method and system architecture for enterprise network security operation management
CN110798427A (en) * 2018-08-01 2020-02-14 深信服科技股份有限公司 Anomaly detection method, device and equipment in network security defense
CN110933099A (en) * 2019-12-09 2020-03-27 南京蓝升信息科技有限公司 Network safety data intelligent analysis system based on network probe
CN110958274A (en) * 2019-12-31 2020-04-03 深信服科技股份有限公司 Server security state detection method and device, electronic equipment and storage medium
CN111010362A (en) * 2019-03-20 2020-04-14 新华三技术有限公司 Monitoring method and device for abnormal host
CN111031050A (en) * 2019-12-16 2020-04-17 深圳市国电科技通信有限公司 Monitoring method and device for electricity consumption information acquisition system
CN111090615A (en) * 2019-12-11 2020-05-01 哈尔滨安天科技集团股份有限公司 Method and device for analyzing and processing mixed assets, electronic equipment and storage medium
CN111131294A (en) * 2019-12-30 2020-05-08 武汉英迈信息科技有限公司 Threat monitoring method, apparatus, device and storage medium
CN111147423A (en) * 2018-11-02 2020-05-12 千寻位置网络有限公司 Risk sensing method and device and monitoring system
CN111224956A (en) * 2019-12-26 2020-06-02 北京安码科技有限公司 Method, device and equipment for detecting transverse penetration in cloud computing environment and storage medium
CN111538777A (en) * 2020-03-20 2020-08-14 贵州电网有限责任公司 Enterprise intranet information safety visual display management platform
CN111538635A (en) * 2020-04-14 2020-08-14 北京宝兰德软件股份有限公司 System resource portrait generation method and device, electronic equipment and storage medium
CN111669376A (en) * 2020-05-27 2020-09-15 福建健康之路信息技术有限公司 Method and device for identifying safety risk of intranet
CN112583830A (en) * 2020-12-13 2021-03-30 北京哈工信息产业股份有限公司 Internet of things terminal network behavior protection system
CN112787836A (en) * 2019-11-07 2021-05-11 比亚迪股份有限公司 Information security network topology and method for implementing information security
CN113315760A (en) * 2021-05-13 2021-08-27 杭州木链物联网科技有限公司 Situation awareness method, system, equipment and medium based on knowledge graph
CN113472788A (en) * 2021-06-30 2021-10-01 深信服科技股份有限公司 Threat awareness method, system, equipment and computer readable storage medium
CN113489703A (en) * 2021-06-29 2021-10-08 深信服科技股份有限公司 Safety protection system
CN113726780A (en) * 2021-08-31 2021-11-30 平安科技(深圳)有限公司 Network monitoring method and device based on situation awareness and electronic equipment
CN113783876A (en) * 2021-09-13 2021-12-10 国网电子商务有限公司 Network security situation perception method based on graph neural network and related equipment
CN114039777A (en) * 2021-11-09 2022-02-11 国家工业信息安全发展研究中心 Intelligent threat perception method
CN114039900A (en) * 2021-11-03 2022-02-11 北京德塔精要信息技术有限公司 Efficient network data packet protocol analysis method and system
CN114301659A (en) * 2021-12-24 2022-04-08 中国电信股份有限公司 Network attack early warning method, system, device and storage medium
CN114301709A (en) * 2021-12-30 2022-04-08 山石网科通信技术股份有限公司 Message processing method and device, storage medium and processor
CN114499927A (en) * 2021-12-13 2022-05-13 航天信息股份有限公司 Network security processing method and system under hybrid cloud environment
CN114640548A (en) * 2022-05-18 2022-06-17 宁波市镇海区大数据投资发展有限公司 Network security sensing and early warning method and system based on big data
CN114666249A (en) * 2020-12-03 2022-06-24 腾讯科技(深圳)有限公司 Traffic collection method and device on cloud platform and computer-readable storage medium
CN114760117A (en) * 2022-03-30 2022-07-15 深信服科技股份有限公司 Data acquisition method and device and electronic equipment
CN115021974A (en) * 2022-05-13 2022-09-06 华东师范大学 Local area network security probe equipment set

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101605074A (en) * 2009-07-06 2009-12-16 中国人民解放军信息技术安全研究中心 The method and system of communication behavioural characteristic monitoring wooden horse Network Based
US20140101305A1 (en) * 2012-10-09 2014-04-10 Bruce A. Kelley, Jr. System And Method For Real-Time Load Balancing Of Network Packets
CN104753946A (en) * 2015-04-01 2015-07-01 浪潮电子信息产业股份有限公司 Security analysis framework based on network traffic meta data
CN106656991A (en) * 2016-10-28 2017-05-10 上海百太信息科技有限公司 Network threat detection system and detection method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101605074A (en) * 2009-07-06 2009-12-16 中国人民解放军信息技术安全研究中心 The method and system of communication behavioural characteristic monitoring wooden horse Network Based
US20140101305A1 (en) * 2012-10-09 2014-04-10 Bruce A. Kelley, Jr. System And Method For Real-Time Load Balancing Of Network Packets
CN104753946A (en) * 2015-04-01 2015-07-01 浪潮电子信息产业股份有限公司 Security analysis framework based on network traffic meta data
CN106656991A (en) * 2016-10-28 2017-05-10 上海百太信息科技有限公司 Network threat detection system and detection method

Cited By (55)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110798427A (en) * 2018-08-01 2020-02-14 深信服科技股份有限公司 Anomaly detection method, device and equipment in network security defense
CN109067596B (en) * 2018-09-21 2021-12-10 南京南瑞继保电气有限公司 Substation network security situation sensing method and system
CN109067596A (en) * 2018-09-21 2018-12-21 南京南瑞继保电气有限公司 A kind of substation network security postures cognitive method and system
CN111147423A (en) * 2018-11-02 2020-05-12 千寻位置网络有限公司 Risk sensing method and device and monitoring system
CN109444219A (en) * 2018-12-25 2019-03-08 北京食安链科技有限公司 A kind of quick detection probe of meat product nutritional quality and its detection method
CN111010362B (en) * 2019-03-20 2021-09-21 新华三技术有限公司 Monitoring method and device for abnormal host
CN111010362A (en) * 2019-03-20 2020-04-14 新华三技术有限公司 Monitoring method and device for abnormal host
CN110149307A (en) * 2019-04-03 2019-08-20 广东申立信息工程股份有限公司 A kind of IDC safety management system
CN110138770B (en) * 2019-05-13 2021-08-06 四川长虹电器股份有限公司 Threat information generation and sharing system and method based on Internet of things
CN110120950A (en) * 2019-05-13 2019-08-13 四川长虹电器股份有限公司 It is a kind of to be impended the system and method for analysis based on Internet of Things flow
CN110138770A (en) * 2019-05-13 2019-08-16 四川长虹电器股份有限公司 One kind threatening information generation and shared system and method based on Internet of Things
CN110113350B (en) * 2019-05-15 2021-04-02 四川长虹电器股份有限公司 Internet of things system security threat monitoring and defense system and method
CN110113350A (en) * 2019-05-15 2019-08-09 四川长虹电器股份有限公司 A kind of monitoring of Internet of things system security threat and system of defense and method
CN110620759B (en) * 2019-07-15 2023-05-16 公安部第一研究所 Multi-dimensional association-based network security event hazard index evaluation method and system
CN110620759A (en) * 2019-07-15 2019-12-27 公安部第一研究所 Network security event hazard index evaluation method and system based on multidimensional correlation
CN110365709A (en) * 2019-08-09 2019-10-22 深圳永安在线科技有限公司 A kind of device based on upstream probe perception unknown network attack
CN110365709B (en) * 2019-08-09 2021-07-20 深圳永安在线科技有限公司 Device for sensing unknown network attack behavior based on upstream probe
CN110597690A (en) * 2019-09-16 2019-12-20 深圳力维智联技术有限公司 System behavior situation perception method, system and equipment
CN110650137A (en) * 2019-09-23 2020-01-03 煤炭科学技术研究院有限公司 Coal mine network abnormal behavior early warning method, system, equipment and readable storage medium
CN110708316A (en) * 2019-10-09 2020-01-17 杭州安恒信息技术股份有限公司 Method and system architecture for enterprise network security operation management
CN112787836A (en) * 2019-11-07 2021-05-11 比亚迪股份有限公司 Information security network topology and method for implementing information security
CN110636085A (en) * 2019-11-12 2019-12-31 ***通信集团广西有限公司 Attack detection method and device based on flow and computer readable storage medium
CN110933099A (en) * 2019-12-09 2020-03-27 南京蓝升信息科技有限公司 Network safety data intelligent analysis system based on network probe
CN111090615A (en) * 2019-12-11 2020-05-01 哈尔滨安天科技集团股份有限公司 Method and device for analyzing and processing mixed assets, electronic equipment and storage medium
CN111031050A (en) * 2019-12-16 2020-04-17 深圳市国电科技通信有限公司 Monitoring method and device for electricity consumption information acquisition system
CN111224956A (en) * 2019-12-26 2020-06-02 北京安码科技有限公司 Method, device and equipment for detecting transverse penetration in cloud computing environment and storage medium
CN111131294A (en) * 2019-12-30 2020-05-08 武汉英迈信息科技有限公司 Threat monitoring method, apparatus, device and storage medium
CN110958274A (en) * 2019-12-31 2020-04-03 深信服科技股份有限公司 Server security state detection method and device, electronic equipment and storage medium
CN111538777A (en) * 2020-03-20 2020-08-14 贵州电网有限责任公司 Enterprise intranet information safety visual display management platform
CN111538635A (en) * 2020-04-14 2020-08-14 北京宝兰德软件股份有限公司 System resource portrait generation method and device, electronic equipment and storage medium
CN111538635B (en) * 2020-04-14 2023-11-17 北京宝兰德软件股份有限公司 System resource portrait generation method, device, electronic equipment and storage medium
CN111669376A (en) * 2020-05-27 2020-09-15 福建健康之路信息技术有限公司 Method and device for identifying safety risk of intranet
CN114666249A (en) * 2020-12-03 2022-06-24 腾讯科技(深圳)有限公司 Traffic collection method and device on cloud platform and computer-readable storage medium
CN114666249B (en) * 2020-12-03 2023-07-07 腾讯科技(深圳)有限公司 Traffic collection method and equipment on cloud platform and computer readable storage medium
CN112583830A (en) * 2020-12-13 2021-03-30 北京哈工信息产业股份有限公司 Internet of things terminal network behavior protection system
CN113315760A (en) * 2021-05-13 2021-08-27 杭州木链物联网科技有限公司 Situation awareness method, system, equipment and medium based on knowledge graph
CN113489703A (en) * 2021-06-29 2021-10-08 深信服科技股份有限公司 Safety protection system
CN113472788A (en) * 2021-06-30 2021-10-01 深信服科技股份有限公司 Threat awareness method, system, equipment and computer readable storage medium
CN113472788B (en) * 2021-06-30 2023-09-08 深信服科技股份有限公司 Threat perception method, threat perception system, threat perception equipment and computer-readable storage medium
CN113726780B (en) * 2021-08-31 2022-10-11 平安科技(深圳)有限公司 Network monitoring method and device based on situation awareness and electronic equipment
CN113726780A (en) * 2021-08-31 2021-11-30 平安科技(深圳)有限公司 Network monitoring method and device based on situation awareness and electronic equipment
CN113783876B (en) * 2021-09-13 2023-10-03 国网数字科技控股有限公司 Network security situation awareness method based on graph neural network and related equipment
CN113783876A (en) * 2021-09-13 2021-12-10 国网电子商务有限公司 Network security situation perception method based on graph neural network and related equipment
CN114039900A (en) * 2021-11-03 2022-02-11 北京德塔精要信息技术有限公司 Efficient network data packet protocol analysis method and system
CN114039777B (en) * 2021-11-09 2022-09-20 国家工业信息安全发展研究中心 Intelligent threat perception method
CN114039777A (en) * 2021-11-09 2022-02-11 国家工业信息安全发展研究中心 Intelligent threat perception method
CN114499927A (en) * 2021-12-13 2022-05-13 航天信息股份有限公司 Network security processing method and system under hybrid cloud environment
CN114301659A (en) * 2021-12-24 2022-04-08 中国电信股份有限公司 Network attack early warning method, system, device and storage medium
CN114301659B (en) * 2021-12-24 2024-04-05 中国电信股份有限公司 Network attack early warning method, system, equipment and storage medium
CN114301709A (en) * 2021-12-30 2022-04-08 山石网科通信技术股份有限公司 Message processing method and device, storage medium and processor
CN114301709B (en) * 2021-12-30 2024-04-02 山石网科通信技术股份有限公司 Message processing method and device, storage medium and computing equipment
CN114760117A (en) * 2022-03-30 2022-07-15 深信服科技股份有限公司 Data acquisition method and device and electronic equipment
CN115021974A (en) * 2022-05-13 2022-09-06 华东师范大学 Local area network security probe equipment set
CN115021974B (en) * 2022-05-13 2023-09-08 华东师范大学 Local area network safety probe equipment set
CN114640548A (en) * 2022-05-18 2022-06-17 宁波市镇海区大数据投资发展有限公司 Network security sensing and early warning method and system based on big data

Similar Documents

Publication Publication Date Title
CN107995162A (en) Network security sensory perceptual system, method and readable storage medium storing program for executing
Pilli et al. Network forensic frameworks: Survey and research challenges
Lakkaraju et al. NVisionIP: netflow visualizations of system state for security situational awareness
Zhang et al. Detecting backdoors
US8056130B1 (en) Real time monitoring and analysis of events from multiple network security devices
US8176527B1 (en) Correlation engine with support for time-based rules
US7607169B1 (en) User interface for network security console
CN108289088A (en) Abnormal traffic detection system and method based on business model
CN114679338A (en) Network risk assessment method based on network security situation awareness
Pilli et al. A generic framework for network forensics
Sibiya et al. Digital forensic framework for a cloud environment
DE10249887A1 (en) Process, computer-readable medium and node for a three-layer burglary prevention system for the detection of network exploitation
CN106656922A (en) Flow analysis based protective method and device against network attack
CN109495423A (en) A kind of method and system preventing network attack
JPWO2014129587A1 (en) Network monitoring device, network monitoring method, and network monitoring program
CN107347047A (en) Attack guarding method and device
Lahre et al. Analyze different approaches for ids using kdd 99 data set
Kaushik et al. Network forensic system for port scanning attack
CN115134099B (en) Network attack behavior analysis method and device based on full flow
CN110035062A (en) A kind of network inspection method and apparatus
CN113411295A (en) Role-based access control situation awareness defense method and system
Saputra et al. Network forensics analysis of man in the middle attack using live forensics method
CN110365673B (en) Method, server and system for isolating network attack plane
CN113411297A (en) Situation awareness defense method and system based on attribute access control
JP5752020B2 (en) Attack countermeasure device, attack countermeasure method, and attack countermeasure program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20180504