CN109462621A - Network safety protective method, device and electronic equipment - Google Patents


Info

Publication number
CN109462621A
Authority
CN
China
Legal status
Pending
Application number
CN201910025311.6A
Other languages
Chinese (zh)
Inventor
张超
蒋正威
梁野
金学奇
苏达
陶涛
章立宗
佟志鑫
卢巍
刘锦利
徐红泉
李航
张锋明
马志勇
章杜锡
张嵩
刘壮
王春艳
Current Assignee
State Grid Zhejiang Electric Power Co Ltd
Beijing Kedong Electric Power Control System Co Ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
State Grid Zhejiang Electric Power Co Ltd
Beijing Kedong Electric Power Control System Co Ltd
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Managing network security; network security policies in general
    • H04L63/205 Involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L63/14 Detecting or protecting against malicious traffic
    • H04L63/1408 By monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The present invention provides a network security protection method, device and electronic equipment. The method comprises: a network security protection device sends a data collection request to a protected device and then receives the data response information that the protected device returns according to the data collection request; the traffic data and security event data contained in the response are compared and analysed against standard information to obtain a comparison result; and when the comparison result indicates that an abnormal event exists, the communication of the abnormal event is blocked. The network security protection device of the invention can collect data actively; in addition, because the returned data response information contains traffic data, traffic anomalies can be monitored, which improves the precision of monitoring; and when an abnormal event is determined to exist, its communication can be blocked. This alleviates the technical problems of the existing network security protection mode, which can only receive data passively, has a high false alarm rate and lacks security protection.

Description

Network safety protective method, device and electronic equipment
Technical field
The present invention relates to the technical field of network communication, and in particular to a network security protection method, device and electronic equipment.
Background technique
As shown in Figure 1, in the existing network security management system a network security monitoring device is deployed on site at the station level. It collects and processes the network security data of the equipment in its own area (including the dispatching and control institution, plant and substation distribution, load control and other monitoring systems), and sends the processing results, according to the agreed communication protocol and over the communication channel, to the network security supervision platform deployed at the dispatching institution.
The specific implementation process is as follows. A monitoring system client program is installed on every protected device (including host equipment, network equipment, security devices, firewalls, etc.). Based on this client program, the protected device initiates a connection request to the network security monitoring device, so that the protected device and the network security monitoring device establish a TCP connection, and the protected device then sends network security data to the network security monitoring device. For example, a host sends network security data such as all operating-system-level user logins, operation information, peripheral access information (keyboard, mouse and in particular removable storage devices) and network external connections; network equipment sends network security data such as switch configuration changes, traffic information and network interface states; a security device sends network security data such as the operating state, security events and configuration changes of the lateral isolation device; and a firewall sends network security data such as the operating state, security events, policy changes and device anomalies of the plant or substation firewall. After receiving the above network security data, the network security monitoring device performs simple processing on it and sends the processed network security data to the network security supervision platform, which performs further security analysis (for example, analysis of events such as changes to critical host files, changes to user permissions and risky operations) and issues a security early warning when the analysis finds a security event (including illegal network external connection alarms for host equipment, accesses that violate the security policy and are intercepted by longitudinal encryption, isolation and firewall devices, CPU utilisation threshold-crossing alarms, illegal device access alarms, peripheral configuration alarms, user abnormal-operation alarms, etc.).
From the description of the existing network security management system it can be seen that network security data is collected by a packet capture mechanism (that is, by installing a monitoring system client program on every protected device). This method has two problems. First, it passively receives the network security data sent by the protected device and lacks monitoring initiative; moreover, installing the client program on the protected device imposes an additional burden on it, makes upgrading and maintenance of the protected device inconvenient, and has poor security. Second, data analysis efficiency is low (a pattern matching algorithm or a fast pattern matching algorithm is generally used, and matching of feature strings is very time-consuming). In addition, traffic anomalies are not taken into account during security analysis, so the false alarm rate is high; and the whole process only issues security early warnings, so effective security protection cannot be achieved.
In summary, the existing network security protection mode has the technical problems of passive reception, a high false alarm rate and a lack of security protection.
Summary of the invention
In view of this, the purpose of the present invention is to provide a network security protection method, device and electronic equipment, so as to alleviate the technical problems of the existing network security protection mode, namely passive reception, a high false alarm rate and a lack of security protection.
In a first aspect, an embodiment of the invention provides a network security protection method applied to a network security protection device, comprising:
sending a data collection request to a protected device, wherein the data collection request carries information on the network security data to be collected;
receiving the data response information returned by the protected device according to the data collection request, wherein the data response information includes the network security data collected by the protected device and response state information, and the network security data includes traffic data and security event data;
comparing and analysing the traffic data and the security event data against standard information to obtain a comparison result;
when the comparison result indicates that an abnormal event exists, blocking the communication of the abnormal event, wherein the abnormal event includes at least: a network illegal external connection event and an illegal device access event.
With reference to the first aspect, an embodiment of the invention provides a first possible implementation of the first aspect, wherein before sending the data collection request to the protected device the method further includes:
establishing a communication connection with the protected device.
With reference to the first aspect, an embodiment of the invention provides a second possible implementation of the first aspect, wherein establishing the communication connection with the protected device includes:
sending a connection establishment request to the protected device;
receiving the connection response information returned by the protected device according to the connection establishment request.
With reference to the first aspect, an embodiment of the invention provides a third possible implementation of the first aspect, wherein comparing and analysing the traffic data and the security event data against the standard information to obtain the comparison result includes:
extracting a traffic data sample from the traffic data and the security event data using a statistical analysis method;
comparing the traffic data sample with the normal traffic information in the standard information;
if the traffic data sample matches the normal traffic information, determining that no abnormal event exists;
if the traffic data sample does not match the normal traffic information, determining that an abnormal event exists.
With reference to the first aspect, an embodiment of the invention provides a fourth possible implementation of the first aspect, wherein comparing and analysing the traffic data and the security event data against the standard information to obtain the comparison result includes:
extracting MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method;
comparing the MAC address information and/or IP address information with the whitelist information in the standard information, wherein the whitelist information includes standard MAC address information and standard IP address information;
if the MAC address information and/or IP address information matches the whitelist information, determining that no abnormal event exists;
if the MAC address information and/or IP address information does not match the whitelist information, determining that an abnormal event exists.
With reference to the first aspect, an embodiment of the invention provides a fifth possible implementation of the first aspect, wherein blocking the communication of the abnormal event includes:
determining the abnormal-behaviour device according to the network security data corresponding to the abnormal event;
blocking the abnormal-behaviour device.
With reference to the first aspect, an embodiment of the invention provides a sixth possible implementation of the first aspect, wherein blocking the abnormal-behaviour device includes:
sending a packet with the RST flag set to a target device, so that the target device closes the target communication link according to the RST-flagged packet, wherein the target device is the device communicating with the abnormal-behaviour device and the target communication link is the communication link over which it communicates with the abnormal-behaviour device;
Alternatively,
sending, to the switch among the protected devices, information to close the port corresponding to the abnormal-behaviour device, so that the switch cuts off the communication link with the abnormal-behaviour device.
In a second aspect, an embodiment of the invention also provides a network security protection device, comprising:
a sending module, configured to send a data collection request to a protected device, wherein the data collection request carries information on the network security data to be collected;
a receiving module, configured to receive the data response information returned by the protected device according to the data collection request, wherein the data response information includes the network security data collected by the protected device and response state information, and the network security data includes traffic data and security event data;
a comparison analysis module, configured to compare and analyse the traffic data and the security event data against standard information to obtain a comparison result;
an exception processing module, configured to block the communication of the abnormal event when the comparison result indicates that an abnormal event exists, wherein the abnormal event includes at least: a network illegal external connection event and an illegal device access event.
With reference to the second aspect, an embodiment of the invention provides a first possible implementation of the second aspect, wherein the device further includes:
a connection establishment module, configured to establish a communication connection with the protected device.
In a third aspect, an embodiment of the invention provides an electronic device including a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the method of any one of the implementations of the first aspect.
The embodiments of the invention bring the following beneficial effects:
In the embodiments of the invention, the network security protection device can actively send a data collection request to the protected device and then receive the data response information that the protected device returns according to the data collection request; it then compares and analyses the traffic data and security event data contained therein against standard information to obtain a comparison result; and when the comparison result indicates that an abnormal event exists, it blocks the communication of the abnormal event. As can be seen from the above description, in the embodiments of the invention the network security protection device can actively send the data collection request to the protected device, that is, it can collect data actively, without installing an additional security program on the protected device, which reduces the burden on the protected device. In addition, because the returned data response information contains traffic data, traffic anomalies can be monitored, improving the precision of monitoring. At the same time, when an abnormal event is determined to exist, its communication can be blocked. This alleviates the technical problems of the existing network security protection mode, which can only receive data passively, has a high false alarm rate and lacks security protection.
Other features and advantages of the invention will be set out in the following description, will partly become apparent from the description, or will be understood by implementing the invention. The objectives and other advantages of the invention are realised and obtained by the structures particularly pointed out in the description, the claims and the drawings.
To make the above objectives, features and advantages of the invention clearer and more comprehensible, preferred embodiments are described in detail below with reference to the accompanying drawings.
Detailed description of the invention
In order to more clearly illustrate the specific embodiments of the invention or the technical solutions in the prior art, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic structural diagram of a network security management system provided by an embodiment of the invention;
Fig. 2 is a flow chart of a network security protection method provided by an embodiment of the invention;
Fig. 3 is a flow chart, provided by an embodiment of the invention, of comparing and analysing traffic data and security event data against standard information;
Fig. 4 is another flow chart, provided by an embodiment of the invention, of comparing and analysing traffic data and security event data against standard information;
Fig. 5 is a schematic diagram of a network security protection device provided by an embodiment of the invention.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the invention are described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are some, rather than all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
Embodiment one:
According to an embodiment of the invention, an embodiment of a network security protection method is provided. It should be noted that the steps illustrated in the flow charts of the drawings can be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flow charts, in some cases the steps shown or described can be executed in an order different from the one shown here.
Fig. 2 is a flow chart of a network security protection method according to an embodiment of the invention. As shown in Fig. 2, the method includes the following steps:
Step S202: send a data collection request to a protected device, wherein the data collection request carries information on the network security data to be collected;
In an embodiment of the invention, the executing subject of the network security protection method can be a network security protection device. An agent program is deployed on the network security protection device in advance; after deployment is complete, the agent program can execute the steps of the network security protection method of the invention.
Specifically, the protected devices include host equipment, network equipment, security devices, firewalls, switches, network security monitoring components and so on; the embodiment of the invention places no specific restriction on the protected devices.
In addition, the network security protection device of the invention can actively send a data collection request to the protected device (in a sniffing manner). The data collection request carries information on the network security data to be collected, that is, information on which data needs to be collected.
It should be noted that when the network security protection device sends the data collection request to the protected device, it specifically sends the data collection request to the protected device corresponding to a preset IP address.
Step S204: receive the data response information returned by the protected device according to the data collection request, wherein the data response information includes the network security data collected by the protected device and response state information, and the network security data includes traffic data and security event data;
Specifically, after receiving the data collection request, the protected device can return data response information according to the request. The network security protection device thus obtains the data response information and can analyse it further.
Traffic data refers to data related to traffic, for example traffic usage data; security event data refers to data related to security events, for example switch configuration change data and operating state data of the lateral isolation device.
It should be noted that the network security data includes at least: host name, program name, version number, time and count.
Step S206: compare and analyse the traffic data and the security event data against standard information to obtain a comparison result;
After the traffic data and the security event data are obtained, they are compared and analysed against the standard information. The specific comparison process is described in detail below and is not repeated here.
Step S208: when the comparison result indicates that an abnormal event exists, block the communication of the abnormal event, wherein the abnormal event includes at least: a network illegal external connection event and an illegal device access event.
In an embodiment of the invention, the network security protection device can actively send a data collection request to the protected device and then receive the data response information that the protected device returns according to the data collection request; it then compares and analyses the traffic data and security event data contained therein against standard information to obtain a comparison result; and when the comparison result indicates that an abnormal event exists, it blocks the communication of the abnormal event. As can be seen from the above description, in the embodiment of the invention the network security protection device can actively send the data collection request to the protected device, that is, it can collect data actively, without installing an additional security program on the protected device, which reduces the burden on the protected device. In addition, because the returned data response information contains traffic data, traffic anomalies can be monitored, improving the precision of monitoring. At the same time, when an abnormal event is determined to exist, its communication can be blocked. This alleviates the technical problems of the existing network security protection mode, which can only receive data passively, has a high false alarm rate and lacks security protection.
In addition, before sending the data collection request to the protected device, the method further includes:
establishing a communication connection with the protected device.
Specifically: 1) send a connection establishment request to the protected device; 2) receive the connection response information returned by the protected device according to the connection establishment request.
When the connection establishment request is sent, a monitored item list can be obtained, and the data that needs to be collected is determined according to the monitored item list. For example, the agent program on the network security protection device opens a TCP connection and sends a connection establishment request to the protected device at the preset IP address; after receiving the request, the protected device returns connection response information according to it. The connection response information includes the connection result information and the monitored item list, and the monitored item list includes attributes such as key, delay, lastlogsize and time. In this way the communication connection with the protected device is established, after which the agent program closes the TCP connection.
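The exchange described above, as an added example that is not part of the patent: the agent opens a connection, sends a connection establishment request, receives the connection result and monitored item list (key, delay, lastlogsize, time), closes, and later sends a data collection request naming the keys to collect and receives the network security data with its response state. The length-prefixed JSON wire format, the message field names and all sample values are assumptions; `socket.socketpair()` stands in for the TCP connection to the preset IP address.

```python
import json
import socket
import struct
import threading

# Wire format (an assumption; the patent does not specify one): each message is
# a 4-byte big-endian length prefix followed by a UTF-8 JSON object.
def encode_message(msg):
    body = json.dumps(msg, sort_keys=True).encode("utf-8")
    return struct.pack("!I", len(body)) + body

def _recv_exactly(sock, n):
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed the connection")
        buf += part
    return buf

def recv_message(sock):
    (length,) = struct.unpack("!I", _recv_exactly(sock, 4))
    return json.loads(_recv_exactly(sock, length).decode("utf-8"))

# Constructed monitored item list offered by the protected device: the patent names
# the attributes key, delay, lastlogsize and time; the values here are made up.
DEVICE_MONITORED_ITEMS = [
    {"key": "net.traffic", "delay": 60, "lastlogsize": 0, "time": 1546300800},
    {"key": "security.events", "delay": 60, "lastlogsize": 4096, "time": 1546300800},
]

# Constructed network security data the device would collect for each key.
DEVICE_DATA = {
    "net.traffic": {"bytes_in": 120000, "bytes_out": 3400},
    "security.events": [{"event": "config_change", "source": "switch-1"}],
}

def protected_device_handle(request):
    """Protected-device side: answer a connection request or a data collection request."""
    if request.get("type") == "connect":
        return {"type": "connect_ack", "result": "ok",
                "monitored_items": DEVICE_MONITORED_ITEMS}
    if request.get("type") == "collect":
        wanted = request.get("keys", [])
        unknown = [k for k in wanted if k not in DEVICE_DATA]
        data = {k: DEVICE_DATA[k] for k in wanted if k in DEVICE_DATA}
        return {"type": "collect_ack",
                # fields the patent lists as always present in network security data
                "host": "host-01", "program": "secmon-agent", "version": "1.0",
                "time": 1546300860, "count": len(data),
                "network_security_data": data,
                # response state information: "ok" unless some key was not collectable
                "response_state": "ok" if not unknown else "partial",
                "unknown_keys": unknown}
    return {"type": "error", "response_state": "unsupported_request"}

def serve_device(sock):
    """Run the protected-device side until the agent closes the connection."""
    try:
        while True:
            sock.sendall(encode_message(protected_device_handle(recv_message(sock))))
    except (ConnectionError, OSError):
        pass
    finally:
        sock.close()

def _session(request):
    """Agent side: open a connection, send one request, read one response, close."""
    agent_sock, device_sock = socket.socketpair()
    worker = threading.Thread(target=serve_device, args=(device_sock,), daemon=True)
    worker.start()
    try:
        agent_sock.sendall(encode_message(request))
        return recv_message(agent_sock)
    finally:
        agent_sock.close()
        worker.join(timeout=2)

def establish_connection():
    """Connection establishment step: learn the monitored item list, then close."""
    ack = _session({"type": "connect"})
    if ack.get("result") != "ok":
        raise RuntimeError("connection establishment failed: %r" % ack)
    return ack

def collect(keys):
    """Data collection request carrying which data to collect; returns the response."""
    return _session({"type": "collect", "keys": list(keys)})

def poll_protected_device():
    """Full cycle: establish the connection, then collect every monitored item."""
    ack = establish_connection()
    return collect(item["key"] for item in ack["monitored_items"])

if __name__ == "__main__":
    print(json.dumps(poll_protected_device(), indent=2))
```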
The above is a brief introduction to the network security protection method of the invention; the specific content involved is described in detail below.
In an alternative embodiment of the invention, with reference to Fig. 3, step S206, comparing and analysing the traffic data and the security event data against the standard information to obtain the comparison result, includes:
Step S301: extract a traffic data sample from the traffic data and the security event data using a statistical analysis method;
Traffic analysis can have a good detection effect on novel network attack means and network worms. It can greatly reduce the possibility of missed reports caused by unfamiliarity with the attack means, locate the attack source before serious damage occurs, and reduce network losses to a minimum.
Specifically, the traffic data is part of the exchange data provided by the switch. After the exchange data is obtained, a traffic data sample is extracted from it (that is, from the network security data of the invention, which contains traffic data and security event data) using a statistical analysis method.
Step S302: compare the traffic data sample with the normal traffic information in the standard information;
Specifically, the distribution characteristics of the traffic data sample are compared with the normal traffic information in the standard information to judge whether a traffic change has occurred. The common network protocols mainly include SMTP, FTP, ICMP and so on.
Step S303: if the traffic data sample matches the normal traffic information, determine that no abnormal event exists;
Step S304: if the traffic data sample does not match the normal traffic information, determine that an abnormal event exists.
An explanation by example follows. Suppose the value of the normal traffic information is 0.5, and continuous monitoring now yields a traffic data sample value exceeding 1, which matches the network traffic characteristics of the initial stage of a certain virus; that is, a traffic anomaly has occurred and an abnormal event exists. Otherwise, no abnormal event exists.
In another alternative embodiment of the invention, with reference to Fig. 4, step S206, comparing and analysing the traffic data and the security event data against the standard information to obtain the comparison result, includes:
Step S401: extract MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method;
Step S402: compare the MAC address information and/or IP address information with the whitelist information in the standard information, wherein the whitelist information includes standard MAC address information and standard IP address information;
Step S403: if the MAC address information and/or IP address information matches the whitelist information, determine that no abnormal event exists;
Step S404: if the MAC address information and/or IP address information does not match the whitelist information, determine that an abnormal event exists.
In an alternative embodiment of the invention, blocking the communication of the abnormal event includes:
(1) determining the abnormal-behaviour device according to the network security data corresponding to the abnormal event;
For example, after traffic analysis determines that an abnormal event exists, the traffic data samples corresponding to the abnormal event are screened to obtain the traffic count of each IP address, and the abnormal-behaviour device is determined from the IP address with the larger traffic according to the statistical analysis method; that is, the abnormal-behaviour device is determined according to the IP address of the traffic data sample corresponding to the abnormal event;
For another example, if a MAC address is not in the whitelist, it is determined that an abnormal event exists, and the device corresponding to that MAC address is the abnormal-behaviour device.
(2) blocking the abnormal-behaviour device.
Specifically, a packet with the RST flag set is sent to the target device, so that the target device closes the target communication link according to the RST-flagged packet, wherein the target device is the device communicating with the abnormal-behaviour device and the target communication link is the communication link over which it communicates with the abnormal-behaviour device;
For example, taking the TCP protocol, to block the communication of the abnormal event a packet with the RST flag set, including the source address, destination address and port numbers of the device, can be sent to the target device; after receiving the RST-flagged packet, the target device considers that an exception has occurred at its communication peer and closes the communication link immediately.
Alternatively,
information to close the port corresponding to the abnormal-behaviour device is sent to the switch among the protected devices, so that the switch cuts off the communication link with the abnormal-behaviour device.
As can be seen from the above description, of the two modes one is link blocking and the other is interface disabling; the invention places no specific restriction on the implementation.
Based on the characteristics of electric power monitoring systems, the invention develops a network security protection device for electric power monitoring systems. It is deployed according to a three-level logical architecture of self-perception, independent collection and distributed processing under unified control, with emphasis on active security monitoring of user behaviour, and it effectively perceives network illegal external connections, illegal device access and the like. It is a high-order security protection means that fills an important gap in the network security protection of electric power enterprises.
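The comparison and blocking logic of steps S301 to S304, S401 to S404 and S208 run over a constructed data response, as an added example that is not part of the patent. The record layout, the whitelist, the per-source byte baseline used to turn byte counts into a sample value, and the assumption that a sample above the normal traffic level (0.5, the patent's example figure) is an anomaly are all assumptions; the result is a list of blocking decisions (RST to the peer link, or switch port closure), and nothing is sent on the network.

```python
from collections import Counter

# Constructed data response from one protected switch (not data from the patent):
# per-flow traffic records and device-access security events carrying MAC/IP.
SAMPLE_RESPONSE = {
    "host": "switch-1",
    "traffic_data": [
        {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 502, "bytes": 12000},
        {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.21", "dst_port": 502, "bytes": 11000},
        {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.20", "dst_port": 102, "bytes": 800},
        {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.20", "dst_port": 102, "bytes": 600},
    ],
    "security_events": [
        {"type": "device_access", "mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.7", "port": 3},
        {"type": "device_access", "mac": "aa:bb:cc:00:00:99", "ip": "10.0.0.31", "port": 12},
    ],
}

# Standard information (constructed): the normal traffic level from the patent's
# worked example (0.5) and a MAC/IP whitelist.
STANDARD_INFO = {
    "normal_traffic": 0.5,
    "whitelist_macs": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "whitelist_ips": {"10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.20", "10.0.0.21"},
}

# Assumption: a sample value is a source's bytes per interval divided by this baseline.
BASELINE_BYTES = 10000

def extract_traffic_samples(response, baseline_bytes=BASELINE_BYTES):
    """Step S301: per-source-IP traffic sample by simple statistics (sum per source)."""
    totals = Counter()
    for rec in response["traffic_data"]:
        totals[rec["src_ip"]] += rec["bytes"]
    return {ip: total / baseline_bytes for ip, total in totals.items()}

def traffic_anomalies(samples, normal_traffic):
    """Steps S302 to S304: a sample above the normal traffic level is an abnormal event."""
    return {ip: value for ip, value in samples.items() if value > normal_traffic}

def whitelist_anomalies(response, standard):
    """Steps S401 to S404: a MAC or IP absent from the whitelist is an abnormal event."""
    return [ev for ev in response["security_events"]
            if ev["mac"] not in standard["whitelist_macs"]
            or ev["ip"] not in standard["whitelist_ips"]]

def blocking_decisions(response, standard, baseline_bytes=BASELINE_BYTES):
    """Step S208: decide what to block. Returns action records only; nothing is sent."""
    decisions = []
    samples = extract_traffic_samples(response, baseline_bytes)
    anomalous = traffic_anomalies(samples, standard["normal_traffic"])
    if anomalous:
        # Abnormal-behaviour device: the anomalous IP with the largest traffic.
        culprit = max(anomalous, key=anomalous.get)
        # Link blocking: one RST action per target device link with the culprit.
        for rec in response["traffic_data"]:
            if rec["src_ip"] == culprit:
                decisions.append({
                    "action": "send_rst", "target_device": rec["dst_ip"],
                    "link": (culprit, rec["dst_ip"], rec["dst_port"]),
                    "reason": "traffic_anomaly", "sample": round(samples[culprit], 2),
                })
    # Interface disabling: close the switch port of each non-whitelisted device.
    for ev in whitelist_anomalies(response, standard):
        decisions.append({
            "action": "close_switch_port", "switch": response["host"],
            "port": ev["port"], "device_mac": ev["mac"],
            "reason": "illegal_device_access",
        })
    return decisions

if __name__ == "__main__":
    for decision in blocking_decisions(SAMPLE_RESPONSE, STANDARD_INFO):
        print(decision)
```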
Embodiment two:
An embodiment of the present invention also provides a network security protection device, which is mainly used to execute the network security protection method provided by the above content of the embodiments of the present invention. The network security protection device provided in the embodiment of the present invention is specifically introduced below.
Fig. 5 is a schematic diagram of a network security protection device according to an embodiment of the present invention. As shown in Fig. 5, the network security protection device mainly includes a sending module 10, a receiving module 20, a comparative analysis module 30 and an exception processing module 40, where:
the sending module is used to send a data acquisition request to the protected device, where the data acquisition request carries information on the network security data to be acquired;
the receiving module is used to receive the data response information returned by the protected device according to the data acquisition request, where the data response information includes the network security data acquired by the protected device and response state information, and the network security data includes traffic data and security event data;
the comparative analysis module is used to compare and analyse the traffic data and the security event data against standard information to obtain a comparative analysis result;
the exception processing module is used to block the communication of the anomalous event when the comparative analysis result is that an anomalous event exists, where the anomalous event includes at least a network illegal external connection event and an illegal device access event.
In the embodiment of the present invention, the network security protection device can actively send a data acquisition request to the protected device and then receive the data response information returned by the protected device according to the data acquisition request; the traffic data and security event data therein are then compared and analysed against standard information to obtain a comparative analysis result; and when the comparative analysis result is that an anomalous event exists, the communication of the anomalous event is blocked. As can be seen from the above description, in the embodiment of the present invention the network security protection device can actively send data acquisition requests to the protected device, that is, it can perform active data acquisition without an additional security program on the protected device, which relieves the burden on the protected device. In addition, the returned data response information contains traffic data, so traffic anomalies can be monitored and the precision of monitoring improved. Meanwhile, when it is determined that an anomalous event exists, the communication of the anomalous event can be blocked. This alleviates the technical problems that existing network security protection modes can only passively receive data, have a high false-alarm rate and lack security protection.
Optionally, the device further includes a connection establishing module, used to establish a communication connection with the protected device.
Optionally, the connection establishing module is also used to send a connection establishing request to the protected device and to receive the connection response information returned by the protected device according to the connection establishing request.
Optionally, the comparative analysis module is also used to: extract a traffic data sample from the traffic data and the security event data using a statistical analysis method; compare the traffic data sample with the normal traffic information in the standard information; determine that no anomalous event exists if the traffic data sample matches the normal traffic information; and determine that an anomalous event exists if the traffic data sample does not match the normal traffic information.
Optionally, the comparative analysis module is also used to: extract MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method; compare the MAC address information and/or IP address information with the whitelist information in the standard information, where the whitelist information includes standard MAC address information and standard IP address information; determine that no anomalous event exists if the MAC address information and/or IP address information matches the whitelist information; and determine that an anomalous event exists if the MAC address information and/or IP address information does not match the whitelist information.
Optionally, the exception processing module is also used to: determine the abnormal-behaviour device according to the network security data corresponding to the anomalous event; and block the abnormal-behaviour device.
Optionally, the exception processing module is also used to: send an RST flag data packet to the target device, so that the target device closes the target communication link according to the RST flag data packet, where the target device is the device communicating with the abnormal-behaviour device and the target communication link is the communication link communicating with the abnormal-behaviour device; or send port-closing information corresponding to the abnormal-behaviour device to the switch in the protected device, so that the switch cuts off the communication link with the abnormal-behaviour device.
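The comparative analysis and exception processing steps of the device embodiment above, as an added Python example that is not code from the patent: the standard information (normal-traffic baseline, MAC/IP whitelist, internal address ranges), the data response records and the switch MAC-to-port table are all constructed here, and the choice of blocking mode per device is this example's own design.

```python
"""Comparative analysis and exception handling over collected network security data.
Added example, not the patent's code: it compares the traffic sample with the normal-traffic
baseline and MAC/IP addresses with the whitelist, then determines the abnormal-behaviour
device and the blocking mode. Record layouts, addresses and the port map are constructed."""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass, field
# Constructed standard information: normal traffic (bytes per window), whitelist, internal ranges.
STANDARD_INFO = {
    "normal_traffic": {"10.10.1.21": [12_000, 13_500, 11_800, 12_900, 12_400],
                       "10.10.1.22": [8_000, 8_400, 7_900, 8_100, 8_300]},
    "whitelist": {"mac": {"00:1a:2b:3c:4d:21", "00:1a:2b:3c:4d:22"},
                  "ip": {"10.10.1.21", "10.10.1.22"}},
    "internal_ranges": [ipaddress.ip_network("10.10.0.0/16")],
}

# Constructed data response information: state, one window of traffic, events, switch MAC table.
DATA_RESPONSE = {
    "status": "ok",
    "traffic": [
        {"src_mac": "00:1a:2b:3c:4d:21", "src_ip": "10.10.1.21", "dst_ip": "10.10.1.1", "dst_port": 102, "bytes": 12_600},
        {"src_mac": "00:1a:2b:3c:4d:22", "src_ip": "10.10.1.22", "dst_ip": "203.0.113.7", "dst_port": 443, "bytes": 61_000},
        {"src_mac": "00:1a:2b:3c:4d:99", "src_ip": "10.10.1.77", "dst_ip": "10.10.1.1", "dst_port": 22, "bytes": 900},
    ],
    "security_events": [{"type": "link_up", "mac": "00:1a:2b:3c:4d:99", "ip": "10.10.1.77"}],
    "switch_ports": {"00:1a:2b:3c:4d:21": "Gi1/0/5", "00:1a:2b:3c:4d:22": "Gi1/0/6", "00:1a:2b:3c:4d:99": "Gi1/0/12"},
}

@dataclass(frozen=True)
class Anomaly:
    kind: str   # traffic_anomaly | illegal_external_connection | illegal_device_access
    mac: str    # the abnormal-behaviour device
    ip: str
    detail: str = field(compare=False)  # explanation only, not part of identity

def compare_traffic(traffic, normal_traffic, k=3.0):
    """Traffic sample (bytes per source IP) against the baseline: anomalous above mean + k*stdev."""
    sample, src_mac = defaultdict(int), {}
    for rec in traffic:
        sample[rec["src_ip"]] += rec["bytes"]
        src_mac[rec["src_ip"]] = rec["src_mac"]
    found = []
    for ip, total in sample.items():
        history = normal_traffic.get(ip)
        if not history:
            continue  # no baseline: the whitelist comparison judges this device
        limit = statistics.mean(history) + k * statistics.stdev(history)
        if total > limit:
            found.append(Anomaly("traffic_anomaly", src_mac[ip], ip, f"{total} bytes > {limit:.0f}"))
    return found

def compare_whitelist(traffic, events, whitelist, internal_ranges):
    """Source MAC/IP and event MACs against the whitelist; destinations against internal ranges."""
    internal = lambda ip: any(ipaddress.ip_address(ip) in net for net in internal_ranges)
    found = set()
    for rec in traffic:
        if rec["src_mac"] not in whitelist["mac"] or rec["src_ip"] not in whitelist["ip"]:
            found.add(Anomaly("illegal_device_access", rec["src_mac"], rec["src_ip"], "source not whitelisted"))
        if not internal(rec["dst_ip"]):
            found.add(Anomaly("illegal_external_connection", rec["src_mac"], rec["src_ip"], f"to {rec['dst_ip']}:{rec['dst_port']}"))
    for ev in events:
        if ev.get("mac") and ev["mac"] not in whitelist["mac"]:
            found.add(Anomaly("illegal_device_access", ev["mac"], ev.get("ip", "?"), f"event {ev['type']}"))
    return found

def analyse(response, standard):
    """Comparative analysis result: the set of anomalous events (empty means none exist)."""
    if response["status"] != "ok":
        raise ValueError(f"protected device reported state {response['status']!r}")
    found = set(compare_traffic(response["traffic"], standard["normal_traffic"]))
    return found | compare_whitelist(response["traffic"], response["security_events"],
                                     standard["whitelist"], standard["internal_ranges"])

def plan_blocking(anomalies, response):
    """Exception processing, one decision per abnormal-behaviour device (this example's choice: a
    non-whitelisted device loses its switch port, a whitelisted one has its links reset by the peer)."""
    actions = []
    for mac in sorted({a.mac for a in anomalies}):
        if any(a.kind == "illegal_device_access" for a in anomalies if a.mac == mac):
            actions.append({"mode": "close_port", "mac": mac, "switch_port": response["switch_ports"].get(mac)})
            continue
        for rec in response["traffic"]:
            if rec["src_mac"] == mac:  # the peer is the target device that closes the link
                actions.append({"mode": "send_rst", "target_device": rec["dst_ip"],
                                "link": (rec["src_ip"], rec["dst_ip"], rec["dst_port"])})
    return actions
```

The functions return decisions only; transmitting the RST packet or the port-closing command to the switch is left to the protection device's own interfaces.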
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the preceding method embodiment; for brevity, where the device embodiment does not mention something, reference may be made to the corresponding content in the preceding method embodiment.
In another embodiment of the present invention, a computer storage medium is additionally provided, on which a computer program is stored; when the computer runs the computer program, it executes the steps of the method of the above method embodiment.
In another embodiment of the present invention, a computer program is additionally provided, which may be stored in the cloud or on a local storage medium. When the computer program is run by a computer or processor, it is used to execute the corresponding steps of the method of the embodiment of the present invention and to realize the corresponding modules in the network security protection device according to the embodiment of the present invention.
In addition, in the description of the embodiments of the present invention, unless otherwise specifically defined or limited, the terms "installation", "connected" and "connection" shall be understood in a broad sense: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; and it may be direct, indirect through an intermediary, or internal between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific circumstances.
In the description of the present invention, it should be noted that the orientation or positional relationships indicated by terms such as "centre", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientation or positional relationships shown in the drawings, merely for convenience and simplicity of describing the present invention, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a specific orientation; therefore they are not to be considered as limiting the invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance.
It is apparent to those skilled in the art that, for convenience and simplicity of description, the specific working process of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiment, and the details are not described again here.
In the several embodiments provided herein, it should be understood that the disclosed systems, devices and methods may be realized in other ways. The device embodiments described above are merely exemplary; for example, the division of the units is only one kind of logical functional division, and there may be other division manners in actual implementation; for another example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some communication interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to realize the purpose of the scheme of this embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
If the function is realized in the form of a software functional unit and sold or used as an independent product, it may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the existing technology, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes some instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
Finally, it should be noted that the embodiments described above are only specific embodiments of the present invention, used to illustrate the technical solution of the present invention rather than to limit it, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone skilled in the art can still, within the technical scope disclosed by the present invention, modify the technical solution recorded in the foregoing embodiments or readily conceive of variations, or make equivalent replacements of some of the technical features; such modifications, variations or replacements do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solution of the embodiments of the present invention, and should all be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A network security protection method, characterized in that it is applied to a network security protection device and comprises:
sending a data acquisition request to a protected device, wherein the data acquisition request carries information on the network security data to be acquired;
receiving data response information returned by the protected device according to the data acquisition request, wherein the data response information comprises the network security data acquired by the protected device and response state information, and the network security data comprises traffic data and security event data;
comparing and analysing the traffic data and the security event data against standard information to obtain a comparative analysis result;
when the comparative analysis result is that an anomalous event exists, blocking the communication of the anomalous event, wherein the anomalous event comprises at least a network illegal external connection event and an illegal device access event.
2. The network security protection method according to claim 1, characterized in that, before sending the data acquisition request to the protected device, the method further comprises:
establishing a communication connection with the protected device.
3. The network security protection method according to claim 2, characterized in that establishing the communication connection with the protected device comprises:
sending a connection establishing request to the protected device;
receiving connection response information returned by the protected device according to the connection establishing request.
4. The network security protection method according to claim 1, characterized in that comparing and analysing the traffic data and the security event data against standard information to obtain a comparative analysis result comprises:
extracting a traffic data sample from the traffic data and the security event data using a statistical analysis method;
comparing the traffic data sample with the normal traffic information in the standard information;
if the traffic data sample matches the normal traffic information, determining that no anomalous event exists;
if the traffic data sample does not match the normal traffic information, determining that an anomalous event exists.
5. The network security protection method according to claim 1, characterized in that comparing and analysing the traffic data and the security event data against standard information to obtain a comparative analysis result comprises:
extracting MAC address information and/or IP address information from the traffic data and the security event data using a statistical analysis method;
comparing the MAC address information and/or IP address information with whitelist information in the standard information, wherein the whitelist information comprises standard MAC address information and standard IP address information;
if the MAC address information and/or IP address information matches the whitelist information, determining that no anomalous event exists;
if the MAC address information and/or IP address information does not match the whitelist information, determining that an anomalous event exists.
6. The network security protection method according to claim 1, characterized in that blocking the communication of the anomalous event comprises:
determining an abnormal-behaviour device according to the network security data corresponding to the anomalous event;
blocking the abnormal-behaviour device.
7. The network security protection method according to claim 6, characterized in that blocking the abnormal-behaviour device comprises:
sending an RST flag data packet to a target device, so that the target device closes a target communication link according to the RST flag data packet, wherein the target device is a device communicating with the abnormal-behaviour device and the target communication link is the communication link communicating with the abnormal-behaviour device;
or,
sending port-closing information corresponding to the abnormal-behaviour device to a switch in the protected device, so that the switch cuts off the communication link with the abnormal-behaviour device.
8. A network security protection device, characterized in that it comprises:
a sending module, used to send a data acquisition request to a protected device, wherein the data acquisition request carries information on the network security data to be acquired;
a receiving module, used to receive data response information returned by the protected device according to the data acquisition request, wherein the data response information comprises the network security data acquired by the protected device and response state information, and the network security data comprises traffic data and security event data;
a comparative analysis module, used to compare and analyse the traffic data and the security event data against standard information to obtain a comparative analysis result;
an exception processing module, used to block the communication of the anomalous event when the comparative analysis result is that an anomalous event exists, wherein the anomalous event comprises at least a network illegal external connection event and an illegal device access event.
9. The network security protection device according to claim 8, characterized in that the device further comprises:
a connection establishing module, used to establish a communication connection with the protected device.
10. An electronic device, characterized in that it comprises a memory, a processor and a computer program stored on the memory and runnable on the processor, wherein the processor, when executing the computer program, realizes the steps of the method according to any one of claims 1 to 7.
Application CN201910025311.6A, priority date 2019-01-10, filing date 2019-01-10: Network safety protective method, device and electronic equipment. Status: Pending. Publication: CN109462621A (en).

Publications (1)

Publication Number: CN109462621A (en); Publication Date: 2019-03-12



Legal Events

Code, Title, Description:
PB01: Publication
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication (Application publication date: 20190312)