CN110351274A - Network attack surface tracking method, server and system - Google Patents
- Publication number: CN110351274A
- Authority: CN (China)
- Prior art keywords
- data
- network node
- server
- attack
- network
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
      - H04L63/1416—Event detection, e.g. attack signature detection
    - H04L63/1433—Vulnerability analysis
    - H04L63/1441—Countermeasures against malicious traffic
  - H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Technology Law (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method, server and system for network attack surface tracking. Each network node first checks its own data fragments and extracts the attack vectors that can be exploited. The data fragment copies on each network node are then collected and merged with historical big data. The data fragments are analyzed for anomalies, and multiple abnormal data fragments are analyzed for logical associations between them. Abnormal points and transit points are thereby determined and marked, yielding potential attack trajectories and the security vulnerabilities of the network nodes, so that the attack surface can be tracked across a large number of network nodes.
Description
Technical field
This application relates to the technical field of network security, and in particular to a method, server and system for network attack surface tracking.
Background
Network communication today faces increasingly covert security problems. Many attacks take a concealed, fragmented form: the vulnerability points and attack links of individual nodes can combine into multiple attack surfaces, against which existing methods of defending against network attacks can fail. In particular, today's networks usually contain a large number of network nodes, and an attacker can disperse fragments across different network nodes to evade detection. There is an urgent need for a network monitoring method that can check nodes for vulnerabilities and track fragmented attack links.
Summary of the invention
The purpose of the present invention is to provide a method, device and system for network attack surface tracking. Each network node first checks its own data fragments and extracts the attack vectors that can be exploited. The data fragment copies on each network node are then collected and merged with historical big data. The data fragments are analyzed for anomalies, and multiple abnormal data fragments are analyzed for logical associations between them. Abnormal points and transit points are thereby determined and marked, yielding potential attack trajectories and the security vulnerabilities of the network nodes. This solves the problem in the prior art that the attack surface cannot be tracked.
In a first aspect, the application provides a method of network attack surface tracking, the method comprising:
The network-side server sends an instruction to each network node; the instruction orders each network node to upload its local data fragments to the server;
After receiving the instruction, each network node splits the data stream passing through the node into several data fragment copies and extracts from them the attack vectors that can be exploited;
Each network node first invokes a local policy to scan the data fragment copies and check whether they contain exploitable attack vectors, then packages the exploitable attack vectors together with the data fragment copies, encapsulates them, and uploads them to the server during gaps in business processing; the encapsulation includes inserting a data originator identifier into the data fragment copy;
After receiving the encapsulated data fragment copies, the server parses them and merges the parsed data fragments with the historical data fragments stored locally on the server; the merging is performed according to at least one of the following criteria: the network node to which a fragment belongs, the transmitting terminal to which it belongs, the data type, and the corresponding access behavior;
The server analyzes the merged data fragments using an analysis model to find any abnormal data fragments that may be present, marks the network nodes or terminals to which the abnormal data fragments belong as abnormal points, and analyzes whether a logical association exists among the abnormal data fragments;
If a logical association exists among the abnormal data fragments, a before-and-after association is established between the corresponding abnormal points, and each is marked as a transit point in a potential attack trajectory; if no logical association exists among the abnormal data fragments, the before-and-after association between the corresponding abnormal points is disconnected, and the points are deleted as transit points from the potential attack trajectory;
The server checks the exploitable attack vectors and determines whether a security vulnerability exists; if a security vulnerability exists, the server invokes the corresponding policy to perform an action that eliminates it; if no security vulnerability exists, the server notifies the corresponding network node that no security vulnerability exists;
The server passes the before-and-after associations, the transit points, the potential attack trajectory and the security vulnerabilities to a display processing unit;
The server trains the analysis model on the before-and-after associations and the abnormal data fragments;
After receiving the before-and-after associations, the transit points, the potential attack trajectory and the security vulnerabilities, the display processing unit marks the transit points on a mappable network node architecture diagram, annotates each node in the diagram with its corresponding before-and-after association, draws the potential attack trajectory, and labels the security vulnerabilities of each node; the points and the attack trajectory lines together form a picture of the network attack surface, which is shown on a large display.
With reference to the first aspect, in a first possible implementation of the first aspect, when each network node splits the data stream into several data fragments, the split length may be determined according to the service type and the access action.
With reference to the first aspect, in a second possible implementation of the first aspect, the network-side server sends the instruction to each network node at a fixed period.
With reference to the first aspect, in a third possible implementation of the first aspect, the network node uploading data fragment copies during gaps in business processing includes: processing business data with priority, and uploading data fragment copies to the server only when no business data needs to be processed or transmitted.
In a second aspect, the application provides a device for network attack surface tracking, applied on a network node and executing all or part of the method, the device comprising:
An instruction receiving unit, configured to receive the instruction sent by the network-side server to each network node, the instruction ordering each network node to upload its local data fragments to the server;
A data processing unit, configured to split the data stream passing through the network node into several data fragments, extract from them the attack vectors that can be exploited, and invoke a local policy to scan the data fragment copies and check whether they contain exploitable attack vectors;
A data transmission unit, configured to package the exploitable attack vectors together with the data fragment copies, encapsulate them, and upload them to the server during gaps in business processing; the encapsulation includes inserting a data originator identifier into the data fragment copy.
In a third aspect, the application provides a server for network attack surface tracking, located on the network side and executing all or part of the method, the server comprising:
An instruction sending unit, configured to send an instruction to each network node, the instruction ordering each network node to upload its local data fragments to the server;
A data merging unit, configured to, after receiving the encapsulated data fragment copies, merge the parsed data fragments with the historical data fragments stored locally on the server; the merging is performed according to at least one of the following criteria: the network node to which a fragment belongs, the transmitting terminal to which it belongs, the data type, and the corresponding access behavior;
An anomaly analysis unit, configured to analyze the merged data fragments using an analysis model, find any abnormal data fragments that may be present, mark the network nodes or terminals to which the abnormal data fragments belong as abnormal points, and analyze whether a logical association exists among the abnormal data fragments;
If a logical association exists among the abnormal data fragments, a before-and-after association is established between the corresponding abnormal points, and each is marked as a transit point in a potential attack trajectory; if no logical association exists among the abnormal data fragments, the before-and-after association between the corresponding abnormal points is disconnected, and the points are deleted as transit points from the potential attack trajectory;
A vulnerability checking unit, configured to check the exploitable attack vectors and determine whether a security vulnerability exists; if a security vulnerability exists, the corresponding policy is invoked to perform an action that eliminates it; if no security vulnerability exists, the corresponding network node is notified that no security vulnerability exists;
A transfer unit, configured to pass the before-and-after associations, the transit points, the potential attack trajectory and the security vulnerabilities to a display processing unit;
A model training unit, configured to train the analysis model on the before-and-after associations and the abnormal data fragments.
In a fourth aspect, the application provides a system for network attack surface tracking, the system comprising multiple network nodes to which the device of the second aspect is applied, together with the server of the third aspect and a display processing unit.
The present invention provides a method, device and system for network attack surface tracking. Each network node first checks its own data fragments and extracts the attack vectors that can be exploited. The data fragment copies on each network node are then collected and merged with historical big data. The data fragments are analyzed for anomalies, and multiple abnormal data fragments are analyzed for logical associations between them. Abnormal points and transit points are thereby determined and marked, yielding potential attack trajectories and the security vulnerabilities of the network nodes, so that the attack surface can be tracked across a large number of network nodes.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of the network attack surface tracking method of the present invention;
Fig. 2 is an internal structure diagram of the network attack surface tracking device of the present invention;
Fig. 3 is an internal structure diagram of the network attack surface tracking server of the present invention;
Fig. 4 is an architecture diagram of the network attack surface tracking system of the present invention.
Detailed description of the embodiments
The preferred embodiments of the present invention are described in detail below with reference to the drawings, so that the advantages and features of the invention can be more easily understood by those skilled in the art and the scope of protection of the invention can be defined more clearly.
Fig. 1 is a flowchart of the network attack surface tracking method provided by the present application, the method comprising:
The network-side server sends an instruction to each network node; the instruction orders each network node to upload its local data fragments to the server;
After receiving the instruction, each network node splits the data stream passing through the node into several data fragment copies and extracts from them the attack vectors that can be exploited;
Each network node first invokes a local policy to scan the data fragment copies and check whether they contain exploitable attack vectors, then packages the exploitable attack vectors together with the data fragment copies, encapsulates them, and uploads them to the server during gaps in business processing; the encapsulation includes inserting a data originator identifier into the data fragment copy;
After receiving the encapsulated data fragment copies, the server parses them and merges the parsed data fragments with the historical data fragments stored locally on the server; the merging is performed according to at least one of the following criteria: the network node to which a fragment belongs, the transmitting terminal to which it belongs, the data type, and the corresponding access behavior;
The server analyzes the merged data fragments using an analysis model to find any abnormal data fragments that may be present, marks the network nodes or terminals to which the abnormal data fragments belong as abnormal points, and analyzes whether a logical association exists among the abnormal data fragments;
If a logical association exists among the abnormal data fragments, a before-and-after association is established between the corresponding abnormal points, and each is marked as a transit point in a potential attack trajectory; if no logical association exists among the abnormal data fragments, the before-and-after association between the corresponding abnormal points is disconnected, and the points are deleted as transit points from the potential attack trajectory;
The server checks the exploitable attack vectors and determines whether a security vulnerability exists; if a security vulnerability exists, the server invokes the corresponding policy to perform an action that eliminates it; if no security vulnerability exists, the server notifies the corresponding network node that no security vulnerability exists;
The server passes the before-and-after associations, the transit points, the potential attack trajectory and the security vulnerabilities to a display processing unit;
The server trains the analysis model on the before-and-after associations and the abnormal data fragments;
After receiving the before-and-after associations, the transit points, the potential attack trajectory and the security vulnerabilities, the display processing unit marks the transit points on a mappable network node architecture diagram, annotates each node in the diagram with its corresponding before-and-after association, draws the potential attack trajectory, and labels the security vulnerabilities of each node; the points and the attack trajectory lines together form a picture of the network attack surface, which is shown on a large display.
In some preferred embodiments, when each network node splits the data stream into several data fragments, the split length may be determined according to the service type and the access action.
In some preferred embodiments, the network-side server sends the instruction to each network node at a fixed period.
In some preferred embodiments, the network node uploading data fragment copies during gaps in business processing includes: processing business data with priority, and uploading data fragment copies to the server only when no business data needs to be processed or transmitted.
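The server-side steps above (merge with history, flag abnormal fragments, link abnormal points into a potential attack trajectory) are shown here as an added example that is not part of the patent. The patent specifies neither the analysis model nor what counts as a logical association, so the `never_seen_model` rule, the `flow` correlation key, the cold-start behavior and all sample fragments are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    node: str       # data originator identifier inserted at encapsulation
    data_type: str
    access: str     # corresponding access behavior
    flow: str       # hypothetical correlation key (not defined by the patent)
    ts: int         # capture time in seconds


def merge_by_node(history, incoming):
    """Merge parsed fragments with server-side history, keyed by owning node."""
    merged = defaultdict(lambda: {"history": [], "new": []})
    for f in history:
        merged[f.node]["history"].append(f)
    for f in incoming:
        merged[f.node]["new"].append(f)
    return merged


def never_seen_model(fragment, node_history):
    """Stand-in analysis model: a (data_type, access) pair new to the node is abnormal."""
    if not node_history:
        # Cold start: with no baseline for this node, do not flag (assumption).
        return False
    seen = {(h.data_type, h.access) for h in node_history}
    return (fragment.data_type, fragment.access) not in seen


def track(history, incoming, model=never_seen_model):
    """Return abnormal points, before/after edges, transit points, isolated points."""
    merged = merge_by_node(history, incoming)
    abnormal = [f for g in merged.values() for f in g["new"]
                if model(f, g["history"])]
    abnormal_points = {f.node for f in abnormal}

    # Assumed association rule: abnormal fragments sharing a flow key are related.
    by_flow = defaultdict(list)
    for f in abnormal:
        by_flow[f.flow].append(f)

    edges = []
    for frags in by_flow.values():
        frags.sort(key=lambda f: f.ts)
        hops = []
        for f in frags:                      # collapse repeats on the same node
            if not hops or hops[-1] != f.node:
                hops.append(f.node)
        for edge in zip(hops, hops[1:]):     # before -> after association
            if edge not in edges:
                edges.append(edge)

    transit_points = {n for edge in edges for n in edge}
    return {
        "abnormal_points": abnormal_points,
        "edges": edges,
        "transit_points": transit_points,
        # Abnormal but unassociated: kept as abnormal points, not on a trajectory.
        "isolated": abnormal_points - transit_points,
    }


# Constructed sample data: baseline behavior per node, then one upload cycle.
HISTORY = [
    Fragment("web-01", "http", "GET", "h1", 10),
    Fragment("app-02", "rpc", "call", "h2", 11),
    Fragment("db-03", "sql", "SELECT", "h3", 12),
    Fragment("mail-04", "smtp", "SEND", "h4", 13),
]
INCOMING = [
    Fragment("web-01", "http", "GET", "f1", 100),    # matches baseline
    Fragment("db-03", "sql", "DUMP", "f9", 130),     # arrives out of order
    Fragment("web-01", "http", "PUT", "f9", 110),
    Fragment("app-02", "rpc", "exec", "f9", 120),
    Fragment("mail-04", "smtp", "RELAY", "f7", 125), # abnormal, no related fragment
    Fragment("new-05", "ftp", "PUT", "f9", 140),     # node without history
]

if __name__ == "__main__":
    result = track(HISTORY, INCOMING)
    for name, value in result.items():
        print(name, value)
```

Because `track` recomputes the edges on every cycle, an association that no longer holds drops out of the trajectory, which corresponds to the disconnect-and-delete branch of the method.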
Fig. 2 is an internal structure diagram of the network attack surface tracking device provided by the present application, the device comprising:
An instruction receiving unit, configured to receive the instruction sent by the network-side server to each network node, the instruction ordering each network node to upload its local data fragments to the server;
A data processing unit, configured to split the data stream passing through the network node into several data fragments, extract from them the attack vectors that can be exploited, and invoke a local policy to scan the data fragment copies and check whether they contain exploitable attack vectors;
A data transmission unit, configured to package the exploitable attack vectors together with the data fragment copies, encapsulate them, and upload them to the server during gaps in business processing; the encapsulation includes inserting a data originator identifier into the data fragment copy.
In some preferred embodiments, the device uploading data fragment copies during gaps in business processing includes: processing business data with priority, and uploading data fragment copies to the server only when no business data needs to be processed or transmitted.
Fig. 3 is an internal structure diagram of the network attack surface tracking server provided by the present application, the server comprising:
An instruction sending unit, configured to send an instruction to each network node, the instruction ordering each network node to upload its local data fragments to the server;
A data merging unit, configured to, after receiving the encapsulated data fragment copies, merge the parsed data fragments with the historical data fragments stored locally on the server; the merging is performed according to at least one of the following criteria: the network node to which a fragment belongs, the transmitting terminal to which it belongs, the data type, and the corresponding access behavior;
An anomaly analysis unit, configured to analyze the merged data fragments using an analysis model, find any abnormal data fragments that may be present, mark the network nodes or terminals to which the abnormal data fragments belong as abnormal points, and analyze whether a logical association exists among the abnormal data fragments;
If a logical association exists among the abnormal data fragments, a before-and-after association is established between the corresponding abnormal points, and each is marked as a transit point in a potential attack trajectory; if no logical association exists among the abnormal data fragments, the before-and-after association between the corresponding abnormal points is disconnected, and the points are deleted as transit points from the potential attack trajectory;
A vulnerability checking unit, configured to check the exploitable attack vectors and determine whether a security vulnerability exists; if a security vulnerability exists, the corresponding policy is invoked to perform an action that eliminates it; if no security vulnerability exists, the corresponding network node is notified that no security vulnerability exists;
A transfer unit, configured to pass the before-and-after associations, the transit points, the potential attack trajectory and the security vulnerabilities to a display processing unit;
A model training unit, configured to train the analysis model on the before-and-after associations and the abnormal data fragments.
In some preferred embodiments, the network-side server is a cluster server.
In some preferred embodiments, the network-side server sends the instruction to each network node at a fixed period.
Fig. 4 is an architecture diagram of the network attack surface tracking system provided by the present application; the system comprises multiple network nodes to which the device shown in Fig. 2 is applied, together with the server shown in Fig. 3 and a display processing unit.
In a specific implementation, the present invention also provides a computer storage medium, which can store a program that, when executed, may perform some or all of the steps in each embodiment of the present invention. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as a ROM/RAM, magnetic disk or optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments of the present invention or in certain parts of the embodiments.
For parts that are the same or similar among the embodiments of this specification, the embodiments may be referred to one another. In particular, because the other embodiments are substantially similar to the method embodiment, they are described relatively briefly; for the relevant details, refer to the description of the method embodiment.
The embodiments of the invention described above do not limit the scope of protection of the present invention.
Claims (7)
1. A method of network attack surface tracking, characterized by comprising:
The network-side server sends an instruction to each network node; the instruction orders each network node to upload its local data fragments to the server;
After receiving the instruction, each network node splits the data stream passing through the node into several data fragment copies and extracts from them the attack vectors that can be exploited;
Each network node first invokes a local policy to scan the data fragment copies and check whether they contain exploitable attack vectors, then packages the exploitable attack vectors together with the data fragment copies, encapsulates them, and uploads them to the server during gaps in business processing; the encapsulation includes inserting a data originator identifier into the data fragment copy;
After receiving the encapsulated data fragment copies, the server parses them and merges the parsed data fragments with the historical data fragments stored locally on the server; the merging is performed according to at least one of the following criteria: the network node to which a fragment belongs, the transmitting terminal to which it belongs, the data type, and the corresponding access behavior;
The server analyzes the merged data fragments using an analysis model to find any abnormal data fragments that may be present, marks the network nodes or terminals to which the abnormal data fragments belong as abnormal points, and analyzes whether a logical association exists among the abnormal data fragments;
If a logical association exists among the abnormal data fragments, a before-and-after association is established between the corresponding abnormal points, and each is marked as a transit point in a potential attack trajectory; if no logical association exists among the abnormal data fragments, the before-and-after association between the corresponding abnormal points is disconnected, and the points are deleted as transit points from the potential attack trajectory;
The server checks the exploitable attack vectors and determines whether a security vulnerability exists; if a security vulnerability exists, the server invokes the corresponding policy to perform an action that eliminates it; if no security vulnerability exists, the server notifies the corresponding network node that no security vulnerability exists;
The server passes the before-and-after associations, the transit points, the potential attack trajectory and the security vulnerabilities to a display processing unit;
The server trains the analysis model on the before-and-after associations and the abnormal data fragments;
After receiving the before-and-after associations, the transit points, the potential attack trajectory and the security vulnerabilities, the display processing unit marks the transit points on a mappable network node architecture diagram, annotates each node in the diagram with its corresponding before-and-after association, draws the potential attack trajectory, and labels the security vulnerabilities of each node; the points and the attack trajectory lines together form a picture of the network attack surface, which is shown on a large display.
2. The method according to claim 1, characterized in that, when each network node splits the data stream into several data fragments, the split length may be determined according to the service type and the access action.
3. The method according to any one of claims 1-2, characterized in that the network-side server sends the instruction to each network node at a fixed period.
4. The method according to any one of claims 1-3, characterized in that the network node uploading data fragment copies during gaps in business processing comprises: processing business data with priority, and uploading data fragment copies to the server only when no business data needs to be processed or transmitted.
5. A device for network attack surface tracking, applied on a network node and executing the method according to any one of claims 1-4, characterized by comprising:
An instruction receiving unit, configured to receive the instruction sent by the network-side server to each network node, the instruction ordering each network node to upload its local data fragments to the server;
A data processing unit, configured to split the data stream passing through the network node into several data fragments, extract from them the attack vectors that can be exploited, and invoke a local policy to scan the data fragment copies and check whether they contain exploitable attack vectors;
A data transmission unit, configured to package the exploitable attack vectors together with the data fragment copies, encapsulate them, and upload them to the server during gaps in business processing; the encapsulation includes inserting a data originator identifier into the data fragment copy.
6. A server for network attack surface tracking, located on the network side and executing the method according to any one of claims 1-4, characterized by comprising:
An instruction sending unit, configured to send an instruction to each network node, the instruction ordering each network node to upload its local data fragments to the server;
A data merging unit, configured to, after receiving the encapsulated data fragment copies, merge the parsed data fragments with the historical data fragments stored locally on the server; the merging is performed according to at least one of the following criteria: the network node to which a fragment belongs, the transmitting terminal to which it belongs, the data type, and the corresponding access behavior;
An anomaly analysis unit, configured to analyze the merged data fragments using an analysis model, find any abnormal data fragments that may be present, mark the network nodes or terminals to which the abnormal data fragments belong as abnormal points, and analyze whether a logical association exists among the abnormal data fragments;
If a logical association exists among the abnormal data fragments, a before-and-after association is established between the corresponding abnormal points, and each is marked as a transit point in a potential attack trajectory; if no logical association exists among the abnormal data fragments, the before-and-after association between the corresponding abnormal points is disconnected, and the points are deleted as transit points from the potential attack trajectory;
A vulnerability checking unit, configured to check the exploitable attack vectors and determine whether a security vulnerability exists; if a security vulnerability exists, the corresponding policy is invoked to perform an action that eliminates it; if no security vulnerability exists, the corresponding network node is notified that no security vulnerability exists;
A transfer unit, configured to pass the before-and-after associations, the transit points, the potential attack trajectory and the security vulnerabilities to a display processing unit;
A model training unit, configured to train the analysis model on the before-and-after associations and the abnormal data fragments.
7. A system for network attack surface tracking, characterized in that the system comprises multiple network nodes to which the device according to claim 5 is applied, the server according to claim 6, and a display processing unit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910626345.0A CN110351274B (en) | 2019-07-11 | 2019-07-11 | Network attack surface tracking method, server and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910626345.0A CN110351274B (en) | 2019-07-11 | 2019-07-11 | Network attack surface tracking method, server and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110351274A (en) | 2019-10-18 |
CN110351274B (en) | 2021-11-26 |
Family
ID=68175055
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910626345.0A Active CN110351274B (en) | 2019-07-11 | 2019-07-11 | Network attack surface tracking method, server and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110351274B (en) |
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100318852A1 (en) * | 2009-06-16 | 2010-12-16 | Microsoft Corporation | Visualization tool for system tracing infrastructure events |
CN104731816A (en) * | 2013-12-23 | 2015-06-24 | 阿里巴巴集团控股有限公司 | Method and device for processing abnormal business data |
CN104539626A (en) * | 2015-01-14 | 2015-04-22 | 中国人民解放军信息工程大学 | Network attack scene generating method based on multi-source alarm logs |
US20180020022A1 (en) * | 2015-06-08 | 2018-01-18 | Illusive Networks Ltd. | Predicting and preventing an attacker's next actions in a breached network |
CN105208000A (en) * | 2015-08-21 | 2015-12-30 | 深信服网络科技(深圳)有限公司 | Network attack retrospective analysis method and network security equipment |
CN105763529A (en) * | 2015-12-12 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Attack chain obtaining method and system in network environment |
US20170302691A1 (en) * | 2016-04-18 | 2017-10-19 | Acalvio Technologies, Inc. | Systems and Methods for Detecting and Tracking Adversary Trajectory |
CN109067815A (en) * | 2018-11-06 | 2018-12-21 | 深信服科技股份有限公司 | Attack Source Tracing method, system, user equipment and storage medium |
CN109587174A (en) * | 2019-01-10 | 2019-04-05 | 广东电网有限责任公司信息中心 | Composite defense method and system for network protection |
Non-Patent Citations (1)
Title |
---|
Li Qiuxia: "Design and Implementation of a Map-Based Network Attack Visualization ***", China Master's Theses Full-text Database * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111787002A (en) * | 2020-06-30 | 2020-10-16 | 北京赋云安运营科技有限公司 | Method and system for analyzing service data network security |
CN111787002B (en) * | 2020-06-30 | 2022-05-20 | 安全能力生态聚合(北京)运营科技有限公司 | Method and system for analyzing safety of service data network |
CN112417462A (en) * | 2020-12-10 | 2021-02-26 | 中国农业科学院农业信息研究所 | Network security vulnerability tracking method and system |
CN112417462B (en) * | 2020-12-10 | 2024-02-02 | 中国农业科学院农业信息研究所 | Network security vulnerability tracking method and system |
Also Published As
Publication number | Publication date |
---|---|
CN110351274B (en) | 2021-11-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104219316B (en) | A kind of call request processing method and processing device in distributed system | |
CN103023906B (en) | Method and system aiming at remote procedure calling conventions to perform status tracking | |
CN110505241A (en) | A kind of network attack face detection method and system | |
CN107465651A (en) | Network attack detecting method and device | |
CN110365674A (en) | A kind of method, server and system for predicting network attack face | |
CN105939311A (en) | Method and device for determining network attack behavior | |
CN105493060A (en) | Honeyport active network security | |
CN206686205U (en) | The multiple-protection network architecture | |
CN110351274A (en) | A kind of method, server and the system of the tracking of network attack face | |
CN110381047A (en) | A kind of method, server and the system of the tracking of network attack face | |
Gugelmann et al. | Hviz: HTTP (S) traffic aggregation and visualization for network forensics | |
CN109413016A (en) | A kind of rule-based message detecting method and device | |
CN112738095A (en) | Method, device, system, storage medium and equipment for detecting illegal external connection | |
CN109361574A (en) | NAT detection method, system, medium and equipment based on JavaScript script | |
CN106209487A (en) | For detecting the method and device of the security breaches of webpage in website | |
CN106506630A (en) | A kind of hostile network behavior based on HTTP content consistencies finds method | |
CN110365673A (en) | Method, server and the system in a kind of isolation network attack face | |
JP2023550974A (en) | Image-based malicious code detection method and device and artificial intelligence-based endpoint threat detection and response system using the same | |
CN107979845A (en) | The indicating risk method and apparatus of wireless access point | |
CN110351273A (en) | A kind of methods, devices and systems of network trace reel chain attack | |
CN110213301A (en) | A kind of method, server and system shifting network attack face | |
EP3789890A1 (en) | Fully qualified domain name (fqdn) determination | |
CN109691158A (en) | Mobile flow Redirectional system | |
KR102541888B1 (en) | Image-based malicious code analysis method and apparatus and artificial intelligence-based endpoint detection and response system using the same | |
CN106657054B (en) | A kind of network security defence method based on virtual machine service jump |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||