CN113206761A - Application connection detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN113206761A
Authority
CN
China
Prior art keywords
application
connection
application connection
information
topology
Prior art date
Legal status
Granted
Application number
CN202110486230.3A
Other languages
Chinese (zh)
Other versions
CN113206761B (en)
Inventor
吴孟尧
马梦雨
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110486230.3A
Publication of CN113206761A
Application granted
Publication of CN113206761B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0677 Localisation of faults
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L43/045 Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics by checking availability
    • H04L43/0811 Monitoring or testing based on specific metrics by checking availability by checking connectivity
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses an application connection detection method, which comprises the following steps: receiving application connection information of at least one terminal device, and generating an application connection topology according to the application connection information, where the application connection information comprises application program connection relationships that conform to a preset rule; sampling the application connection topology to obtain characteristic information, and determining a service connection security baseline by using the characteristic information; and detecting application connections by using the service connection security baseline. The method and device can detect abnormal application connections in the network and improve the security of the network. The application also discloses an application connection detection device, an electronic device and a storage medium, which have the same beneficial effects.

Description

Application connection detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network management technologies, and in particular, to an application connection detection method and apparatus, an electronic device, and a storage medium.
Background
Current network management is mainly implemented by an administrator manually configuring network parameters and firewall rules to determine which IP addresses and ports may be connected between network segments. In this conventional network management mode, a large-scale service network is equivalent to a black box: a network administrator cannot clearly know the connection state of each application program in the network, and vulnerabilities or malicious traffic in the network are difficult to discover, which can eventually cause large losses.
Therefore, how to detect abnormal application connections in the network and improve the security of the network is a technical problem that those skilled in the art currently need to solve.
Disclosure of Invention
The application connection detection method and device, the electronic device and the storage medium provided by the present application can detect abnormal application connections in a network and improve the security of the network.
In order to solve the above technical problem, the present application provides an application connection detection method, including:
receiving application connection information of at least one terminal device, and generating an application connection topology according to the application connection information; the application connection information comprises an application program connection relation which accords with a preset rule;
sampling the application connection topology to obtain characteristic information, and determining a service connection security baseline by using the characteristic information;
and detecting the application connection by using the service connection security baseline.
Optionally, the receiving the application connection information of at least one terminal device and generating an application connection topology according to the application connection information includes:
receiving application connection information of at least one terminal device reported by a terminal monitor device;
and dividing the application connection information according to service groups to obtain the application connection topology.
Optionally, determining a service connection security baseline by using the feature information includes:
and inputting the characteristic information as training samples into a machine learning model for training, so as to obtain the service connection security baseline.
Optionally, the service connection security baseline includes a first constraint rule and/or a second constraint rule; the first constraint rule comprises the correspondence between application programs that must keep a communication connection, and the second constraint rule comprises the correspondence between application programs that must not establish a communication connection.
Optionally, detecting the application connection by using the service connection security baseline includes:
determining an application program pair corresponding to the connection of the application to be detected;
if the application programs in the application program pair do not conform to the first constraint rule, determining that an abnormal application connection is detected;
and if the application programs in the application program pair do not conform to the second constraint rule, determining that an abnormal application connection is detected.
Optionally, detecting the application connection by using the service connection security baseline includes:
and determining the application connection to be detected corresponding to the application connection information generated by the terminal device at the current moment, and detecting, by using the service connection security baseline, whether the application connection to be detected is an abnormal application connection.
Optionally, the application connection information includes application program parameters; wherein the application program parameters include any one or any combination of a digital signature, a protocol, and a version number;
correspondingly, after receiving the application connection information of at least one terminal device, the method further includes:
judging whether a target application exists according to the application program parameters; wherein the target application comprises an application with a vulnerability and/or an illegal application;
if an application with a vulnerability is detected, issuing a corresponding security patch so as to repair the vulnerability;
and if an illegal application is detected, displaying alarm information corresponding to the illegal application on a graphical interface.
Optionally, after detecting the application connection by using the service connection security baseline, the method further includes:
and if an abnormal application connection is detected, adding an alarm identifier to the device icon of the terminal device corresponding to the abnormal application connection on a graphical interface, and issuing a firewall rule to the distributed firewall of that terminal device so as to block the network traffic corresponding to the abnormal application connection.
Optionally, after generating the application connection topology according to the application connection information, the method further includes:
when an application connection interruption is detected, determining a fault point and a fault cause according to the application connection topology;
and adding an interruption identifier to the device icon of the terminal device corresponding to the fault point on a graphical interface, and repairing the fault point according to the fault cause.
Optionally, the method further includes:
collecting statistics on the application connection topology over a preset time period, and generating a service optimization suggestion according to the statistical result; wherein the statistical result comprises a ranking of the network traffic generated by each application connection.
Optionally, after generating the application connection topology according to the application connection information, the method further includes:
displaying a topological graph corresponding to the application connection topology on a graphical interface;
and receiving the user's adjustment information for the topological graph in the graphical interface, and updating the application connection topology according to the adjustment information so as to modify the network configuration and the firewall rules.
The application also provides an application connection detection device, the device includes:
the topology generation module is used for receiving application connection information of at least one terminal device and generating an application connection topology according to the application connection information; the application connection information comprises an application program connection relation which accords with a preset rule;
the security baseline generation module is used for sampling the application connection topology to obtain characteristic information and determining a service connection security baseline by using the characteristic information;
and the anomaly detection module is used for detecting the application connection by using the service connection security baseline.
The application also provides a storage medium, on which a computer program is stored, which when executed implements the steps performed by the above application connection detection method.
The application also provides an electronic device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps executed by the application connection detection method when calling the computer program in the memory.
The application provides an application connection detection method, which comprises the following steps: receiving application connection information of at least one terminal device, and generating an application connection topology according to the application connection information, where the application connection information comprises application program connection relationships that conform to a preset rule; sampling the application connection topology to obtain characteristic information, and determining a service connection security baseline by using the characteristic information; and detecting the application connection by using the service connection security baseline.
In the present application, the application connection topology is generated from the application connection information of the application devices, and because that information comprises application program connection relationships that conform to the preset rule, the application connection topology reflects the state of communication connections between the application program of each terminal device and other application programs in the network under normal conditions. The service connection security baseline under normal conditions can then be obtained from the characteristic information of the application connection topology, and abnormal application connections in the network are detected using this baseline. Since the baseline used to evaluate whether an application connection relationship is normal is generated from application connection information collected under normal conditions, abnormal application connections in the network can be detected and the security of the network is improved. The application also provides an application connection detection device, an electronic device and a storage medium, which have the above beneficial effects and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of an application connection detection method according to an embodiment of the present application;
fig. 2 is a flowchart of a method for processing an exception application according to an embodiment of the present application;
fig. 3 is an overall architecture diagram of a management system for application connectivity according to an embodiment of the present application;
fig. 4 is a flowchart of a management method for application connectivity according to an embodiment of the present application;
fig. 5 illustrates a generation manner of an application connection topological graph according to an embodiment of the present application;
FIG. 6 is a graphical interface display diagram of an application connection topology provided by an embodiment of the present application;
fig. 7 is a schematic structural diagram of an application connection detection apparatus according to an embodiment of the present application;
fig. 8 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of an application connection detection method according to an embodiment of the present disclosure.
The specific steps may include:
S101: receiving application connection information of at least one terminal device, and generating an application connection topology according to the application connection information;
This embodiment can be applied to a network management device (Manager) of a network management center, and the network management device can set the network parameters and firewall rules of each terminal device in the network. The application connection information may include only application program connection relationships that meet a preset rule; that is, the application connection information obtained in this step describes communication connections that an application in one terminal device establishes with an application of another terminal device under normal conditions. As a possible implementation, the present embodiment may use, as the application connection information, the application connection information collected within a preset period (for example, the first month) after the terminal device is started for the first time. The application connection information describes the connection relationship between one application and another; for example, it may record that "server xx-VMxx-APPxx" establishes communication with "host xx-VMxx-APPxx", so that whether a communication connection is established between two applications can be determined from the application connection information.
The embodiment can receive application connection information between any number of terminal devices, generate the application connection topology by combining all of the application connection information, and determine the application connection state of any two terminal devices in the network from the application connection topology. Specifically, the embodiment may receive application connection information between terminal devices that is reported by a terminal monitor device. The terminal Monitor (EM) is a lightweight agent deployed on a terminal device and is used for capturing application connection information. The network management device samples and analyzes the application connection topology of a service network that has run stably for a period of time, and derives an application connection security baseline from it. When a vulnerability is discovered, a security patch can be installed automatically to repair it. When malicious traffic exists, analysis is carried out based on the application connection topology, and the illegal connection is quickly located and then blocked, so that the danger does not spread. When the network fails, the fault point and the fault cause are quickly located based on the application connection topology, and an alarm is raised and automatic fault repair is carried out.
As a feasible implementation, the application connection information in this embodiment may include information such as the IP addresses and ports used when two applications establish a communication connection; this embodiment may abstract the application connection information and generate the application connection topology using more intuitive labels (such as device name, device type, and service type). For example, the present embodiment may divide the application connection information by service group to obtain the application connection topology. In addition, after the application connection topology is generated from the application connection information, a topology diagram corresponding to it can be displayed on a Graphical User Interface (GUI).
S102: sampling the application connection topology to obtain characteristic information, and determining a service connection security baseline by using the characteristic information;
the application connection information used for constructing the application connection topology in this embodiment includes an application program connection relationship that meets a preset rule, so that the connection relationship of each terminal device in the application connection topology obtained in this embodiment meets a relevant security provision. The characteristic information obtained by sampling the application connection topology can reflect the communication connection characteristics of each terminal device in the network under normal conditions. The normal condition refers to a condition that the network has no abnormal application connection.
Using the characteristic information, a service connection security baseline may be determined, which may include constraints on establishing communication connections between applications. For example, suppose the service connection security baseline stipulates that research and development office equipment must be connected with the research and development server and must not be connected with the financial database. If the research and development office equipment is disconnected from the research and development server, the connection state between the two is judged not to conform to the service connection security baseline; and if the research and development office equipment is connected with the financial database, the connection state between the two is judged not to conform to the service connection security baseline. As a possible implementation, the embodiment may input the characteristic information as training samples into a machine learning model for training, so as to obtain the service connection security baseline.
S103: detecting the application connection by using the service connection security baseline.
After the service connection security baseline is obtained, the embodiment may evaluate whether each application connection is legal by using the service connection security baseline, determine that an abnormal application connection is detected if the application connection is not legal, and determine that a normal application connection is detected if the application connection is legal. As a feasible implementation manner, when detecting an abnormal application connection, the embodiment may first determine an application program that needs to be detected, determine whether connection relationships between the application program and other application programs all conform to a service connection security baseline, and if not, determine that the application program has an abnormal application connection.
Specifically, in this embodiment, after the service connection security baseline is established, the service connection security baseline may be used to detect the application connection in the network in real time, for example, to-be-detected application connection corresponding to the application connection information generated by the terminal device at the current time may be determined, and the service connection security baseline may be used to detect whether the to-be-detected application connection is the abnormal application connection.
In this embodiment, an application connection topology is generated from the application connection information of the application devices, where the application connection information includes application program connection relationships that meet a preset rule, so that the state of communication connections between the application program of each terminal device in the network and other application programs can be determined under normal conditions from the application connection topology. The service connection security baseline under normal conditions can then be obtained from the characteristic information of the application connection topology, and abnormal application connections in the network are detected using it. Because the service connection security baseline used to evaluate whether an application connection relationship is normal is generated from application connection information collected under normal conditions, abnormal application connections in the network can be detected and the security of the network is improved.
As further described in the embodiment corresponding to fig. 1, after an abnormal application connection is detected by using the service connection security baseline, an alarm identifier may be added to a device icon of a terminal device corresponding to the abnormal application connection on a graphical interface, and a firewall rule is issued to a distributed firewall of the terminal device corresponding to the abnormal application connection, so as to block a network traffic corresponding to the abnormal application connection.
Specifically, during the operation of the service network, abnormal network traffic is generated when an insider performs malicious activity or the network suffers an external attack. The embodiment can perform security analysis on the application connection topology in its current state, identify the application connections that violate the security baseline, display the malicious connections as alarms on the GUI, and issue firewall rules to the DFWs (Distributed Firewalls) of the corresponding devices so as to block the abnormal network traffic. After the firewall rule is issued, the embodiment can continue to collect new application connection information: if the abnormal network traffic has been successfully blocked, the alarm on the GUI is cleared; otherwise, the administrator is notified to handle it manually.
In a large-scale service environment, equipment failures occur frequently; under the traditional network management mode, a network failure often requires the administrator to troubleshoot manually with tools such as ping and packet capture, which is time-consuming and laborious. As a further introduction to the embodiment corresponding to fig. 1, on the basis of generating an application connection topology from the application connection information, if an application connection interruption is detected, the fault point and the fault cause may be determined from the application connection topology; an interruption identifier is then added to the device icon of the terminal device corresponding to the fault point on a graphical interface, and the fault point is repaired according to the fault cause. In this embodiment, the fault point and the fault cause can be quickly located by analyzing the application connection topology, and automatic repair is attempted. If automatic repair is not possible, the point at which the fault occurred and its possible cause may be presented on the GUI and an alarm raised to prompt an administrator to repair the fault manually.
As further described with respect to the corresponding embodiment in fig. 1, the above-mentioned service connection security baseline may include a first constraint rule, may include a second constraint rule, and may also include both the first constraint rule and the second constraint rule. The first constraint rule includes a correspondence relationship between applications that maintain communication connection, and the second constraint rule includes a correspondence relationship between applications that do not establish communication connection. Specifically, the first constraint rule is a rule that defines that two applications must maintain a communication connection, and the second constraint rule is a rule that prohibits the two applications from establishing a communication connection.
If the service connection safety baseline only comprises a first constraint rule, if the connection information of the two application programs accords with the first constraint rule, judging that the application connection is normal; and if the connection information of the two application programs does not accord with the first constraint rule, judging that abnormal application connection is detected. Similarly, if the service connection security baseline only includes the second constraint rule, if the connection information of the two application programs conforms to the second constraint rule, the application connection is determined to be normal; and if the connection information of the two application programs does not accord with the second constraint rule, judging that abnormal application connection is detected.
The application further provides an abnormal application connection detection scheme: first determine the application program pair corresponding to the application connection to be detected, then check it against the first constraint rule and the second constraint rule; the two rules may be applied in either order. An application program pair means the two applications corresponding to one piece of application connection information. If the applications in the pair do not conform to the first constraint rule, an abnormal application connection is judged to have been detected; if they do not conform to the second constraint rule, an abnormal application connection is likewise judged to have been detected. Only if the applications in the pair conform to both the first and the second constraint rule at the same time is the application connection judged normal.
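As an added example, not code from the patent, the two constraint rules above can be evaluated over the set of currently observed application pairs: a pair listed under the first rule that is absent is an interrupted required connection, and an observed pair listed under the second rule is a forbidden connection. The application names are constructed after the fig. 5 scenario; the `ServiceConnectionBaseline` class and its method names are the example's own.

```python
# Added example (not the patent's own code): evaluating a service connection
# security baseline built from a first constraint rule (application pairs that
# must keep a communication connection) and a second constraint rule
# (application pairs that must never establish one).
from typing import FrozenSet, Iterable, List, Set, Tuple

Pair = FrozenSet[str]          # an unordered application pair
Finding = Tuple[str, Pair]     # (finding type, offending pair)


def pair(app_a: str, app_b: str) -> Pair:
    """Build an unordered application pair so A<->B and B<->A compare equal."""
    return frozenset((app_a, app_b))


class ServiceConnectionBaseline:
    def __init__(self, must_connect: Iterable[Pair] = (), must_not_connect: Iterable[Pair] = ()):
        self.first_rule: Set[Pair] = set(must_connect)       # pairs that must stay connected
        self.second_rule: Set[Pair] = set(must_not_connect)  # pairs that must not connect
        # A pair cannot be both required and forbidden; refuse to load such a baseline
        # rather than let the evaluation order decide the verdict.
        contradictions = self.first_rule & self.second_rule
        if contradictions:
            raise ValueError("contradictory baseline rules: %s" % sorted(map(sorted, contradictions)))

    def detect_abnormal(self, current: Set[Pair]) -> List[Finding]:
        """Evaluate the whole current connection set against both rules.

        Both rules are always checked; because the two rule sets are disjoint,
        applying them in either order yields the same findings.
        """
        findings: List[Finding] = []
        # First constraint rule: every pair that must keep communicating has to be present.
        for p in sorted(self.first_rule, key=sorted):
            if p not in current:
                findings.append(("required_connection_missing", p))
        # Second constraint rule: no observed pair may be one the baseline forbids.
        for p in sorted(current, key=sorted):
            if p in self.second_rule:
                findings.append(("forbidden_connection_present", p))
        return findings

    def is_normal(self, current: Set[Pair]) -> bool:
        return not self.detect_abnormal(current)


# Constructed baseline and observation following the fig. 5 scenario: R&D office
# devices must reach the code repository, finance office devices must reach the
# finance database, and R&D office devices must never reach the finance database.
BASELINE = ServiceConnectionBaseline(
    must_connect=[pair("rd-office", "code-repo"), pair("finance-office", "finance-db")],
    must_not_connect=[pair("rd-office", "finance-db")],
)
OBSERVED = {pair("rd-office", "code-repo"), pair("rd-office", "finance-db")}

if __name__ == "__main__":
    for kind, p in BASELINE.detect_abnormal(OBSERVED):
        print(kind, sorted(p))
```

Running the block reports one missing required connection (finance-office to finance-db) and one forbidden connection (rd-office to finance-db). Checking the whole observed set rather than a single pair matters for the first rule: a required pair that has silently disappeared can only be noticed by looking for what is absent.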
Referring to fig. 2, fig. 2 is a flowchart of a processing method for an abnormal application according to an embodiment of the present application, where the embodiment is implemented on the basis of receiving application connection information in the embodiment corresponding to fig. 1, and a further embodiment may be obtained by combining the embodiment with the embodiment corresponding to fig. 1. The application connection information includes application parameters, where the application parameters may include any one or a combination of a digital signature, a protocol, and a version number, and this embodiment may include the following steps:
S201: judging whether a target application exists according to the application program parameters;
the target application includes an application with a vulnerability, an illegal application, or both.
S202: if an application with a vulnerability is detected, issuing the corresponding security patch so as to repair the vulnerability;
S203: if an illegal application is detected, displaying alarm information corresponding to the illegal application on the graphical interface.
As a feasible implementation, the present embodiment may maintain an application vulnerability database that stores identifiers of applications known to have vulnerabilities (for example, the digital signature, protocol and version number of the application); these identifiers are used for vulnerability detection. The embodiment can also check whether the application program parameters are complete and correct in order to detect illegal applications. If an application with a vulnerability (for example, an outdated version) is detected, the corresponding security patch can be looked up and issued for repair, and at the same time an alarm is shown in the application connection topology graph displayed on the graphical interface. Subsequently, the application connection information of the vulnerable application continues to be collected; if the vulnerability has been repaired the alarm on the GUI is cleared, otherwise an administrator is notified to handle it manually.
If an illegal application is detected, alarm information corresponding to it can be generated, the network traffic sent and received by the illegal application can be blocked, and the state of the illegal application can be monitored. An illegal application may be one that fails the relevant authentication or verification.
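As an added example, not code from the patent, the check in S201 to S203 can be written as a classifier over the reported application parameters: incomplete or malformed parameters and a signature that does not verify mark an illegal application, while a version below the first fixed version in a vulnerability database marks a vulnerable one. The database entries, signature strings and `PATCH-PLACEHOLDER-*` identifiers are constructed; a real system would verify the signature cryptographically against a publisher key rather than compare strings.

```python
# Added example (not the patent's own code): classifying an application from the
# parameters carried in application connection information (digital signature,
# protocol, version number) into "vulnerable", "illegal" or "ok", and deciding
# the handling action. Database contents, signatures and patch ids are constructed.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

VERSION_RE = re.compile(r"\d+(\.\d+)*")


@dataclass(frozen=True)
class AppParams:
    name: str
    signature: Optional[str]   # publisher signature as reported by the EM
    protocol: Optional[str]
    version: Optional[str]


# Constructed application vulnerability database: (name, protocol) -> first fixed
# version and the patch to issue. "PATCH-PLACEHOLDER-*" stands in for a real patch id.
VULN_DB: Dict[Tuple[str, str], Dict[str, str]] = {
    ("ssh-daemon", "ssh"): {"fixed_in": "8.9", "patch": "PATCH-PLACEHOLDER-001"},
    ("web-frontend", "http"): {"fixed_in": "2.4.0", "patch": "PATCH-PLACEHOLDER-002"},
}

# Constructed table of expected signatures per application name.
TRUSTED_SIGNATURES: Dict[str, str] = {
    "ssh-daemon": "sig-ssh-daemon-v1",
    "web-frontend": "sig-web-frontend-v1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted version string to a comparable tuple, e.g. '2.4.0' -> (2, 4, 0)."""
    return tuple(int(part) for part in version.split("."))


def classify(params: AppParams) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is 'illegal', 'vulnerable' or 'ok'."""
    # Incomplete or malformed parameters: treat the application as illegal.
    if not all((params.name, params.signature, params.protocol, params.version)):
        return ("illegal", "incomplete application parameters")
    if not VERSION_RE.fullmatch(params.version):
        return ("illegal", "malformed version number")
    # Signature check: an unknown application or a mismatching signature fails verification.
    expected = TRUSTED_SIGNATURES.get(params.name)
    if expected is None or expected != params.signature:
        return ("illegal", "signature verification failed")
    # Known-vulnerable range: any version below the first fixed version.
    entry = VULN_DB.get((params.name, params.protocol))
    if entry is not None and parse_version(params.version) < parse_version(entry["fixed_in"]):
        return ("vulnerable", entry["patch"])
    return ("ok", "")


def handle(params: AppParams) -> Dict[str, str]:
    """Map the verdict to the action taken: issue a patch, alarm and block, or nothing."""
    verdict, detail = classify(params)
    if verdict == "vulnerable":
        return {"action": "issue_patch", "patch": detail, "app": params.name}
    if verdict == "illegal":
        return {"action": "alarm_and_block", "reason": detail, "app": params.name}
    return {"action": "none", "app": params.name}


if __name__ == "__main__":
    print(handle(AppParams("ssh-daemon", "sig-ssh-daemon-v1", "ssh", "8.4")))
    print(handle(AppParams("unknown-tool", "no-such-sig", "tcp", "1.0")))
```

The order of the checks is deliberate: parameter completeness and signature verification come before the vulnerability lookup, so an application that cannot be identified never receives a patch on the strength of a version string alone.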
The flow described in the above embodiments is illustrated below with an embodiment in practical use.
To accommodate the automatic orchestration feature of a data center network, the present embodiment may be designed on the basis of an SDN (Software Defined Network) architecture. Referring to fig. 3, fig. 3 is an overall architecture diagram of a management system for application connectivity according to an embodiment of the present disclosure. As shown in fig. 3, the main modules of the architecture are a management device Mgr (Manager), a lightweight terminal EM (Endpoint Monitor) deployed in each virtual machine, and a graphical interface GUI provided to the user.
The EM can be deployed on various network assets, collect the application connection information of its device and report it to the Mgr. The Mgr aggregates the reports, computes the application connection topology and displays it to the user through the GUI. The Mgr can also perform security analysis based on the application connections and automatically handle vulnerabilities or risks when they are discovered. When the service changes, the user can inform the Mgr of the new service intention through the GUI; the Mgr automatically translates the intention and generates the new network configuration in combination with the application connection topology. After the network configuration has been issued and takes effect, the resulting application connections are fed back to the Mgr, which can adaptively adjust and optimize the network, and the new application connection topology is displayed on the GUI so that the user can confirm whether the service intention has been met.
Referring to fig. 4, fig. 4 is a flowchart of a management method for application connectivity according to an embodiment of the present application, where the embodiment may include the following implementation operations:
1. Generation and graphical display of the application connection topology:
the EM collects application connection information and reports the application connection information to the Mgr, the Mgr collects the application connection information, and specific application connection relations are calculated, for example, communication is established between the server xx-VMxx-APPxx and the host xx-VMxx-APPxx. Specifically, the Mgr can automatically learn the services of the user, group-manage the assets in the service network according to the label information of "location-environment-role-application" and the like, divide the application connections according to the services, and finally form a visual application connection topological graph to clearly show the interaction relationship between the specific services.
Referring to fig. 5, fig. 5 shows a way of generating an application connection topology diagram according to an embodiment of the present disclosure: the EM collects the application connection information of a virtual machine VM, the Mgr aggregates the application connection information to draw the application connection topology, and the topology diagram is displayed through the GUI. In the application connection topology shown in fig. 5, the solid lines are the application connections in the normal state. While the service network is running stably, the application connection topology is sampled and feature values such as "position-environment-service-role" are used as machine learning training samples to derive the service connection security baseline for normal conditions, which is stored in a database. During subsequent network operation, whenever the application connection topology changes, the service connection security baseline is used to analyze whether the current application connection relationship is legitimate. As shown in fig. 5, suppose the service connection security baseline allows the research and development office device to connect to the code library, the research and development server and the financial office device, and allows the financial office device to connect to the financial database, but does not allow the research and development office device to connect to the financial database; then, when the research and development office device is detected connecting to the financial database, that connection can be judged abnormal according to the service connection security baseline.
The process of drawing the application connection topological graph is as follows: acquiring application connection information of the virtual machine through EM and reporting the application connection information to a management center Mgr; the Mgr analyzes the application connection information, can determine which two virtual machines are in communication according to the local IP and the target IP connected by the network, can draw icons of the two virtual machines on the GUI, and draws a curve to connect the two icons; clicking on the connection curve may display more detailed application connection information: such as ports, network protocols, connection status, applications, etc.
Referring to fig. 6, fig. 6 is a graphical interface display diagram of an application connection topology provided in an embodiment of the present application, where the application connection topology is obtained by abstracting each terminal device according to a department or function to which the device belongs. As shown in fig. 6, the application of the device in the front-end development department (e.g., the research and development office device 001 and the research and development office device 002) may establish a connection with the application of the device in the back-end development department (e.g., the research and development office device 003 and the research and development office device 004), the application of the device in the front-end development department and the back-end development department may establish a connection with the application of the business database server, the application of the device in the financial department (e.g., the financial office device 001 and the financial office device 002) may establish a connection with the application of the financial data server, and the application of the network administrator device in the network security department may establish a connection with the applications of the device in the front-end development department, the back-end development department, and the financial department, respectively.
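As an added example, not code from the patent, the following Python builds the topology the way the text describes it (one edge per local/remote IP pair, with port, protocol and application kept for the click-through view), abstracts it to service groups using a role label, learns the allowed group pairs from samples taken while the network was stable, and then checks a later report reproducing the fig. 5 case. The asset table, IPs, labels and reports are constructed; the patent's machine learning step is replaced here by the simplest possible learner, the union of observed group pairs.

```python
# Added example (not the patent's own code): building an application connection
# topology from EM reports, abstracting it to service groups, learning the allowed
# group pairs from stable-period samples, and checking a later connection.
from collections import defaultdict
from typing import Any, Dict, FrozenSet, Iterable, List, Set

Report = Dict[str, Any]   # one connection as reported by an EM
Edge = FrozenSet[str]     # unordered {local_ip, remote_ip}

# Constructed asset table: IP -> labels in the "location-environment-role" style.
ASSETS: Dict[str, Dict[str, str]] = {
    "10.0.1.11": {"name": "rd-office-001", "location": "hq", "env": "office", "role": "frontend-dev"},
    "10.0.1.13": {"name": "rd-office-003", "location": "hq", "env": "office", "role": "backend-dev"},
    "10.0.2.21": {"name": "biz-db-01", "location": "dc1", "env": "prod", "role": "business-db"},
    "10.0.3.31": {"name": "finance-office-001", "location": "hq", "env": "office", "role": "finance"},
    "10.0.3.32": {"name": "finance-db-01", "location": "dc1", "env": "prod", "role": "finance-db"},
}


def report(local_ip: str, remote_ip: str, port: int, app: str, state: str = "ESTABLISHED") -> Report:
    """Constructed EM report carrying the fields the Mgr needs to draw and annotate an edge."""
    return {"local_ip": local_ip, "remote_ip": remote_ip, "port": port,
            "proto": "tcp", "app": app, "state": state}


def build_topology(reports: Iterable[Report]) -> Dict[Edge, List[Report]]:
    """One edge per IP pair; per-connection details stay attached for the click-through view."""
    edges: Dict[Edge, List[Report]] = defaultdict(list)
    for r in reports:
        if r["state"] != "ESTABLISHED":
            continue  # half-open or closed sockets do not count as application connections
        edges[frozenset((r["local_ip"], r["remote_ip"]))].append(r)
    return dict(edges)


def to_service_groups(edges: Iterable[Edge], assets: Dict[str, Dict[str, str]]) -> Set[FrozenSet[str]]:
    """Abstract IP-level edges to role-level edges (the department view of fig. 6)."""
    groups: Set[FrozenSet[str]] = set()
    for e in edges:
        if all(ip in assets for ip in e):
            groups.add(frozenset(assets[ip]["role"] for ip in e))
        # edges touching an unlabelled asset stay in the raw IP view only
    return groups


def learn_baseline(samples: Iterable[Iterable[Report]], assets: Dict[str, Dict[str, str]]) -> Set[FrozenSet[str]]:
    """Allowed role pairs: the union of role pairs observed in stable-period topology samples."""
    allowed: Set[FrozenSet[str]] = set()
    for sample in samples:
        allowed |= to_service_groups(build_topology(sample), assets)
    return allowed


def classify_report(r: Report, allowed: Set[FrozenSet[str]], assets: Dict[str, Dict[str, str]]) -> str:
    """'normal' if the role pair is in the baseline, 'abnormal' otherwise, 'unknown-asset' if unlabelled."""
    e = frozenset((r["local_ip"], r["remote_ip"]))
    if not all(ip in assets for ip in e):
        return "unknown-asset"
    return "normal" if frozenset(assets[ip]["role"] for ip in e) in allowed else "abnormal"


# Constructed stable-period samples, then a later report reproducing the fig. 5 case
# (an R&D office device reaching the finance database).
STABLE_SAMPLES = [
    [report("10.0.1.11", "10.0.1.13", 8080, "frontend-svc"),
     report("10.0.1.13", "10.0.2.21", 5432, "order-api"),
     report("10.0.3.31", "10.0.3.32", 1433, "ledger-client")],
    [report("10.0.1.11", "10.0.2.21", 5432, "report-tool"),
     report("10.0.3.31", "10.0.3.32", 1433, "ledger-client"),
     report("10.0.1.11", "10.0.3.32", 1433, "db-client", state="SYN_SENT")],
]
LATER_REPORT = report("10.0.1.11", "10.0.3.32", 1433, "db-client")

if __name__ == "__main__":
    allowed = learn_baseline(STABLE_SAMPLES, ASSETS)
    print(sorted(sorted(g) for g in allowed))
    print(classify_report(LATER_REPORT, allowed, ASSETS))
```

Two points worth noting for anyone building on this: a connection that never completed (the `SYN_SENT` report) is excluded from the topology, so an attempt made during the sampling window does not get learned as normal; and because the baseline contains only what was observed, a legitimate but infrequent connection that did not occur during the stable period will be flagged, which is why the patent keeps the administrator in the loop for confirmation.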
2. Vulnerability application detection process:
After the application connection information has been obtained, the application program parameters it carries can be used to determine whether a vulnerable application exists; if one exists, it is then judged whether automatic repair is possible. If automatic repair is possible, the repair is performed by installing a security patch. If automatic repair is not possible, an alarm is raised on the GUI so that the responsible administrator can repair it manually.
3. Abnormal application connection detection process:
During service operation, the Mgr can perform security analysis on the application connection topology against the service connection security baseline, identify abnormal application connections that violate the baseline, and mark the traffic corresponding to those abnormal application connections as malicious traffic. If malicious traffic exists, it is blocked and an alarm is raised on the GUI as a prompt.
4. Network fault detection process:
In this embodiment, the application connection topology in the network can be monitored in real time. When an application connection is interrupted by a fault, the Mgr can quickly locate the fault point and the fault cause by analyzing the application connection topology and attempt automatic repair. If the fault cannot be handled automatically, the point where the fault occurred and its possible cause are presented on the GUI and an administrator is prompted to fix it manually. If it can be handled automatically, the fault is repaired automatically and the resulting application connection topology is presented visually on the GUI.
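As an added example, not code from the patent, the fault localization described here (and in the fig. 1 extension above) can be driven from the difference between the last known good topology and the edges currently reported. The heuristic used is the example's own: a node all of whose expected connections have disappeared, with at least two peers confirming it, is reported as the failure point with cause "endpoint unreachable"; a single missing edge between otherwise healthy endpoints is reported as a connection-level interruption. Node names are constructed.

```python
# Added example (not the patent's own code): locating a failure point from the
# application connection topology by comparing expected edges (last known good
# topology) with the edges currently reported by the EMs.
from collections import defaultdict
from typing import Any, Dict, FrozenSet, List, Set

Edge = FrozenSet[str]


def edge(a: str, b: str) -> Edge:
    return frozenset((a, b))


def locate_faults(expected: Set[Edge], current: Set[Edge]) -> List[Dict[str, Any]]:
    """Return one record per located fault: failure point, cause and the interrupted edges."""
    missing = expected - current
    if not missing:
        return []
    # How many of each node's expected edges exist, and how many of them are down.
    expected_deg: Dict[str, int] = defaultdict(int)
    down_deg: Dict[str, int] = defaultdict(int)
    for e in expected:
        for n in e:
            expected_deg[n] += 1
    for e in missing:
        for n in e:
            down_deg[n] += 1
    # A node that lost every expected connection, with at least two peers reporting
    # the loss, is the most likely failure point (host down, NIC down, EM down).
    dead_nodes = {n for n in down_deg if down_deg[n] == expected_deg[n] and expected_deg[n] >= 2}
    faults: List[Dict[str, Any]] = []
    for n in sorted(dead_nodes):
        faults.append({
            "failure_point": n,
            "cause": "endpoint_unreachable",
            "interrupted": sorted(sorted(e) for e in missing if n in e),
        })
    # Missing edges not explained by a dead endpoint are isolated interruptions:
    # a closed port, a stopped application or a firewall rule between two live hosts.
    for e in sorted(missing, key=sorted):
        if not (e & dead_nodes):
            faults.append({
                "failure_point": "/".join(sorted(e)),
                "cause": "connection_interrupted",
                "interrupted": [sorted(e)],
            })
    return faults


# Constructed last known good topology and two fault scenarios.
EXPECTED = {
    edge("rd-office-001", "code-repo"),
    edge("rd-office-001", "biz-db-01"),
    edge("rd-office-003", "biz-db-01"),
    edge("finance-office-001", "finance-db-01"),
}
# Scenario 1: biz-db-01 lost both of its connections.
CURRENT_DB_DOWN = {edge("rd-office-001", "code-repo"), edge("finance-office-001", "finance-db-01")}
# Scenario 2: only one connection to biz-db-01 dropped.
CURRENT_ONE_DOWN = EXPECTED - {edge("rd-office-003", "biz-db-01")}

if __name__ == "__main__":
    for scenario in (CURRENT_DB_DOWN, CURRENT_ONE_DOWN):
        print(locate_faults(EXPECTED, scenario))
```

Scenario 1 yields a single fault pointing at `biz-db-01`, which is where the interruption identifier would be placed on the GUI; scenario 2 yields a connection-level interruption between `rd-office-003` and `biz-db-01`, where the cause is more likely a closed port or a rule change than a host outage, and so the two endpoints are named rather than a single device.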
5. Service information statistical analysis process:
This embodiment can compile statistics on the application connection topology over a preset time period and generate a service optimization suggestion from the statistical result, where the statistical result includes a ranking of the network traffic generated by the application connections. The Mgr performs statistical analysis while aggregating and constructing the application connection topology and stores the relevant statistical data in a database. Service analysis options are provided to the user on the GUI for viewing service statistics over a period of time, and network optimization suggestions are given to help the user identify hot-spot services and optimize them. Specifically, in this embodiment the terminal devices with larger traffic can be identified from the ranking of network traffic generated by the application connections, and more storage space can then be allocated to them.
The embodiment manages the service network based on the application connectivity, reduces the complexity of network management and operation and maintenance through the visual capability, and reduces the task of manual configuration of a network administrator. The embodiment can also automatically discover and dispose risk loopholes in the service network, automatically position the network fault reason, improve the safety of the service network and realize the self-adaptive management of the application connectivity. The embodiment can reduce the network management complexity of the data center, enhance the visual capability of the network application connectivity, maintain the safety of the service network and improve the automation degree of network operation and maintenance.
After the application connection topology has been generated from the application connection information, a topology graph corresponding to it can be displayed on the graphical interface (GUI). The user can modify the network configuration and firewall rules through the GUI: the network management device receives the user's adjustment information on the topology graph in the graphical interface and updates the application connection topology according to it, so as to modify the network configuration and firewall rules. Specifically, each icon in the application connection topology graph corresponds to the UUID identifier of an object instance managed by the backend. The instance may be a physical host, a virtual machine, or an application on a virtual machine. When the user clicks two icons and chooses to establish a connection, the Mgr queries the backend for the host or virtual machine IP corresponding to each instance and the network protocol used by the corresponding application program, and then issues an access control rule to the distributed firewall allowing communication between the IPs corresponding to the two instances. When the service policy is adjusted, the network administrator can modify the network configuration through the application connection topology graph on the GUI without manually configuring specific IPs, ports and firewall rules; it is only necessary to click the relevant services (or, at finer granularity, servers, virtual machines and applications) in the topology graph and choose to establish a connection. The Mgr automatically modifies the corresponding network configuration and firewall rules to allow or disallow communication between applications based on the user's adjustments in the application connection topology.
After the network administrator operation takes effect, the Mgr may collect and expose the new application connection topology to confirm that the user's intent is met.
In the process, the Mgr collects the application connection information to calculate a detailed application connection relation, constructs the application connection topology of the service network, and visually displays the application connection topology on the GUI to clearly depict the service operation state. When a user modifies a business strategy, an application connection topological graph is clicked on a GUI (graphical user interface) for visual operation, Mgr automatically converts the user intention into network configuration and issues the network configuration to take effect, and then the application connection topology is updated to immediately feed back the changed business running state to the user.
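As an added example, not code from the patent, the translation of a GUI action on two icons into a distributed-firewall rule can be modelled as: resolve both instance UUIDs to their backend records, take the IP and the listening protocol and port from the destination, and emit one rule scoped to exactly that service. The instance table, the deterministic UUIDs and the rule format are constructed; the `iptables` rendering is only one possible backend, and a deny intent is ordered before allow rules so it cannot be shadowed.

```python
# Added example (not the patent's own code): translating a GUI action on two
# topology icons (identified by instance UUIDs) into a narrowly scoped
# distributed-firewall access control rule. Instances and UUIDs are constructed.
import uuid
from typing import Any, Dict, List, Optional

# Constructed backend instance table keyed by UUID; each topology icon maps to one entry.
INSTANCES: Dict[str, Dict[str, Any]] = {}


def register(name: str, ip: str, protocol: Optional[str] = None, port: Optional[int] = None) -> str:
    """Register a host/VM/application instance; servers carry the protocol and port they listen on."""
    inst_id = str(uuid.uuid5(uuid.NAMESPACE_DNS, name))  # deterministic constructed UUID
    INSTANCES[inst_id] = {"name": name, "ip": ip, "protocol": protocol, "port": port}
    return inst_id


def translate_intent(src_id: str, dst_id: str, action: str) -> Dict[str, Any]:
    """Turn 'connect / disconnect these two icons' into one access control rule."""
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")
    src, dst = INSTANCES[src_id], INSTANCES[dst_id]
    if dst["protocol"] is None or dst["port"] is None:
        # Without a listener on the destination there is nothing to scope the rule to;
        # refusing is safer than emitting an IP-to-IP any-port rule.
        raise ValueError(f"{dst['name']} exposes no service")
    return {"action": action, "src_ip": src["ip"], "dst_ip": dst["ip"],
            "protocol": dst["protocol"], "dst_port": dst["port"]}


def render_iptables(rule: Dict[str, Any]) -> str:
    """Render the rule as an iptables FORWARD rule (one of many possible backends)."""
    target = "ACCEPT" if rule["action"] == "allow" else "DROP"
    return (f"iptables -A FORWARD -s {rule['src_ip']} -d {rule['dst_ip']} "
            f"-p {rule['protocol']} --dport {rule['dst_port']} -j {target}")


def order_rules(rules: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Install deny rules before allow rules so a deny is never shadowed by an earlier allow."""
    return sorted(rules, key=lambda r: 0 if r["action"] == "deny" else 1)


# Constructed instances: one client device and two database servers.
RD_OFFICE_003 = register("rd-office-003", "10.0.1.13")
BIZ_DB_01 = register("biz-db-01", "10.0.2.21", "tcp", 5432)
FINANCE_DB_01 = register("finance-db-01", "10.0.3.32", "tcp", 1433)

if __name__ == "__main__":
    rules = [translate_intent(RD_OFFICE_003, BIZ_DB_01, "allow"),
             translate_intent(RD_OFFICE_003, FINANCE_DB_01, "deny")]
    for r in order_rules(rules):
        print(render_iptables(r))
```

Scoping the rule to the destination's listening port, rather than opening all traffic between the two IPs as the text's wording might suggest, keeps the generated configuration close to least privilege; the administrator's intent is the same, only the rule is tighter.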
Referring to fig. 7, fig. 7 is a schematic structural diagram of an application connection detection apparatus according to an embodiment of the present application, where the apparatus may include:
a topology generating module 701, configured to receive application connection information of at least one terminal device, and generate an application connection topology according to the application connection information; the application connection information comprises an application program connection relation which accords with a preset rule;
a security baseline generation module 702, configured to sample the application connection topology to obtain feature information, and determine a service connection security baseline by using the feature information;
an anomaly detection module 703, configured to detect an application connection using the service connection security baseline.
In this embodiment, an application connection topology is generated according to application connection information of the application device, where the application connection information includes an application program connection relationship that meets a preset rule, so that a state of communication connection between an application program of each terminal device in a network and other application programs can be determined under a normal condition based on the application connection topology. According to the embodiment, the service connection safety baseline under normal conditions can be obtained according to the characteristic information of the application connection topology, so that abnormal application connection in the network is detected by using the service connection safety baseline. According to the embodiment, the service connection safety baseline for evaluating whether the application connection relation is normal is generated according to the application connection information under the normal condition, abnormal application connection in the network can be detected, and the safety of the network is improved.
Further, the topology generating module 701 is configured to receive application connection information of at least one terminal device reported by the terminal monitor device, and to obtain the application connection topology by dividing the application connection information according to service groups.
Further, the safety baseline generation module 702 is configured to input the feature information as a training sample into a machine learning model for training, so as to obtain the service connection safety baseline.
Further, the business connection security baseline comprises a first constraint rule and/or a second constraint rule; the first constraint rule comprises the corresponding relation of the application programs which keep the communication connection, and the second constraint rule comprises the corresponding relation of the application programs which do not establish the communication connection.
Further, the anomaly detection module 703 is configured to determine the application program pair corresponding to the application connection to be detected; it is further configured to judge that an abnormal application connection has been detected if the applications in the pair do not conform to the first constraint rule, and to judge that an abnormal application connection has been detected if the applications in the pair do not conform to the second constraint rule.
Further, the anomaly detection module 703 is configured to determine an application connection to be detected corresponding to application connection information generated by the terminal device at the current time, and detect whether the application connection to be detected is the anomalous application connection by using the service connection security baseline.
Further, the application connection information includes application program parameters; wherein the application parameters include any one or a combination of any of digital signatures, protocols, and version numbers;
correspondingly, the apparatus further comprises:
the target application detection module is used for judging whether a target application exists according to the application program parameters after receiving the application connection information of at least one terminal device; wherein the target application comprises an application with a vulnerability and/or an illegal application; if the application with the bug is detected, issuing a corresponding security patch so as to repair the bug; and if the illegal application is detected, displaying alarm information corresponding to the illegal application on a graphical interface.
Further, the apparatus further comprises:
a traffic blocking module, configured to, after the application connection has been detected using the service connection security baseline, add an alarm identifier to the device icon of the terminal device corresponding to the abnormal application connection on the graphical interface if an abnormal application connection is detected, and issue a firewall rule to the distributed firewall of that terminal device so as to block the network traffic corresponding to the abnormal application connection.
Further, the apparatus further comprises:
a fault processing module, configured to, after the application connection topology has been generated from the application connection information, determine the fault point and the fault cause from the application connection topology when an application connection interruption is detected, add an interruption identifier to the device icon of the terminal device corresponding to the fault point on the graphical interface, and repair the fault point according to the fault cause.
Further, the apparatus further comprises:
a statistics module, configured to compile statistics on the application connection topology over a preset time period and generate a service optimization suggestion from the statistical result, where the statistical result includes a ranking of the network traffic generated by the application connections.
Further, the apparatus further comprises:
a topology adjusting module, configured to display a topology graph corresponding to the application connection topology on the graphical interface after the application connection topology has been generated from the application connection information, and further configured to receive the user's adjustment information on the topology graph in the graphical interface and update the application connection topology according to it, so as to modify the network configuration and firewall rules.
In the embodiment, the application connection information is collected by the lightweight terminal deployed in the virtual machine, and is uniformly reported to the management center for calculation, so that the application connection topology of the service network is generated and displayed on the graphical interface. In this embodiment, the application connection topology is sampled during a period of stable operation of the service network, and a machine learning algorithm is used to perform intelligent analysis, so as to depict the application connection state during the safe and stable operation of the service network. Network troubleshooting, risk control, vulnerability disposal and the like are automatically carried out based on the application connection topology. The embodiment can help the user to clearly know the operation state of the service network, reduce the management complexity of the service network through the visual capability and improve the stability and the safety of the service network.
Since the embodiments of the apparatus portion and the method portion correspond to each other, please refer to the description of the embodiments of the method portion for the embodiments of the apparatus portion, which is not repeated here.
The present application also provides a storage medium having a computer program stored thereon, which when executed, may implement the steps provided by the above-described embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The present application further provides an electronic device, and referring to fig. 8, fig. 8 is a block diagram of an electronic device provided in an embodiment of the present application, and the electronic device may include a processor 810 and a memory 820.
Processor 810 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and so forth. The processor 810 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). Processor 810 may also include a main processor and a coprocessor, where the main processor is a processor, also called a Central Processing Unit (CPU), for Processing data in the wake state; a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 810 may be integrated with a GPU (Graphics Processing Unit) that is responsible for rendering and drawing the content that the display screen needs to display. In some embodiments, the processor 810 may further include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
Memory 820 may include one or more computer-readable storage media, which may be non-transitory. Memory 820 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In this embodiment, the memory 820 is at least used for storing a computer program 821, wherein after being loaded and executed by the processor 810, the computer program can implement relevant steps in application connection detection disclosed in any of the foregoing embodiments. In addition, the resources stored by the memory 820 may also include an operating system 822, data 823, and the like, and the storage may be transient storage or permanent storage. The operating system 822 may include Windows, Linux, Android, and the like.
In some embodiments, the electronic device may also include a display screen 830, an input-output interface 840, a communication interface 850, sensors 860, a power source 870, and a communication bus 880.
Of course, the structure of the electronic device shown in fig. 8 does not constitute a limitation of the electronic device in the embodiment of the present application, and the electronic device may include more or less components than those shown in fig. 8 or some components in combination in practical applications.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (14)

1. An application connection detection method, comprising:
receiving application connection information of at least one terminal device, and generating an application connection topology according to the application connection information; the application connection information comprises an application program connection relation which accords with a preset rule;
sampling the application connection topology to obtain characteristic information, and determining a service connection security baseline by using the characteristic information;
detecting the application connection by utilizing the service connection security baseline.
2. The method according to claim 1, wherein the receiving application connection information of at least one terminal device and generating an application connection topology according to the application connection information comprises:
receiving application connection information of at least one terminal device reported by a terminal monitor device;
dividing the application connection information according to service groups to obtain the application connection topology.
3. The application connection detection method of claim 1, wherein determining a service connection security baseline using the characteristic information comprises:
inputting the characteristic information as a training sample into a machine learning model for training to obtain the service connection security baseline.
4. The application connection detection method according to claim 1, wherein the service connection security baseline comprises a first constraint rule and/or a second constraint rule; the first constraint rule comprises the corresponding relation of the application programs which keep the communication connection, and the second constraint rule comprises the corresponding relation of the application programs which do not establish the communication connection.
5. The method of claim 4, wherein detecting the application connection using the service connection security baseline comprises:
determining an application program pair corresponding to the connection of the application to be detected;
if the application program in the application program pair does not accord with the first constraint rule, judging that the abnormal application connection is detected;
if the application program in the application program pair does not accord with the second constraint rule, judging that the abnormal application connection is detected.
6. The method of claim 1, wherein detecting the application connection using the service connection security baseline comprises:
and determining, as the application connection to be detected, the application connection corresponding to the application connection information generated by the terminal device at the current moment, and detecting, using the service connection security baseline, whether the application connection to be detected is an abnormal application connection.
7. The application connection detection method of claim 1, wherein the application connection information includes application program parameters, the application program parameters including any one or a combination of digital signatures, protocols and version numbers;
correspondingly, after receiving the application connection information of at least one terminal device, the method further includes:
determining, according to the application program parameters, whether a target application is present, the target application comprising a vulnerable application and/or an illegal application;
if a vulnerable application is detected, issuing the corresponding security patch to repair the vulnerability;
and if an illegal application is detected, displaying alarm information corresponding to the illegal application on a graphical interface.
8. The application connection detection method of claim 1, further comprising, after detecting the application connection using the service connection security baseline:
and if an abnormal application connection is detected, adding an alarm identifier, on a graphical interface, to the device icon of the terminal device corresponding to the abnormal application connection, and issuing a firewall rule to the distributed firewall of that terminal device so as to block the network traffic corresponding to the abnormal application connection.
9. The application connection detection method according to claim 1, further comprising, after generating the application connection topology from the application connection information:
when an application connection interruption is detected, determining the fault point and the fault cause according to the application connection topology;
and adding an interruption identifier, on a graphical interface, to the device icon of the terminal device corresponding to the fault point, and repairing the fault point according to the fault cause.
10. The application connection detection method according to claim 1, further comprising:
collecting statistics on the application connection topology over a preset time period, and generating a service optimization suggestion according to the statistical result, the statistical result comprising a ranking of the network traffic generated by the application connections.
11. The application connection detection method according to any one of claims 1 to 10, further comprising, after generating the application connection topology from the application connection information:
displaying a topology graph corresponding to the application connection topology on a graphical interface;
and receiving the user's adjustment information for the topology graph in the graphical interface, and updating the application connection topology according to the adjustment information so as to modify the network configuration and the firewall rules.
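The following is an added worked example, not code from the patent or from Sangfor: a toy model of the pipeline claimed in claims 1 to 8 and 10. A frequency threshold over sampled connection records stands in for the machine learning step of claim 3, the second constraint rule is read as an explicit list of application pairs that must never connect, and the host names, application names, service groups, versions, byte counts and firewall rule format are all constructed for illustration.

```python
"""Added example (not the patent's code): topology -> baseline -> detection.
All hosts, apps, service groups, versions and thresholds are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnReport:
    """One application connection record reported by a terminal monitor."""
    host: str          # reporting terminal device
    src_app: str       # local application that opened the connection
    dst_host: str
    dst_app: str
    nbytes: int        # traffic volume, used for the claim 10 ranking
    signed: bool       # digital signature valid (claim 7 parameter)
    version: str       # application version (claim 7 parameter)


# Constructed: which service group each terminal device belongs to (claim 2)
SERVICE_GROUPS = {"web-01": "web", "web-02": "web", "app-01": "app", "db-01": "db"}

# Constructed history of normal reports that the baseline is sampled from
HISTORY = [
    ConnReport("web-01", "nginx", "app-01", "tomcat", 4000, True, "1.20"),
    ConnReport("web-02", "nginx", "app-01", "tomcat", 3500, True, "1.20"),
    ConnReport("app-01", "tomcat", "db-01", "mysqld", 12000, True, "9.0"),
    ConnReport("app-01", "tomcat", "db-01", "mysqld", 9000, True, "9.0"),
    ConnReport("web-01", "nginx", "app-01", "tomcat", 5000, True, "1.20"),
]


def group_of(host):
    return SERVICE_GROUPS.get(host, "ungrouped")


def build_topology(reports):
    """Claims 1-2: partition reported connections by service group into
    {service_group: Counter{(src_app, dst_group, dst_app): times_seen}}."""
    topo = defaultdict(Counter)
    for r in reports:
        topo[group_of(r.host)][(r.src_app, group_of(r.dst_host), r.dst_app)] += 1
    return topo


def sample_baseline(topo, min_seen=2, denied=()):
    """Claims 3-4: derive the service connection security baseline.
    first_rule  = app pairs that kept a connection at least min_seen times
    second_rule = app pairs that must never connect (supplied by policy)
    The min_seen threshold is a stand-in for the claimed ML training step."""
    first_rule = set()
    for group, edges in topo.items():
        for (src_app, dst_group, dst_app), n in edges.items():
            if n >= min_seen:
                first_rule.add(((group, src_app), (dst_group, dst_app)))
    return {"first_rule": first_rule, "second_rule": set(denied)}


def detect(report, baseline):
    """Claims 5-6: classify one current connection against the baseline.
    Returns None when the connection is normal, else a short reason."""
    pair = ((group_of(report.host), report.src_app),
            (group_of(report.dst_host), report.dst_app))
    if pair in baseline["second_rule"]:
        return "pair is in the never-connect rule"
    if pair not in baseline["first_rule"]:
        return "pair is outside the known-good connection rule"
    return None


def check_app_parameters(report, vulnerable_versions, allowed_apps):
    """Claim 7: flag a vulnerable (known-bad version) or illegal (unsigned or
    not allow-listed) application from its reported parameters."""
    if report.version in vulnerable_versions.get(report.src_app, set()):
        return "vulnerable"
    if not report.signed or report.src_app not in allowed_apps:
        return "illegal"
    return None


def firewall_rule_for(report):
    """Claim 8: rule to push to the terminal's distributed firewall so the
    anomalous flow is blocked (rule format is constructed, not the patent's)."""
    return {"host": report.host, "action": "block", "app": report.src_app,
            "dst_host": report.dst_host, "dst_app": report.dst_app}


def traffic_ranking(reports):
    """Claim 10: rank application pairs by the traffic they generated."""
    volume = Counter()
    for r in reports:
        volume[(r.src_app, r.dst_app)] += r.nbytes
    return volume.most_common()


if __name__ == "__main__":
    topo = build_topology(HISTORY)
    baseline = sample_baseline(topo, denied={(("web", "nginx"), ("db", "mysqld"))})
    # a web server opening a connection straight to the database tier
    suspect = ConnReport("web-02", "nginx", "db-01", "mysqld", 800, True, "1.20")
    reason = detect(suspect, baseline)
    if reason:
        print("anomalous:", reason, firewall_rule_for(suspect))
    print(traffic_ranking(HISTORY))
```

The example keeps the two rules of claim 4 separate on purpose: the first rule only ever grows from what has been observed, so a connection that was never sampled is flagged even if nobody wrote a policy against it, while the second rule catches a pair that policy forbids regardless of how often it appears in the samples.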
12. An application connection detection apparatus, comprising:
a topology generation module, configured to receive application connection information of at least one terminal device and generate an application connection topology according to the application connection information, the application connection information comprising application program connection relations that conform to a preset rule;
a security baseline generation module, configured to sample the application connection topology to obtain feature information and determine a service connection security baseline using the feature information;
and an anomaly detection module, configured to detect the application connection using the service connection security baseline.
13. An electronic device, comprising a memory in which a computer program is stored and a processor which, when calling the computer program in the memory, implements the steps of the application connection detection method according to any one of claims 1 to 11.
14. A storage medium having stored thereon computer-executable instructions which, when loaded and executed by a processor, carry out the steps of the application connection detection method according to any one of claims 1 to 11.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110486230.3A CN113206761B (en) 2021-04-30 2021-04-30 Application connection detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110486230.3A CN113206761B (en) 2021-04-30 2021-04-30 Application connection detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113206761A true CN113206761A (en) 2021-08-03
CN113206761B CN113206761B (en) 2022-11-22

Family

ID=77028592

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110486230.3A Active CN113206761B (en) 2021-04-30 2021-04-30 Application connection detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113206761B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080109890A1 (en) * 2006-11-03 2008-05-08 Microsoft Corporation Selective auto-revocation of firewall security settings
CN101383820A (en) * 2008-07-07 2009-03-11 上海安融信息***有限公司 Design and implementing method for SSL connection and data monitoring
CN106060087A (en) * 2016-07-26 2016-10-26 中国南方电网有限责任公司信息中心 Multi-factor host security access control system and method
CN111181978A (en) * 2019-12-31 2020-05-19 深信服科技股份有限公司 Abnormal network traffic detection method and device, electronic equipment and storage medium
CN111600865A (en) * 2020-05-11 2020-08-28 杭州安恒信息技术股份有限公司 Abnormal communication detection method and device, electronic equipment and storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113904921A (en) * 2021-10-21 2022-01-07 上海观安信息技术股份有限公司 Dynamic network topological graph generating method, system, processing equipment and storage medium based on log and graph
CN113904921B (en) * 2021-10-21 2024-04-30 上海观安信息技术股份有限公司 Dynamic network topology graph generation method, system, processing equipment and storage medium based on log and graph
CN116582367A (en) * 2023-07-13 2023-08-11 北京立思辰安科技术有限公司 Data processing system for blocking firewall network communication
CN116582367B (en) * 2023-07-13 2023-09-22 北京立思辰安科技术有限公司 Data processing system for blocking firewall network communication

Also Published As

Publication number Publication date
CN113206761B (en) 2022-11-22

Similar Documents

Publication Publication Date Title
US10986120B2 (en) Selecting actions responsive to computing environment incidents based on action impact information
RU2677378C2 (en) Systems and methods for network analysis and reporting
US11729193B2 (en) Intrusion detection system enrichment based on system lifecycle
KR101883400B1 (en) detecting methods and systems of security vulnerability using agentless
US7472421B2 (en) Computer model of security risks
CA2464402C (en) A method and system for modeling, analysis and display of network security events
RU2679179C1 (en) Systems and methods for creating and modifying access lists
US20130096980A1 (en) User-defined countermeasures
US10671723B2 (en) Intrusion detection system enrichment based on system lifecycle
CN110113350B (en) Internet of things system security threat monitoring and defense system and method
CN113206761B (en) Application connection detection method and device, electronic equipment and storage medium
US11223643B2 (en) Managing a segmentation policy based on attack pattern detection
CN111181978B (en) Abnormal network traffic detection method and device, electronic equipment and storage medium
US20220210202A1 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
CN114598506A (en) Industrial control network security risk tracing method and device, electronic equipment and storage medium
WO2021028060A1 (en) Security automation system
JP7396371B2 (en) Analytical equipment, analytical methods and analytical programs
George et al. A graph-based decision support model for vulnerability analysis in IoT networks
US20220141256A1 (en) Method and system for performing security management automation in cloud-based security services
US20220309171A1 (en) Endpoint Security using an Action Prediction Model
JP2018137500A (en) Security management plan design device, security management plan evaluation device, security management plan design method and security management plan evaluation method
CN113301040A (en) Firewall strategy optimization method, device, equipment and storage medium
WO2019113492A1 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform
Alamanni OSSIM: A careful, free and always available guardian for your network
US20210081523A1 (en) Securely managing authentication information for automated incident responses

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant