CN114726766B - Fingerprint early warning implementation method, system, medium and equipment based on FTP service monitoring - Google Patents

Info

Publication number
CN114726766B
Authority
CN
China
Prior art keywords
ftp
fingerprint
module
packet data
network packet
Legal status
Active
Application number
CN202210530480.7A
Other languages
Chinese (zh)
Other versions
CN114726766A (en)
Inventor
蔡文锋
张大伟
Current Assignee
Beijing Unita Information Technology Co ltd
Original Assignee
Beijing Unita Information Technology Co ltd
Application filed by Beijing Unita Information Technology Co ltd
Priority to CN202210530480.7A
Publication of CN114726766A
Application granted
Publication of CN114726766B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/12 Network monitoring probes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0681 Configuration of triggering conditions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/062 Generation of reports related to network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a fingerprint early warning method, system, medium and equipment based on FTP service monitoring. The system comprises a sniffing module, a network packet data analysis module, a comprehensive management module and an alarm module. The comprehensive management module is in communication connection with the sniffing module, the network packet data analysis module and the alarm module respectively, and the sniffing module is in communication connection with the network packet data analysis module; the client is in communication connection with the FTP server through a network card, and the sniffing module is in communication connection with that network card. By sniffing and analyzing the network packet data generated during FTP interaction, the invention completely decouples the protection from the existing system: installation, upgrading, uninstallation and similar operations on the early warning system do not affect the FTP system, and the subsequent maintenance cost is greatly reduced.

Description

Fingerprint early warning implementation method, system, medium and equipment based on FTP service monitoring
Technical Field
The invention relates to the technical field of data processing, and in particular to a method, a system, a medium and a device for implementing fingerprint early warning based on FTP service monitoring.
Background
In scenarios with low security requirements, if even minimal security precautions are absent, the system is easily exploited by attackers. However, overly tight security measures increase workload and cost. For people working across fields, professional maintenance is too costly: a complex maintenance system requires expert knowledge, overly tight protection greatly limits the flexibility of the system, every function added or removed requires further maintenance investment, modification and upgrading are troublesome, and the heavy coupling with the existing system brings additional work and expense. Existing professional protection equipment for FTP systems suffers from high cost, high maintenance cost, cumbersome management and a high likelihood of errors.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to provide a method, a system, a medium and a device for implementing fingerprint early warning based on FTP service monitoring, which completely decouple the protection from the existing system by sniffing and analyzing the network packet data generated during FTP interaction, so that installation, upgrade and uninstallation of the early warning system do not affect the FTP system and the subsequent maintenance cost is greatly reduced.
In order to solve the technical problems, the invention provides the following technical scheme:
The fingerprint early warning method based on FTP service monitoring comprises the following steps:
S1) a sniffing module sniffs the network packet data generated during the operation of an FTP interaction process and sends the sniffed network packet data to a network packet data analysis module;
S2) the network packet data analysis module analyzes the received network packet data and sends the analysis result to the comprehensive management module, specifically comprising the following steps:
S2-1) the packet analysis unit analyzes the network packet data from the sniffing module and generates an analysis report;
S2-2) the task allocation unit allocates the network packet data to the corresponding FTP operation subunit in the fingerprint giving unit according to the analysis report generated in step S2-1);
S2-3) the FTP operation subunit of the fingerprint giving unit gives corresponding fingerprint information to the network packet data according to that network packet data and the analysis report generated in step S2-1);
S2-4) the analysis and statistics unit matches the fingerprint information given in step S2-3) against the FTP operation fingerprint information prestored in the fingerprint database, performs statistics on information related to the FTP operation according to the matching result, outputs a statistical report according to a preset report generation strategy, and sends the statistical report to the comprehensive management module as the analysis result;
S3) the comprehensive management module judges whether to send alarm information according to the analysis result obtained in step S2) and the operation early warning threshold value of the FTP interaction process; when a certain index of a certain operation in the analysis result exceeds the early warning threshold value of that operation on that index, the comprehensive management module generates the alarm information and sends an alarm through the alarm module.
In the method for implementing fingerprint early warning based on FTP service monitoring, in step S1), the sniffing strategy of the sniffing module is set and modified through the comprehensive management module.
In the fingerprint early warning method based on FTP service monitoring, the operation early warning threshold value used in step S3) is set and changed through the comprehensive management module.
According to the fingerprint early warning method based on FTP service monitoring, the FTP operation subunit comprises an FTP login subunit, an FTP attribute subunit, an FTP inquiry subunit, an FTP uploading subunit, an FTP downloading subunit and an FTP deletion subunit.
A fingerprint early warning system implemented based on FTP service monitoring comprises:
the sniffing module, which is used for sniffing the network packet data generated during the operation of the FTP interaction process and collecting the corresponding network packet data according to a sniffing strategy;
the network packet data analysis module, which is used for analyzing the received network packet data and generating an analysis result; the network packet data analysis module comprises a packet analysis unit, a task allocation unit, a fingerprint giving unit and an analysis and statistics unit, wherein the packet analysis unit is in communication connection with the task allocation unit, the task allocation unit is in communication connection with the fingerprint giving unit, and the fingerprint giving unit is in communication connection with the analysis and statistics unit; the packet analysis unit is used for analyzing the network packet data from the sniffing module and generating an analysis report; the task allocation unit is used for allocating the network packet data to the corresponding FTP operation subunit in the fingerprint giving unit according to the analysis report; the FTP operation subunit of the fingerprint giving unit gives corresponding fingerprint information to the network packet data according to that network packet data and the corresponding analysis report; the analysis and statistics unit is used for matching the given fingerprint information against the FTP operation fingerprint information prestored in the fingerprint database, performing statistics on information related to the FTP operation according to the matching result, and then outputting a statistical report according to a preset report generation strategy;
the comprehensive management module is used for judging whether to send alarm information or not according to the analysis result and an operation early warning threshold value in the FTP interaction process and managing the system;
the alarm module is used for receiving the alarm information sent by the comprehensive management module and sending the alarm information to a user;
the comprehensive management module is respectively in communication connection with the sniffing module, the network packet data analysis module and the alarm module, and the sniffing module is in communication connection with the network packet data analysis module; the client is in communication connection with the FTP server through a network card, and the sniffing module is in communication connection with the network card.
The fingerprint early warning system based on FTP service monitoring is characterized in that a sniffing strategy of the sniffing module is set and modified through the comprehensive management module.
According to the fingerprint early warning system based on FTP service monitoring, the FTP operation subunit comprises an FTP login subunit, an FTP attribute subunit, an FTP inquiry subunit, an FTP uploading subunit, an FTP downloading subunit and an FTP deletion subunit.
A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the above-described FTP-service-monitoring-based fingerprint early warning method.
A computer device comprising a readable storage medium, a processor, and a computer program stored on the readable storage medium and executable on the processor, the computer program, when executed by the processor, implementing the FTP service monitoring based fingerprint early warning method as described above.
The technical scheme of the invention achieves the following beneficial technical effects:
1. The fingerprint early warning system implemented based on FTP service monitoring is completely decoupled from the existing FTP system, i.e. there is no coupled component between the fingerprint early warning system and the existing FTP system, so the operation of the existing FTP system is not affected.
2. The fingerprint early warning system based on FTP service monitoring is simple to deploy: non-professionals can complete the deployment, an ordinary user can deploy it with only simple documentation, remote deployment is feasible, dependence on the system environment is low, and compatibility is good.
3. The fingerprint early warning system based on FTP service monitoring is low in cost: the invention adopts a pure software scheme, places no special requirements on the software and hardware of the system, and subsequent upgrades impose no stringent compatibility requirements.
4. Management and maintenance are practical: there are few rules and they do not depend on one another, so the effort non-professionals need to understand and operate the system is greatly reduced, the difficulty of tracing problems caused by configuration errors is avoided, and maintenance requires no complex learning process.
5. The invention does not interfere with the traffic of the existing system: because it is based on network packet sniffing, it has no influence on the flow of the existing system, and the packet sniffing only focuses on sensitive packet data, which greatly reduces the consumption of system resources and the contention for resources with other processes on the server.
Drawings
FIG. 1 is a schematic diagram of the operation of an FTP-based fingerprint early warning system;
FIG. 2 is a flow chart of a fingerprint early warning method implemented based on FTP service monitoring in the present invention;
FIG. 3 is a schematic diagram of a computer device capable of performing FTP-based service monitoring and fingerprint early warning in the present invention;
FIG. 4 is a flowchart of FTP login fingerprint early warning in the present invention;
FIG. 5 is a flow chart of FTP query fingerprint early warning in the present invention;
FIG. 6 is a flowchart of FTP upload fingerprint early warning in the present invention;
FIG. 7 is a flowchart of FTP download fingerprint early warning in the present invention;
FIG. 8 is a flowchart of FTP deletion fingerprint early warning in the present invention.
Detailed Description
The invention is further illustrated below with reference to examples.
As shown in fig. 1, the fingerprint early warning system based on FTP service monitoring in the present invention includes:
the sniffing module is used for sniffing the network packet data generated in the FTP interaction process and collecting the corresponding network packet data according to the sniffing strategy;
the network packet data analysis module is used for analyzing the received network packet data and generating an analysis result; the network packet data analysis module comprises a packet analysis unit, a task allocation unit, a fingerprint giving unit and an analysis and statistics unit, wherein the packet analysis unit is in communication connection with the task allocation unit, the task allocation unit is in communication connection with the fingerprint giving unit, and the fingerprint giving unit is in communication connection with the analysis and statistics unit; the packet analysis unit is used for analyzing the network packet data from the sniffing module and generating an analysis report; the task allocation unit is used for allocating the network packet data to the corresponding FTP operation subunit in the fingerprint giving unit according to the analysis report; the FTP operation subunit of the fingerprint giving unit gives corresponding fingerprint information to the network packet data according to that network packet data and the corresponding analysis report; the analysis and statistics unit is used for matching the given fingerprint information against the FTP operation fingerprint information prestored in the fingerprint database, performing statistics on information related to the FTP operation according to the matching result, and then outputting a statistical report according to a preset report generation strategy; the FTP operation subunit comprises an FTP login subunit, an FTP attribute subunit, an FTP inquiry subunit, an FTP uploading subunit, an FTP downloading subunit and an FTP deletion subunit;
the comprehensive management module is used for judging whether to send alarm information or not according to the statistical report and an operation early warning threshold value in the FTP interaction process and managing the system;
the alarm module is used for receiving the alarm information sent by the comprehensive management module and sending the alarm information to a user;
the comprehensive management module is respectively in communication connection with the sniffing module, the network packet data analysis module and the alarm module, and the sniffing module is in communication connection with the network packet data analysis module; the client is in communication connection with the FTP server through a network card, and the sniffing module is in communication connection with the network card.
The sniffing strategy when the sniffing module executes sniffing can be modified or adjusted through the comprehensive management module.
As shown in fig. 2, after the fingerprint early warning system based on FTP service monitoring is connected to an FTP system, it can be used to implement fingerprint early warning; the specific steps are as follows:
S1) the sniffing module sniffs the network packet data generated during the operation of the FTP interaction process and transmits the sniffed network packet data to the network packet data analysis module;
S2) the network packet data analysis module analyzes the received network packet data and sends the analysis result to the comprehensive management module, specifically comprising the following steps:
S2-1) the packet analysis unit analyzes the network packet data from the sniffing module and generates an analysis report;
S2-2) the task allocation unit allocates the network packet data to the corresponding FTP operation subunit in the fingerprint giving unit according to the analysis report generated in step S2-1);
S2-3) the FTP operation subunit of the fingerprint giving unit gives corresponding fingerprint information to the network packet data according to that network packet data and the analysis report generated in step S2-1);
S2-4) the analysis and statistics unit matches the fingerprint information given in step S2-3) against the FTP operation fingerprint information prestored in the fingerprint database, performs statistics on information related to the FTP operation according to the matching result, outputs a statistical report according to a preset report generation strategy, and sends the statistical report to the comprehensive management module as the analysis result;
S3) the comprehensive management module judges whether to send alarm information according to the analysis result obtained in step S2) and the operation early warning threshold value of the FTP interaction process; when a certain index of a certain operation in the analysis result exceeds the early warning threshold value of that operation on that index, the comprehensive management module generates the alarm information and sends an alarm through the alarm module. The operation early warning threshold value can be set and changed through the comprehensive management module.
Based on the method for implementing fingerprint early warning based on FTP service monitoring, correspondingly, the embodiment further provides a computer readable storage medium storing a computer program, and when the computer program is executed by a processor, the following steps are implemented: collecting network packet data generated in the operation of the FTP interaction process by sniffing, analyzing, counting the network packet data, counting abnormal operations and reporting the abnormal operations to a user.
As shown in fig. 3, based on the method, system and computer-readable storage medium for implementing fingerprint early warning based on FTP service monitoring, in this embodiment, a computer device is further provided, which includes a readable storage medium, a processor and a computer program stored on the readable storage medium and executable on the processor, where the readable storage medium and the processor are both disposed on a bus, and when the processor executes the computer program, the following steps are implemented: collecting network packet data generated in the operation of the FTP interaction process by sniffing, analyzing, counting the network packet data, and reporting abnormal operation statistics to a user.
In a specific application, the address and port of the local FTP server are configured in the sniffing module, and the sniffing module then sniffs the network packet data generated during the interaction between a user and the FTP server; this can be implemented on top of pcap, polling and sniffing the specified address and port. The network packet data collected by sniffing is handed to the packet analysis unit of the network packet data analysis module, which parses the FTP packets and generates an analysis report. After parsing, the task allocation unit distributes the corresponding network packet data to the different FTP operation subunits under the fingerprint giving unit for further processing, according to the FTP operation type of the FTP command in the analysis report. The FTP operation subunits under the fingerprint giving unit give the network packet data fingerprint information according to the analysis report; the analysis and statistics unit then counts information related to the FTP operation according to the matching result between that fingerprint information and the FTP operation fingerprint information prestored in the fingerprint database, generates a statistical report according to the preset report generation strategy, and outputs the statistical report to the comprehensive management module as the analysis result.
Different operation early warning threshold values are used for the different kinds of FTP packet processing, specifically as follows:
as shown in fig. 4, for the FTP user login, the task allocation unit determines that the FTP login operation is the FTP login according to the FTP instruction of the FTP login operation in the packet data, and then sends the packet data to the FTP login sub-unit for fingerprinting. The FTP login subunit endows corresponding network packet data with FTP login fingerprint information, wherein the FTP login fingerprint information comprises information such as an account number and a password of a user, login time, login IP and the like; then, the analysis and statistics unit reads the local fingerprint database to inquire the login fingerprint information of the user, if the user has corresponding fingerprint information, the user is simply regarded as a credible user in the first step, otherwise, the login fingerprint information is generated, and meanwhile, the comprehensive management module pushes one piece of alarm information to the alarm module; if the account frequently changes the IP information in a short time, the comprehensive management module generates alarm information and pushes the alarm module; if the user frequently logs in a very short time, the comprehensive management module generates an account cracking attack alarm and pushes the alarm to the alarm module.
As shown in fig. 5, for an FTP query command, the task allocation unit first determines from the FTP command in the packet data that the operation is an FTP query and sends the packet data to the FTP query subunit for fingerprinting. The FTP query subunit gives the corresponding network packet data FTP query fingerprint information, which comprises the user's account and password, the query target, the query time and similar information. The analysis and statistics unit records the number of queries per unit time; if the FTP query command is found to be issued continuously and the queried target objects are always the same, the user is potentially at risk of attack, and the comprehensive management module generates an alarm message for the alarm module. The comprehensive management module also performs fingerprint analysis on the high-frequency repeated query according to the analysis result, for example analyzing the query target and the query period (the start and end time of the high-frequency repeated query), so that the period of the potential attack can be determined and it can be judged more reliably whether the high-frequency repeated query is an attack behavior. The comprehensive management module can likewise perform fingerprint analysis on the query frequency: when the number of queries in a preset unit of time exceeds the early warning threshold, the query operations in that period are subjected to fingerprint analysis, for example of the query target, query time and query duration. If an FTP client issues query commands continuously within a short time, the behavior is considered unsafe even though each query on its own is a normal query process, and the comprehensive management module generates warning information and delivers it to the alarm module.
As shown in fig. 6, for an FTP upload command, the task allocation unit determines from the FTP command in the packet data that the operation is an FTP upload and sends the packet data to the FTP upload subunit for fingerprinting. The FTP upload subunit gives the corresponding packet data FTP upload fingerprint information, which comprises the user's account and password, the uploaded file size, the upload time, the uploaded file name and similar information; this information is then tracked by the analysis and statistics unit. For example: if an FTP client continuously transmits large files to the server, the comprehensive management module generates alarm information and delivers it to the alarm module; if an FTP client continuously uploads 0-byte files to the server, the comprehensive management module generates an alarm message for the alarm module; if an FTP client uploads for too long a time, for example transmitting uninterruptedly for a whole day, the comprehensive management module generates alarm information and delivers it to the alarm module; and if an FTP client repeatedly transmits the same list of files, the comprehensive management module generates alarm information and sends it to the alarm module, and can also record a fingerprint of the upload list and provide analysis.
as shown in fig. 7, for the FTP download instruction, the task allocation unit will first determine that the FTP download operation is the FTP download according to the FTP instruction of the FTP download operation in the network packet data, and then send the network packet data to the FTP download sub-unit for fingerprint giving, and the FTP download sub-unit gives the corresponding network packet data to download the fingerprint information by using the FTP, where the FTP download fingerprint information includes information such as an account and a password of the user, a download file size, a download time, and a download file name, and then the analysis and statistics unit monitors the download file abnormality, such as: and the same large file is continuously and repeatedly downloaded, at the moment, the analysis and statistics unit can know that the connection has attack risk through analysis and comparison according to the fingerprint information recorded by downloading, and the comprehensive management module can generate alarm information and deliver the alarm information to the alarm module. 
If a client downloads data in a large flow for a long time, it is indicated that an attack risk exists, the FTP downloading subunit generates corresponding fingerprint information for the operation, the fingerprint information contains the account number and the password of the user, the size of the downloaded data flow, the downloading duration and other related information, if the bandwidth occupied by the downloading flow is too large, it is indicated that the client may have the attack risk, and the comprehensive management module generates alarm information and sends the alarm information to the alarm module; if a client downloads for a long time without any sign of disconnection, the client can be judged to have an abnormal phenomenon according to the downloading time length fingerprint information, and conventional downloading can be completed within several hours generally. And for the possible attack risk of the user, the integrated management module can generate alarm information and deliver the alarm information to the alarm module.
As shown in fig. 8, the fingerprint of every deletion should be recorded accurately. Some users may be configured without deletion rights; if such a user is sniffed violating the rule, the comprehensive management module generates alarm information and sends it to the alarm module, and the alarm module starts a firewall mechanism that prevents the user from logging in to the server, so as to prevent the user from maliciously deleting files and further reduce losses. For a new user who executes a delete action immediately after logging in to the system, the early warning mechanism is likewise started.
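As an added example (not code from the patent or its assignee), the following Python sketch follows steps S1) to S3) above on the FTP control channel and applies the per-operation rules of figs. 4 to 8: it routes each sniffed command to the login, query, upload, download or delete subunit, gives the record a fingerprint, matches login fingerprints against a fingerprint database and raises an alarm when a threshold is exceeded. The sample records, the threshold values, the account names, the fingerprint database and the rule names are all constructed for the example; a real deployment would feed records from pcap as the page describes.

```python
from collections import defaultdict, deque

# Task allocation: which FTP operation subunit each control-channel verb goes to.
OPS = {"USER": "login", "PASS": "login", "LIST": "query", "NLST": "query",
       "STOR": "upload", "RETR": "download", "DELE": "delete"}

# Early-warning thresholds. The page leaves the values to the comprehensive
# management module, so these are constructed for the example.
THRESHOLDS = {
    "window_secs": 60,
    "login_attempts": 5,         # more PASS attempts than this per account in a window
    "query_repeats": 10,         # same query target more often than this in a window
    "zero_byte_uploads": 3,      # this many consecutive 0-byte STORs
    "large_file_bytes": 10_000_000,
    "download_repeats": 3,       # same large file fetched more often than this in a window
    "delete_after_login": 5,     # a DELE this many seconds or fewer after login
}

# Constructed fingerprint database: known (account, ip) login fingerprints and
# accounts that hold no deletion right.
KNOWN_LOGINS = {("alice", "10.0.0.5")}
NO_DELETE = {"bob"}

# Constructed sample of sniffed control-channel records: (t, client_ip, verb, arg, nbytes).
# nbytes is the size seen on the data channel for STOR/RETR; passwords are redacted.
SAMPLE = (
    [(0, "10.0.0.5", "USER", "alice", 0), (1, "10.0.0.5", "PASS", "***", 0),
     (2, "10.0.0.5", "LIST", "/reports", 0), (3, "10.0.0.5", "STOR", "/reports/q1.csv", 4096)]
    + [(10, "10.0.0.9", "USER", "bob", 0)]
    + [(10 + i, "10.0.0.9", "PASS", "***", 0) for i in range(6)]       # 6 guesses in 6 s
    + [(17, "10.0.0.9", "DELE", "/reports/q1.csv", 0)]
    + [(30, "10.0.0.7", "USER", "carol", 0), (31, "10.0.0.7", "PASS", "***", 0)]
    + [(32 + i, "10.0.0.7", "STOR", "/upload/empty.bin", 0) for i in range(3)]
    + [(40 + i, "10.0.0.5", "LIST", "/secret", 0) for i in range(11)]
    + [(60 + i, "10.0.0.5", "RETR", "/iso/big.iso", 50_000_000) for i in range(4)]
)


def classify(verb):
    """Task allocation unit: map an FTP verb to its operation subunit (None if ignored)."""
    return OPS.get(verb.upper())


def _in_window(times, t, window):
    """Record t and return how many timestamps fall inside the window ending at t."""
    times.append(t)
    while times and t - times[0] > window:
        times.popleft()
    return len(times)


def analyze(records, thresholds=THRESHOLDS, known_logins=KNOWN_LOGINS, no_delete=NO_DELETE):
    """Fingerprint every sniffed record, keep per-account statistics and return
    (fingerprints, alarms); each alarm is a (time, account, kind) tuple."""
    known = set(known_logins)              # copy so the caller's database is not mutated
    w = thresholds["window_secs"]
    user_by_ip = {}                        # session state: last USER seen per client IP
    login_times = defaultdict(deque)       # account -> PASS timestamps
    query_times = defaultdict(deque)       # (account, target) -> query timestamps
    download_times = defaultdict(deque)    # (account, target) -> large-download timestamps
    zero_uploads = defaultdict(int)        # account -> consecutive 0-byte uploads
    last_login = {}                        # account -> time of the last PASS
    fingerprints, alarms = [], []
    for t, ip, verb, arg, nbytes in records:
        op = classify(verb)
        if op is None:
            continue
        if verb.upper() == "USER":
            user_by_ip[ip] = arg           # the account becomes part of every later fingerprint
            continue
        acct = user_by_ip.get(ip, "?")
        # Fingerprint given by the operation subunit. The page lists the password as
        # well; it is deliberately not retained here.
        fingerprints.append({"account": acct, "ip": ip, "time": t, "op": op,
                             "target": arg, "bytes": nbytes})
        if op == "login":
            last_login[acct] = t
            if (acct, ip) not in known:    # no stored fingerprint: create one and warn
                known.add((acct, ip))
                alarms.append((t, acct, "new login fingerprint"))
            if _in_window(login_times[acct], t, w) > thresholds["login_attempts"]:
                alarms.append((t, acct, "account cracking"))
        elif op == "query":
            if _in_window(query_times[(acct, arg)], t, w) > thresholds["query_repeats"]:
                alarms.append((t, acct, "high-frequency query"))
        elif op == "upload":
            zero_uploads[acct] = zero_uploads[acct] + 1 if nbytes == 0 else 0
            if zero_uploads[acct] == thresholds["zero_byte_uploads"]:
                alarms.append((t, acct, "repeated 0-byte uploads"))
        elif op == "download" and nbytes >= thresholds["large_file_bytes"]:
            if _in_window(download_times[(acct, arg)], t, w) > thresholds["download_repeats"]:
                alarms.append((t, acct, "repeated large download"))
        elif op == "delete":
            if acct in no_delete:
                alarms.append((t, acct, "deletion without right"))
            if t - last_login.get(acct, float("-inf")) <= thresholds["delete_after_login"]:
                alarms.append((t, acct, "deletion right after login"))
    return fingerprints, alarms
```

Running `analyze(SAMPLE)` yields eight alarms: one per rule that the constructed sample is designed to trip, while alice's ordinary session at the start trips none.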
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. It is neither necessary nor possible to list all embodiments exhaustively, and obvious variations or modifications derived therefrom are intended to fall within the scope of the claims of this patent.

Claims (7)

1. A fingerprint early warning method based on FTP service monitoring, characterized by comprising the following steps:
S1) sniffing, with a sniffing module, the network packet data generated during the operations of an FTP interaction process, and sending the sniffed network packet data to a network packet data analysis module;
S2) analysing, with the network packet data analysis module, the received network packet data and sending the analysis result to a comprehensive management module, specifically comprising the following steps:
S2-1) a packet analysis unit analyses the network packet data from the sniffing module and generates an analysis report;
S2-2) a task allocation unit allocates the network packet data to the corresponding FTP operation subunit in a fingerprint giving unit according to the analysis report generated in step S2-1);
S2-3) the FTP operation subunit of the fingerprint giving unit gives corresponding fingerprint information to the network packet data according to the network packet data and the corresponding analysis report generated in step S2-1);
S2-4) an analysis and statistics unit matches the fingerprint information given in step S2-3) against FTP operation fingerprint information prestored in a fingerprint database, performs statistics on FTP-operation-related information according to the matching result, outputs a statistical report according to a preset report generation strategy, and sends the statistical report to the comprehensive management module as the analysis result; the FTP operation subunit comprises an FTP login subunit, an FTP attribute subunit, an FTP inquiry subunit, an FTP uploading subunit, an FTP downloading subunit and an FTP deletion subunit;
S3) judging, with the comprehensive management module, whether to send alarm information according to the analysis result obtained in step S2) and the operation early warning thresholds of the FTP interaction process; when an index of an operation in the analysis result exceeds the early warning threshold of that operation for that index, the comprehensive management module generates alarm information and sends an alarm through an alarm module.
2. The fingerprint early warning method based on FTP service monitoring as claimed in claim 1, wherein in step S1) the sniffing policy of the sniffing module is set and modified through the comprehensive management module.
3. The fingerprint early warning method based on FTP service monitoring as claimed in claim 1, wherein the operation early warning thresholds in step S3) are set and changed through the comprehensive management module.
4. A fingerprint early warning system based on FTP service monitoring, characterized by comprising:
a sniffing module, for sniffing the network packet data generated during the operations of the FTP interaction process and collecting the corresponding network packet data according to a sniffing policy;
a network packet data analysis module, for analysing the received network packet data and generating an analysis result; the network packet data analysis module comprises a packet analysis unit, a task allocation unit, a fingerprint giving unit and an analysis and statistics unit, wherein the packet analysis unit is in communication connection with the task allocation unit, the task allocation unit is in communication connection with the fingerprint giving unit, and the fingerprint giving unit is in communication connection with the analysis and statistics unit; the packet analysis unit analyses the network packet data from the sniffing module and generates an analysis report; the task allocation unit allocates the network packet data to the corresponding FTP operation subunit in the fingerprint giving unit according to the analysis report; the FTP operation subunit of the fingerprint giving unit gives corresponding fingerprint information to the network packet data according to the network packet data and the corresponding analysis report; the analysis and statistics unit matches the given fingerprint information against FTP operation fingerprint information prestored in a fingerprint database, performs statistics on FTP-operation-related information according to the matching result, and then outputs a statistical report according to a preset report generation strategy; the FTP operation subunit comprises an FTP login subunit, an FTP attribute subunit, an FTP inquiry subunit, an FTP uploading subunit, an FTP downloading subunit and an FTP deletion subunit;
a comprehensive management module, for judging whether to send alarm information according to the analysis result and the operation early warning thresholds of the FTP interaction process, and for managing the system;
an alarm module, for receiving the alarm information sent by the comprehensive management module and sending the alarm information to a user;
the comprehensive management module is in communication connection with the sniffing module, the network packet data analysis module and the alarm module respectively, and the sniffing module is in communication connection with the network packet data analysis module; the client is in communication connection with the FTP server through a network card, and the sniffing module is in communication connection with the network card.
5. The fingerprint early warning system based on FTP service monitoring as claimed in claim 4, wherein the sniffing policy of the sniffing module is set and modified by the comprehensive management module.
6. A computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the fingerprint early warning method based on FTP service monitoring of any one of claims 1 to 3.
7. A computer device comprising a readable storage medium, a processor and a computer program stored on the readable storage medium and executable on the processor, wherein the computer program, when executed by the processor, implements the fingerprint early warning method based on FTP service monitoring of any one of claims 1 to 3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210530480.7A CN114726766B (en) 2022-05-16 2022-05-16 Fingerprint early warning implementation method, system, medium and equipment based on FTP service monitoring

Publications (2)

Publication Number Publication Date
CN114726766A CN114726766A (en) 2022-07-08
CN114726766B true CN114726766B (en) 2023-01-06

Family

ID=82230902

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210530480.7A Active CN114726766B (en) 2022-05-16 2022-05-16 Fingerprint early warning implementation method, system, medium and equipment based on FTP service monitoring

Country Status (1)

Country Link
CN (1) CN114726766B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107454109A (en) * 2017-09-22 2017-12-08 杭州安恒信息技术有限公司 Network data-theft behaviour detection method based on HTTP traffic analysis
CN110417578A (en) * 2019-06-20 2019-11-05 国网辽宁省电力有限公司信息通信分公司 Abnormal FTP connection alarm processing method
CN110958233A (en) * 2019-11-22 2020-04-03 上海交通大学 Encrypted malicious traffic detection system and method based on deep learning

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11734152B2 (en) * 2020-06-05 2023-08-22 Nanjing University Of Posts And Telecommunications Method and system for detecting GPU-related factors of multi-mode distributed cluster

Also Published As

Publication number Publication date
CN114726766A (en) 2022-07-08

Similar Documents

Publication Publication Date Title
CN116488939B (en) Computer information security monitoring method, system and storage medium
US8156553B1 (en) Systems and methods for correlating log messages into actionable security incidents and managing human responses
US9875353B2 (en) Log information generation apparatus and recording medium, and log information extraction apparatus and recording medium
CN107273748B (en) Method for realizing android system vulnerability detection based on vulnerability poc
EP2860657A1 (en) Determining a security status of potentially malicious files
US7779113B1 (en) Audit management system for networks
CN113225339B (en) Network security monitoring method and device, computer equipment and storage medium
CN112052227A (en) Data change log processing method and device and electronic equipment
CN116389130A (en) Large-scale network security defense system based on knowledge graph
CN115001967A (en) Data acquisition method and device, electronic equipment and storage medium
CN113946559A (en) Data processing method, target database system and data processing system
CN111327588A (en) Network access security detection method, system, terminal and readable storage medium
CN114710353A (en) Risk management and control system based on AIoT intelligent edge gateway
CN115712646A (en) Alarm strategy generation method, device and storage medium
CN114726766B (en) Fingerprint early warning implementation method, system, medium and equipment based on FTP service monitoring
US7783752B2 (en) Automated role based usage determination for software system
CN114338221B (en) Network detection system based on big data analysis
CN113778709B (en) Interface calling method, device, server and storage medium
CN114760083B (en) Method, device and storage medium for issuing attack detection file
CN111209171B (en) Closed loop handling method and device for security risk and storage medium
CN113536381A (en) Big data analysis processing method and system based on terminal
CN111259383A (en) Safety management center system
CN113032054A (en) Service execution method, device, storage medium and electronic device
JP2003099295A (en) Processing method for communication log, computer software program for implementing the same method on computer system and communication log processing system
CN114598536B (en) Cloud platform virtualized data traffic safety monitoring method, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant