
CN114500038B - Network security detection method, device, electronic device and readable storage medium - Google Patents


Info

Publication number
CN114500038B
CN114500038B
Authority
CN
China
Prior art keywords
detection
task
detection result
network security
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210081681.3A
Other languages
Chinese (zh)
Other versions
CN114500038A (en)
Inventor
黄磊
李达
薛聪明
段彦忠
刘涛
罗玉超
罗港辉
王运
庄驰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202210081681.3A
Publication of CN114500038A
Application granted
Publication of CN114500038B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a network security detection method, device, electronic device and computer-readable storage medium. The method comprises: obtaining a plurality of preset detection rules; obtaining a rule selection instruction, and determining a target detection rule among the preset detection rules according to the rule selection instruction; obtaining data to be detected; and performing security detection on the data to be detected based on the target detection rule to obtain a network security detection result. By setting a plurality of preset detection rules and selecting the detection rule actually used from them according to the rule selection instruction, the method allows the network security detection rule in use to be modified flexibly and quickly, so that various attack methods can be dealt with in time.

Description

Network security detection method and device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a network security detection method, a network security detection device, an electronic device, and a computer readable storage medium.
Background
With the spread of internet technology and the growth of enterprises, enterprise network environments keep expanding and network security problems become increasingly prominent. In the conventional approach to network attack detection, security researchers first analyse the characteristics of a network attack and write a network security detection model (that is, detection rules); the model is then handed to software developers for coding; finally, attack detection is realised by delivery staff deploying the program. This approach requires several roles to cooperate, the process of bringing a network attack detection rule online is complex and its cycle is long, the network security detection rule cannot be modified flexibly, and the attack methods that an intruder keeps changing cannot be dealt with in time.
Disclosure of Invention
In view of the above, an object of the present application is to provide a network security detection method, a network security detection device, an electronic apparatus and a computer-readable storage medium, which allow the network security detection rule in use to be modified flexibly and rapidly.
To solve the technical problem, the application provides a network security detection method comprising the following steps:
acquiring a plurality of preset detection rules;
acquiring a rule selection instruction, and determining a target detection rule among the preset detection rules according to the rule selection instruction;
acquiring data to be detected;
and performing security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
Optionally, acquiring the rule selection instruction includes:
monitoring a data interaction channel with the terminal in real time, and acquiring the rule selection instruction sent by the terminal from the data interaction channel.
Optionally, based on the target detection rule, performing security detection on the data to be detected to obtain a network security detection result, including:
performing feature extraction processing on the data to be detected to obtain features to be detected;
And generating a detection task based on the target detection rule, and executing the detection task by utilizing the feature to be detected to obtain the network security detection result.
Optionally, the detection task includes an initial detection task and an association analysis task;
the step of executing the detection task by using the feature to be detected to obtain the network security detection result comprises the following steps:
determining corresponding target features to be detected based on the initial detection tasks respectively;
respectively executing each initial detection task by utilizing the target feature to be detected to obtain a first detection result;
and executing the association analysis task by using the first detection result to obtain the network security detection result.
Optionally, the detection task includes an initial detection task and an alarm elimination task;
executing the detection task by using the feature to be detected to obtain the network security detection result comprises:
executing the initial detection task by using the feature to be detected to obtain a second detection result;
executing the alarm elimination task by using the second detection result to obtain an elimination detection result;
if the elimination detection result is a hit, determining that the network security detection result is safe;
and if the elimination detection result is a miss, determining that the network security detection result is the second detection result.
Optionally, the detection task includes an initial detection task and a history association task;
executing the detection task by using the feature to be detected to obtain the network security detection result comprises:
executing the initial detection task by using the feature to be detected to obtain a third detection result;
acquiring a history detection result corresponding to history data, the history data being context data of the data to be detected;
and executing the history association task by using the third detection result and the history detection result to obtain the network security detection result.
Optionally, the method further comprises:
acquiring a code package sent by a terminal, and generating a custom security detection task using the code package;
and executing the custom security detection task using the data to be detected to obtain a custom network security detection result.
The application also provides a network security detection device, which comprises:
The rule acquisition module is used for acquiring a plurality of preset detection rules;
The target determining module is used for acquiring a rule selection instruction and determining a target detection rule in the preset detection rules according to the rule selection instruction;
the data acquisition module is used for acquiring data to be detected;
And the security detection module is used for carrying out security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
The application also provides an electronic device comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
The processor is configured to execute the computer program to implement the network security detection method described above.
The application also provides a computer readable storage medium for storing a computer program, wherein the computer program is executed by a processor to implement the network security detection method.
The network security detection method provided by the application comprises: obtaining a plurality of preset detection rules; obtaining a rule selection instruction and determining a target detection rule among the preset detection rules according to the rule selection instruction; obtaining data to be detected; and performing security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
Thus, the method presets a plurality of detection rules in advance, different detection rules differing in factors such as the detection mode and the angle taken on network security. The target detection rule is determined by acquiring the rule selection instruction, and the data to be detected is then checked with the target detection rule to obtain the network security detection result. By setting a plurality of preset detection rules and selecting a specific detection rule from them according to a rule selection instruction, the network security detection rule in use can be modified flexibly and rapidly, and various attack methods can be dealt with in time.
In addition, the application also provides a network security detection device, an electronic device and a computer-readable storage medium, which have the same beneficial effects.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the related art more clearly, the drawings required by the embodiments or the related description are briefly introduced below. It is apparent that the drawings described below are only embodiments of the present application, and that other drawings may be obtained from them by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a network security detection method according to an embodiment of the present application;
Fig. 2 is a flowchart of a specific network security detection method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a network security detection device according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, fig. 1 is a flowchart of a network security detection method according to an embodiment of the present application.
The method comprises the following steps:
S101, acquiring a plurality of preset detection rules.
It should be noted that each step in the present application may be executed by a specific electronic device, for example a server with relatively strong computing capability. The number of such devices is not limited: the steps may be executed by one electronic device alone, or several electronic devices may cooperate, that is, different electronic devices execute different steps and together complete all of them.
The preset detection rule may also be called a network security detection model; it is a preset rule used to detect the data to be detected in order to determine whether a network attack exists, and its specific form is not limited. In the application, to allow the applicable detection rules to be replaced in time and flexibly, a plurality of preset detection rules can be obtained in advance and stored, completing their deployment ahead of time, so that they can be invoked directly when needed and flexible configuration and management of the rules is achieved.
This embodiment does not limit the specific way the preset detection rules are acquired. For example, they may be obtained through data interaction with a specified electronic device, which may be a device a user is logged in to, or an electronic device with a specified network address or physical address.
It should be noted that this step may be performed one or more times; for example, it may be performed once during initialization of the server, and again during operation in order to supplement or modify the preset detection rules.
S102, acquiring a rule selection instruction, and determining a target detection rule among the preset detection rules according to the rule selection instruction.
A rule selection instruction is an instruction for determining, among the preset detection rules, the target detection rule currently to be used. Specifically, the rule selection instruction may carry unique identification information of the target detection rule, which indicates the identity of the target detection rule and may take the form of a serial number, a name or the like. In general there is one target detection rule, though there may be several in special scenarios.
The rule selection instruction may be sent to the executing electronic device by a device such as a terminal operated by a user; its generation process is not limited. For example, the user interacts with the terminal through its interaction component, the terminal obtains the unique identification information of the target detection rule from that interaction, and it encapsulates the identification information in a preset message format to obtain the rule selection instruction.
By acquiring the rule selection instruction, the target detection rule can be selected flexibly and rapidly, hot loading of the target detection rule is realised, no deployment is required when the rule is modified, and the changing attack methods of an intruder can be dealt with in time. In one embodiment, to increase the speed at which the target detection rule is replaced, a data interaction channel with the terminal may be monitored in real time and the rule selection instruction sent by the terminal obtained from that channel. The terminal here is the terminal operated by the user.
S103, acquiring data to be detected.
The data to be detected is the data on which the target detection rule is to be run. Its specific type is not limited; for example, it may be network data, operating-state data, log data and so on, and one or more types of data may be set as the data to be detected as required. The data to be detected may be obtained locally or from other electronic devices, for example from the terminal described above.
The timing of step S103 is not limited: it may be executed in parallel with step S101 or after step S102, as required.
S104, performing security detection on the data to be detected based on the target detection rule to obtain a network security detection result.
After the target detection rule is determined, it is used to perform security detection on the data to be detected, and the result obtained is the network security detection result. It will be appreciated that the security detection procedure, and the type and content of the result obtained, may differ depending on the target detection rule. Specifically, feature extraction is performed on the data to be detected to obtain the feature to be detected; the feature extraction process is not limited and may be, for example, statistical feature extraction, data format encapsulation, invalid data filtering and the like. A detection task is then generated based on the target detection rule and executed using the feature to be detected to obtain the network security detection result. That is, each security detection of the data to be detected is completed by executing a detection task; a task may consist of numerical judgement, condition matching and the like, and the number of tasks and the priority relations among them are not limited. The generation of detection tasks may follow the related art.
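Steps S101 to S104 as a small, runnable rule engine. This is an added example written for this page, not code from the patent or from Sangfor: the rule ids R001 and R002, the two hypothetical rules and their thresholds, the log line format and the {"rule_ids": [...]} instruction format are all constructed assumptions. It shows the point the patent is making about hot loading: switching the rule in use is a new selection instruction, not a redeploy, and an instruction naming an unknown rule is rejected rather than silently leaving the detector with no rule.

```python
"""Added example (not from the patent): steps S101 to S104 as a rule engine.

Constructed assumptions: rule ids R001/R002, the log line format, the
thresholds and the {"rule_ids": [...]} instruction format are all mine.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str          # unique identification information used by S102
    name: str
    check: Callable[[dict], List[str]]   # findings over extracted features; empty = no hit


def ssh_bruteforce(features: dict) -> List[str]:
    # hypothetical rule: five or more failed SSH logins from one source
    return [f"ssh brute force from {src}"
            for src, n in features["failed_logins"].items() if n >= 5]


def large_egress(features: dict) -> List[str]:
    # hypothetical rule: more than 10 MB sent by one host
    return [f"large egress from {src} ({b} bytes)"
            for src, b in features["bytes_out"].items() if b > 10_000_000]


# S101: preset detection rules stored in advance, keyed by id. The dict may be
# extended at runtime, matching the note that S101 can run again during operation.
PRESET_RULES: Dict[str, Rule] = {
    "R001": Rule("R001", "ssh-bruteforce", ssh_bruteforce),
    "R002": Rule("R002", "large-egress", large_egress),
}


def select_target_rules(instruction: dict) -> List[Rule]:
    """S102: resolve a rule selection instruction to the target rules.

    An unknown id is rejected outright rather than skipped, so a typo in the
    instruction cannot leave the detector running with no rule at all.
    """
    ids = instruction.get("rule_ids", [])
    unknown = [i for i in ids if i not in PRESET_RULES]
    if unknown:
        raise ValueError(f"unknown rule id(s): {unknown}")
    return [PRESET_RULES[i] for i in ids]


# Constructed log format; real data sources will differ.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>\S+) bytes_out=(?P<bytes>\d+)"
)


def extract_features(log_lines: List[str]) -> dict:
    """S104, first half: statistical feature extraction plus invalid-data filtering."""
    failed: Counter = Counter()
    bytes_out: Counter = Counter()
    dropped = 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            dropped += 1               # malformed line: filtered out, but counted
            continue
        if m["action"] == "ssh_login" and m["result"] == "fail":
            failed[m["src"]] += 1
        bytes_out[m["src"]] += int(m["bytes"])
    return {"failed_logins": failed, "bytes_out": bytes_out, "dropped": dropped}


def detect(log_lines: List[str], instruction: dict) -> dict:
    """S103/S104: run the selected rules over the extracted features.

    The rule set is chosen per call from the instruction, so switching rules
    is a new instruction rather than a redeploy (the hot loading of S102).
    """
    rules = select_target_rules(instruction)
    features = extract_features(log_lines)
    findings = {r.rule_id: r.check(features) for r in rules}
    return {
        "safe": not any(findings.values()),
        "findings": findings,
        "dropped_lines": features["dropped"],
    }


# Constructed sample data to be detected.
SAMPLE_LOGS = [
    "src=10.0.0.5 action=ssh_login result=fail bytes_out=120",
] * 5 + [
    "src=10.0.0.9 action=http_get result=ok bytes_out=12000000",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOGS, {"rule_ids": ["R001"]}))          # only the SSH rule
    print(detect(SAMPLE_LOGS, {"rule_ids": ["R001", "R002"]}))  # rule switched without redeploy
```

The dropped-line counter is the practitioner's check on the "invalid data filtering" the text mentions: a detector that silently discards malformed input can be blinded by a log format change, so the count is returned alongside the findings.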
In a first embodiment, the detection tasks include a plurality of initial detection tasks and an association analysis task. In this case, the corresponding target feature to be detected is determined for each initial detection task, the target feature to be detected being the feature to be detected that corresponds to that task; each initial detection task is then executed using its target feature to obtain a first detection result, one per initial detection task, whose form and content may differ with the type of task. The association analysis task is then executed using the first detection results to obtain the network security detection result. Specifically, the initial detection tasks stand in an association relation, which may be a priority relation or another logical relation; during security detection this relation is used to process the first detection results, so that network security is evaluated as a whole by integrating every first detection result, improving the accuracy and reliability of the network security detection result.
In a second embodiment, for some anomalies that have already been detected a sufficient number of times, or that are recorded in a white list, it may be unnecessary to raise an alarm or record them, which increases the proportion of useful information among the alarms or records. Specifically, the detection task may include an initial detection task and an alarm elimination task. The initial detection task is executed using the feature to be detected to obtain a second detection result, which may be the first detection result of the first embodiment or the network security detection result of the first embodiment. The alarm elimination task is then executed using the second detection result to obtain an elimination detection result. The alarm elimination task judges whether the anomaly should be ignored: when the second detection result indicates an anomaly, it may judge whether an anomaly of the same type has already been detected or alarmed a sufficient number of times, or whether that type of anomaly is recorded in a white list. If the elimination detection result is a hit, the anomaly is to be ignored and the network security detection result is determined to be safe; if it is a miss, either no anomaly was detected or the anomaly need not be ignored, and the network security detection result is determined to be the second detection result.
In a third embodiment, to improve the accuracy and reliability of the network security detection result, the present detection may be correlated with previous detection results so that the presence of an anomaly is judged over a larger detection dimension. Specifically, the detection tasks may include an initial detection task and a history association task. The initial detection task is executed using the feature to be detected to obtain a third detection result. A history detection result corresponding to history data is acquired, the history data being the context data of the data to be detected; the history association task may therefore also be called a context association task. The history association task is then executed using the third detection result and the history detection result to obtain the network security detection result.
In another embodiment, to further improve the flexibility of security detection, a code package sent by the terminal may be acquired and a custom security detection task generated from it. The code package contains a custom detection rule; processing that rule according to a preset task generation method yields the custom security detection task, whose specific type is not limited. The custom security detection task is executed using the data to be detected to obtain a custom network security detection result. Uploading a code package in this way lets the user customize detection rules and improves the flexibility of security detection.
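The three task compositions of the first, second and third embodiments above, as an added example that is not part of the patent or of Sangfor's product. Detection results are plain dicts; the task names, their association relation (a priority plus a prerequisite task), the whitelist, the repeat limit and the history window are constructed assumptions. The piece worth studying is the elimination logic: a whitelisted or over-repeated anomaly turns into "safe", which is the page's stated behaviour, so a whitelist entry has to be treated as a security-relevant configuration change.

```python
"""Added example (not from the patent): association analysis, alarm elimination
and history association over detection results represented as dicts.

Constructed assumptions: the result dict shape, the task names and their
association relation, the whitelist, the repeat limit and the history window.
"""
from collections import Counter
from typing import Any, Dict, List, Tuple

Result = Dict[str, Any]   # {"task": str, "hit": bool, "subject": str, "severity": int}

# Embodiment 1: association relation between initial tasks. Each task has a
# priority and an optional prerequisite task that must also have hit.
ASSOCIATION: Dict[str, Tuple[int, Any]] = {
    "port_scan": (1, None),
    "exploit_attempt": (2, "port_scan"),
    "c2_beacon": (3, "exploit_attempt"),
}


def association_analysis(first_results: List[Result]) -> Result:
    """Integrate the first detection results: the highest-priority hit whose
    prerequisite also hit becomes the network security detection result."""
    by_task = {r["task"]: r for r in first_results if r["hit"]}
    best = None
    for task, (prio, needs) in ASSOCIATION.items():
        if task in by_task and (needs is None or needs in by_task):
            if best is None or prio > ASSOCIATION[best][0]:
                best = task
    if best is None:
        return {"hit": False}
    return {"hit": True, "task": best, "subject": by_task[best]["subject"],
            "priority": ASSOCIATION[best][0]}


class AlarmEliminator:
    """Embodiment 2: the alarm elimination task."""

    def __init__(self, whitelist: List[Tuple[str, str]], max_repeats: int):
        self.whitelist = set(whitelist)    # (task, subject) pairs never alarmed
        self.max_repeats = max_repeats     # alarms allowed per (task, subject)
        self.seen: Counter = Counter()

    def eliminate(self, second: Result) -> Result:
        """Return 'safe' when the elimination hits, else the second result unchanged."""
        if not second["hit"]:
            return second                  # miss: nothing to eliminate
        key = (second["task"], second["subject"])
        self.seen[key] += 1
        if key in self.whitelist:
            return {"hit": False, "safe": True, "eliminated_by": "whitelist"}
        if self.seen[key] > self.max_repeats:
            return {"hit": False, "safe": True, "eliminated_by": "repeat_limit"}
        return second


def history_association(third: Result, history: List[Result], window: int = 3) -> Result:
    """Embodiment 3: correlate the third result with its context (earlier results
    for the same subject within the window) and raise severity accordingly."""
    if not third["hit"]:
        return third
    prior = [h for h in history[-window:] if h["hit"] and h["subject"] == third["subject"]]
    out = dict(third)
    out["prior_hits"] = len(prior)
    out["severity"] = third["severity"] + len(prior)
    return out


# Constructed sample results.
FIRST_RESULTS: List[Result] = [
    {"task": "port_scan", "hit": True, "subject": "10.0.0.5", "severity": 1},
    {"task": "exploit_attempt", "hit": True, "subject": "10.0.0.5", "severity": 2},
    {"task": "c2_beacon", "hit": False, "subject": "10.0.0.5", "severity": 3},
]
HISTORY: List[Result] = [
    {"task": "port_scan", "hit": True, "subject": "10.0.0.5", "severity": 1},
    {"task": "port_scan", "hit": True, "subject": "10.0.0.7", "severity": 1},
    {"task": "exploit_attempt", "hit": True, "subject": "10.0.0.5", "severity": 2},
]
THIRD_RESULT: Result = {"task": "c2_beacon", "hit": True, "subject": "10.0.0.5", "severity": 2}

if __name__ == "__main__":
    print(association_analysis(FIRST_RESULTS))
    el = AlarmEliminator(whitelist=[("port_scan", "10.0.0.1")], max_repeats=2)
    print(el.eliminate({"task": "port_scan", "hit": True, "subject": "10.0.0.1", "severity": 1}))
    print(history_association(THIRD_RESULT, HISTORY))
```

The prerequisite check in association_analysis is what makes a lone high-priority hit (a beacon with no preceding exploit attempt) fall back to whatever earlier stage did hit, rather than being reported on its own.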
After the network security detection result is obtained or the self-defined network security detection result is obtained, the network security detection result can be output, and the data form can be an alarm or a log record and the like.
Referring to fig. 2, fig. 2 is a flowchart of a specific network security detection method according to an embodiment of the present application. The stream-processing-based network security detection system comprises a network security detection model configuration and display subsystem, a translation subsystem, a data access subsystem, a stream computing subsystem, a secondary detection subsystem, a correlation analysis subsystem, a result confirmation subsystem, an alarm reduction subsystem, a context correlation subsystem, an alarm output subsystem and a monitoring subsystem. The network security detection model configuration and display subsystem persistently stores the network security detection model (that is, the preset detection rules) configured by a user on a web page. The translation subsystem monitors the persistent storage and a specified file directory, translates the network security detection model into tasks executable by the stream computing subsystem, or packages user-defined code (that is, code packages) into tasks, and registers them with the stream computing subsystem. The data access subsystem reads the original log and the alarm log submitted by the secondary detection subsystem in order and in real time, pre-processes both, converts them into events (that is, data to be detected) and sends the events to the stream computing subsystem. The stream computing subsystem loads the tasks and code packages submitted by the translation subsystem, computes over the data submitted by the data access subsystem, and sends the detection result (the primary result) to the secondary detection subsystem and the correlation analysis subsystem. The secondary detection subsystem packages the primary result of the stream computing subsystem into an alarm log and sends it to the data access subsystem. The correlation analysis subsystem performs correlation analysis on the primary result according to the correlation analysis configuration of the network security detection model, generates a secondary result and sends it to the result confirmation subsystem. The result confirmation subsystem judges the attack effect of the secondary result according to the result analysis configuration of the network security detection model and generates a tertiary result. The alarm reduction subsystem reduces the tertiary result according to the alarm reduction configuration and white list configuration of the network security detection model and generates a quaternary result. The context correlation subsystem correlates that result with its context and generates a fifth-level result, which the alarm output subsystem packages into an alarm and outputs. The monitoring subsystem monitors in real time the running state of the translation subsystem, the data access subsystem, the stream computing subsystem, the secondary detection subsystem, the correlation analysis subsystem, the result confirmation subsystem, the alarm reduction subsystem, the context correlation subsystem and the alarm output subsystem, and regulates the task submission of the translation subsystem and the log reading of the data access subsystem.
Specifically, the network security detection model configuration and display subsystem comprises a model display module, a model configuration module and a model storage module. The model display module comprises a series of operation interfaces that display the network security detection models set by users, the operation records of those models, the built-in data filtering operators and the operator sets. The network security detection model comprises association analysis configuration, result analysis configuration, alarm reduction configuration, white list configuration, alarm description configuration and detection rule configuration. The operation records of the network security detection model include, but are not limited to, record number, action, operator and time. The built-in data filtering operators include, but are not limited to, a numeric operator, a string operator, a boolean operator, a set operator, an IP operator, an asset operator, a certificate operator, a machine learning operator, a deep learning operator, a new-occurrence operator and a rareness operator, and the built-in operators can be extended. An operator set is a preset combination of built-in data filtering operators commonly used when configuring the detection rules of a network security detection model. The model configuration module implements addition, modification and deletion of network security detection models and recovery of deleted models. The model storage module persistently stores the network security detection model set by the user; the persistent storage includes, but is not limited to, file systems, databases and network storage.
Based on the network security detection model configuration and display subsystem, a user can configure a network security detection model in an operation interface, that is, initiate a rule selection instruction to select a target detection rule (also called the target network security detection model), so that the network security detection model is configured without writing code.
The translation subsystem comprises a model acquisition module, a semantic conversion module, a translation extension module and a task submission module. The model acquisition module acquires the network security detection model to be translated; acquisition modes include, but are not limited to, reading the persistently stored model from the model storage module of the network security detection model configuration and display subsystem, and reading the model from a preset file directory. The model acquisition module monitors the persistent storage or the file directory in real time for a change instruction selecting a network security detection model (that is, a rule selection instruction), submits the model designated by that instruction to the semantic conversion module in real time, and thereby achieves hot loading of the network security detection model. The semantic conversion module translates the network security detection model into a semantic format recognizable by the stream computing subsystem and sends the translated model to the task submission module. The translation extension module lets the user implement the computation logic of the stream computing subsystem with custom code, packages that code into a code package the stream computing subsystem can recognize, and sends the package to the task submission module, achieving low-code configuration of the network security detection model. The task submission module receives the translated network security detection model and the code package submitted by the semantic conversion module and the translation extension module, packages them into a task and submits it to the stream computing subsystem.
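What the semantic conversion module does, and how the built-in data filtering operators listed above compose into it, as an added example that is not the patent's or Sangfor's code. A declarative model (nested all/any/not nodes over operator leaves) is translated into one executable predicate before any event is processed, so a misconfigured operator fails at translation time rather than on live traffic. The model JSON shape, the operator names, their op keywords and the sample events are constructed assumptions; the page only names the operator kinds, and only four of them (numeric, string, set, IP) are implemented here.

```python
"""Added example (not from the patent): translating a declarative detection
model into an executable task using a few built-in data filtering operators.

Constructed assumptions: the model JSON shape, the operator names and their
op keywords are mine; the page only lists the operator kinds.
"""
import ipaddress
import operator
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]
Predicate = Callable[[Event], bool]


def _number(field: str, op: str, value: Any) -> Predicate:
    ops = {"gt": operator.gt, "ge": operator.ge, "lt": operator.lt,
           "le": operator.le, "eq": operator.eq}
    f = ops[op]
    # a non-numeric field value (e.g. the string "500") never matches
    return lambda e: isinstance(e.get(field), (int, float)) and f(e[field], value)


def _string(field: str, op: str, value: str) -> Predicate:
    ops = {"eq": str.__eq__, "contains": lambda s, v: v in s, "startswith": str.startswith}
    f = ops[op]
    return lambda e: isinstance(e.get(field), str) and f(e[field], value)


def _set(field: str, op: str, value: List[Any]) -> Predicate:
    members = set(value)
    if op == "in":
        return lambda e: e.get(field) in members
    if op == "not_in":
        return lambda e: field in e and e[field] not in members
    raise ValueError(f"unknown set op: {op}")


def _ip(field: str, op: str, value: str) -> Predicate:
    if op not in ("in_cidr", "not_in_cidr"):
        raise ValueError(f"unknown ip op: {op}")
    net = ipaddress.ip_network(value, strict=False)

    def pred(e: Event) -> bool:
        try:
            addr = ipaddress.ip_address(e.get(field))
        except ValueError:
            return False          # missing or unparsable address matches neither form
        return (addr in net) == (op == "in_cidr")
    return pred


OPERATORS: Dict[str, Callable[..., Predicate]] = {
    "number": _number, "string": _string, "set": _set, "ip": _ip,
}


def translate(model: dict) -> Predicate:
    """Semantic conversion: a nested model of all/any/not nodes and operator
    leaves becomes one predicate, the executable form of the detection rule."""
    if "all" in model:
        parts = [translate(m) for m in model["all"]]
        return lambda e: all(p(e) for p in parts)
    if "any" in model:
        parts = [translate(m) for m in model["any"]]
        return lambda e: any(p(e) for p in parts)
    if "not" in model:
        inner = translate(model["not"])
        return lambda e: not inner(e)
    kind = model.get("operator")
    if kind not in OPERATORS:
        raise ValueError(f"unknown operator kind: {kind}")   # fails at translation, not at run time
    return OPERATORS[kind](model["field"], model["op"], model["value"])


def run_task(model: dict, events: List[Event]) -> List[Event]:
    """Primary result: the events the translated task matches."""
    pred = translate(model)
    return [e for e in events if pred(e)]


# Constructed model: successful access to an admin path from outside the private range.
MODEL = {"all": [
    {"operator": "ip", "field": "src_ip", "op": "not_in_cidr", "value": "10.0.0.0/8"},
    {"operator": "string", "field": "uri", "op": "startswith", "value": "/admin"},
    {"operator": "number", "field": "status", "op": "eq", "value": 200},
]}

# Constructed events (the data to be detected).
EVENTS: List[Event] = [
    {"src_ip": "203.0.113.7", "uri": "/admin/login", "status": 200},
    {"src_ip": "10.1.2.3", "uri": "/admin/login", "status": 200},
    {"src_ip": "198.51.100.4", "uri": "/index", "status": 200},
    {"src_ip": "not-an-ip", "uri": "/admin", "status": 200},
]

if __name__ == "__main__":
    for e in run_task(MODEL, EVENTS):
        print("hit:", e)
```

Note the fourth event: an unparsable source address does not satisfy not_in_cidr, so a garbled field cannot slip past a "not internal" condition. That is the caveat to keep in mind when a negated operator is used as a filter.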
The data access subsystem comprises a connection module, a data reading module, a data preprocessing module and a data sending module. The connection module is used for establishing connections with the data sources and can access logs of various data sources simultaneously; the data sources include, but are not limited to, Kafka, Elasticsearch, MongoDB, a file system and the secondary detection subsystem, and the data sources are accessed in a configurable and pluggable manner. The data reading module reads the original logs and the alarm logs from the data sources in real time and in order, and sends them to the data preprocessing module. Further, the original logs include, but are not limited to, network traffic logs, terminal operation logs and security logs. The data preprocessing module parses and enriches the logs to generate events, and supports user-defined code so that user-defined parsing and enrichment logic for original logs can be implemented. The data sending module packages the events generated by the data preprocessing module and sends them to the streaming computing subsystem.
The streaming computing subsystem comprises a streaming computing engine module and a result collection module. The streaming computing engine module is used for loading the tasks submitted by the translation subsystem, computing over the events submitted by the data access subsystem and generating primary results. Further, the streaming computing engine module includes, but is not limited to, Siddhi, Flink, Storm, Spark Streaming and Esper, and supports pluggable engines. The result collection module is used for collecting the calculation results of the streaming computing engine module and sending the primary results to the secondary detection subsystem and the association analysis subsystem.
The secondary detection subsystem is used for receiving the primary result of the stream computing subsystem, storing the primary result, packaging the primary result into an alarm log and sending the alarm log to the data access subsystem.
The association analysis subsystem is used for parsing the association analysis configuration of the network security detection model into association rules comprising an association relation, association fields and a time limit, wherein the association relation is one of any, sequence, scoring and all, and the association fields comprise a domain name, an IP address, a user name and an asset ID; it carries out association calculation on the primary results according to the association relation and the association fields within the time limit of the association rule, and sends the secondary results to the result confirmation subsystem.
The result confirmation subsystem is used for further judging and marking the credibility, attack stage and attack state of the secondary result according to the result analysis configuration of the network security detection model, generating a tertiary result and sending the tertiary result to the alarm reduction subsystem.
The alarm reduction subsystem is used for reducing and filtering the tertiary result according to the alarm reduction configuration and the white list configuration of the network security detection model. An alarm reduction policy and an alarm update rule can be set in the alarm reduction configuration. The white list configuration may define a white list for which no alarms are generated; the white list content includes, but is not limited to, domain name, IP address, user name and asset ID.
The context association subsystem is used for tracing and analyzing a four-level result generated by the alarm reduction subsystem according to the alarm description configuration of the network security detection model, and adding evidence information and associated alarm information to the four-level result.
The alarm output subsystem comprises an alarm post-processing module and an output source connection module. The alarm post-processing module is used for receiving the fifth-level results generated by the context association subsystem and packaging them into alarms according to an alarm format configured by the user. The output source connection module is used for establishing connections with external middleware and outputting the alarms. Further, the external middleware includes, but is not limited to, RabbitMQ, Elasticsearch, MySQL and file systems.
The monitoring subsystem is used for monitoring in real time the detailed operating conditions of the translation subsystem, the data access subsystem, the streaming computing subsystem, the secondary detection subsystem, the association analysis subsystem, the result confirmation subsystem, the alarm reduction subsystem, the context association subsystem and the alarm output subsystem; it counts in real time the detection conditions of the network security detection model, the data distribution and data volume of the original logs and alarm logs, and the CPU and memory occupation of each subsystem; it calculates the backpressure condition of each subsystem in real time according to the user configuration, regulates the task submission of the translation subsystem and the log reading of the data access subsystem, and ensures the stable operation of each subsystem.
By applying the network security detection method provided by the embodiment of the application, a plurality of preset detection rules are set in advance, and different detection rules differ in factors such as the mode and angle from which they detect network security. The target detection rule can be determined by acquiring the rule selection instruction, and security detection is then carried out on the data to be detected using the target detection rule, so that a network security detection result is obtained. By setting a plurality of preset detection rules and selecting a specific detection rule among them according to a rule selection instruction, the network security detection rule in use can be modified flexibly and rapidly, and various attack modes can be dealt with in a timely manner.
The following describes a network security detection device provided by an embodiment of the present application, and the network security detection device described below and the network security detection method described above may be referred to correspondingly.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a network security detection device according to an embodiment of the present application, including:
the rule acquisition module 110 is configured to acquire a plurality of preset detection rules;
The target determining module 120 is configured to obtain a rule selection instruction, and determine a target detection rule in a preset detection rule according to the rule selection instruction;
a data acquisition module 130, configured to acquire data to be measured;
the security detection module 140 is configured to perform security detection on the data to be detected based on the target detection rule, so as to obtain a network security detection result.
Optionally, the target determining module 120 includes:
a real-time monitoring unit, configured to monitor in real time the data interaction channel with the terminal and acquire, from the data interaction channel, the rule selection instruction sent by the terminal.
Optionally, the security detection module 140 includes:
the feature extraction unit is used for carrying out feature extraction processing on the data to be detected to obtain features to be detected;
And the detection unit is used for generating a detection task based on the target detection rule, and executing the detection task by utilizing the feature to be detected to obtain a network security detection result.
Optionally, the detection tasks include an initial detection task and an association analysis task;
A detection unit comprising:
the target data determining subunit is used for determining corresponding target to-be-detected characteristics based on each initial detection task respectively;
The first initial detection subunit is used for respectively executing each initial detection task by utilizing the target feature to be detected to obtain a first detection result;
and the association detection subunit is used for executing an association analysis task by using the first detection result to obtain a network security detection result.
Optionally, the detection tasks include an initial detection task and an alarm elimination task;
A detection unit comprising:
the second initial detection subunit is used for executing an initial detection task by utilizing the feature to be detected to obtain a second detection result;
The elimination detection subunit is used for executing an alarm elimination task by utilizing the second detection result to obtain an elimination detection result;
The first result determining subunit is configured to determine that the network security detection result is secure if the elimination detection result is hit;
And the second result determining subunit is configured to determine that the network security detection result is the second detection result if the elimination detection result is a miss.
Optionally, the detection tasks include an initial detection task and a history association task;
A detection unit comprising:
the third initial detection subunit is used for executing an initial detection task by utilizing the feature to be detected to obtain a third detection result;
The history acquisition subunit is used for acquiring a history detection result corresponding to the history data, wherein the history data is context data of the data to be detected;
And the history association detection subunit is used for executing a history association task by using the third detection result and the history detection result to obtain a network security detection result.
Optionally, the device further comprises:
The self-defined task generating module is used for acquiring a code packet sent by the terminal and generating a self-defined security detection task by utilizing the code packet;
the self-defined detection module is used for executing self-defined security detection tasks by utilizing the data to be detected to obtain a self-defined network security detection result.
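The three detection-task variants described above (initial detection followed by association analysis, alarm elimination against a white list, and association on fields within a time limit), shown as an added Python example that is not code from the patent or from Sangfor. Initial tasks emit primary results; an association rule carries a relation (any, sequence, scoring or all), the association fields to group on and a time limit; an elimination task marks a white-list hit as safe and keeps the detection result on a miss. The task names, weights, events and white-list entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Every task, event, weight and white-list entry below is constructed sample data.
Event = Dict[str, object]

@dataclass
class InitialTask:            # an initial detection task: a named predicate over features
    name: str
    match: Callable[[Event], bool]
    weight: int = 1           # consulted only by the 'scoring' relation

@dataclass
class PrimaryResult:          # one hit of an initial detection task
    task: str
    ts: float
    fields: Event

@dataclass
class AssociationRule:        # relation (any/sequence/scoring/all), fields, time limit in seconds
    relation: str
    fields: List[str]
    time_limit: float
    tasks: List[str]
    threshold: int = 0        # minimum summed weight for 'scoring'

def run_initial_tasks(tasks: List[InitialTask], events: List[Event]) -> List[PrimaryResult]:
    """Execute every initial detection task on every event; each hit is a primary result."""
    return [PrimaryResult(t.name, ev["ts"], ev) for ev in events for t in tasks if t.match(ev)]

def _in_order(seen: List[str], wanted: List[str]) -> bool:
    """True if `wanted` occurs as an ordered subsequence of `seen`."""
    it = iter(seen)
    return all(any(s == w for s in it) for w in wanted)

def associate(rule: AssociationRule, tasks: List[InitialTask], primary: List[PrimaryResult]) -> List[Dict]:
    """Association analysis task: group primary results by the association fields and
    evaluate the relation inside a sliding window of `time_limit` seconds."""
    weights = {t.name: t.weight for t in tasks}
    groups: Dict[Tuple, List[PrimaryResult]] = {}
    for r in primary:
        groups.setdefault(tuple(r.fields.get(f) for f in rule.fields), []).append(r)
    secondary = []
    for key, hits in groups.items():
        hits.sort(key=lambda r: r.ts)
        for i, anchor in enumerate(hits):       # a window anchored at each hit in turn
            seen = [h.task for h in hits[i:] if h.ts - anchor.ts <= rule.time_limit]
            if rule.relation == "any":
                ok = any(t in seen for t in rule.tasks)
            elif rule.relation == "all":
                ok = all(t in seen for t in rule.tasks)
            elif rule.relation == "sequence":
                ok = _in_order(seen, rule.tasks)
            elif rule.relation == "scoring":    # each task scored once per window (assumption)
                ok = sum(weights[t] for t in set(seen) if t in rule.tasks) >= rule.threshold
            else:
                raise ValueError(f"unknown association relation {rule.relation!r}")
            if ok:
                secondary.append({"key": dict(zip(rule.fields, key)), "tasks": seen, "start": anchor.ts})
                break                           # one secondary result per group is enough
    return secondary

def eliminate(results: List[Dict], whitelist: Dict[str, set]) -> List[Dict]:
    """Alarm elimination task: a white-list hit on any association field makes the
    result 'safe'; a miss keeps the detection result as an alert."""
    out = []
    for r in results:
        hit = any(v in whitelist.get(f, set()) for f, v in r["key"].items())
        out.append({**r, "result": "safe" if hit else "alert"})
    return out

TASKS = [
    InitialTask("suspicious_dns", lambda e: e["type"] == "dns" and e["domain"].endswith(".xyz"), 2),
    InitialTask("large_upload", lambda e: e["type"] == "http" and e["bytes_out"] > 1_000_000, 3),
    InitialTask("login_failure", lambda e: e["type"] == "auth" and not e["success"], 1),
]

EVENTS = [  # constructed sample events; ts is seconds from an arbitrary origin
    {"ts": 0, "type": "dns", "src_ip": "10.0.0.5", "user": "alice", "domain": "update-check.xyz"},
    {"ts": 40, "type": "http", "src_ip": "10.0.0.5", "user": "alice", "bytes_out": 5_000_000},
    {"ts": 10, "type": "http", "src_ip": "10.0.0.9", "user": "carol", "bytes_out": 8_000_000},
    {"ts": 500, "type": "dns", "src_ip": "10.0.0.9", "user": "carol", "domain": "cdn.xyz"},
    {"ts": 5, "type": "auth", "src_ip": "10.0.0.7", "user": "bob", "success": False},
    {"ts": 8, "type": "auth", "src_ip": "10.0.0.7", "user": "bob", "success": False},
]

def demo() -> Dict[str, List[Dict]]:
    """Run the rule variants over the sample events; only 10.0.0.5 completes dns-then-upload in time."""
    primary = run_initial_tasks(TASKS, EVENTS)
    seq = AssociationRule("sequence", ["src_ip"], 300, ["suspicious_dns", "large_upload"])
    score = AssociationRule("scoring", ["src_ip"], 300, ["suspicious_dns", "large_upload", "login_failure"], threshold=4)
    anyr = AssociationRule("any", ["user"], 60, ["login_failure"])
    return {
        "sequence": eliminate(associate(seq, TASKS, primary), {"src_ip": {"10.0.0.9"}}),
        "sequence_whitelisted": eliminate(associate(seq, TASKS, primary), {"src_ip": {"10.0.0.5"}}),
        "scoring": associate(score, TASKS, primary),
        "any": associate(anyr, TASKS, primary),
    }
```

Host 10.0.0.9 produces both primary results but 490 s apart and in the wrong order, so neither the sequence nor the scoring rule fires for it; the same secondary result for 10.0.0.5 becomes "safe" or "alert" depending only on the white list.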
The electronic device provided by the embodiment of the application is introduced below, and the electronic device described below and the network security detection method described above can be referred to correspondingly.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Wherein the electronic device 100 may include a processor 101 and a memory 102, and may further include one or more of a multimedia component 103, an information input/information output (I/O) interface 104, and a communication component 105.
The processor 101 is configured to control the overall operation of the electronic device 100 so as to perform all or part of the steps of the network security detection method described above, and the memory 102 is configured to store various types of data to support operation at the electronic device 100; such data may include, for example, instructions for any application or method operating on the electronic device 100, as well as application-related data. The memory 102 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as one or more of static random access memory (Static Random Access Memory, SRAM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), programmable read-only memory (Programmable Read-Only Memory, PROM), read-only memory (Read-Only Memory, ROM), magnetic memory, flash memory, a magnetic disk or an optical disk.
The multimedia component 103 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signals may be further stored in the memory 102 or transmitted through the communication component 105. The audio component further comprises at least one speaker for outputting audio signals. The I/O interface 104 provides an interface between the processor 101 and other interface modules, which may be a keyboard, a mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 105 is used for wired or wireless communication between the electronic device 100 and other devices. Wireless communication may be, for example, Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so the corresponding communication component 105 may include a Wi-Fi component, a Bluetooth component and an NFC component.
The electronic device 100 may be implemented by one or more Application Specific Integrated Circuits (ASIC), Digital Signal Processors (DSP), Digital Signal Processing Devices (DSPD), Programmable Logic Devices (PLD), Field Programmable Gate Arrays (FPGA), controllers, microcontrollers, microprocessors or other electronic components for performing the network security detection method according to the above embodiment.
The following describes a computer readable storage medium provided in an embodiment of the present application, where the computer readable storage medium described below and the network security detection method described above may be referred to correspondingly.
The application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the steps of the network security detection method when being executed by a processor.
The computer readable storage medium may include a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk or any other medium that can store program code.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those skilled in the art would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or a combination of both, and that the various illustrative elements and steps have been described above generally in terms of their functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the solution. Those skilled in the art may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms include, comprise, or any other variation is intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
While the principles and embodiments of the present application have been described in detail in this application, the foregoing embodiments are provided to facilitate understanding of the principles and concepts of the application and are further provided by one of ordinary skill in the art to which the application pertains.

Claims (6)

1. A network security detection method, comprising:
obtaining a plurality of preset detection rules;
obtaining a rule selection instruction, and determining a target detection rule from the preset detection rules according to the rule selection instruction;
obtaining data to be detected;
performing security detection on the data to be detected based on the target detection rule to obtain a network security detection result;
wherein performing security detection on the data to be detected based on the target detection rule to obtain the network security detection result comprises:
performing feature extraction processing on the data to be detected to obtain features to be detected; generating a detection task based on the target detection rule, and executing the detection task using the features to be detected to obtain the network security detection result;
and executing the detection task using the features to be detected to obtain the network security detection result comprises at least one of the following cases:
if the detection task comprises an initial detection task and an association analysis task, determining corresponding target features to be detected based on each initial detection task respectively; executing each initial detection task respectively using the target features to be detected to obtain a first detection result; executing the association analysis task using the first detection result to obtain the network security detection result;
if the detection task comprises an initial detection task and an alarm elimination task, executing the initial detection task using the features to be detected to obtain a second detection result; executing the alarm elimination task using the second detection result to obtain an elimination detection result; if the elimination detection result is a hit, determining that the network security detection result is safe; if the elimination detection result is a miss, determining that the network security detection result is the second detection result;
if the detection task comprises an initial detection task and a history association task, executing the initial detection task using the features to be detected to obtain a third detection result; obtaining a history detection result corresponding to history data, the history data being context data of the data to be detected; executing the history association task using the third detection result and the history detection result to obtain the network security detection result.

2. The network security detection method according to claim 1, wherein obtaining the rule selection instruction comprises:
monitoring in real time a data interaction channel with a terminal, and obtaining from the data interaction channel the rule selection instruction sent by the terminal.

3. The network security detection method according to claim 1, further comprising:
obtaining a code package sent by a terminal, and generating a custom security detection task using the code package;
executing the custom security detection task using the data to be detected to obtain a custom network security detection result.

4. A network security detection device, comprising:
a rule acquisition module, configured to obtain a plurality of preset detection rules;
a target determining module, configured to obtain a rule selection instruction and determine a target detection rule from the preset detection rules according to the rule selection instruction;
a data acquisition module, configured to obtain data to be detected;
a security detection module, configured to perform security detection on the data to be detected based on the target detection rule to obtain a network security detection result;
wherein the security detection module comprises:
a feature extraction unit, configured to perform feature extraction processing on the data to be detected to obtain features to be detected;
a detection unit, configured to generate a detection task based on the target detection rule and execute the detection task using the features to be detected to obtain the network security detection result;
and the detection unit is specifically configured to:
if the detection task comprises an initial detection task and an association analysis task, determine corresponding target features to be detected based on each initial detection task respectively; execute each initial detection task respectively using the target features to be detected to obtain a first detection result; execute the association analysis task using the first detection result to obtain the network security detection result;
if the detection task comprises an initial detection task and an alarm elimination task, execute the initial detection task using the features to be detected to obtain a second detection result; execute the alarm elimination task using the second detection result to obtain an elimination detection result; if the elimination detection result is a hit, determine that the network security detection result is safe; if the elimination detection result is a miss, determine that the network security detection result is the second detection result;
if the detection task comprises an initial detection task and a history association task, execute the initial detection task using the features to be detected to obtain a third detection result; obtain a history detection result corresponding to history data, the history data being context data of the data to be detected; execute the history association task using the third detection result and the history detection result to obtain the network security detection result.

5. An electronic device, comprising a memory and a processor, wherein:
the memory is configured to store a computer program;
the processor is configured to execute the computer program to implement the network security detection method according to any one of claims 1 to 3.

6. A computer-readable storage medium, configured to store a computer program, wherein the computer program, when executed by a processor, implements the network security detection method according to any one of claims 1 to 3.
CN202210081681.3A 2022-01-24 2022-01-24 Network security detection method, device, electronic device and readable storage medium Active CN114500038B (en)
Publications (2)

Publication Number Publication Date
CN114500038A CN114500038A (en) 2022-05-13
CN114500038B true CN114500038B (en) 2024-12-03

Family

ID=81473776

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant