CN117896166A - Method, device, equipment and storage medium for monitoring computer network - Google Patents
- Publication number: CN117896166A (application CN202410123978.0A)
- Authority: CN (China)
- Prior art keywords: computer network, monitoring, data, network, security
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/20: Network architectures or network communication protocols for network security; managing network security, network security policies in general
- H04L63/306: Network architectures or network communication protocols for network security; supporting lawful interception, monitoring or retaining of communications, intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H04L67/60: Network arrangements or protocols for supporting network services or applications; scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Abstract
The embodiment of the invention provides a method, a device, equipment and a storage medium for monitoring a computer network. The method comprises the following steps: acquiring and storing monitoring data of the computer network from a network security monitoring system, where the monitoring data are obtained as follows: the network security monitoring system intercepts in real time the data packets transmitted between the computer network and the Internet and the data packets transmitted within the computer network, extracts from the data packets the effective field values used for monitoring the computer network, recombines the data packets to obtain recombined data packets, and uses the recombined data packets together with the effective field values as the monitoring data of the computer network; and, in response to a monitoring data viewing request for the computer network sent by a monitoring terminal, acquiring the monitoring data of the computer network and sending the monitoring data to the monitoring terminal, so as to realize monitoring of the computer network. The embodiment of the invention can ensure the security of the computer network.
Description
Technical Field
Embodiments of the present invention relate to the field of computer technologies, and in particular, to a method and an apparatus for monitoring a computer network, an electronic device, and a storage medium.
Background
Network security generally refers to the security of a computer (communication) network: a set of computers with independent functions, interconnected through communication devices and transmission media, that transmit and exchange information with the support of communication software. A computer network, in turn, is a system in which geographically dispersed independent computer systems, terminal devices and data devices are connected by communication means for the purpose of sharing resources, with data exchange performed under the control of a protocol. The fundamental purpose of a computer network is resource sharing, and the communication network is the means by which that sharing is realized; for the computer network to be secure, the underlying communication network must also be secure while still providing information exchange and resource sharing for network users.
With the rapid development of information technology, computer network technology is widely used in daily life, and large enterprises increasingly manage their operations with computer technology. Although this greatly improves management efficiency and reduces management cost, many lawbreakers use the same computer network technology to spread viruses on enterprise computer networks, seriously threatening their security and stability, and there is a risk of intrusion into enterprise management systems to steal internal business information, which may cause huge losses to the enterprise.
Disclosure of Invention
The embodiment of the invention provides a monitoring method for a computer network, which aims to solve the problem that the monitoring data of a computer network cannot be obtained in time, so that potential network security threats in the computer network cannot be discovered and handled in time and the security of the computer network cannot be ensured.
Correspondingly, the embodiment of the invention also provides a monitoring device of the computer network, an electronic device and a storage medium, which are used for ensuring the realization and the application of the method.
In order to solve the above problems, an embodiment of the present invention discloses a method for monitoring a computer network, which is applied to a server in a computer network, where the server is in communication connection with a network security monitoring system of the computer network, or the network security monitoring system is deployed on the server, and the method includes:
acquiring and storing monitoring data of the computer network from the network security monitoring system, where the monitoring data are obtained as follows: the network security monitoring system intercepts in real time the data packets transmitted between the computer network and the Internet and the data packets transmitted within the computer network, extracts from the data packets the effective field values used for monitoring the computer network, recombines the data packets to obtain recombined data packets, and uses the recombined data packets together with the effective field values as the monitoring data of the computer network;
and, in response to a monitoring data viewing request for the computer network sent by a monitoring terminal, acquiring the monitoring data of the computer network and sending the monitoring data to the monitoring terminal, so as to realize monitoring of the computer network.
Optionally, a proxy server is further included in the computer network, the proxy server is located between the server and a client of the internet, and the proxy server is used for blocking data communication between the client and the server.
Optionally, the server supports the use of different operating systems, and the server provides corresponding data viewing modes for the different operating systems; the security policy used by the network security monitoring system at least comprises: performing risk assessment on designated terminal devices in the computer network using vulnerability scanning technology; constructing a defense system using security technology; real-time response to network attacks and recovery from them; and establishing hierarchical management and a security management center at each level.
Optionally, after acquiring the monitoring data of the computer network in response to the monitoring data viewing request for the computer network sent by the monitoring terminal and sending the monitoring data to the monitoring terminal to realize monitoring of the computer network, the method further includes:
acquiring detection data from the network security monitoring system, the detection data being collected from preset intrusion detection tasks executed by the network security monitoring system;
and analyzing the detection data to determine whether there is user behavior that violates the security policy or a sign that the computer network is under attack.
Optionally, the intrusion detection task includes at least monitoring and analyzing activities of users of the computer network and the computer network; auditing the construction and vulnerability of the computer network; identifying an attack pattern for the computer network and alerting; statistical analysis of abnormal behavior patterns of the computer network; evaluating the integrity of the computer network and data files in the computer network; and performing audit trail management on the computer network and identifying the behavior of the user of the computer network, which violates the security policy.
Optionally, the network security monitoring system provides a secure network service, and the secure network service at least comprises: authentication of a communication partner; access control; encrypting data; analyzing and protecting the service flow; data integrity protection; signing; wherein the data encryption includes data encryption of data stored in the computer network and data encryption of data transmitted in the computer network.
Optionally, after acquiring the monitoring data of the computer network in response to the monitoring data viewing request for the computer network sent by the monitoring terminal and sending the monitoring data to the monitoring terminal to realize monitoring of the computer network, the method further includes:
collecting network information of the computer network, where the network information at least includes the number of attacks, the number of viruses and the virus detection and removal speed of the computer network within a preset time period;
and evaluating the security level of the computer network according to the network information of the computer network.
The embodiment of the invention also discloses a monitoring device of the computer network, which is applied to a server in the computer network, wherein the server is in communication connection with a network security monitoring system of the computer network, or the network security monitoring system is deployed on the server, and the device comprises:
a monitoring data acquisition module, configured to acquire and store monitoring data of the computer network from the network security monitoring system, where the monitoring data are obtained as follows: the network security monitoring system intercepts in real time the data packets transmitted between the computer network and the Internet and the data packets transmitted within the computer network, extracts from the data packets the effective field values used for monitoring the computer network, recombines the data packets to obtain recombined data packets, and uses the recombined data packets together with the effective field values as the monitoring data of the computer network;
and a monitoring data viewing module, configured to acquire the monitoring data of the computer network in response to a monitoring data viewing request for the computer network sent by a monitoring terminal, and to send the monitoring data to the monitoring terminal so as to monitor the computer network.
Optionally, a proxy server is further included in the computer network, the proxy server is located between the server and a client of the internet, and the proxy server is used for blocking data communication between the client and the server.
Optionally, the server supports the use of different operating systems, and the server provides corresponding data viewing modes for the different operating systems; the security policy used by the network security monitoring system at least comprises: performing risk assessment on designated terminal devices in the computer network using vulnerability scanning technology; constructing a defense system using security technology; real-time response to network attacks and recovery from them; and establishing hierarchical management and a security management center at each level.
Optionally, the apparatus further comprises an intrusion detection analysis module, configured to:
acquire detection data from the network security monitoring system, the detection data being collected from preset intrusion detection tasks executed by the network security monitoring system;
and analyze the detection data to determine whether there is user behavior that violates the security policy or a sign that the computer network is under attack.
Optionally, the intrusion detection task includes at least monitoring and analyzing activities of users of the computer network and the computer network; auditing the construction and vulnerability of the computer network; identifying an attack pattern for the computer network and alerting; statistical analysis of abnormal behavior patterns of the computer network; evaluating the integrity of the computer network and data files in the computer network; and performing audit trail management on the computer network and identifying the behavior of the user of the computer network, which violates the security policy.
Optionally, the network security monitoring system provides a secure network service, and the secure network service at least comprises: authentication of a communication partner; access control; encrypting data; analyzing and protecting the service flow; data integrity protection; signing; wherein the data encryption includes data encryption of data stored in the computer network and data encryption of data transmitted in the computer network.
Optionally, the apparatus further comprises a security level evaluation module, configured to:
collect network information of the computer network, where the network information at least includes the number of attacks, the number of viruses and the virus detection and removal speed of the computer network within a preset time period;
and evaluate the security level of the computer network according to the network information of the computer network.
The embodiment of the invention also discloses an electronic device, which comprises: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform a method of monitoring a computer network as described in one or more of the embodiments of the present invention.
Embodiments of the present invention also disclose one or more machine readable media having executable code stored thereon that, when executed, cause a processor to perform a method of monitoring a computer network as described in one or more of the embodiments of the present invention.
Compared with the prior art, the embodiment of the invention has the following advantages:
in the embodiment of the invention, a server in a computer network is in communication connection with a network security monitoring system of the computer network, or the network security monitoring system is deployed on the server. Monitoring data of the computer network are acquired and stored from the network security monitoring system, where the monitoring data are obtained by the network security monitoring system intercepting in real time the data packets transmitted between the computer network and the Internet, extracting from the data packets the effective field values used for monitoring the computer network, recombining the data packets to obtain recombined data packets, and using the recombined data packets together with the effective field values as the monitoring data of the computer network. Then, in response to a monitoring data viewing request for the computer network sent by a monitoring terminal, the monitoring data of the computer network can be acquired and sent to the monitoring terminal, so as to realize monitoring of the computer network and ensure its security.
The network security monitoring system of the embodiment of the invention can acquire and store monitoring data of the computer network, obtained by intercepting in real time the data packets transmitted between the computer network and the Internet; the network security monitoring system analyzes and processes these packets, extracts the effective field values, and stores the effective field values together with the recombined data packets as the monitoring data. When the relevant personnel need to view the monitoring data of the computer network, the monitoring data can therefore be acquired in real time, and because the monitoring data include the extracted effective field values rather than only raw packets, viewing them is more efficient. This effectively improves the monitoring capability of the computer network and lets the relevant personnel discover and handle potential network security threats in the computer network in time, thereby ensuring the security of the computer network.
Drawings
FIG. 1 is a flow chart of steps of an embodiment of a method of monitoring a computer network in accordance with the present invention;
FIG. 2 is a schematic illustration of an application environment of the present invention;
FIG. 3 is a block diagram of yet another embodiment of a monitoring device for a computer network in accordance with the present invention;
FIG. 4 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
Referring to fig. 1, which is a flowchart illustrating steps of an embodiment of a method for monitoring a computer network according to the present invention, the method is applied to a server in a computer network, where the server is communicatively connected to a network security monitoring system of the computer network, or the network security monitoring system is deployed on the server, and the method includes the steps of:
step 101, acquiring and storing monitoring data of the computer network from the network security monitoring system; the monitoring data are obtained by the network security monitoring system intercepting in real time the data packets transmitted between the computer network and the Internet and the data packets transmitted within the computer network, extracting from the data packets the effective field values used for monitoring the computer network, recombining the data packets to obtain recombined data packets, and using the recombined data packets together with the effective field values as the monitoring data of the computer network.
The computer network may be a local area network (private network) of an enterprise, in which one or more servers may be disposed, and the servers may be communicatively connected to the network security monitoring system, or the network security monitoring system may be disposed in a server of the computer network. The network security monitoring system is a system for monitoring and protecting the security of a computer network, and the network security monitoring system can intercept data packets transmitted between the computer network and the internet (public network) in real time, and data packets transmitted inside the computer network, for example, data packets transmitted between terminal devices in the computer network and terminal devices in the internet, and data packets transmitted between terminal devices in the computer network, where the terminal devices may include devices such as a computer and a tablet computer.
In a specific implementation, each data packet intercepted by the network security monitoring system may contain a data frame, and a data packet usually carries much more data than can effectively be used for monitoring the computer network. If all intercepted data packets were acquired and handed to the relevant personnel for monitoring, the data volume would be large and the computer network still might not be monitored effectively and in time. Therefore, after acquiring a data packet, the network security monitoring system in the embodiment of the present invention may extract from it, using the known media access control protocol (Media Access Control, MAC), the effective field values used for monitoring the computer network, where the effective field values may include the source address of the device transmitting the data packet, the destination address of the device receiving it, and the like; the relevant personnel can then determine the security state of the computer network from the effective field values extracted from the data packets.
In addition, so that the relevant personnel can browse the intercepted data packets comprehensively and quickly, after the effective field values are extracted, each intercepted data packet is also marked with a time stamp and a serial number (representing the transmission order of the data packets). The data packets can then be recombined on the basis of the time stamp and serial number to obtain recombined data packets, and the recombined data packets together with the effective field values can be used as the monitoring data of the computer network and stored in the server, where the relevant personnel can view them through a monitoring terminal.
In one embodiment of the present invention, a proxy server is further disposed in the computer network, the proxy server being located between the server and clients of the internet, the proxy server being configured to block data communication between the clients and the server.
In the embodiment of the invention, the client uses the data in the server and may be a terminal device in the Internet; the proxy server is deployed between the client in the Internet and the server of the computer network, and relays and controls the data communication between the client and the server, thereby ensuring the data security of the computer network.
Step 102, responding to a monitoring data checking request sent by the monitoring terminal for the computer network, acquiring the monitoring data of the computer network, and sending the monitoring data to the monitoring terminal to monitor the computer network.
The monitoring terminal may be a terminal device or a client in the computer network, for example a computer, a tablet computer or another device. In the embodiment of the invention, when the relevant personnel want to view the monitoring data of the computer network, the monitoring terminal sends a monitoring data viewing request to the server; the server acquires the monitoring data of the computer network in response to the request and sends them to the monitoring terminal for display, so that monitoring of the computer network is realized.
The embodiment of the invention provides a monitoring method of a computer network, which realizes real-time monitoring of network communication conditions of the computer network, information acquisition, address analysis of each site on the network and site type analysis through a network security monitoring system of the computer network and provides a monitoring means for security maintenance of the computer network. Referring to fig. 2, which is a schematic diagram of an application environment provided in an embodiment of the present invention, a network security monitoring system may include an information interception unit, an information analysis unit, and an information reorganization unit, where the network security monitoring system is communicatively connected to a server in a computer network or is disposed in the server, and the server is indirectly communicatively connected to a client through a proxy server, and a security monitoring process based on the network security monitoring system on the computer network may include:
The information interception unit adopts a multi-process and multi-thread technology to complete the real-time interception of the data packet;
the information analysis unit is in communication connection with the information interception unit, extracts the effective field values in the data frames from the intercepted data packets using the known media access control protocol, and marks each intercepted data packet with a time stamp and a serial number;
the information reorganization unit is in communication connection with the information analysis unit and recombines the analyzed effective field values and data packets, thereby obtaining the monitoring data of the computer network;
the server is in communication connection with the information reorganization unit and is used for storing and calling the monitoring data;
the client is used for using the data in the server;
the proxy server is positioned between the client and the server and used for blocking data communication between the client and the server;
the monitoring terminal is used for checking monitoring data in the server.
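As an added example (not code from the patent), the following Python sketches the interception, analysis and reorganization steps just listed: a capture worker tags each raw frame with a time stamp and a serial number, the analysis step keeps only the Ethernet header fields (source MAC, destination MAC, EtherType, length) as the effective field values, and the reorganization step merges the out-of-order output of several capture workers back into transmission order. The frames, MAC addresses and capture clock are constructed for the example.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from itertools import count

# Ethernet II header: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType.
ETH_HDR = struct.Struct("!6s6sH")
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class MonitorRecord:
    """One entry of monitoring data: the extracted effective field values plus
    the time stamp and serial number attached at interception time."""
    timestamp: float
    seq: int
    src_mac: str
    dst_mac: str
    ethertype: int
    length: int


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def extract_fields(timestamp: float, seq: int, frame: bytes) -> MonitorRecord:
    """Analysis step: keep only the header fields useful for monitoring
    (addresses, type, size) rather than the whole frame. A truncated frame is
    rejected instead of being parsed into garbage addresses."""
    if len(frame) < ETH_HDR.size:
        raise ValueError(f"seq {seq}: {len(frame)}-byte frame is shorter than an Ethernet header")
    dst, src, etype = ETH_HDR.unpack_from(frame)
    return MonitorRecord(timestamp, seq, fmt_mac(src), fmt_mac(dst), etype, len(frame))


def tag_frames(frames, clock, seq_counter):
    """Interception step: attach a capture time stamp and a serial number to
    each raw frame in the order this capture worker saw it."""
    return [(next(clock), next(seq_counter), f) for f in frames]


def reassemble(*worker_captures):
    """Reorganization step: merge the per-worker capture lists of a
    multi-threaded interceptor back into transmission order. Records are
    ordered by (timestamp, seq); a frame reported twice (same seq) is kept once."""
    records, seen = [], set()
    for captures in worker_captures:
        for ts, seq, frame in captures:
            if seq in seen:
                continue
            seen.add(seq)
            records.append(extract_fields(ts, seq, frame))
    records.sort(key=lambda r: (r.timestamp, r.seq))
    return records


def address_summary(records):
    """Per-site view for the monitoring terminal: frames per (src, dst) pair."""
    return Counter((r.src_mac, r.dst_mac) for r in records)


# --- constructed sample input (not a real capture) ---
def make_frame(src: bytes, dst: bytes, payload: bytes) -> bytes:
    return ETH_HDR.pack(dst, src, ETHERTYPE_IPV4) + payload


HOST_A = bytes.fromhex("02aa00000001")    # locally administered addresses, constructed
HOST_B = bytes.fromhex("02bb00000002")
GATEWAY = bytes.fromhex("02cc00000003")


def demo():
    clock = count(1000.0, 0.5)            # constructed monotonic capture clock
    seqs = count(1)
    # Worker 1 sees internal traffic, worker 2 sees traffic towards the Internet.
    w1 = tag_frames([make_frame(HOST_A, HOST_B, b"\x45" + b"\x00" * 39),
                     make_frame(HOST_B, HOST_A, b"\x45" + b"\x00" * 19)], clock, seqs)
    w2 = tag_frames([make_frame(HOST_A, GATEWAY, b"\x45" + b"\x00" * 59)], clock, seqs)
    # Worker 2 also reports seq 1, as happens when two threads see the same frame.
    w2.append(w1[0])
    # Workers hand in their lists in arbitrary order; reassemble restores transmission order.
    return reassemble(w2, w1)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
    print(address_summary(demo()))
```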
In the above method for monitoring a computer network, a server in the computer network is in communication connection with a network security monitoring system of the computer network, or the network security monitoring system is deployed on the server. Monitoring data of the computer network are acquired and stored from the network security monitoring system, where the monitoring data are obtained by the network security monitoring system capturing in real time the data packets transmitted between the computer network and the Internet, extracting from the data packets the effective field values used for monitoring the computer network, recombining the data packets to obtain recombined data packets, and using the recombined data packets together with the effective field values as the monitoring data of the computer network. Then, in response to a monitoring data viewing request for the computer network sent by the monitoring terminal, the monitoring data of the computer network are acquired and sent to the monitoring terminal, so as to realize monitoring of the computer network and ensure its security.
In one embodiment of the invention, the server supports the use of different operating systems, and the server provides corresponding data viewing modes for the different operating systems.
In the embodiment of the invention, the monitoring terminal is used for viewing the monitoring data in the server, and the ways of viewing the hardware information and the monitoring data of the server under various operating systems, such as a Linux system and a Windows system, are specifically as follows:
Viewing server hardware information:
- through the BIOS (Basic Input/Output System): power on the server, enter the BIOS setup interface and browse the information by moving the cursor;
- in a Linux system: view the hardware information using command line tools;
- in a Windows system: view the hardware information through Device Manager.
Viewing the monitoring data in the server:
- monitoring data stored in the server: in a Linux system, use the command line tool top or htop to view the monitoring data stored in the server in real time; in a Windows system, use Task Manager;
- system logs: in a Linux system, use the cat and tail commands to view the log files; in a Windows system, use Event Viewer;
- network state: in a Linux system, use the ifconfig or ip command to view the state of the network interfaces; in a Windows system, use Network and Sharing Center;
- disk usage: in a Linux system, use the df command; in a Windows system, use Disk Management.
In one embodiment of the present invention, the network security monitoring system may secure a computer network with some security policies, specifically, the security policies used by the network security monitoring system include at least: performing risk assessment on appointed terminal equipment in a computer network by adopting a vulnerability scanning technology; constructing a defense system by adopting a safety technology; real-time response and recovery to network attack; and establishing a hierarchical management and each level of security management center.
The performing risk assessment on the designated terminal device in the computer network by adopting the vulnerability scanning technology may specifically include: the appointed terminal equipment can be some equipment storing enterprise important data, the appointed terminal equipment of the computer network is scanned through a vulnerability scanning technology, the risk level of the terminal equipment after risk assessment is determined, if the risk level is higher, security vulnerabilities existing in the appointed terminal equipment can be repaired in time, the security and defending capability of the computer network are improved, and malicious network attacks by people using the vulnerabilities are prevented.
Building the defense system from security technologies specifically includes the following. Firewall technology: a firewall performs access control at the network layer on the external interfaces of the computer network. NAT (Network Address Translation): hides the internal addressing of the computer network from the outside (NAT hides addresses but is not itself an access-control mechanism; the firewall rules remain the control). VPN (Virtual Private Network): connects remote users, company branch offices and business partners to the enterprise network over a secure data channel, forming an extended enterprise network. Network encryption technology: IP (Internet Protocol) packets transmitted over the public network are encrypted and encapsulated. Authentication: identity-based authentication is provided for the computer network and can be used with various authentication mechanisms. Real-time monitoring of the network: an intrusion detection system monitors terminal devices such as hosts in the computer network and raises early warnings.
Real-time response to and recovery from network attacks may specifically include: when the network security monitoring system detects a network attack, it responds to the attack in real time, or restores the computer network to its state before the attack.
Establishing hierarchical management with a security management center at each level may specifically include: setting up hierarchical management for the computer network, with a security management center at each level, which improves the coordination and efficiency of security management so that the network attacks detected can be responded to and managed effectively.
It should be noted that the embodiments of the present invention may involve the use of user data. In practical applications, user-specific personal data may be used in the solution described herein only within the scope allowed by, and in compliance with, the applicable laws and regulations of the relevant country (for example, with the user's explicit consent after adequate notice).
In one embodiment of the present invention, after step 102 (obtaining the monitoring data of the computer network in response to a monitoring data viewing request for the computer network sent by the monitoring terminal, and sending the monitoring data to the monitoring terminal to implement monitoring of the computer network), the method further includes:
acquiring detection data from the network security monitoring system, where the detection data is collected from preset intrusion detection tasks executed by the network security monitoring system; and
analyzing the detection data to determine whether any user has violated the security policy or whether there are signs that the computer network is under attack.
The network security monitoring system executes intrusion detection tasks for the computer network; the input to these tasks is obtained by the network security monitoring system capturing and analyzing the data packets transmitted in the computer network. In particular, the intrusion detection tasks may include at least: monitoring and analyzing the activities of the computer network and its users; auditing the configuration and vulnerabilities of the computer network; identifying attack patterns against the computer network and raising alerts; statistical analysis of abnormal behavior patterns in the computer network; evaluating the integrity of the computer network and of the data files in it; and performing audit-trail management for the computer network and identifying user behavior that violates the security policy.
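The analysis step above (and its restatement for the device embodiment later on) is described only in terms of its goals: find user behavior that violates the security policy and find signs of an attack. The following is an added example, not code from the patent or its applicant, of detection logic that does both over a stream of event lines. The event-line format, the policy table (which hosts each user may reach, business hours, the service-account exemption), the thresholds and the sample events are all assumptions constructed for illustration; the constructed events are not from any real network.

```python
"""Analysis of the detection data: user policy violations and attack signs
found in constructed event lines.  Added example, not the patent's own code;
the line format, the thresholds and the policy table are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, time

# Assumed event format: "<ISO timestamp> <source IP> <user> <event> <host>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<event>\S+) (?P<host>[^:\s]+):(?P<port>\d+)$")

# Assumed policy: which hosts each user may reach, and the business-hours window.
ALLOWED_HOSTS = {"alice": {"db01"}, "bob": {"db01", "fs02"}, "svc-backup": {"fs02"}}
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def parse_event(line: str):
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["port"] = int(ev["port"])
    return ev


def analyze(lines, fail_threshold=5, fail_window_s=60, scan_ports=10, scan_window_s=10):
    """Return a list of (alert_kind, detail) tuples, one per detected condition."""
    alerts = []
    fails = defaultdict(deque)     # src -> timestamps of recent LOGIN_FAIL
    connects = defaultdict(deque)  # src -> (timestamp, dst port) of recent CONNECT
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            alerts.append(("UNPARSED", line))   # never silently drop input the parser rejects
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["event"] == "LOGIN_FAIL":
            # Attack sign: many failed logins from one source inside a sliding window.
            q = fails[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > fail_window_s:
                q.popleft()
            if len(q) == fail_threshold:   # alert once, when the threshold is crossed
                alerts.append(("BRUTE_FORCE", src))
        elif ev["event"] == "CONNECT":
            # Attack sign: one source touching many distinct ports in a short window.
            q = connects[src]
            q.append((ts, ev["port"]))
            while (ts - q[0][0]).total_seconds() > scan_window_s:
                q.popleft()
            if len({p for _, p in q}) == scan_ports:
                alerts.append(("PORT_SCAN", src))
        elif ev["event"] in ("LOGIN_OK", "ACCESS"):
            # Policy violations: a host the user is not allowed to reach, or access outside hours.
            user = ev["user"]
            if ev["host"] not in ALLOWED_HOSTS.get(user, set()):
                alerts.append(("POLICY_HOST", f"{user}->{ev['host']}"))
            in_hours = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
            if not in_hours and not user.startswith("svc-"):  # assumed: service accounts run at night
                alerts.append(("POLICY_HOURS", f"{user}@{ts.isoformat()}"))
    return alerts


# Constructed sample events (not captured from any real network).
SAMPLE_LOG = "\n".join(
    ["2024-01-29T02:00:00 10.0.0.9 svc-backup ACCESS fs02:445"]
    + [f"2024-01-29T09:00:{i:02d} 203.0.113.7 root LOGIN_FAIL db01:22" for i in range(6)]
    + [f"2024-01-29T09:01:{i:02d} 198.51.100.9 - CONNECT fs02:{20 + i}" for i in range(11)]
    + ["2024-01-29T09:05:00 10.0.0.5 alice LOGIN_OK db01:5432",
       "2024-01-29T10:00:00 10.0.0.6 bob ACCESS hr01:445",
       "this line is not in the expected format",
       "2024-01-29T23:30:00 10.0.0.5 alice ACCESS db01:5432"]
)

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG.splitlines()):
        print(kind, detail)
```

Two details matter more than the thresholds themselves: the windows are sliding, so a slow attacker who spreads attempts beyond the window is not caught by this rule alone (a longer-term statistical view is needed for that), and lines the parser cannot read become alerts rather than being discarded, since a silently dropped line is exactly how evidence of an attack gets lost.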
In one embodiment of the invention, the network security monitoring system provides secure network services comprising at least: authentication of the communication partner; access control; data encryption; traffic-flow analysis and protection; data integrity protection; and signing. The data encryption covers both data stored in the computer network and data transmitted in the computer network. Specifically, protection of stored data may include one-way hashing (a hash is not encryption: it cannot be reversed, so it suits integrity checks and password storage rather than confidentiality), symmetric encryption and asymmetric encryption; protection of data in transit includes SSL (Secure Sockets Layer)/TLS (Transport Layer Security) and VPN (Virtual Private Network) encryption. All SSL versions and TLS 1.0/1.1 are deprecated, so in practice TLS 1.2 or later should be configured. Of course, the encryption methods above are merely examples; other encryption methods may be selected according to specific requirements in practical applications, and this is not limited in the embodiments of the present invention.
In one embodiment of the present invention, after step 102 (obtaining the monitoring data of the computer network in response to a monitoring data viewing request for the computer network sent by the monitoring terminal, and sending the monitoring data to the monitoring terminal to implement monitoring of the computer network), the method further includes:
collecting network information of the computer network, where the network information includes at least: the number of attacks, the number of viruses, and the virus detection and removal speed of the computer network within a preset time period; and
evaluating the security level of the computer network according to the network information.
The security level is an evaluation of the security condition of the computer network, classified into grades according to the degree of security; for example, high, medium-high and low security levels.
In the embodiment of the invention, the security level of the computer network may be evaluated by the network security monitoring system as follows: after the network security monitoring system has established a communication connection with the computer network to be evaluated, it collects data from that network to obtain the network information, which may include at least the number of attacks, the number of viruses and the virus detection and removal speed within the preset period; the security level of the computer network is then evaluated from this network information.
Compared with the prior art, the embodiments of the present invention have at least the following beneficial effects. The method realizes real-time monitoring of the communication state of the computer network, collection of information, and analysis of the address and type of each site on the network, providing a monitoring means for the security maintenance of the computer network. Because there is no direct data channel between the external Internet and the internal server, it is difficult for external malicious activity to harm the enterprise's internal network; the proxy server is more secure, and it can detect and scan at the application layer, which is effective against application-layer intrusions and viruses. Network encryption is used to encrypt and encapsulate the packets transmitted over the public network, giving data transmission confidentiality and integrity; this addresses the security of the computer network's data on the public network and the security of remote users accessing the intranet. The computer network can be monitored without affecting network performance, providing real-time protection against internal attacks, external attacks and misoperation. Personnel access is effectively supervised, reducing the probability of unauthorized operations, protecting the data in the computer network and reducing the opportunity for unauthorized persons to intrude while the network is online. In addition, the network security assessment is more objective, which improves the accuracy of the security assessment of the computer network.
It should be noted that, for simplicity of description, the method embodiments are presented as a series of acts, but those skilled in the art will understand that the embodiments are not limited by the order of the acts described, since some steps may be performed in other orders or concurrently. Further, those skilled in the art will appreciate that the embodiments described in the specification are preferred embodiments, and that the acts involved are not necessarily required by the embodiments of the invention.
On the basis of the above embodiments, this embodiment further provides a monitoring device for a computer network, which is applied to electronic devices such as terminal devices and servers.
Referring to fig. 3, a block diagram of an embodiment of a monitoring device for a computer network is shown. The device is applied to a server in the computer network, where the server is communicatively connected to a network security monitoring system of the computer network, or the network security monitoring system is deployed on the server. The device may specifically include the following modules:
a monitoring data obtaining module 301, configured to obtain and store monitoring data of the computer network from the network security monitoring system, where the monitoring data is derived from the data packets transmitted between the computer network and the Internet, and the data packets transmitted within the computer network, which the network security monitoring system intercepts in real time: effective field values for monitoring the computer network are extracted from the data packets, the data packets are reassembled to obtain reassembled data packets, and the reassembled data packets together with the effective field values serve as the monitoring data of the computer network;
a monitoring data viewing module 302, configured to respond to a monitoring data viewing request for the computer network sent by the monitoring terminal by obtaining the monitoring data of the computer network and sending it to the monitoring terminal, thereby implementing monitoring of the computer network.
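The core of the monitoring data, in the method and the device embodiments alike, is "extract the effective field values from the intercepted packets, reassemble the packets, store both". The page does not say which fields or how reassembly is done, so the following is an added example, not code from the patent or its applicant: it decodes raw IPv4 and TCP headers, reassembles fragmented datagrams, and produces one record of field values per datagram. The record layout is an assumption, and the sample packets are constructed in the block itself (they are not captured from any network). The reassembler also rejects overlapping fragments, which the patent does not discuss but which a monitoring system must handle because overlapping fragments are a well-known technique for evading packet inspection.

```python
"""Extract the monitored fields from raw IPv4/TCP packets and reassemble
fragmented datagrams.  Added example, not the patent's own code; the record
layout and the sample packets are assumptions constructed for illustration."""
import struct

TCP = 6
FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header; reject truncated or inconsistent packets."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "id": ident,
            "proto": proto, "ttl": ttl, "mf": bool(frag & 0x2000),
            "offset": (frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


class Reassembler:
    """Rebuild fragmented datagrams keyed by (src, dst, id, proto).
    Overlapping fragments are rejected: honest stacks never produce them and
    inspection engines have been evaded with them."""

    def __init__(self):
        self.pending = {}

    def feed(self, pkt: bytes):
        """Return the complete datagram header dict, or None while pieces are missing."""
        h = parse_ipv4(pkt)
        if not h["mf"] and h["offset"] == 0:
            return h  # not fragmented
        key = (h["src"], h["dst"], h["id"], h["proto"])
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][h["offset"]] = h["payload"]
        if not h["mf"]:  # the last fragment tells us the full length
            entry["total"] = h["offset"] + len(h["payload"])
        if entry["total"] is None:
            return None
        data, pos = b"", 0
        for off in sorted(entry["parts"]):
            if off < pos:
                del self.pending[key]
                raise ValueError("overlapping fragments from %s" % h["src"])
            if off > pos:
                return None  # a piece is still missing
            data += entry["parts"][off]
            pos = off + len(entry["parts"][off])
        if pos != entry["total"]:
            return None
        del self.pending[key]
        return dict(h, mf=False, offset=0, payload=data)


def parse_tcp(seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or data_off > len(seg):
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "seq": seq,
            "flags": [name for bit, name in FLAG_NAMES if flags & bit], "data": seg[data_off:]}


def extract_fields(h: dict) -> dict:
    """The field values kept alongside the reassembled packet (layout assumed)."""
    rec = {k: h[k] for k in ("src", "dst", "id", "proto", "ttl")}
    if h["proto"] == TCP:
        t = parse_tcp(h["payload"])
        rec.update(sport=t["sport"], dport=t["dport"], flags=t["flags"],
                   payload_len=len(t["data"]), payload_prefix=t["data"][:16])
    else:
        rec.update(payload_len=len(h["payload"]))
    return rec


def monitor(packets) -> list:
    """Feed intercepted packets through reassembly; one record per complete datagram."""
    r, records = Reassembler(), []
    for pkt in packets:
        h = r.feed(pkt)
        if h is not None:
            records.append(extract_fields(h))
    return records


# --- constructed sample traffic (not captured from any real network) ---
def build_ipv4(src, dst, ident, proto, payload, offset=0, mf=False):
    def addr(s):
        return bytes(int(x) for x in s.split("."))
    frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag, 64, proto, 0, addr(src), addr(dst))
    return hdr + payload


def build_tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + data


_http = build_tcp(40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")  # PSH|ACK, 38 bytes in total
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "203.0.113.10", 0x1234, TCP, _http[24:], offset=24),      # 2nd fragment, arrives first
    build_ipv4("10.0.0.5", "203.0.113.10", 0x1234, TCP, _http[:24], mf=True),        # 1st fragment
    build_ipv4("198.51.100.9", "10.0.0.5", 0x0001, TCP, build_tcp(51515, 22, 0x02)),  # unfragmented SYN
]

if __name__ == "__main__":
    for rec in monitor(SAMPLE_PACKETS):
        print(rec)
```

The fragments are deliberately fed out of order, and the TCP header of the fragmented datagram only becomes parseable after reassembly: without reassembly the second fragment carries no port numbers at all, which is precisely why a monitor that extracts field values fragment by fragment can be blinded to what it is looking at.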
In one embodiment of the present invention, the computer network further includes a proxy server located between the server and clients on the Internet; the proxy server is configured to intercept the data communication between the clients and the server, so that there is no direct data channel between them.
In one embodiment of the invention, the server supports different operating systems and provides a corresponding data viewing method for each; the security policies used by the network security monitoring system include at least: performing risk assessment on designated terminal devices in the computer network by means of vulnerability scanning; building a defense system from security technologies; responding to and recovering from network attacks in real time; and establishing hierarchical management with a security management center at each level.
In one embodiment of the invention, the device further includes an intrusion detection analysis module, configured to:
acquire detection data from the network security monitoring system, where the detection data is collected from preset intrusion detection tasks executed by the network security monitoring system; and
analyze the detection data to determine whether any user has violated the security policy or whether there are signs that the computer network is under attack.
In one embodiment of the invention, the intrusion detection tasks include at least: monitoring and analyzing the activities of the computer network and its users; auditing the configuration and vulnerabilities of the computer network; identifying attack patterns against the computer network and raising alerts; statistical analysis of abnormal behavior patterns in the computer network; evaluating the integrity of the computer network and of the data files in it; and performing audit-trail management for the computer network and identifying user behavior that violates the security policy.
In one embodiment of the invention, the network security monitoring system provides secure network services comprising at least: authentication of the communication partner; access control; data encryption; traffic-flow analysis and protection; data integrity protection; and signing; where the data encryption covers both data stored in the computer network and data transmitted in the computer network.
In one embodiment of the invention, the device further includes a security level evaluation module, configured to:
collect network information of the computer network, where the network information includes at least: the number of attacks, the number of viruses, and the virus detection and removal speed of the computer network within a preset time period; and
evaluate the security level of the computer network according to the network information.
The network security monitoring system of the embodiments of the invention can obtain and store the monitoring data of the computer network. The monitoring data is obtained by intercepting, in real time, the data packets transmitted between the computer network and the Internet; the network security monitoring system analyzes and processes these packets, extracts the effective field values, and stores them together with the reassembled data packets as the monitoring data. When the relevant personnel need to check the monitoring data of the computer network, it can therefore be obtained in real time, and because the monitoring data already includes the extracted effective field values, reviewing it is more efficient. This effectively improves the monitoring capability of the computer network and helps the relevant personnel discover and handle potential security threats in the computer network in time, thereby ensuring the security of the computer network.
For the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points.
The embodiment of the invention also provides a non-volatile readable storage medium storing one or more modules (programs); when these modules are applied to a device, the device can execute the instructions for each method step in the embodiments of the invention.
Embodiments of the invention provide one or more machine-readable media having instructions stored thereon that, when executed by one or more processors, cause an electronic device to perform a method as described in one or more of the above embodiments. In the embodiments of the invention, the electronic device includes various types of devices, such as terminal devices and servers (clusters).
Embodiments of the present disclosure may be implemented as an apparatus for performing a desired configuration using any suitable hardware, firmware, software, or any combination thereof, which may include electronic devices such as terminal devices, servers (clusters), etc. Fig. 4 schematically illustrates an exemplary apparatus 400 that may be used to implement various embodiments described in the present disclosure.
For one embodiment, FIG. 4 illustrates an example apparatus 400 having one or more processors 402, a control module (chipset) 404 coupled to at least one of the processor(s) 402, a memory 406 coupled to the control module 404, a non-volatile memory (NVM)/storage device 408 coupled to the control module 404, one or more input/output devices 410 coupled to the control module 404, and a network interface 412 coupled to the control module 404.
Processor 402 may include one or more single-core or multi-core processors, and processor 402 may include any combination of general-purpose or special-purpose processors (e.g., graphics processor, application processor, baseband processor, etc.). In some embodiments, the apparatus 400 can be used as a terminal device, a server (cluster), or the like in the embodiments of the present invention.
In some embodiments, the apparatus 400 can include one or more computer-readable media (e.g., memory 406 or NVM/storage 408) having instructions 414 and one or more processors 402 combined with the one or more computer-readable media configured to execute the instructions 414 to implement the modules to perform the actions described in this disclosure.
For one embodiment, the control module 404 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 402 and/or any suitable device or component in communication with the control module 404.
The control module 404 may include a memory controller module to provide an interface to the memory 406. The memory controller modules may be hardware modules, software modules, and/or firmware modules.
Memory 406 may be used to load and store data and/or instructions 414 for apparatus 400, for example. For one embodiment, memory 406 may include any suitable volatile memory, such as, for example, a suitable DRAM. In some embodiments, memory 406 may comprise double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
For one embodiment, control module 404 may include one or more input/output controllers to provide interfaces to NVM/storage 408 and input/output device(s) 410.
For example, NVM/storage 408 may be used to store data and/or instructions 414. NVM/storage 408 may include any suitable nonvolatile memory (e.g., flash memory) and/or may include any suitable nonvolatile storage device(s) (e.g., one or more Hard Disk Drives (HDDs), one or more Compact Disc (CD) drives, and/or one or more Digital Versatile Disc (DVD) drives).
NVM/storage 408 may include storage resources physically part of the device on which apparatus 400 is installed or it may be accessible by the device without necessarily being part of the device. For example, NVM/storage 408 may be accessed over a network via input/output device(s) 410.
Input/output device(s) 410 may provide an interface for apparatus 400 to communicate with any other suitable device; input/output device 410 may include a communication component, an audio component, a sensor component, and the like. Network interface 412 may provide an interface for apparatus 400 to communicate over one or more networks, and apparatus 400 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, for example accessing a wireless network based on a communication standard such as WiFi, 2G, 3G, 4G, 5G, etc., or a combination thereof.
For one embodiment, at least one of the processor(s) 402 may be packaged together with logic of one or more controllers (e.g., memory controller modules) of the control module 404. For one embodiment, at least one of the processor(s) 402 may be packaged together with logic of one or more controllers of the control module 404 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 402 may be integrated on the same die with logic of one or more controllers of the control module 404. For one embodiment, at least one of the processor(s) 402 may be integrated on the same die with logic of one or more controllers of the control module 404 to form a system on chip (SoC).
In various embodiments, the apparatus 400 may be, but is not limited to being: a server, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.), among other terminal devices. In various embodiments, the apparatus 400 may have more or fewer components and/or different architectures. For example, in some embodiments, the apparatus 400 includes one or more cameras, a keyboard, a Liquid Crystal Display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an Application Specific Integrated Circuit (ASIC), and a speaker.
The detection device may use a main control chip as the processor or control module; sensor data, position information and the like are stored in the memory or the NVM/storage device; a sensor group may serve as the input/output device; and the communication interface may include the network interface.
In this specification, the embodiments are described in a progressive manner, each embodiment focusing on its differences from the others; for the parts that are identical or similar between embodiments, reference may be made to one another.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable computer network monitor terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable computer network monitor terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable computer network monitor terminal device to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a monitoring terminal of a computer or other programmable computer network to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it is further noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or terminal. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or terminal device comprising the element.
The method and apparatus for monitoring a computer network, the electronic device and the storage medium have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present invention; the above examples are provided only to help in understanding the method and core idea of the present invention. At the same time, those skilled in the art may vary the specific embodiments and the scope of application in accordance with the ideas of the present invention, so the present description should not be construed as limiting the present invention.
Claims (10)
1. A method for monitoring a computer network, the method being applied to a server in a computer network, the server being communicatively connected to a network security monitoring system of the computer network, or the network security monitoring system being deployed on the server, the method comprising:
acquiring and storing monitoring data of the computer network from the network security monitoring system; where the monitoring data is derived from the data packets transmitted between the computer network and the Internet, and the data packets transmitted within the computer network, which the network security monitoring system intercepts in real time: effective field values for monitoring the computer network are extracted from the data packets, the data packets are reassembled to obtain reassembled data packets, and the reassembled data packets together with the effective field values serve as the monitoring data of the computer network;
and, in response to a monitoring data viewing request for the computer network sent by the monitoring terminal, acquiring the monitoring data of the computer network and sending the monitoring data to the monitoring terminal, so as to implement monitoring of the computer network.
2. The method of claim 1, wherein the computer network further comprises a proxy server located between the server and a client on the Internet, the proxy server being configured to intercept the data communication between the client and the server so that there is no direct data channel between them.
3. The method of claim 1, wherein the server supports different operating systems and provides a corresponding data viewing method for each; and the security policies used by the network security monitoring system comprise at least: performing risk assessment on designated terminal devices in the computer network by means of vulnerability scanning; building a defense system from security technologies; responding to and recovering from network attacks in real time; and establishing hierarchical management with a security management center at each level.
4. The method of claim 1, wherein, after the acquiring of the monitoring data of the computer network in response to the monitoring data viewing request for the computer network sent by the monitoring terminal and the sending of the monitoring data to the monitoring terminal to implement monitoring of the computer network, the method further comprises:
acquiring detection data from the network security monitoring system, the detection data being collected from preset intrusion detection tasks executed by the network security monitoring system; and
analyzing the detection data to determine whether any user has violated the security policy or whether there are signs that the computer network is under attack.
5. The method of claim 4, wherein the intrusion detection tasks comprise at least: monitoring and analyzing the activities of the computer network and its users; auditing the configuration and vulnerabilities of the computer network; identifying attack patterns against the computer network and raising alerts; statistical analysis of abnormal behavior patterns in the computer network; evaluating the integrity of the computer network and of the data files in it; and performing audit-trail management for the computer network and identifying user behavior that violates the security policy.
6. The method of claim 1, wherein the network security monitoring system provides secure network services comprising at least: authentication of the communication partner; access control; data encryption; traffic-flow analysis and protection; data integrity protection; and signing; wherein the data encryption covers both data stored in the computer network and data transmitted in the computer network.
7. The method of claim 1, wherein, after the acquiring of the monitoring data of the computer network in response to the monitoring data viewing request for the computer network sent by the monitoring terminal and the sending of the monitoring data to the monitoring terminal to implement monitoring of the computer network, the method further comprises:
collecting network information of the computer network, the network information comprising at least: the number of attacks, the number of viruses, and the virus detection and removal speed of the computer network within a preset time period; and
evaluating the security level of the computer network according to the network information of the computer network.
8. A monitoring device for a computer network, the device being applied to a server in the computer network, the server being communicatively connected to a network security monitoring system of the computer network, or the network security monitoring system being deployed on the server, the device comprising:
a monitoring data acquisition module, configured to acquire and store the monitoring data of the computer network from the network security monitoring system; where the monitoring data is derived from the data packets transmitted between the computer network and the Internet, and the data packets transmitted within the computer network, which the network security monitoring system intercepts in real time: effective field values for monitoring the computer network are extracted from the data packets, the data packets are reassembled to obtain reassembled data packets, and the reassembled data packets together with the effective field values serve as the monitoring data of the computer network;
and a monitoring data viewing module, configured to respond to a monitoring data viewing request for the computer network sent by the monitoring terminal by acquiring the monitoring data of the computer network and sending the monitoring data to the monitoring terminal, so as to monitor the computer network.
9. An electronic device, comprising: a processor; and
a memory having executable code stored thereon that, when executed, causes the processor to perform the method of monitoring a computer network as claimed in any one of claims 1 to 7.
10. One or more machine readable media having executable code stored thereon that, when executed, causes a processor to perform the method of monitoring a computer network according to any of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410123978.0A CN117896166A (en) | 2024-01-29 | 2024-01-29 | Method, device, equipment and storage medium for monitoring computer network |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117896166A true CN117896166A (en) | 2024-04-16 |
Family
ID=90639406
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410123978.0A Pending CN117896166A (en) | 2024-01-29 | 2024-01-29 | Method, device, equipment and storage medium for monitoring computer network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117896166A (en) |
2024
- 2024-01-29 CN CN202410123978.0A patent/CN117896166A/en active Pending
Similar Documents
| Publication | Title |
|---|---|
| Ahmed et al. | ECU-IoHT: A dataset for analyzing cyberattacks in Internet of Health Things |
| US12341814B2 (en) | Implementing decoys in a network environment |
| Al-Masri et al. | A fog-based digital forensics investigation framework for IoT systems |
| US9942270B2 (en) | Database deception in directory services |
| KR101737726B1 (en) | Rootkit detection by using hardware resources to detect inconsistencies in network traffic |
| US9769204B2 (en) | Distributed system for Bot detection |
| US9854057B2 (en) | Network data collection and response system |
| US20200351288A1 (en) | System and method for detecting computer network intrusions |
| Detken et al. | SIEM approach for a higher level of IT security in enterprise networks |
| US9306957B2 (en) | Proactive security system for distributed computer networks |
| CA2968201A1 (en) | Systems and methods for malicious code detection |
| US12255913B2 (en) | Methods and systems for system vulnerability determination and utilization for threat mitigation |
| US12088618B2 (en) | Methods and systems for asset risk determination and utilization for threat mitigation |
| Irfan et al. | A framework for cloud forensics evidence collection and analysis using security information and event management |
| CN113411297A (en) | Situation awareness defense method and system based on attribute access control |
| Ono et al. | A proposal of port scan detection method based on Packet-In Messages in OpenFlow networks and its evaluation |
| Zeinali | Analysis of security information and event management (SIEM) evasion and detection methods |
| CN113660222A (en) | Situation awareness defense method and system based on mandatory access control |
| Volarević et al. | Network forensics |
| TW201633205A (en) | Systems and methods for malicious code detection |
| Huang et al. | Design and implementation of a distributed early warning system combined with intrusion detection system and honeypot |
| CN117896166A (en) | Method, device, equipment and storage medium for monitoring computer network |
| Czekster et al. | Requirements for designing mobile and flexible applications for online invasion detection and remote control |
| CN116684110A (en) | Domain name server security detection method and device, electronic equipment and storage medium |
| Asokan et al. | A Case Study Using National e-Government Portals to Investigate the Deployment of the Nmap Tool for Network Vulnerability Assessment |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |