
CN111049801B - A Firewall Policy Detection Method - Google Patents

A Firewall Policy Detection Method Download PDF

Info

Publication number
CN111049801B
Authority
CN
China
Prior art keywords
firewall
address
policy
numerical value
detection method
Prior art date
Legal status
Active
Application number
CN201911121211.XA
Other languages
Chinese (zh)
Other versions
CN111049801A (en)
Inventor
凌子文
刘翠媚
陆庭辉
吴毅良
郭凤婵
殷锦辉
郝霞
罗序良
李文祺
刘可欣
尹婕
Current Assignee
Guangdong Power Grid Co Ltd
Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority date: 2019-11-15
Filing date: 2019-11-15
Publication date: 2022-02-11
Application filed by Guangdong Power Grid Co Ltd and Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority to CN201911121211.XA
Publication of CN111049801A (2020-04-21)
Application granted
Publication of CN111049801B (2022-02-11)
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of information security, in particular to a firewall policy detection method comprising the following steps: S10, constructing a firewall policy database and a firewall log file, and analysing how the address book information, policy configuration information and port information of the firewall visual page are recorded and displayed; S20, extracting the IP addresses configured in the policy configuration information, converting each IP address into a specific numerical value or numerical range, and raising an alarm when an alarm rule is met; S30, analysing the recording mode of the firewall log file from step S10, analysing the meaning of the information stored in each field of the log file, classifying the fields, and writing the field classification into the firewall policy database; and S40, storing the firewall policy database on the terminal for displaying and querying policy configuration information. The method acquires firewall policy configuration information quickly and comprehensively and supports fast queries; converting IP addresses into numerical values lets the computer identify policy conflicts by numerical comparison, which is faster than comparing address strings.

Description

Firewall policy detection method
Technical Field
The invention relates to the technical field of information security, in particular to a firewall policy detection method.
Background
Information security currently attracts much attention. Data security is a very important part of it, and local-area-network security relies mainly on firewalls for management and control. In recent years access control has become one of the key points of network security protection: a firewall must not retain redundant policies, must not be configured with an excessively wide address range or an excessively wide port range, and must block high-risk ports completely. In addition, an enterprise-level firewall carries hundreds of access policies; checking their configuration manually is time-consuming and labour-intensive and leads to wrong and missed checks, which affects network stability and the safe operation of the information system.
At present, firewall policy detection and troubleshooting mainly suffer from the following problems: (1) hundreds of network access policies are configured and in use on the firewall, and most firewalls require the administrator to name the source and destination IP addresses before configuring an access policy, so whenever the administrator needs to look up policies by IP, the address naming page and the policy configuration page must be switched back and forth repeatedly; this costs much time and effort, has a high labour cost, and is error-prone when many addresses must be checked; (2) the firewall counts hits on each policy by itself, and a policy that is never hit shows a hit count of zero; according to the information security requirements, staff must restart and switch over the firewall every month, and the switch-over and restart clear the hit counters, so effective policies cannot be distinguished from dead ones, even though the access policies concern the operation of the whole production network and have great influence; (3) each log entry output by the firewall has many fields, the volume of log data generated every day is huge, and the log file is in plain-text format, which is unfavourable to querying and analysing the firewall log.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a firewall policy detection method which acquires firewall configuration data quickly, obtains policy information and policy hit counts at the same time, exports the firewall information completely, and detects firewall policy configuration quickly.
In order to solve the technical problems, the invention adopts the technical scheme that:
the firewall policy detection method comprises the following steps:
S10, constructing a firewall policy database and a firewall log file, analysing how the address book information, policy configuration information and port information of the firewall visual page are recorded and displayed, and establishing a firewall data extraction mode;
S20, extracting the IP addresses configured in the policy configuration information using a crawler tool and the matching function of the firewall policy database of step S10, converting each IP address into a specific numerical value or numerical range, and raising an alarm when the specific numerical value or numerical range meets an alarm rule;
S30, analysing the recording mode of the firewall log file of step S10, analysing the meaning of the information stored in each field of the firewall log file, classifying the fields, and writing the field classification into the firewall policy database;
and S40, storing the firewall policy database on the terminal for displaying and querying policy configuration information.
The firewall policy detection method quickly and comprehensively acquires firewall configuration data such as policy ID, hit count, source address name, source address IP, source port, destination address name, destination address IP and destination port, presents it completely in one table after automatic matching, and allows fast queries on any of these fields; it converts each IP address into a specific numerical value or numerical range and compares the numerical values, which speeds up policy identification by the computer.
Preferably, step S10 is performed as follows: a crawler logs in to the firewall at regular intervals and captures the firewall data, which comprise policy ID, hit count, source address name, source address IP, source interface, destination address name, destination address IP and destination port; the firewall data are matched against one another, displayed in one table and exported.
Preferably, step S20 is performed as follows:
S21, extracting the IP address configured in the policy configuration information and classifying it: a single IP address is converted directly; for an IP address segment, the minimum and maximum addresses of the segment are extracted and both converted;
S22, extracting the numerical values of the IP address and numbering them;
S23, summing and converting the numerical values from step S22 to obtain the IP conversion value;
S24, traversing all IP addresses to obtain their conversion values N, comparing the conversion values $N_1$, $N_2$ of any two IP addresses, and raising an alarm when one of the following rules is met: if $N_1$ and $N_2$ are both single addresses, alarm when $N_1 = N_2$; if $N_1$ is a single address and $N_2$ an address segment, alarm when $N_{2\min} \le N_1 \le N_{2\max}$; if $N_1$ and $N_2$ are both address segments, alarm when either of the two conditions given in the following formula images is met:
[formula image GDA0003372384380000021, not reproduced in the text]
or
[formula image GDA0003372384380000022, not reproduced in the text]
Preferably, in step S22, according to the characteristics of IPv4 addresses, each IPv4 address is 4 bytes (32-bit binary) written as four decimal groups separated by ".", IPv4 = (P1.P2.P3.P4). Removing the dots yields the four decimal values converted from the four 8-bit groups; the extracted values are denoted P1, P2, P3, P4, with $0 \le P_1, P_2, P_3, P_4 \le 255$ (the original text gives the upper bound as 256, but an 8-bit group cannot exceed 255).
Preferably, in step S22, a position number i is assigned to the four values P1, P2, P3, P4 computed in the first step: i(P1) = 0, i(P2) = 1, i(P3) = 2, i(P4) = 3.
Preferably, in step S23, the values are summed and converted to the IP conversion value according to $N = \sum_{i=0}^{3} \frac{P_i}{256} \times 256^{3-i}$, where N is the conversion value, $P_i$ the i-th extracted value and i its position number. Expanded, $N = P_1 \times 256^2 + P_2 \times 256 + P_3 + P_4/256$, which is the conventional 32-bit integer value of the address divided by 256; the mapping is strictly increasing, so comparing conversion values is equivalent to comparing addresses.
Preferably, step S30 is performed as follows: import the firewall log file, split the log fields, and collect and store them in the firewall policy database by field category.
Preferably, the firewall log file is classified by field using a script.
Preferably, the field types comprise numeric, string and date types, and the fields are divided into a date field, an src field, a dst field, a sport field and an smac field.
Preferably, in step S40, policy configuration information is queried by keyword matching.
Compared with the prior art, the invention has the following beneficial effects:
the firewall policy detection method quickly and comprehensively acquires firewall configuration data such as policy ID, hit count, source address name, source address IP, source port, destination address name, destination address IP and destination port, presents it completely in one table after automatic matching, and allows fast queries on any of these fields; the invention converts each IP address into a specific numerical value or numerical range and decides the alarm condition by numerical comparison, which speeds up policy identification.
Drawings
FIG. 1 is a flow diagram of firewall policy capture detection;
fig. 2 is a flow chart of firewall log file query.
Detailed Description
The present invention will be further described with reference to the following embodiments.
Examples
Fig. 1 and fig. 2 show an embodiment of the firewall policy detection method according to the invention, comprising the following steps:
S10, constructing a firewall policy database and a firewall log file, analysing how the address book information, policy configuration information and port information of the firewall visual page are recorded and displayed, and establishing a firewall data extraction mode;
S20, extracting the IP addresses configured in the policy configuration information using a crawler tool and the matching function of the firewall policy database of step S10, converting each IP address into a specific numerical value or numerical range, and raising an alarm when the specific numerical value or numerical range meets the alarm rule;
S30, analysing the recording mode of the firewall log file of step S10, analysing the meaning of the information stored in each field of the firewall log file, classifying the fields, and writing the field classification into the firewall policy database;
and S40, storing the firewall policy database on the terminal for displaying and querying policy configuration information.
Step S10 is performed as follows: a crawler logs in to the firewall at regular intervals and captures the firewall data, which comprise policy ID, hit count, source address name, source address IP, source interface, destination address name, destination address IP and destination port; the firewall data are matched against one another, displayed in one table and exported.
Step S20 is performed as follows:
S21, extracting the IP address configured in the policy configuration information and classifying it: a single IP address is converted directly; for an IP address segment, the minimum and maximum addresses of the segment are extracted and both converted;
S22, extracting the numerical values of the IP address and numbering them;
S23, summing and converting the numerical values from step S22 to obtain the IP conversion value;
S24, traversing all IP addresses to obtain their conversion values N, comparing the conversion values $N_1$, $N_2$ of any two IP addresses, and raising an alarm when one of the following rules is met: if $N_1$ and $N_2$ are both single addresses, alarm when $N_1 = N_2$; if $N_1$ is a single address and $N_2$ an address segment, alarm when $N_{2\min} \le N_1 \le N_{2\max}$; if $N_1$ and $N_2$ are both address segments, alarm when either of the two conditions given in the following formula images is met:
[formula image GDA0003372384380000041, not reproduced in the text]
or
[formula image GDA0003372384380000042, not reproduced in the text]
In step S22, according to the characteristics of IPv4 addresses, each IPv4 address is 4 bytes (32-bit binary) written as four decimal groups separated by ".", IPv4 = (P1.P2.P3.P4). Removing the dots yields the four decimal values converted from the four 8-bit groups (the implementation code referenced at this point is not reproduced in the text); the extracted values are denoted P1, P2, P3, P4, with $0 \le P_1, P_2, P_3, P_4 \le 255$ (the original text gives the upper bound as 256, but an 8-bit group cannot exceed 255).
In step S22, a position number i is assigned to the four values P1, P2, P3, P4 computed in the first step: i(P1) = 0, i(P2) = 1, i(P3) = 2, i(P4) = 3.
In step S23, the values are summed and converted to the IP conversion value according to $N = \sum_{i=0}^{3} \frac{P_i}{256} \times 256^{3-i}$, where N is the conversion value, $P_i$ the i-th extracted value and i its position number. Expanded, $N = P_1 \times 256^2 + P_2 \times 256 + P_3 + P_4/256$, which is the conventional 32-bit integer value of the address divided by 256; the mapping is strictly increasing, so comparing conversion values is equivalent to comparing addresses. The core C# code implementing this formula is given in the following figures:
[C# code image GDA0003372384380000043, not reproduced in the text]
[C# code image GDA0003372384380000051, not reproduced in the text]
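As an added example (not the patent's C# code, which survives on this page only as images), the following Python script implements steps S21 to S24: it splits each address into P1..P4, computes the conversion value N with the formula of step S23 using exact rational arithmetic, expands address segments to (Nmin, Nmax), and walks every pair of policy addresses to raise the alarm. Assumed, and not from the patent: the address string forms, the CIDR extension, the sample policies, and the use of a closed-interval intersection test for the segment-vs-segment case, whose formula images are not reproduced on the page (the test agrees with the two rules the text does state).

```python
"""Added example, not the patent's own C# code: IPv4-to-number conversion and
pairwise overlap alarm following steps S21 to S24 of the method.

Assumptions that are not stated in the patent: policy addresses arrive as
strings in the forms "10.0.1.5" (single address) or "10.0.1.0-10.0.1.255"
(address segment as min-max); CIDR notation such as "10.0.2.0/24" is an added
generalisation and is expanded to its min-max pair.  The two segment-vs-segment
alarm conditions survive on the page only as formula images, so this code uses
the standard closed-interval intersection test, which agrees with the two
stated rules (N1 = N2, and N2min <= N1 <= N2max).
"""
from __future__ import annotations

import ipaddress
from fractions import Fraction


def octets(ip: str) -> list[int]:
    """Step S22: split on '.' and extract P1..P4 as integers (position i = 0..3).

    Each group is one 8-bit value, so the valid range is 0..255 (the patent
    text writes 256, which is off by one)."""
    parts = ip.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 dotted quad: {ip!r}")
    values = [int(p) for p in parts]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {ip!r}")
    return values


def conversion_value(ip: str) -> Fraction:
    """Step S23: N = sum over i of P_i / 256 * 256^(3 - i).

    Exact rational arithmetic keeps the P4/256 term precise.  The result is the
    conventional 32-bit integer of the address divided by 256, so ordering is
    preserved and comparing N values is the same as comparing addresses."""
    return sum(Fraction(p, 256) * 256 ** (3 - i) for i, p in enumerate(octets(ip)))


def to_range(entry: str) -> tuple[Fraction, Fraction]:
    """Step S21: a single address becomes (N, N); a segment "a-b" becomes
    (Nmin, Nmax); CIDR (assumed extension) becomes (N(network), N(broadcast))."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = entry.split("-", 1)
        n_lo, n_hi = conversion_value(lo), conversion_value(hi)
        if n_lo > n_hi:
            raise ValueError(f"address segment is reversed: {entry!r}")
        return n_lo, n_hi
    if "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        return (conversion_value(str(net.network_address)),
                conversion_value(str(net.broadcast_address)))
    n = conversion_value(entry)
    return n, n


def overlaps(a: tuple[Fraction, Fraction], b: tuple[Fraction, Fraction]) -> bool:
    """Step S24 alarm rules.  With single addresses represented as ranges whose
    min equals max, all three cases reduce to one interval-intersection test."""
    (a_lo, a_hi), (b_lo, b_hi) = a, b
    return a_lo <= b_hi and b_lo <= a_hi


def find_alarms(policies: dict[str, str]) -> list[tuple[str, str]]:
    """Traverse every pair of policy addresses and return the policy-ID pairs
    whose converted values overlap (sorted by ID, each pair reported once)."""
    ranges = {pid: to_range(addr) for pid, addr in policies.items()}
    ids = sorted(ranges)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if overlaps(ranges[a], ranges[b])]


# Constructed sample address book keyed by policy ID (not real firewall data).
SAMPLE_POLICIES = {
    "P101": "10.0.1.5",
    "P102": "10.0.1.0-10.0.1.255",
    "P103": "10.0.2.0/24",
    "P104": "10.0.1.5",
    "P105": "172.16.0.0-172.16.255.255",
}

if __name__ == "__main__":
    for pair in find_alarms(SAMPLE_POLICIES):
        print("ALARM: overlapping addresses in policies", *pair)
```

Alarms are reported as policy-ID pairs; on the constructed sample the script flags P101 against P102 and P104 (a single address inside a segment, and a duplicate address) and P102 against P104, while P103 (10.0.2.0/24) is not flagged against P102 because the conversion value of 10.0.1.255 is strictly below that of 10.0.2.0. A practitioner would also reject octet values above 255 at input time, as octets() does, rather than accept the 256 bound the text gives.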
Step S30 is performed as follows: import the firewall log file, split the log fields, and collect and store them in the firewall policy database by field category. The firewall log file is classified by field using a script; the field types comprise numeric, string and date types, and the fields are divided into a date field, an src field, a dst field, a sport field and an smac field.
In step S40, policy configuration information is queried by keyword matching. Those skilled in the art can develop a desktop tool based on C#/WinForms; once the tool is opened on the desktop, firewall information can be queried and displayed conveniently.
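As an added example (not the patent's own script or its C#/WinForms tool), the following Python code carries out steps S30 and S40: it splits each firewall log line into fields, classifies each field as date, string or numeric, stores the typed rows in an SQLite table standing in for the firewall policy database, and answers keyword queries. The log syntax, the sample lines and the field set (date, src, dst, sport, dport, smac, policy_id, action) are constructed for the example; the patent does not show its vendor's log format.

```python
"""Added example, not the patent's own script: steps S30 and S40 in Python.
Each firewall log line is split into fields, each field is classified as a
date, string or numeric value, the typed rows are stored in a table standing
in for the firewall policy database, and the table is queried by keyword.

Assumptions that are not stated in the patent: the log line syntax is a
constructed key=value format (the patent does not show its vendor's format),
the fields are date, src, dst, sport, dport, smac, policy_id and action, and
the database is an in-memory SQLite table.
"""
from __future__ import annotations

import re
import sqlite3
from datetime import datetime

# Step S30 field classification: field name -> (category, converter).
FIELD_TYPES = {
    "date": ("date", lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S").isoformat(sep=" ")),
    "src": ("string", str),
    "dst": ("string", str),
    "sport": ("number", int),
    "dport": ("number", int),
    "smac": ("string", str.lower),  # normalise MAC case so keyword matches are stable
    "policy_id": ("number", int),
    "action": ("string", str),
}
COLUMNS = ("date", "src", "dst", "sport", "dport", "smac", "policy_id", "action")

# key=value pairs; a quoted value may contain spaces (the date field does).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_fields(line: str) -> dict:
    """Split one log line into typed fields.  A value that fails conversion is
    stored as None and the field name is listed under '_parse_errors', so the
    import never aborts on one bad line and the problem stays visible."""
    record: dict = {}
    for key, raw in KV_RE.findall(line):
        raw = raw.strip('"')
        _category, convert = FIELD_TYPES.get(key, ("extra", str))
        try:
            record[key] = convert(raw)
        except ValueError:
            record[key] = None
            record.setdefault("_parse_errors", []).append(key)
    return record


def import_log(lines, conn: sqlite3.Connection) -> int:
    """Import log lines into the fw_log table; returns the number of rows stored.
    The raw line is kept alongside the typed columns for forensic reference."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS fw_log (date TEXT, src TEXT, dst TEXT, "
        "sport INTEGER, dport INTEGER, smac TEXT, policy_id INTEGER, action TEXT, raw TEXT)"
    )
    rows = []
    for line in lines:
        line = line.strip()
        if line:
            rec = split_fields(line)
            rows.append(tuple(rec.get(col) for col in COLUMNS) + (line,))
    conn.executemany(
        f"INSERT INTO fw_log ({', '.join(COLUMNS)}, raw) VALUES ({', '.join('?' * 9)})", rows
    )
    conn.commit()
    return len(rows)


def query_keyword(conn: sqlite3.Connection, keyword: str) -> list[tuple]:
    """Step S40: keyword query across the stored fields.  The keyword is bound
    as a parameter, never interpolated into the SQL text, so free text typed
    into the query tool cannot inject SQL."""
    pattern = f"%{keyword}%"
    cur = conn.execute(
        "SELECT date, src, dst, sport, dport, smac, policy_id, action FROM fw_log "
        "WHERE src LIKE ? OR dst LIKE ? OR smac LIKE ? OR action LIKE ? "
        "OR CAST(policy_id AS TEXT) LIKE ? OR CAST(dport AS TEXT) LIKE ? "
        "ORDER BY date",
        (pattern,) * 6,
    )
    return cur.fetchall()


# Constructed sample log (not real firewall output); the third line carries a
# malformed source port to exercise the error path.
SAMPLE_LOG = """
date="2019-11-15 08:12:03" src=10.0.1.5 dst=192.0.2.10 sport=51234 dport=443 smac=00:11:22:AA:BB:CC policy_id=101 action=permit
date="2019-11-15 08:12:07" src=10.0.1.77 dst=192.0.2.10 sport=51240 dport=23 smac=00:11:22:AA:BB:DD policy_id=105 action=deny
date="2019-11-15 08:12:09" src=10.0.2.9 dst=198.51.100.4 sport=notaport dport=3389 smac=00:11:22:AA:BB:EE policy_id=102 action=permit
"""


def load_sample() -> tuple[sqlite3.Connection, int]:
    """Build the in-memory database from SAMPLE_LOG; returns (connection, row count)."""
    conn = sqlite3.connect(":memory:")
    return conn, import_log(SAMPLE_LOG.splitlines(), conn)


if __name__ == "__main__":
    db, count = load_sample()
    print(f"imported {count} rows")
    for row in query_keyword(db, "192.0.2.10"):
        print(row)
```

The keyword is bound as a query parameter rather than concatenated into the SQL, which matters for a desktop query tool that accepts free text: a keyword such as `' OR 1=1 --` returns no rows instead of the whole table. LIKE treats `%` and `_` as wildcards, so a tool that must match those characters literally needs an ESCAPE clause.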
Through the above steps, the firewall configuration data can be acquired quickly, policy information and policy hit counts are obtained at the same time, the firewall information can be exported completely, and the firewall policy configuration can be detected quickly.
It should be understood that the above embodiments are merely examples given to illustrate the invention clearly and are not intended to limit it. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to list all embodiments exhaustively. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the claims.

Claims (9)

1. A firewall policy detection method, characterised in that it comprises the following steps:
S10. Building a firewall policy database and a firewall log file, analysing how the address book information, policy configuration information and port information of the firewall visual page are recorded and displayed, and establishing a firewall data extraction mode;
S20. Using a crawler tool and the matching function of the firewall policy database of step S10, extracting the IP addresses configured in the policy configuration information, converting each IP address into a specific numerical value or numerical range, and raising an alarm when the specific numerical value or numerical range meets an alarm rule;
S30. Analysing the recording mode of the firewall log file of step S10, analysing and classifying the meaning of the information stored in each field of the firewall log file, and writing the field classification into the firewall policy database;
S40. Storing the firewall policy database on the terminal for displaying and querying policy configuration information;
wherein step S20 is performed as follows:
S21. Extracting the IP address configured in the policy configuration information and judging it: if it is a single IP address, calculating directly; if it is an IP address segment, extracting the minimum value and the maximum value of the segment;
S22. Calculating and extracting the numerical values of the IP address and numbering the values;
S23. Summing and converting the values of step S22 to obtain the IP conversion value;
S24. Traversing all IP addresses, converting each to obtain a conversion value N, comparing the conversion values $N_1$, $N_2$ of any two IP addresses, and raising an alarm if one of the following rules is met: when $N_1$ and $N_2$ are both single addresses, alarm if $N_1 = N_2$; when $N_1$ is a single address and $N_2$ an address segment, alarm if $N_{2\min} \le N_1 \le N_{2\max}$; when $N_1$ and $N_2$ are both address segments, alarm if either
[formula image FDA0003372384370000011, not reproduced in the text]
or
[formula image FDA0003372384370000012, not reproduced in the text]
is satisfied.
2. The firewall policy detection method according to claim 1, characterised in that step S10 is performed as follows: logging in to the firewall at regular intervals using crawler technology to capture firewall data, the firewall data comprising policy ID, hit count, source address name, source address IP, source interface, destination address name, destination address IP and destination port; matching the firewall data against one another, displaying them in one table and exporting them.
3. The firewall policy detection method according to claim 1, characterised in that in step S22, according to the characteristics of IPv4 addresses, each IPv4 address is 4 bytes (32-bit binary) split by ".", expressed as IPv4 = (P1.P2.P3.P4); the four decimal numbers converted from the four 8-bit binary groups are extracted by removing the dots, the extracted values being denoted P1, P2, P3, P4 with 0 ≤ P1, P2, P3, P4 ≤ 256.
4. The firewall policy detection method according to claim 3, characterised in that in step S22, a position number i is set for the four values P1, P2, P3, P4 computed in the first step, respectively: i(P1) = 0, i(P2) = 1, i(P3) = 2, i(P4) = 3.
5. The firewall policy detection method according to claim 4, characterised in that in step S23, the values are summed and converted to obtain the IP conversion value according to the formula $\sum N = P/256 \times 256^{3-i}$, where N is the conversion value, P the IP address extraction value and i the number of the extraction value.
6. The firewall policy detection method according to any one of claims 1 to 5, characterised in that step S30 is performed as follows: importing the firewall log file, splitting the log fields, and collecting and storing them in the firewall policy database by field category.
7. The firewall policy detection method according to claim 6, characterised in that the firewall log file is classified by field using a script.
8. The firewall policy detection method according to claim 7, characterised in that the field categories include a numeric category, a string category and a date category.
9. The firewall policy detection method according to claim 7, characterised in that in step S40, when querying policy configuration information, the query is performed by matching keywords.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201911121211.XA (CN111049801B) | 2019-11-15 | 2019-11-15 | A Firewall Policy Detection Method

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201911121211.XA (CN111049801B) | 2019-11-15 | 2019-11-15 | A Firewall Policy Detection Method

Publications (2)

Publication Number | Publication Date
CN111049801A | 2020-04-21
CN111049801B | 2022-02-11

Family

ID=70232105

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201911121211.XA (CN111049801B) | A Firewall Policy Detection Method | 2019-11-15 | 2019-11-15 | Active

Country Status (1)

Country Link
CN (1) CN111049801B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN111970275B * | 2020-08-14 | 2022-10-11 | 中国工商银行股份有限公司 | Data processing method, device, computing equipment and medium
CN114780572B * | 2022-03-17 | 2025-11-25 | 深信服科技股份有限公司 | Data query methods, devices, equipment and storage media

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103577307A * | 2013-11-07 | 2014-02-12 | 浙江中烟工业有限责任公司 | Method for automatically extracting and analyzing firewall logs based on XML rule model
CN104270384A * | 2014-10-20 | 2015-01-07 | 山石网科通信技术有限公司 | Firewall policy redundancy detection method and device
CN105721188A * | 2014-12-04 | 2016-06-29 | 北京神州泰岳信息安全技术有限公司 | Firewall policy check method and system
CN110430159A * | 2019-06-20 | 2019-11-08 | 国网辽宁省电力有限公司信息通信分公司 | An early warning method for an excessively large opening range of a platform server firewall policy

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US8370894B2 * | 2006-12-29 | 2013-02-05 | Telecom Italia S.P.A. | Method and system for enforcing security policies in MANETs
US8365272B2 * | 2007-05-30 | 2013-01-29 | Yoggie Security Systems Ltd. | System and method for providing network and computer firewall protection with dynamic address isolation to a device


Also Published As

Publication number Publication date
CN111049801A (en) 2020-04-21

Similar Documents

Publication Publication Date Title
CN110336827B (en) A Fuzzing Test Method for Modbus TCP Protocol Based on Exception Field Location
CN108874927B (en) Intrusion Detection Method Based on Hypergraph and Random Forest
CN105577679A (en) Method for detecting anomaly traffic based on feature selection and density peak clustering
CN108280130A (en) A method of finding sensitive data in text big data
CN107645503A (en) A kind of detection method of the affiliated DGA families of rule-based malice domain name
CN112685738B (en) Malicious confusion script static detection method based on multi-stage voting mechanism
CN107070897B (en) Network log storage method based on multi-attribute hash deduplication in intrusion detection system
CN106375339A (en) Attack Pattern Detection Method Based on Event Sliding Window
CN113422763B (en) Alarm correlation analysis method based on attack scenario construction
CN111400500B (en) LCS-based Chameleon real-time log clustering method
CN111049801B (en) A Firewall Policy Detection Method
CN104573024A (en) Self-adaptive extracting method and system for heterogeneous security log information under complex network system
CN111274218A (en) A method for processing multi-source log data of power information system
CN114386100A (en) Public cloud user sensitive data management method
CN110246033A (en) Credit risk monitoring method, device, equipment and storage medium
CN105824837A (en) A log processing method and device
CN113420802A (en) Alarm data fusion method based on improved spectral clustering
CN109088903A (en) A kind of exception flow of network detection method based on streaming
CN117453646A (en) Kernel log joint compression and query method integrating semantics and deep neural network
CN1223941C (en) Hierarchial invasion detection system based on related characteristic cluster
CN114024701A (en) Domain name detection method, device and communication system
CN115396169A (en) Method and system for TTP-based multi-step attack detection and scene restoration
Harbola et al. Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set
CN110381015A (en) A kind of clustering method based on intruding detection system warning message
CN102521378A (en) Real-time intrusion detection method based on data mining

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant