
CN111935074A - Integrated network security detection method and device - Google Patents


Info

Publication number
CN111935074A
Authority
CN
China
Prior art keywords
alarm
security
network
threat
detection
Legal status
Granted
Application number
CN202010571991.4A
Other languages
Chinese (zh)
Other versions
CN111935074B (en)
Inventor
李洁
沈伟
于晓文
林学峰
崔洁
廖鹏
李唱
高鹏
蒋甜
葛国栋
王建宽
陈亮
张国强
殷博
林永峰
石伟
Current Assignee
State Grid Tianjin Electric Power Co Ltd
Electric Power Research Institute of State Grid Tianjin Electric Power Co Ltd
NARI Information and Communication Technology Co
State Grid Electric Power Research Institute
State Grid Corp of China SGCC
Original Assignee
State Grid Tianjin Electric Power Co Ltd
Electric Power Research Institute of State Grid Tianjin Electric Power Co Ltd
NARI Information and Communication Technology Co
State Grid Electric Power Research Institute
State Grid Corp of China SGCC
Application filed by State Grid Tianjin Electric Power Co Ltd, Electric Power Research Institute of State Grid Tianjin Electric Power Co Ltd, NARI Information and Communication Technology Co, State Grid Electric Power Research Institute, State Grid Corp of China SGCC
Priority to CN202010571991.4A
Publication of CN111935074A
Application granted
Publication of CN111935074B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention discloses an integrated network security detection method and device. The method comprises: using virtualization technology to establish security application virtual containers; collecting the network traffic under inspection, parsing, restoring and separating the network traffic of the different protocol types, and then distributing it to the designated security application virtual containers; the security application virtual containers analyze and inspect the traffic and generate threat analysis logs; the threat analysis logs sent by the different security application virtual containers are correlated and analyzed, and abnormal alarms or threat alarms are produced according to decision rules; according to predefined response rules, the alarm source IP of an abnormal alarm or threat alarm is issued to the corresponding firewall or endpoint detection and response system for coordinated defense. The invention completes the full traffic-based security detection and response process in an integrated manner, improves the accuracy of network security detection, shortens the automated response time and raises the level of network security protection across the board.

Description

An integrated network security detection method and device

Technical field

The invention relates to the technical field of information security, and in particular to an integrated network security detection method and device.

Background

With the rapid development of China's economy and continuous innovation in information technology, government agencies, military-industrial enterprises, key universities and other key national institutions are investing more and more in informatization, which makes them increasingly dependent on the Internet and on information technology, and information supervision at these institutions has become an important means of safeguarding information security and national interests. Network security monitoring equipment has emerged in great numbers to meet this demand. In actual operation, however, problems have been found such as the stacking of security devices, scarce network traffic mirroring resources, excessive volumes of mirrored traffic data, poor coordination between devices and a low degree of automation.

In summary, the traditional approach to building such projects is rather rigid, tends to waste resources and to produce large numbers of false negatives and false positives, and its defensive response is limited and delayed, which hinders the comprehensive detection and timely handling of security incidents.

Summary of the invention

To solve the above problems, the invention provides an integrated network security detection method and device. First, network security devices are turned into engines and containerized; then the network traffic is parsed and restored and distributed on demand to the corresponding security application containers; the security application containers detect attack threats on the basis of the network traffic; the threat analysis logs produced by the different security application containers are then compared and correlated, and alarms are generated according to alarm rules; finally, a coordinated defense policy is generated from the alarm data and issued to the designated response component, which bans or blocks the abnormal or attacking source IP. The method can reduce the false negative rate, the false positive rate and the response time, and automates the entire process of security detection and response.

The technical scheme adopted by the invention is specifically as follows:

In one aspect, the invention provides an integrated network security detection method, comprising:

splitting the security detection functions of network security devices and placing them in separate independent virtual containers to form security application virtual containers;

distributing the collected real-time network traffic to the corresponding security application virtual containers to generate threat analysis logs;

generating alarms according to the threat analysis logs;

sending the alarm source IP of the alarm.

Further, splitting the security detection functions of network security devices and placing them in separate independent virtual containers to form security application virtual containers comprises:

turning the security detection functions provided by the network security devices of the various vendors into applications with interfaces, packaging them into applications each based on a different security detection function; and using virtualization technology to create the same number of virtual containers as packaged applications;

placing the applications with different security detection functions in separate independent virtual containers to form security application virtual containers; the security application virtual containers expose a calling interface to the outside.

Further, distributing the collected real-time network traffic to the corresponding security application virtual containers comprises:

receiving real-time mirrored network traffic;

parsing and restoring the received mirrored network traffic, reassembling fragments, and identifying the protocol type;

distributing the reassembled mirrored network traffic according to protocol type, so that traffic of each protocol type is sent to the corresponding security application virtual container;

performing security analysis and threat detection on the received mirrored network traffic according to preset rules, and generating threat analysis logs.

Further, generating alarms according to the threat analysis logs comprises:

receiving the threat analysis logs sent by the different security application virtual containers;

normalizing and classifying the threat analysis logs;

correlating the classified threat analysis logs according to real-time computation processing rules, and generating abnormal alarms or threat alarms according to alarm rules.

Further, normalizing and classifying the threat analysis logs comprises:

parsing and matching the different types of threat analysis logs, merging them into a single common JSON format, and storing them in an Elasticsearch database.

Further, sending the alarm source IP of the alarm comprises:

receiving abnormal alarm or threat alarm data, and looking up the predefined response rule according to the alarm type;

generating, on the basis of the response rule found, a defense policy containing the response object and the response action parameters;

issuing the defense policy to a firewall or endpoint detection and response system;

the firewall or endpoint detection and response system receives and executes the protection policy, carrying out coordinated defense against the alarm.

In another aspect, the invention provides an integrated network security detection device, comprising:

a virtualized container engine, for splitting the security detection functions of network security devices and placing them in separate independent virtual containers to form security application virtual containers;

a network traffic processing engine, for distributing the collected real-time network traffic to the security application virtual containers to generate threat analysis logs;

a real-time event processing engine, for generating alarms according to the threat analysis logs;

an automated response engine, for sending the alarm source IP of the alarm.

Further, the virtualized container engine is specifically configured to:

turn the security detection functions provided by the network security devices of the various vendors into applications with interfaces, packaging them into applications each based on a different security detection function; and use virtualization technology to create the same number of virtual containers as packaged applications;

place the applications with different security detection functions in separate independent virtual containers to form security application virtual containers; the security application virtual containers expose a calling interface to the outside.

Further, the network traffic processing engine is specifically configured to:

receive real-time mirrored network traffic;

parse and restore the received mirrored network traffic, reassemble fragments, and identify the protocol type;

distribute the reassembled mirrored network traffic according to protocol type, so that traffic of each protocol type is sent to the corresponding security application virtual container;

perform security analysis and threat detection on the received mirrored network traffic according to preset rules, and generate threat analysis logs.

Further, the automated response engine is specifically configured to:

receive abnormal alarm or threat alarm data, and look up the predefined response rule according to the alarm type;

generate, on the basis of the response rule found, a defense policy containing the response object and the response action parameters;

issue the defense policy to a firewall or endpoint detection and response system;

the firewall or endpoint detection and response system receives and executes the protection policy, carrying out coordinated defense against the alarm.

The beneficial effects achieved by the invention are as follows:

By splitting the security detection functions of network security devices, analyzing the threats produced by the various security applications, deciding on abnormal alarms or threat alarms, and banning and blocking the abnormal or attacking source IP, the invention improves the accuracy of threat detection and the degree of automation of response and handling.

Description of the drawings

FIG. 1 is a flow chart of the integrated network security detection method of the invention.

Detailed description

The invention is further described below. The following embodiments are only intended to illustrate the technical scheme of the invention more clearly and do not limit its scope of protection.

Referring to FIG. 1, in one aspect the invention provides an integrated network security detection method, comprising:

Step 1: using virtualization technology, split the security detection functions of traditional network security devices and place them in separate independent virtual containers to form security application virtual containers;

Further, this comprises:

11) turning the security detection functions provided by the network security devices of the various vendors into applications with interfaces, packaging them into applications each based on a different security detection function;

12) using virtualization technology, creating the same number of virtual containers as packaged applications;

13) placing the applications with different security detection functions in separate independent virtual containers to form security application virtual containers;

Further, different security application virtual containers are packaged according to the different security detection functions or according to custom detection rules.

14) the security application virtual containers expose a calling interface to the outside that other functions or applications can call.

Step 2: parse and restore the collected real-time network traffic, identify the protocol type of the traffic, and then, according to the predefined forwarding rules looked up, forward the parsed and identified network traffic to the corresponding security application virtual container for security analysis and detection;

Further, this comprises:

21) using the network traffic collection module, receive the mirrored network traffic that is sent to it;

22) invoking the traffic processing module, parse and restore the received mirrored network traffic, reassemble fragments, and identify the protocol type;

23) the network traffic distribution module looks up the forwarding rules, distributes the processed network traffic according to the forwarding rule for each protocol type, and sends traffic of each protocol type to the corresponding security application virtual container.

In the embodiment of the invention, the predefined forwarding rules specify, for instance, that traffic of the HTTP protocol type is forwarded to the HTTP detection container and FTP protocol traffic to the FTP detection container; all forwarding rules are configured on demand.
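The dispatch step above (identify the protocol of a reassembled flow, then look up the forwarding rule and hand the flow to the matching detection container) is illustrated by the following added example. It is not the patent's code or the applicants' implementation: the flow representation, the `FORWARDING_RULES` table, the container names, the catch-all `generic-detect-container` and the sample flows are all constructed for this example. Protocol identification goes by payload signature first and falls back to the server port, so that HTTP on a non-standard port still reaches the HTTP container, and a flow with no matching rule is sent to a catch-all container rather than silently dropped from inspection.

```python
"""Protocol identification and forwarding of reassembled flows to
per-protocol detection containers (added example, not the patent's code).

Assumptions (not from the patent): a flow is a dict holding the first
reassembled bytes of the conversation and the server port; the container
names and FORWARDING_RULES are constructed for this example.
"""
from collections import Counter

# Constructed forwarding rules: protocol type -> detection container name.
FORWARDING_RULES = {
    "http": "http-detect-container",
    "ftp": "ftp-detect-container",
}
UNKNOWN_CONTAINER = "generic-detect-container"  # assumed catch-all target

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def identify_protocol(payload: bytes, server_port: int) -> str:
    """Classify a reassembled flow by payload signature first, then by port.

    Payload inspection comes first so that a protocol on a non-standard
    port is still routed to the right container; the port is only a
    fallback for flows whose payload is empty or unrecognised.
    """
    head = payload[:16]
    if head.startswith(HTTP_METHODS) and b"HTTP/" in payload[:256]:
        return "http"
    # FTP control channel: the server greets with a 220 reply, the client sends USER.
    if head.startswith((b"220 ", b"220-", b"USER ")):
        return "ftp"
    if server_port == 80:
        return "http"
    if server_port == 21:
        return "ftp"
    return "unknown"


def dispatch(flows, rules=FORWARDING_RULES):
    """Return (routing, counts): the container each flow is sent to, plus
    per-container counts. Flows with no matching rule go to the catch-all
    container so that nothing disappears from inspection unnoticed."""
    routing = []
    counts = Counter()
    for flow in flows:
        proto = identify_protocol(flow["payload"], flow["dst_port"])
        target = rules.get(proto, UNKNOWN_CONTAINER)
        routing.append({"flow_id": flow["id"], "protocol": proto, "container": target})
        counts[target] += 1
    return routing, counts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    {"id": 1, "dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"id": 2, "dst_port": 8081, "payload": b"POST /api HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"id": 3, "dst_port": 21, "payload": b"220 (constructed ftp banner)\r\n"},
    {"id": 4, "dst_port": 21, "payload": b""},            # empty payload: port fallback
    {"id": 5, "dst_port": 5555, "payload": b"\x00\x01\x02\x03"},  # unknown binary protocol
]

if __name__ == "__main__":
    routing, counts = dispatch(SAMPLE_FLOWS)
    for entry in routing:
        print(entry)
    print(dict(counts))
```

The per-container counts are worth exporting as metrics in a real deployment: a sudden rise in flows landing in the catch-all container is the first sign that a forwarding rule is missing or that a protocol has moved to a port the rules do not cover.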

Step 3: after a security application virtual container receives the network traffic data designated for it, it performs security analysis and threat detection according to its preset rules and functions and produces threat analysis logs;

Step 4: correlate and analyze the threat analysis logs sent by the different security application virtual containers according to the security analysis and rules, and produce abnormal alarms or threat alarms according to decision rules;

Further, this comprises:

41) receiving the threat analysis logs sent by the security application virtual containers, and loading the real-time computation processing rule statements, for example Flink CEP rules;

42) normalizing and classifying the threat analysis logs;

Further, normalizing and classifying means that the different types of threat analysis logs are parsed, matched and merged into a single common JSON format and stored in an Elasticsearch database.

43) correlating, analyzing and computing over the classified threat analysis logs according to the real-time computation processing rules, and generating abnormal alarms or threat alarms according to the decision rules.

Correlation refers to extension according to the data actually ingested and the type of detection,

for example: 1. different devices producing the same high-risk alarm with the same source and the same destination;

2. high-risk alarms with the same source and destination occurring in a time sequence within a given time window;

3. after computation, making the final judgement on the attack behaviour and on the related preceding and subsequent actions.

Further, decision rules are the rules that produce alarms, for example: within a given time window, two or more different devices discover high-risk data with the same source and the same destination; the program correlates and matches the data according to this rule, and an alarm is generated for data that matches the rule.
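The following added example covers step 42 (normalizing heterogeneous threat logs into one JSON schema) and step 43 together with the decision rule just stated (two or more distinct devices reporting a high-risk event with the same source and destination inside one time window). It is not the patent's code: the two raw log formats, the device names, the common schema fields, the window length and the sample log lines are constructed for this example, and a plain Python sliding window stands in for the Flink CEP rules the patent names; Elasticsearch storage is left out.

```python
"""Normalisation of heterogeneous threat logs into one JSON schema and
time-window correlation (added example; not the patent's code).

Assumptions (constructed for this example): one key=value line format
from an "ids" container and one JSON line format from a "waf" container;
the common schema fields; WINDOW_SECONDS and MIN_DEVICES as the decision
rule parameters; the severity vocabulary.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300   # decision-rule window, assumed value
MIN_DEVICES = 2        # "two or more different devices"
HIGH_SEVERITIES = {"high", "critical"}


def normalise(raw: str, device: str) -> dict:
    """Parse one raw log line into the common schema.

    The two raw formats are constructed for this example; a real
    deployment adds one parser per container or vendor format.
    """
    if raw.lstrip().startswith("{"):
        rec = json.loads(raw)
        ts, src, dst = rec["timestamp"], rec["client_ip"], rec["server_ip"]
        sev, sig = rec["severity"].lower(), rec["rule"]
    else:
        kv = dict(part.split("=", 1) for part in raw.split())
        ts, src, dst = kv["ts"], kv["src"], kv["dst"]
        sev, sig = kv["sev"].lower(), kv["sig"]
    # Timestamps are stored as aware UTC ISO strings so they sort correctly.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"device": device, "ts": when.isoformat(), "src_ip": src,
            "dst_ip": dst, "severity": sev, "signature": sig}


def correlate(events, window=WINDOW_SECONDS, min_devices=MIN_DEVICES):
    """Decision rule: within `window` seconds, high-risk events with the
    same (src_ip, dst_ip) from at least `min_devices` distinct devices
    raise one threat alarm keyed on the source IP.

    Events are processed in time order; one sliding window per
    (src, dst) pair keeps only recent events, which bounds memory on a
    live stream. The window is cleared once it alarms so a single burst
    does not alarm again on every further event.
    """
    buckets = defaultdict(list)
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["severity"] not in HIGH_SEVERITIES:
            continue
        key = (ev["src_ip"], ev["dst_ip"])
        now = datetime.fromisoformat(ev["ts"])
        recent = [e for e in buckets[key]
                  if (now - datetime.fromisoformat(e["ts"])).total_seconds() <= window]
        recent.append(ev)
        buckets[key] = recent
        devices = {e["device"] for e in recent}
        if len(devices) >= min_devices:
            alarms.append({"type": "threat", "src_ip": ev["src_ip"], "dst_ip": ev["dst_ip"],
                           "devices": sorted(devices),
                           "signatures": sorted({e["signature"] for e in recent}),
                           "last_seen": ev["ts"]})
            buckets[key] = []
    return alarms


# Constructed sample logs (device name, raw line); not real sensor output.
RAW_LOGS = [
    ("ids", "ts=2024-03-01T10:00:05Z src=203.0.113.7 dst=198.51.100.20 sev=HIGH sig=sql-injection-attempt"),
    ("waf", '{"timestamp": "2024-03-01T10:02:10Z", "client_ip": "203.0.113.7", '
            '"server_ip": "198.51.100.20", "severity": "High", "rule": "sqli-union-select"}'),
    ("ids", "ts=2024-03-01T10:03:00Z src=203.0.113.9 dst=198.51.100.20 sev=LOW sig=port-scan"),
    # Same device reporting twice is not two devices: no alarm below.
    ("ids", "ts=2024-03-01T10:30:00Z src=203.0.113.9 dst=198.51.100.21 sev=HIGH sig=exploit-attempt"),
    ("ids", "ts=2024-03-01T10:31:00Z src=203.0.113.9 dst=198.51.100.21 sev=HIGH sig=exploit-attempt"),
]


def run_sample():
    """Normalise the sample lines and apply the decision rule."""
    events = [normalise(raw, dev) for dev, raw in RAW_LOGS]
    return events, correlate(events)


if __name__ == "__main__":
    events, alarms = run_sample()
    for alarm in alarms:
        print(json.dumps(alarm))
```

The `devices` set is what turns two single-sensor detections into corroboration: one sensor firing repeatedly on the same pair is counted once, so a noisy signature on one device cannot by itself satisfy a rule meant to require agreement between independent detectors.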

Step 5: according to the predefined response rules, issue the alarm source IP of the abnormal alarm or threat alarm to the corresponding firewall or endpoint detection and response system for banning or blocking, completing the coordinated defense against the alarm;

Further, this comprises:

51) receiving abnormal alarm or threat alarm data;

52) looking up the predefined response rule according to the alarm type;

53) generating, on the basis of the response rule found, a defense policy containing parameters such as the response object and the response action;

54) issuing the defense policy to the firewall or endpoint detection and response system;

55) the firewall or endpoint detection and response system receives and executes the protection policy, achieving coordinated defense against the alarm.
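Steps 51 to 55 as one added example, not the patent's or the applicants' code: an alarm is matched to a response rule by type, turned into a defense policy carrying the response object and the action parameters, and delivered to a stand-in enforcement point. The `RESPONSE_RULES` table, the policy field names, the in-memory `EnforcementPoint` class and the `PROTECTED_SOURCES` allowlist are all assumptions made for this example; the allowlist is the safeguard a practitioner would want in front of any automatic block, since a bad rule or a spoofed source address would otherwise let the responder cut off its own infrastructure.

```python
"""Mapping an alarm to a defense policy for a firewall or EDR system
(added example; not the patent's code).

Assumptions: RESPONSE_RULES, the policy field names, PROTECTED_SOURCES and
the EnforcementPoint stand-in are constructed for this example. Delivery
to the real firewall or EDR is simulated in memory.
"""
import ipaddress

# Constructed response rules: alarm type -> response object, action, parameters.
RESPONSE_RULES = {
    "threat": {"target": "firewall", "action": "block_src", "duration_s": 3600},
    "abnormal": {"target": "edr", "action": "isolate_host", "duration_s": 600},
}

# Assumed safeguard: sources that must never be auto-blocked, e.g. the
# monitoring and management networks themselves. Alarms on these go to
# manual review instead of automatic enforcement.
PROTECTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]


class PolicyError(ValueError):
    """Raised when no safe policy can be produced for an alarm."""


def build_policy(alarm: dict, rules=RESPONSE_RULES, protected=PROTECTED_SOURCES) -> dict:
    """Look up the response rule by alarm type and produce a defense policy
    containing the response object and the response action parameters."""
    rule = rules.get(alarm["type"])
    if rule is None:
        raise PolicyError(f"no response rule for alarm type {alarm['type']!r}")
    try:
        src = ipaddress.ip_address(alarm["src_ip"])  # rejects malformed input
    except ValueError as exc:
        raise PolicyError(f"invalid source address {alarm['src_ip']!r}") from exc
    if any(src in net for net in protected):
        raise PolicyError(f"{src} is in a protected range; manual review required")
    return {
        "target": rule["target"],
        "action": rule["action"],
        "params": {"src_ip": str(src), "duration_s": rule["duration_s"],
                   "reason": alarm.get("signatures", [])},
    }


class EnforcementPoint:
    """Stand-in for the firewall or EDR that receives and executes policies."""

    def __init__(self, name: str):
        self.name = name
        self.applied = []

    def execute(self, policy: dict) -> bool:
        if policy["target"] != self.name:
            raise PolicyError(f"policy for {policy['target']} sent to {self.name}")
        self.applied.append(policy)
        return True


def respond(alarms, enforcement_points):
    """Build a policy for each alarm and deliver it to the matching
    enforcement point. Returns (applied, rejected) so that alarms that were
    not enforced stay visible to the operator instead of vanishing."""
    applied, rejected = [], []
    for alarm in alarms:
        try:
            policy = build_policy(alarm)
            enforcement_points[policy["target"]].execute(policy)
            applied.append(policy)
        except PolicyError as exc:
            rejected.append({"alarm": alarm, "reason": str(exc)})
    return applied, rejected


# Constructed sample alarms, not output of a real detector.
SAMPLE_ALARMS = [
    {"type": "threat", "src_ip": "203.0.113.7", "signatures": ["sql-injection-attempt"]},
    {"type": "abnormal", "src_ip": "10.20.30.40"},  # inside the protected range
    {"type": "info", "src_ip": "203.0.113.8"},      # no response rule defined
    {"type": "threat", "src_ip": "not-an-ip"},      # malformed source field
]


def run_sample():
    points = {"firewall": EnforcementPoint("firewall"), "edr": EnforcementPoint("edr")}
    applied, rejected = respond(SAMPLE_ALARMS, points)
    return applied, rejected, points


if __name__ == "__main__":
    applied, rejected, _ = run_sample()
    print("applied:", applied)
    print("rejected:", rejected)
```

Keeping the rejected list is as important as the applied one: an alarm that the responder refuses to enforce is exactly the case an analyst needs to see, and a deny that fails silently would look identical to a block that succeeded.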

In another aspect, the invention further provides an integrated network security detection device, comprising:

a virtualized container engine, for splitting the security detection functions of network security devices and placing them in separate independent virtual containers to form security application virtual containers;

a network traffic processing engine, for distributing the collected real-time network traffic to the security application virtual containers to generate threat analysis logs;

a real-time event processing engine, for generating abnormal alarms or threat alarms according to the threat analysis logs;

an automated response engine, for issuing the alarm source IP of an abnormal alarm or threat alarm to the corresponding firewall or endpoint detection and response system for coordinated defense.

Further, the virtualized container engine is specifically configured to:

turn the security detection functions provided by the network security devices of the various vendors into applications with interfaces, packaging them into applications each based on a different security detection function; and use virtualization technology to create the same number of virtual containers as packaged applications;

place the applications with different security detection functions in separate independent virtual containers to form security application virtual containers; the security application virtual containers expose a calling interface to the outside.

Further, the network traffic processing engine is specifically configured to:

receive real-time mirrored network traffic;

parse and restore the received mirrored network traffic, reassemble fragments, and identify the protocol type;

distribute the reassembled mirrored network traffic according to protocol type, so that traffic of each protocol type is sent to the corresponding security application virtual container;

perform security analysis and threat detection on the received mirrored network traffic according to preset rules, and generate threat analysis logs.

Further, the automated response engine is specifically configured to:

receive abnormal alarm or threat alarm data, and look up the predefined response rule according to the alarm type;

generate, on the basis of the response rule found, a defense policy containing the response object and the response action parameters;

issue the defense policy to a firewall or endpoint detection and response system;

the firewall or endpoint detection and response system receives and executes the protection policy, carrying out coordinated defense against the alarm.

The invention uses an out-of-band (bypass) deployment for network access, performing security detection on the network without affecting normal business traffic. Once a network security threat or attack is discovered, the corresponding measures are taken automatically. The invention adopts the idea of an adaptive security architecture, monitoring the operation of the network, reducing human intervention and improving defensive efficiency.

It should be pointed out that this device embodiment corresponds to the method embodiment above; the implementations of the method embodiment all apply to the device embodiment and achieve the same or similar technical effects, so they are not repeated here.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.

The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical scheme of the invention and not to limit it. Although the invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to the specific embodiments of the invention, and any modification or equivalent substitution that does not depart from the spirit and scope of the invention shall fall within the scope of protection of the claims of the invention.

Claims (10)

1. An integrated network security detection method, characterized by comprising the following steps:
splitting the security detection functions of network security devices and placing each split security detection function in its own independent virtual container to form security application virtual containers;
distributing the collected real-time network traffic to the corresponding security application virtual containers to generate threat analysis logs;
generating an alarm according to the threat analysis logs;
and sending the alarm source IP of the alarm.
2. The integrated network security detection method according to claim 1, wherein splitting the security detection functions of the network security devices and placing each split security detection function in its own independent virtual container to form security application virtual containers comprises:
converting the security detection functions provided by each vendor's network security devices into applications with interfaces, packaging them as applications according to their different security detection functions, and creating, using virtualization technology, the same number of virtual containers as packaged applications;
placing the applications with different security detection functions into their own independent virtual containers to form security application virtual containers, each of which provides a call interface to the outside.
3. The integrated network security detection method according to claim 1, wherein distributing the collected real-time network traffic to the corresponding security application virtual containers to generate threat analysis logs comprises:
receiving real-time mirrored network traffic;
parsing and restoring the received mirrored traffic, reassembling its fragments, and identifying its protocol type;
distributing the reassembled mirrored traffic according to protocol type, so that traffic of each protocol type is sent to the corresponding security application virtual container;
and performing security analysis and threat detection on the received mirrored traffic according to preset rules to generate threat analysis logs.
4. The integrated network security detection method according to claim 1, wherein generating an alarm according to the threat analysis logs comprises:
receiving the threat analysis logs sent by the different security application virtual containers;
normalizing and classifying the threat analysis logs;
and correlating the classified threat analysis logs according to real-time computation processing rules, and generating an anomaly alarm or a threat alarm according to alarm rules.
5. The integrated network security detection method according to claim 4, wherein normalizing and classifying the threat analysis logs comprises:
parsing and matching the threat analysis logs of different types, merging them into a single JSON format, and storing them in an Elasticsearch database.
6. The integrated network security detection method according to claim 1, wherein sending the alarm source IP of the alarm comprises:
receiving anomaly alarm or threat alarm data, and querying a predefined response rule according to the alarm type;
generating a defense policy containing the response object and response action parameters based on the queried response rule;
issuing the defense policy to a firewall or an endpoint detection and response system;
and the firewall or endpoint detection and response system receiving and executing the defense policy to perform coordinated defense against the alarm.
7. An integrated network security detection device, comprising:
a virtualization container engine, configured to split the security detection functions of network security devices and place each split security detection function in its own independent virtual container to form security application virtual containers;
a network traffic processing engine, configured to distribute the collected real-time network traffic to the security application virtual containers to generate threat analysis logs;
a real-time event processing engine, configured to generate an alarm according to the threat analysis logs;
and an automated response engine, configured to send the alarm source IP of the alarm.
8. The integrated network security detection device according to claim 7, wherein the virtualization container engine is specifically configured to:
convert the security detection functions provided by each vendor's network security devices into applications with interfaces, package them as applications according to their different security detection functions, and create, using virtualization technology, the same number of virtual containers as packaged applications;
place the applications with different security detection functions into their own independent virtual containers to form security application virtual containers, each of which provides a call interface to the outside.
9. The integrated network security detection device according to claim 7, wherein the network traffic processing engine is specifically configured to:
receive real-time mirrored network traffic;
parse and restore the received mirrored traffic, reassemble its fragments, and identify its protocol type;
distribute the reassembled mirrored traffic according to protocol type, so that traffic of each protocol type is sent to the corresponding security application virtual container;
and perform security analysis and threat detection on the received mirrored traffic according to preset rules to generate threat analysis logs.
10. The integrated network security detection device according to claim 7, wherein the automated response engine is specifically configured to:
receive anomaly alarm or threat alarm data, and query a predefined response rule according to the alarm type;
generate a defense policy containing the response object and response action parameters based on the queried response rule;
issue the defense policy to a firewall or an endpoint detection and response system;
so that the firewall or endpoint detection and response system receives and executes the defense policy and performs coordinated defense against the alarm.
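The following Python program is an added example written for this page; it is not code from the patent or its applicants. It walks the claimed pipeline end to end on constructed input: protocol identification and dispatch to a per-protocol "container" (claims 3 and 9), normalization of two vendor log layouts into one JSON schema that could be indexed into Elasticsearch (claims 4 and 5), correlation into an anomaly or threat alarm (claim 4), and lookup of a response rule by alarm type to build a defense policy carrying the response object and action parameters (claims 6 and 10). The container handlers, detection signatures, field names, alarm threshold, response actions and sample flows are all assumptions made for the example.

```python
"""Miniature version of the claimed detection pipeline (added example, not the patent's code).

Assumptions: the two "containers" are plain functions standing in for the call interface
of a security application virtual container; signatures, log field names, alarm thresholds
and response actions are constructed for illustration.
"""
import json
from collections import defaultdict

# --- Claims 3/9: identify the protocol and hand the flow to the container hosting the
# matching detection function. Each handler returns a raw, vendor-specific threat log
# (deliberately a different schema per vendor, so normalization has work to do).

def http_container(flow):
    # Constructed WAF-style rule: a request carrying a UNION SELECT sequence.
    if "UNION SELECT" in flow["payload"].upper():
        return {"vendor": "waf-x", "event": "sqli", "src": flow["src"],
                "dst": flow["dst"], "sev": "high"}
    return None

def dns_container(flow):
    # Constructed DNS-analysis rule: an oversized query name hints at tunnelling.
    if len(flow["payload"]) > 40:
        return {"product": "dnsguard", "type": "dns_tunnel", "source_ip": flow["src"],
                "target": flow["dst"], "severity": 2}
    return None

CONTAINERS = {"http": http_container, "dns": dns_container}

def identify_protocol(flow):
    """Toy protocol identification: destination port first, then payload prefix."""
    if flow["dport"] == 53:
        return "dns"
    if flow["payload"].split(" ", 1)[0] in ("GET", "POST", "PUT", "DELETE"):
        return "http"
    return "unknown"

def dispatch(flows):
    """Route every (already reassembled) flow to the container for its protocol."""
    logs = []
    for flow in flows:
        handler = CONTAINERS.get(identify_protocol(flow))
        if handler is None:
            continue  # no container for this protocol type: nothing to analyse
        log = handler(flow)
        if log is not None:
            logs.append(log)
    return logs

# --- Claims 4/5: normalize heterogeneous logs into one schema and classify them.

SEVERITY_WORDS = {"high": 3, "medium": 2, "low": 1}

def normalize(raw):
    """Map each vendor layout onto the common schema used downstream."""
    if "vendor" in raw:  # waf-x layout
        doc = {"src_ip": raw["src"], "dst_ip": raw["dst"], "category": raw["event"],
               "severity": SEVERITY_WORDS[raw["sev"]], "source": raw["vendor"]}
    else:                # dnsguard layout
        doc = {"src_ip": raw["source_ip"], "dst_ip": raw["target"], "category": raw["type"],
               "severity": raw["severity"], "source": raw["product"]}
    doc["class"] = "threat" if doc["severity"] >= 3 else "anomaly"
    return doc

def to_es_document(doc):
    """The JSON body that would be indexed into Elasticsearch (not sent anywhere here)."""
    return json.dumps(doc, sort_keys=True)

# --- Claim 4: correlate classified logs per source IP and raise an alarm by rule.

def correlate(docs, min_categories=2):
    """Alarm rule (assumption): a source IP with any threat-class log, or with logs in at
    least min_categories distinct categories, gets a threat alarm; any other source IP
    that produced logs gets an anomaly alarm."""
    by_src = defaultdict(list)
    for d in docs:
        by_src[d["src_ip"]].append(d)
    alarms = []
    for src, items in by_src.items():
        cats = sorted({i["category"] for i in items})
        is_threat = any(i["class"] == "threat" for i in items) or len(cats) >= min_categories
        alarms.append({"alarm_type": "threat" if is_threat else "anomaly",
                       "src_ip": src, "categories": cats, "log_count": len(items)})
    return alarms

# --- Claims 6/10: look up the response rule by alarm type and build the defense policy.

RESPONSE_RULES = {  # constructed; a real deployment would load these from configuration
    "threat":  {"target": "firewall", "action": "block_src", "params": {"duration_s": 3600}},
    "anomaly": {"target": "edr", "action": "watch_host", "params": {"duration_s": 600}},
}

def build_defense_policy(alarm):
    """Response object is the alarm source IP; action and parameters come from the rule."""
    rule = RESPONSE_RULES[alarm["alarm_type"]]
    return {"target_system": rule["target"], "response_object": alarm["src_ip"],
            "action": rule["action"], "params": dict(rule["params"]),
            "reason": alarm["categories"]}

def run_pipeline(flows):
    """Mirrored flows -> containers -> normalized logs -> alarms -> defense policies."""
    docs = [normalize(raw) for raw in dispatch(flows)]
    return [build_defense_policy(a) for a in correlate(docs)]

# Constructed sample of mirrored flows (fragment reassembly assumed already done).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "dport": 80,
     "payload": "GET /items?id=1 UNION SELECT 1,2 HTTP/1.1"},
    {"src": "10.0.0.9", "dst": "10.0.1.53", "dport": 53, "payload": "x" * 48 + ".example.test"},
    {"src": "10.0.0.9", "dst": "10.0.1.53", "dport": 53, "payload": "short.example.test"},
    {"src": "10.0.0.7", "dst": "10.0.1.22", "dport": 22, "payload": "SSH-2.0-client"},
]

if __name__ == "__main__":
    for policy in run_pipeline(SAMPLE_FLOWS):
        print(json.dumps(policy))
```

On the sample input the SSH flow has no container and is passed through unanalysed, the short DNS query produces no log, the SQL-injection hit becomes a threat alarm routed to the firewall rule, and the long DNS query becomes an anomaly alarm routed to the endpoint rule. The separation between `correlate` (alarm rules) and `RESPONSE_RULES` (response rules keyed by alarm type) mirrors the split between the real-time event processing engine and the automated response engine in claims 7 and 10.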
CN202010571991.4A 2020-06-22 2020-06-22 An integrated network security detection method and device Active CN111935074B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010571991.4A CN111935074B (en) 2020-06-22 2020-06-22 An integrated network security detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010571991.4A CN111935074B (en) 2020-06-22 2020-06-22 An integrated network security detection method and device

Publications (2)

Publication Number Publication Date
CN111935074A true CN111935074A (en) 2020-11-13
CN111935074B CN111935074B (en) 2023-09-05

Family

ID=73316446

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010571991.4A Active CN111935074B (en) 2020-06-22 2020-06-22 An integrated network security detection method and device

Country Status (1)

Country Link
CN (1) CN111935074B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259176A (en) * 2021-06-11 2021-08-13 长扬科技(北京)有限公司 Alarm event analysis method and device
CN113596048A (en) * 2021-08-04 2021-11-02 荆亮 Method and device for maintaining network by firewall
CN113596028A (en) * 2021-07-29 2021-11-02 南京南瑞信息通信科技有限公司 Method and device for handling network abnormal behaviors
CN114070608A (en) * 2021-11-12 2022-02-18 北京天融信网络安全技术有限公司 Asset optimization method and device based on flow analysis
CN114465871A (en) * 2021-12-20 2022-05-10 中盈优创资讯科技有限公司 5G alarm processing system mirroring distributed cloud-up implementation method and device
CN115694880A (en) * 2022-09-06 2023-02-03 中电云数智科技有限公司 AI detection self-adaption method and system based on cloud protogenesis
CN115766079A (en) * 2022-10-10 2023-03-07 北京明朝万达科技股份有限公司 Flow data processing method and device, electronic equipment and readable storage medium
CN115913738A (en) * 2022-11-30 2023-04-04 广西电网有限责任公司 Network security incident handling system, method, electronic equipment and storage medium
CN115967530A (en) * 2022-11-18 2023-04-14 杭州安恒信息技术股份有限公司 Network security response method, device, equipment and storage medium
CN116032568A (en) * 2022-12-15 2023-04-28 贵州电网有限责任公司遵义供电局 Method for detecting device blocking result according to front and back stream fraction data of network security defense device
CN116366327A (en) * 2023-03-27 2023-06-30 中国华能集团有限公司北京招标分公司 Network traffic restoration and monitoring method
CN117040829A (en) * 2023-08-07 2023-11-10 中通服咨询设计研究院有限公司 Container threat monitoring system and method based on complex event processing
CN118869321A (en) * 2024-08-05 2024-10-29 中国人民解放军61660部队 A heterogeneous network traffic analysis engine integration system
CN119094241A (en) * 2024-10-24 2024-12-06 南京中新赛克科技有限责任公司 Domestic Industrial Internet Security Hardware Device
CN119728127A (en) * 2023-09-26 2025-03-28 奇安信科技集团股份有限公司 Threat detection method, system, storage medium and cloud platform for container cluster
CN120378225A (en) * 2025-06-25 2025-07-25 浙江无界矩阵科技有限责任公司 Security protection method and system based on container technology and readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060129810A1 (en) * 2004-12-14 2006-06-15 Electronics And Telecommunications Research Institute Method and apparatus for evaluating security of subscriber network
CN105871787A (en) * 2015-01-22 2016-08-17 中国移动通信集团公司 Intrusion prevention method applied to cloud virtual network, device, network device and system
US20180026995A1 (en) * 2016-07-20 2018-01-25 Webroot Inc. Dynamic sensors
US20190372937A1 (en) * 2018-05-31 2019-12-05 Symantec Corporation Systems and methods for split network tunneling based on traffic inspection
CN110572364A (en) * 2019-08-06 2019-12-13 苏州浪潮智能科技有限公司 A method for realizing threat warning in virtualized environment
CN110661795A (en) * 2019-09-20 2020-01-07 哈尔滨安天科技集团股份有限公司 Vector-level threat information automatic production and distribution system and method

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259176B (en) * 2021-06-11 2021-10-08 长扬科技(北京)有限公司 Alarm event analysis method and device
CN113259176A (en) * 2021-06-11 2021-08-13 长扬科技(北京)有限公司 Alarm event analysis method and device
CN113596028B (en) * 2021-07-29 2023-06-30 南京南瑞信息通信科技有限公司 Method and device for handling network abnormal behaviors
CN113596028A (en) * 2021-07-29 2021-11-02 南京南瑞信息通信科技有限公司 Method and device for handling network abnormal behaviors
CN113596048A (en) * 2021-08-04 2021-11-02 荆亮 Method and device for maintaining network by firewall
CN114070608A (en) * 2021-11-12 2022-02-18 北京天融信网络安全技术有限公司 Asset optimization method and device based on flow analysis
CN114465871A (en) * 2021-12-20 2022-05-10 中盈优创资讯科技有限公司 5G alarm processing system mirroring distributed cloud-up implementation method and device
CN115694880A (en) * 2022-09-06 2023-02-03 中电云数智科技有限公司 AI detection self-adaption method and system based on cloud protogenesis
CN115766079A (en) * 2022-10-10 2023-03-07 北京明朝万达科技股份有限公司 Flow data processing method and device, electronic equipment and readable storage medium
CN115766079B (en) * 2022-10-10 2023-12-05 北京明朝万达科技股份有限公司 Traffic data processing method and device, electronic equipment and readable storage medium
CN115967530A (en) * 2022-11-18 2023-04-14 杭州安恒信息技术股份有限公司 Network security response method, device, equipment and storage medium
CN115913738A (en) * 2022-11-30 2023-04-04 广西电网有限责任公司 Network security incident handling system, method, electronic equipment and storage medium
CN116032568A (en) * 2022-12-15 2023-04-28 贵州电网有限责任公司遵义供电局 Method for detecting device blocking result according to front and back stream fraction data of network security defense device
CN116366327A (en) * 2023-03-27 2023-06-30 中国华能集团有限公司北京招标分公司 Network traffic restoration and monitoring method
CN117040829A (en) * 2023-08-07 2023-11-10 中通服咨询设计研究院有限公司 Container threat monitoring system and method based on complex event processing
CN117040829B (en) * 2023-08-07 2025-07-25 中通服咨询设计研究院有限公司 Container threat monitoring system and method based on complex event processing
CN119728127A (en) * 2023-09-26 2025-03-28 奇安信科技集团股份有限公司 Threat detection method, system, storage medium and cloud platform for container cluster
CN119728127B (en) * 2023-09-26 2025-11-28 奇安信科技集团股份有限公司 Threat detection method and system for container cluster, storage medium and cloud platform
CN118869321A (en) * 2024-08-05 2024-10-29 中国人民解放军61660部队 A heterogeneous network traffic analysis engine integration system
CN119094241A (en) * 2024-10-24 2024-12-06 南京中新赛克科技有限责任公司 Domestic Industrial Internet Security Hardware Device
CN119094241B (en) * 2024-10-24 2025-04-22 南京中新赛克科技有限责任公司 Domestic industrial internet safety hardware device
CN120378225A (en) * 2025-06-25 2025-07-25 浙江无界矩阵科技有限责任公司 Security protection method and system based on container technology and readable storage medium

Also Published As

Publication number Publication date
CN111935074B (en) 2023-09-05

Similar Documents

Publication Publication Date Title
CN111935074B (en) An integrated network security detection method and device
CN110535855B (en) Network event monitoring and analyzing method and system and information data processing terminal
CN104811452A (en) Data mining based intrusion detection system with self-learning and classified early warning functions
US9961047B2 (en) Network security management
CN112887268B (en) Network security guarantee method and system based on comprehensive detection and identification
CN107302534A (en) A kind of DDoS network attack detecting methods and device based on big data platform
CN113381980B (en) Information security defense method and system, electronic device and storage medium
Landress A hybrid approach to reducing the false positive rate in unsupervised machine learning intrusion detection
CN115801458B (en) Real-time attack scene reconstruction method, system and equipment aiming at multi-step attack
CN111786986B (en) Numerical control system network intrusion prevention system and method
CN112910728A (en) Data security monitoring method and device
CN113904829B (en) Application firewall system based on machine learning
Tang et al. PeakSAX: Real-time monitoring and mitigation system for LDoS attack in SDN
CN113645233A (en) Wind control intelligent decision method and device for flow data, electronic equipment and medium
CN105069158A (en) Data mining method and system
Liu et al. A framework for database auditing
CN115208690A (en) Screening processing system based on data classification and classification
CN112437070B (en) Operation-based spanning tree state machine integrity verification calculation method and system
CN112995111B (en) Block chain-based Internet of things security detection method, equipment, system and medium
Revathi et al. Detecting denial of service attack using principal component analysis with random forest classifier
CN108833383A (en) Linkage defense system based on deep learning and agent
CN116506216B (en) Lightweight malicious flow detection and evidence-storage method, device, equipment and medium
CN112769847A (en) Safety protection method, device, equipment and storage medium for Internet of things equipment
Saiyed et al. An Intelligent Intent-Aware System for DDoS Attacks Detection and Mitigation in IoT Networks
CN116032534A (en) Network Security Processing System Based on Cooperative Intrusion Detection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant