CN112311815A - Monitoring, auditing and anti-cheating method and system under training competition - Google Patents
Monitoring, auditing and anti-cheating method and system under training competition Download PDFInfo
- Publication number
- CN112311815A CN112311815A CN202011612679.1A CN202011612679A CN112311815A CN 112311815 A CN112311815 A CN 112311815A CN 202011612679 A CN202011612679 A CN 202011612679A CN 112311815 A CN112311815 A CN 112311815A
- Authority
- CN
- China
- Prior art keywords
- data
- host
- flow
- result
- acquiring
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a monitoring auditing anti-cheating method and system under training competition, belongs to the technical field of network security, and can solve the problems of higher complexity of overall competition monitoring deployment and higher operation and maintenance deployment difficulty in the conventional computer competition system. The method comprises the following steps: acquiring result data submitted by an attacker from a host, and judging whether the result data is correct or not; acquiring operation behavior data of an attacker on a host and flow data of the host and a switch port, and judging whether the operation behavior data and the flow data are normal or not; when the operation behavior data and the flow data are normal and the result data are correct, acquiring an attack and defense data link result according to the operation behavior data, the flow data and the result data; and when the result of the attack and defense data chain is abnormal, sending out alarm information. The invention is used for monitoring and auditing under the computer training competition.
Description
Technical Field
The invention relates to a monitoring, auditing and cheating-preventing method and system under practical training competition, and belongs to the technical field of network security.
Background
With the rapid development of industrial informatization and internet of things technology, industrial control systems are more and more opened, more and more industrial control systems are exposed on the internet, and data exchange is generated between the industrial control systems and an intranet, even the internet. Security threats such as viruses, trojans, intrusion attacks, denial of service and the like faced by the conventional information network are spreading to the industrial control system.
In the face of such situations, the industrial control network security industry in China needs to improve the safety awareness and the knowledge and skill level of relevant post personnel through safety training besides carrying out overall safety protection construction. This has led to the need to conduct various martial arts competitions in the network security industry to verify levels of personnel involved. The competition environment construction and the monitoring of the competition process are rapid and reliable, the competition process and the repeated competition process can be displayed, the training process can be evaluated in an all-round mode, and data support is provided for improving the level of security personnel.
In the prior art, audit monitoring can be constructed from the real environment of the current network environment, and enterprise-level monitoring requires a powerful IT operation and maintenance team, and a large amount of personnel are required to implement and deploy, so that the implementation cost is too high, and the method is not suitable for being used in the training and competition process. In addition, whether attack operation and protective measures of players are real and effective or not needs to be judged in a short time in the competition process, whether related players really and effectively submit scores or not is judged, and whether cheating exists or not is judged to provide technical data support.
Disclosure of Invention
The invention provides a monitoring auditing anti-cheating method and a monitoring auditing anti-cheating system under training competition, which can solve the problems of higher complexity of overall competition monitoring deployment and higher difficulty of operation and maintenance deployment in the conventional computer competition system.
In one aspect, the invention provides a monitoring, auditing and cheating-preventing method under a practical training competition, which comprises the following steps: acquiring result data submitted by an attacker from a host, and judging whether the result data is correct or not; acquiring operation behavior data of an attacker on a host and flow data of the host and a switch port, and judging whether the operation behavior data and the flow data are normal or not; when the operation behavior data and the flow data are normal and the result data are correct, acquiring an attack and defense data chain result according to the operation behavior data, the flow data and the result data; when the attack and defense data link is abnormal in result display, warning information is sent out; before the obtaining of the operational behavior data of the attacker on the host and the traffic data of the host and the switch port, the method further includes: deploying dynamic probes on the host and the switch; the acquiring of the operation behavior data of the attacker on the host and the traffic data of the host and the switch port specifically includes: and acquiring the operation behavior data of the attacker on the host and the flow data of the host and the switch port by using the dynamic probe.
Optionally, the method further includes: and when the operation behavior data is judged to be abnormal, sending out alarm information.
Optionally, the method includes: and when the flow data is judged to be abnormal, sending out alarm information.
Optionally, the obtaining traffic data of the host and the switch port, and determining whether the traffic data is normal specifically includes: performing mirror image setting on the host port flow and the switch port flow to obtain mirror image flow; carrying out data analysis on the mirror image flow; and judging whether the flow data is normal or not according to the data analysis result.
Optionally, the data analysis of the mirror image traffic includes: and carrying out protocol analysis and flow monitoring analysis on the mirror flow.
Optionally, after obtaining the operation behavior data of the attacker on the host, the method further includes: and storing the operation behavior data.
Optionally, after sending the alarm information, the method further includes: and resetting the state of the host.
Optionally, the operation behavior data includes login behavior data and operation process data of an attacker.
In another aspect, the present invention provides a monitoring, auditing and anti-cheating system under a training competition, wherein the system comprises: the flow auditing unit is used for acquiring flow data of the host and the port of the switch and judging whether the flow data is normal or not; the host behavior auditing unit is used for acquiring operation behavior data of an attacker on the host and judging whether the operation behavior data is normal or not; the comprehensive auditing unit is used for acquiring result data submitted by an attacker from the host and judging whether the result data is correct or not; when the operation behavior data and the flow data are normal and the result data are correct, acquiring an attack and defense data chain result according to the operation behavior data, the flow data and the result data; the comprehensive audit unit is also used for sending alarm information when the attack and defense data link result is abnormal; the system further comprises: the probe deployment unit is used for deploying dynamic probes on the host and the switch; the flow auditing unit is specifically configured to: acquiring flow data of the host and the port of the switch by using the dynamic probe; the host behavior auditing unit is specifically configured to: and acquiring the operation behavior data of the attacker on the host by using the dynamic probe.
The invention can produce the beneficial effects that:
the monitoring auditing anti-cheating method under the training competition can solve the problem of deployment complexity of the whole competition monitoring process in the existing computer competition system, reduce operation and maintenance deployment difficulty, and quickly construct a system for training. In the competition process, machines in the competition process are monitored in a flow monitoring mode, a built-in audit mode and an external checking host service mode. The match scene is constructed in a minute level according to needs, the operation and maintenance burden is reduced, and multiple matches can be repeatedly utilized. Meanwhile, data in the competition process are monitored in the whole process, the burden of operation and referees is reduced, and powerful and effective data chain support is provided for the final judgment of the referees.
Drawings
FIG. 1 is a flowchart of a method for monitoring audit anti-cheating according to an embodiment of the present invention;
FIG. 2 is a diagram of a monitoring audit anti-cheating system architecture provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of a process for constructing a monitoring audit anti-cheating system according to an embodiment of the present invention;
FIG. 4 is a flow chart of monitoring audit anti-cheating provided by an embodiment of the present invention;
fig. 5 is a block diagram of a monitoring audit anti-cheating system according to an embodiment of the present invention.
Detailed Description
The present invention will be described in detail with reference to examples, but the present invention is not limited to these examples.
In order to reduce maintenance workload and provide reliable monitoring and effective data support for result judgment, an embodiment of the present invention provides a monitoring, auditing and anti-cheating method under a training competition, which is used for monitoring the state, performance and behavior of a host in a system, and as shown in fig. 1 and fig. 2, the method includes:
and step 11, acquiring result data submitted by the attacker from the host, and judging whether the result data is correct.
And step 12, acquiring the operation behavior data of the attacker on the host and the traffic data of the host and the switch port, and judging whether the operation behavior data and the traffic data are normal.
And flow audit collects flow data of the host and the port of the switch, performs flow analysis by comparing the data in the competition process, and judges behaviors performed by an attacker. For example, scanning detection by an attacker, DDOS attack, etc.; when attacking some virus trojans and the like, the process can be displayed in flow analysis and is used for tool teaching and replication and judging whether the behavior of the attack process is abnormal or not; if the relevant user does not scan, directly attacks the relevant designated port, and can also successfully attack once, which basically belongs to problem behaviors.
The host audits and collects the operation behavior data of the attacker on the host, and records the operation process on the relevant host, such as user login behavior, user operation behavior and the like; the attacker needs to have the relevant operation records on the target system, and the submitted result is valid. The host auditing function records the operation behavior of the host in real time according to the dynamically injected probe, and uploads the data to the auditing host, and the auditing host records and analyzes the related behavior.
And step 13, when the operation behavior data and the flow data are normal and the result data are correct, obtaining an attack and defense data link result according to the operation behavior data, the flow data and the result data.
And (4) carrying out flow and behavior evidence chain analysis on the conclusion of the data submitted by the user, and comparing the reasonability and the compliance of the data submitted by the user.
In practical application, when the operation behavior data is judged to be abnormal, alarm information can be sent out. When the flow data is judged to be abnormal, alarm information can be sent out. When the data is judged to be wrong, the judgment is directly finished.
And 14, sending alarm information when the result of the attack and defense data chain is abnormal.
Comprehensive audit refers to the duplication of time-series evidence on submitted data, and judges the legality and validity of user operation according to flow analysis and behavior audit, so that the conformity and validity of operation in the result process are judged, dynamic monitoring and cheating prevention are achieved, and reliable evidence chain support is provided for final judgment. By alarming the abnormal condition, the related competition process can be judged quickly and accurately, and the support of a real-time monitoring technology data chain is provided for the whole competition process.
The invention can solve the problem of deployment complexity of the whole process of competition monitoring in the existing computer competition system, reduce the difficulty of operation and maintenance deployment, and quickly construct a system for training. In the competition process, machines in the competition process are monitored in a flow monitoring mode, a built-in audit mode and an external checking host service mode. The match scene is constructed in a minute level according to needs, the operation and maintenance burden is reduced, and multiple matches can be repeatedly utilized. Meanwhile, data in the competition process are monitored in the whole process, the burden of operation and referees is reduced, and powerful and effective data chain support is provided for the final judgment of the referees.
Further, before obtaining the operational behavior data of the attacker on the host and the traffic data of the host and the switch port, the method further comprises: deploying dynamic probes on the host and the switch; the obtaining of the operation behavior data of the attacker on the host and the traffic data of the host and the switch port specifically includes: and acquiring the operation behavior data of the attacker on the host and the traffic data of the host and the switch port by using the dynamic probe.
The dynamic probe deployment scheme mainly comprises probe host audit function deployment in physical host and virtualization environments. Therefore, the dynamic scene port flow can be collected, and the operation behavior of the attacker on the host can be collected dynamically, so that the flow behavior is analyzed.
As shown in fig. 2, the virtual machine of the present invention dynamically injects probes for different hosts, collects flows under physical and virtualization platforms during a competition, and collects host behaviors of a virtual host and a physical host. Auditing the flow behavior record in the flow audit, and auditing the operation behavior of the host in the host audit; and auditing the whole attack flow in the comprehensive audit, and judging whether the behaviors of competition personnel are in compliance or not through the comprehensive audit of different audit component functions. The scheme of dynamic deployment and dynamic monitoring of the computer competition system can monitor the whole competition process and provide evidence support on a data chain for competition organizers.
In the embodiment of the present invention, acquiring traffic data of a host and a switch port, and determining whether the traffic data is normal specifically includes: performing mirror image setting on the host port flow and the switch port flow to obtain mirror image flow; carrying out data analysis on the mirror image flow; and judging whether the flow data is normal or not according to the data analysis result. Further, data analysis is performed on the mirror image flow, specifically: and carrying out protocol analysis and flow monitoring analysis on the mirror flow.
Performing data analysis on the mirror image flow by mirroring the physical network flow and the port flow under the cloud platform; the system carries out protocol analysis and flow monitoring analysis in a mirror image mode to find attack and defense behaviors between the operating host and the target host, whether the received and sent message data meet normal step behaviors in a competition process or not is judged, when an attack condition occurs, data statistics analysis is carried out in a log display center, flow audit can analyze behavior actions of related flows, and support is provided for judging the operation behaviors and result validity of a subsequent competition on the target drone through a time track of flow forwarding. And flow audit carries out flow data analysis, and when the abnormal condition of the protocol port data transmitted and received by the target host is found, an abnormal alarm is output in the control center.
Further, after obtaining the operation behavior data of the attacker on the host, the method further comprises: storing the operational behavior data.
According to the training requirements, probes are dynamically deployed in the environment loading process, the preset inoperable behavior of a target host is monitored, and the operation process data of both attacking and defending parties is audited; meanwhile, related audit data are stored at the end of the inspection host, and the related inspection host alarms the abnormal operation; normal operating behavior may enable operational history playback. The deployment process is fully automated and process data collection can be stored at an audit trail center.
Further, after sending the alarm information, the method further includes: and resetting the state of the host. When the state of the target machine is monitored, after the alarm is given for the abnormal condition, the state of the host machine can be reset.
Another embodiment of the present invention provides a monitoring, auditing and anti-cheating system under a training competition, as shown in fig. 5, the system includes:
a flow auditing unit 51, configured to obtain flow data of the host and the switch port, and determine whether the flow data is normal;
the host behavior auditing unit 52 is used for acquiring the operation behavior data of the attacker on the host and judging whether the operation behavior data is normal;
the comprehensive auditing unit 53 is used for acquiring result data submitted by an attacker from the host computer and judging whether the result data is correct; when the operation behavior data and the flow data are normal and the result data are correct, acquiring an attack and defense data link result according to the operation behavior data, the flow data and the result data;
the comprehensive auditing unit 53 is also used for sending out warning information when the result of the attack and defense data chain is abnormal;
the system further comprises: the probe deployment unit is used for deploying dynamic probes on the host and the switch;
the flow auditing unit 51 is specifically configured to: acquiring flow data of the host and the port of the switch by using the dynamic probe;
the host behavior auditing unit 52 is specifically configured to: and acquiring the operation behavior data of the attacker on the host by using the dynamic probe.
The method dynamically displays the attack and operation processes through process data, and is used for training and judging the attack effectiveness of operators and the reasonability of the execution of the training outline; referring to fig. 4, the main flow of the closed-loop monitoring of the whole system includes: according to the attack result submitted by the user, combining with flow analysis and user behavior analysis, proving the compliance rationality of user operation, really attacking and acquiring the data value, but not acquiring the data value by other third party means, auditing the legal compliance of the operation of related personnel, and checking that a control center outputs the result of the whole attack flow feedback attack and defense data chain; the competition process auditing system audits the whole competition process according to the flow auditing and host behavior auditing results; the control center is linked with a host auditing system deployed on a host and a network flow auditing system for auditing results, and identifies the operation behaviors of both sides of the attack and defense competition; the control center is respectively communicated with the network flow auditing system and the host auditing system and is used for forwarding fusion analysis of information between the network flow auditing system and the host auditing system.
Although the present application has been described with reference to a few embodiments, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the application as defined by the appended claims.
Claims (9)
1. A monitoring, auditing and anti-cheating method under training competition is characterized by comprising the following steps:
acquiring result data submitted by an attacker from a host, and judging whether the result data is correct or not;
acquiring operation behavior data of an attacker on a host and flow data of the host and a switch port, and judging whether the operation behavior data and the flow data are normal or not;
when the operation behavior data and the flow data are normal and the result data are correct, acquiring an attack and defense data chain result according to the operation behavior data, the flow data and the result data;
when the attack and defense data link is abnormal in result display, warning information is sent out;
before the obtaining of the operational behavior data of the attacker on the host and the traffic data of the host and the switch port, the method further includes:
deploying dynamic probes on the host and the switch;
the acquiring of the operation behavior data of the attacker on the host and the traffic data of the host and the switch port specifically includes:
and acquiring the operation behavior data of the attacker on the host and the flow data of the host and the switch port by using the dynamic probe.
2. The method of claim 1, further comprising:
and when the operation behavior data is judged to be abnormal, sending out alarm information.
3. The method according to claim 1, characterized in that it comprises:
and when the flow data is judged to be abnormal, sending out alarm information.
4. The method according to claim 1, wherein the obtaining traffic data of the host and the switch port and determining whether the traffic data is normal includes:
performing mirror image setting on the host port flow and the switch port flow to obtain mirror image flow;
carrying out data analysis on the mirror image flow;
and judging whether the flow data is normal or not according to the data analysis result.
5. The method according to claim 4, wherein the data analysis of the mirror traffic is specifically:
and carrying out protocol analysis and flow monitoring analysis on the mirror flow.
6. The method of claim 1, wherein after the obtaining operational behavior data of the attacker on the host, the method further comprises:
and storing the operation behavior data.
7. The method of claim 1, wherein after issuing the alert message, the method further comprises: and resetting the state of the host.
8. The method of claim 1, wherein the operational behavior data comprises login behavior data and operational procedure data of an attacker.
9. A monitoring, auditing and anti-cheating system under practical training competition is characterized by comprising:
the flow auditing unit is used for acquiring flow data of the host and the port of the switch and judging whether the flow data is normal or not;
the host behavior auditing unit is used for acquiring operation behavior data of an attacker on the host and judging whether the operation behavior data is normal or not;
the comprehensive auditing unit is used for acquiring result data submitted by an attacker from the host and judging whether the result data is correct or not; when the operation behavior data and the flow data are normal and the result data are correct, acquiring an attack and defense data chain result according to the operation behavior data, the flow data and the result data;
the comprehensive audit unit is also used for sending alarm information when the attack and defense data link result is abnormal;
the system further comprises:
the probe deployment unit is used for deploying dynamic probes on the host and the switch;
the flow auditing unit is specifically configured to: acquiring flow data of the host and the port of the switch by using the dynamic probe;
the host behavior auditing unit is specifically configured to: and acquiring the operation behavior data of the attacker on the host by using the dynamic probe.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011612679.1A CN112311815A (en) | 2020-12-31 | 2020-12-31 | Monitoring, auditing and anti-cheating method and system under training competition |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011612679.1A CN112311815A (en) | 2020-12-31 | 2020-12-31 | Monitoring, auditing and anti-cheating method and system under training competition |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112311815A true CN112311815A (en) | 2021-02-02 |
Family
ID=74487661
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011612679.1A Pending CN112311815A (en) | 2020-12-31 | 2020-12-31 | Monitoring, auditing and anti-cheating method and system under training competition |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112311815A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114760094A (en) * | 2022-03-09 | 2022-07-15 | 中国人民解放军63891部队 | Computer network attack and defense experiment platform monitoring audit device system |
| CN120263519A (en) * | 2025-04-29 | 2025-07-04 | 湖北易康思科技有限公司 | A method and system for preventing cheating in network security competition |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105376110A (en) * | 2015-10-26 | 2016-03-02 | 上海华讯网络系统有限公司 | Network data packet analysis method and system in big data stream technology |
| CN107172127A (en) * | 2017-04-21 | 2017-09-15 | 北京理工大学 | Based on the information security technology contest course monitoring method acted on behalf of more |
| US10777093B1 (en) * | 2008-02-19 | 2020-09-15 | Architecture Technology Corporation | Automated execution and evaluation of network-based training exercises |
-
2020
- 2020-12-31 CN CN202011612679.1A patent/CN112311815A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10777093B1 (en) * | 2008-02-19 | 2020-09-15 | Architecture Technology Corporation | Automated execution and evaluation of network-based training exercises |
| CN105376110A (en) * | 2015-10-26 | 2016-03-02 | 上海华讯网络系统有限公司 | Network data packet analysis method and system in big data stream technology |
| CN107172127A (en) * | 2017-04-21 | 2017-09-15 | 北京理工大学 | Based on the information security technology contest course monitoring method acted on behalf of more |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114760094A (en) * | 2022-03-09 | 2022-07-15 | 中国人民解放军63891部队 | Computer network attack and defense experiment platform monitoring audit device system |
| CN120263519A (en) * | 2025-04-29 | 2025-07-04 | 湖北易康思科技有限公司 | A method and system for preventing cheating in network security competition |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109818985B (en) | Industrial control system vulnerability trend analysis and early warning method and system | |
| CN112291280A (en) | Network flow monitoring and auditing method and system | |
| Wang et al. | Security analysis of SITAR intrusion tolerance system | |
| KR101534194B1 (en) | cybersecurity practical training system and method that reflects the intruder behavior patterns | |
| KR102381277B1 (en) | Method And Apparatus for Providing Security for Defending Cyber Attack | |
| CN101803337A (en) | Intrusion detection method and system | |
| CN117527412B (en) | Data security monitoring method and device | |
| CN107172127A (en) | Based on the information security technology contest course monitoring method acted on behalf of more | |
| CN112311815A (en) | Monitoring, auditing and anti-cheating method and system under training competition | |
| CN119544381A (en) | A large-scale network security defense system based on collaborative intrusion detection | |
| Suo et al. | Research on the application of honeypot technology in intrusion detection system | |
| CN105871775B (en) | A security protection method and DPMA protection model | |
| CN116866078A (en) | Network security evaluation method | |
| CN116668166A (en) | Software and hardware cooperated data security monitoring system | |
| CN115834109A (en) | Method and device for realizing SSH brute force cracking defense through log analysis | |
| CN117857121B (en) | A scenario-based self-learning method and system for detecting malicious requests | |
| CN119299242A (en) | A network security digital stand-in protection method and system | |
| CN112287347A (en) | Target machine behavior auditing method and system | |
| TWI738078B (en) | Penetration test monitoring server and system | |
| CN117560205A (en) | Substation vulnerability assessment methods, devices, electronic equipment and storage media | |
| US11108800B1 (en) | Penetration test monitoring server and system | |
| CN117220940A (en) | A method of situational awareness of IoT network based on Wazuh's ThingsBoard | |
| CN112104674B (en) | Attack detection recall rate automatic test method, device and storage medium | |
| CN114760094A (en) | Computer network attack and defense experiment platform monitoring audit device system | |
| TWI663523B (en) | Management system for information security offensive and defensive planning |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210202 |