
CN112350864B - Protection method, device, equipment and computer readable storage medium for domain control terminal - Google Patents


Info

Publication number
CN112350864B
Authority
CN
China
Prior art keywords
information
classification result
log information
processing rule
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011189940.1A
Other languages
Chinese (zh)
Other versions
CN112350864A (en)
Inventor
龚子倬
范渊
吴卓群
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202011189940.1A
Publication of CN112350864A
Application granted
Publication of CN112350864B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1425 Traffic logging, e.g. anomaly detection
                        • H04L63/1433 Vulnerability analysis
                        • H04L63/1441 Countermeasures against malicious traffic
                • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L41/06 Management of faults, events, alarms or notifications
                        • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
                        • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • G PHYSICS
        • G06 COMPUTING OR CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                            • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present application relates to a protection method, apparatus, device and computer-readable storage medium for a domain control terminal. The protection method includes: acquiring log information and traffic information of the domain control terminal; determining first vulnerability feature information of the log information and second vulnerability feature information of the traffic information; classifying the first vulnerability feature information according to a first preset classification rule to obtain a first classification result, and classifying the second vulnerability feature information according to a second preset classification rule to obtain a second classification result; and acquiring a first preset processing rule corresponding to the first classification result to process the log information, and acquiring a second preset processing rule corresponding to the second classification result to process the traffic information. The application addresses the problem in the related art that analysing the relevant information within a Windows domain takes a long time, and reduces that analysis time.

Description

Protection method, apparatus, device and computer-readable storage medium for a domain control terminal

Technical field

The present application relates to the field of network security, and in particular to a protection method, apparatus, device and computer-readable storage medium for a domain control terminal.

Background

With the widespread use of computers in society, most enterprises have an internal network of their own. Because the Windows operating system is so widely deployed, unified management of the internal network is in most cases also done through a Windows domain. Within a Windows domain the domain control terminal (the domain controller) plays an increasingly central role: it holds the authority to manage every machine and user in the domain and the relationships between them. The security of the domain control terminal is therefore the security focus, and the security centre, of the whole Windows domain. Although a Windows domain greatly simplifies internal management for network administrators, that convenience also brings many security problems, because a Windows domain produces a very large amount of related information, and analysing it manually through only the domain's built-in logging takes analysts a great deal of time.

No effective solution has yet been proposed for the problem in the related art that analysing the relevant information within a Windows domain takes a long time.

Summary of the invention

Embodiments of the present application provide a protection method, apparatus, device and computer-readable storage medium for a domain control terminal, so as to at least solve the problem in the related art that analysing the relevant information within a Windows domain takes a long time.

In a first aspect, an embodiment of the present application provides a protection method for a domain control terminal, including:

acquiring log information and traffic information of the domain control terminal;

determining first vulnerability feature information of the log information and second vulnerability feature information of the traffic information;

classifying the first vulnerability feature information according to a first preset classification rule to obtain a first classification result, and classifying the second vulnerability feature information according to a second preset classification rule to obtain a second classification result, wherein the first classification result is one of: normal log information, suspicious log information, malicious log information, and the second classification result is one of: normal traffic information, suspicious traffic information, malicious traffic information;

acquiring a first preset processing rule corresponding to the first classification result to process the log information, and acquiring a second preset processing rule corresponding to the second classification result to process the traffic information.

In some embodiments, after acquiring the log information and traffic information of the domain control terminal, the method further includes:

caching the log information and the traffic information respectively in a Redis database.

In some embodiments, after classifying the first vulnerability feature information according to the first preset classification rule to obtain the first classification result, and classifying the second vulnerability feature information according to the second preset classification rule to obtain the second classification result, the method further includes:

caching the first classification result and the second classification result.

In some embodiments, the first classification result is suspicious log information and the second classification result is suspicious traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information, and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information, includes:

raising an alert for the suspicious log information and raising an alert for the suspicious traffic information, wherein both the first preset processing rule and the second preset processing rule include alert processing.

In some embodiments, the first classification result is malicious log information and the second classification result is malicious traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information, and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information, includes:

acquiring a first operation address of the malicious log information and a second operation address of the malicious traffic information;

banning the first operation address and the second operation address, wherein both the first preset processing rule and the second preset processing rule include ban processing.

In some embodiments, the first classification result is malicious log information and the second classification result is malicious traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information, and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information, includes:

visualising the malicious log information and the malicious traffic information, wherein both the first preset processing rule and the second preset processing rule include visualisation processing.

In some embodiments, the first classification result is normal log information and the second classification result is normal traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information, and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information, includes:

marking the normal log information and the normal traffic information and releasing the normal log information and the normal traffic information, wherein both the first preset processing rule and the second preset processing rule include release processing.

In a second aspect, an embodiment of the present application further provides a protection apparatus for a domain control terminal, including:

an acquisition module, configured to acquire log information and traffic information of the domain control terminal;

a determination module, configured to determine first vulnerability feature information of the log information and second vulnerability feature information of the traffic information;

a classification module, configured to classify the first vulnerability feature information according to a first preset classification rule to obtain a first classification result, and to classify the second vulnerability feature information according to a second preset classification rule to obtain a second classification result, wherein the first classification result is one of: normal log information, suspicious log information, malicious log information, and the second classification result is one of: normal traffic information, suspicious traffic information, malicious traffic information;

a processing module, configured to acquire a first preset processing rule corresponding to the first classification result to process the log information, and to acquire a second preset processing rule corresponding to the second classification result to process the traffic information.

In a third aspect, an embodiment of the present application provides a protection device for a domain control terminal, including a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the protection method for a domain control terminal described in the first aspect.

In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the protection method for a domain control terminal described in the first aspect.

Compared with the related art, the protection method, apparatus, device and computer-readable storage medium for a domain control terminal provided in the embodiments of the present application acquire log information and traffic information of the domain control terminal; determine first vulnerability feature information of the log information and second vulnerability feature information of the traffic information; classify the first vulnerability feature information according to a first preset classification rule to obtain a first classification result, and classify the second vulnerability feature information according to a second preset classification rule to obtain a second classification result, wherein the first classification result is one of: normal log information, suspicious log information, malicious log information, and the second classification result is one of: normal traffic information, suspicious traffic information, malicious traffic information; and acquire a first preset processing rule corresponding to the first classification result to process the log information, and a second preset processing rule corresponding to the second classification result to process the traffic information. In this way they solve the problem in the related art that analysing the relevant information within a Windows domain takes a long time, and reduce that analysis time.

The details of one or more embodiments of the present application are set out in the accompanying drawings and the description below, so that the other features, objects and advantages of the present application are easier to understand.

Description of the drawings

The drawings described here are provided for further understanding of the present application and form a part of it; the illustrative embodiments of the present application and their descriptions serve to explain the application and do not constitute an improper limitation of it. In the drawings:

Fig. 1 is a block diagram of the hardware structure of a terminal for the protection method of a domain control terminal according to an embodiment of the present application;

Fig. 2 is a flowchart of a protection method for a domain control terminal according to an embodiment of the present application;

Fig. 3 is a flowchart of a protection method for a domain control terminal according to a preferred embodiment of the present application;

Fig. 4 is a structural block diagram of a protection apparatus for a domain control terminal according to a preferred embodiment of the present application;

Fig. 5 is a schematic diagram of the operating flow of the data storage module according to an embodiment of the present application;

Fig. 6 is a structural block diagram of a protection apparatus for a domain control terminal according to an embodiment of the present application.

Detailed description of the embodiments

In order to make the objectives, technical solutions and advantages of the present application clearer, the present application is described and illustrated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present application and do not limit it. All other embodiments obtained by a person of ordinary skill in the art, on the basis of the embodiments provided in this application and without creative effort, fall within the scope of protection of this application.

Obviously, the drawings in the following description are merely some examples or embodiments of the present application; a person of ordinary skill in the art could, without creative effort, also apply the present application to other similar scenarios on the basis of these drawings. It will further be appreciated that, although such development effort may be complex and lengthy, for a person of ordinary skill in the art to which the content disclosed in this application relates, changes in design, manufacture or production made on the basis of the technical content disclosed here are merely routine technical means, and should not be taken to mean that the disclosure of this application is insufficient.

Reference in this application to an "embodiment" means that a particular feature, structure or characteristic described in connection with that embodiment may be included in at least one embodiment of the application. The appearance of this phrase in various places in the specification does not necessarily refer to the same embodiment, nor to a separate or alternative embodiment that is mutually exclusive of other embodiments. A person of ordinary skill in the art understands, explicitly and implicitly, that the embodiments described in this application may be combined with other embodiments where they do not conflict.

Unless otherwise defined, the technical or scientific terms used in this application have the ordinary meaning understood by a person of ordinary skill in the technical field to which this application belongs. Words such as "a", "an", "one" and "the" used in this application do not denote a limitation on quantity and may denote the singular or the plural. The terms "comprise", "include", "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or modules (units) is not limited to the steps or units listed, but may further include steps or units not listed, or other steps or units inherent to that process, method, product or device. Words such as "connected", "joined" and "coupled" are not limited to physical or mechanical connections and may include electrical connections, whether direct or indirect. "A plurality" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone. The character "/" generally indicates that the objects before and after it are in an "or" relationship. The terms "first", "second", "third" and so on are used only to distinguish similar objects and do not denote any particular ordering of the objects.

The method embodiments provided in this embodiment may be executed on a terminal, a computer or a similar computing device. Taking execution on a terminal as an example, Fig. 1 is a block diagram of the hardware structure of a terminal for the protection method of a domain control terminal according to an embodiment of the present application. As shown in Fig. 1, the terminal may include one or more processors 102 (only one is shown in Fig. 1; processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data; optionally, the terminal may further include a transmission device 106 for communication and an input/output device 108. A person of ordinary skill in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the terminal; for example, the terminal may include more or fewer components than shown in Fig. 1, or have a configuration different from that shown in Fig. 1.

The memory 104 may be used to store computer programs, for example software programs and modules of application software such as the computer program corresponding to the protection method for a domain control terminal in the embodiments of the present invention; the processor 102 runs the computer program stored in the memory 104 and thereby performs the various functional applications and data processing, that is, implements the method described above. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some instances the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the terminal through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations of these.

The transmission device 106 is used to receive or send data via a network. Specific examples of such a network include a wireless network provided by the terminal's communication provider. In one instance the transmission device 106 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In another instance the transmission device 106 may be a radio-frequency (RF) module, used to communicate with the Internet wirelessly.

本实施例还提供了一种域控终端的保护方法。图2是根据本申请实施例的域控终端的保护方法的流程图,如图2所示,该流程包括如下步骤:This embodiment also provides a method for protecting a domain control terminal. FIG. 2 is a flowchart of a method for protecting a domain control terminal according to an embodiment of the present application. As shown in FIG. 2 , the flowchart includes the following steps:

步骤S201,获取域控终端的日志信息和流量信息。In step S201, log information and traffic information of the domain control terminal are acquired.

在本步骤中,可以预先在域控终端配置日志信息上报模块和流量信息上报模块,进而通过日志信息上报模块上报日志信息,以及通过流量信息上报流量信息的方式,实现对日志信息和流量信息的获取。其中,获取到的日志信息和流量信息均可以携带有自身的漏洞特征、攻击特征、行为特征等。In this step, a log information reporting module and a traffic information reporting module may be pre-configured on the domain control terminal, and then log information is reported by the log information reporting module, and traffic information is reported by the traffic information, so as to realize the log information and traffic information. Obtain. The obtained log information and traffic information may carry their own vulnerability characteristics, attack characteristics, behavior characteristics, and the like.

需要说明的是,域控终端的日志信息上报模块可以但不限于依据微软开发的监控程序(Sysmon)来进行日志搜集和分析,以用于搜集微软视窗操作系统(Windows)域对应的日志标识(ID)、来源地址(IP)、请求时间和日志的详细信息等等。域控终端的流量信息上报模块可以但不限于依据Wireshark来进行流量搜集和分析,以用于过滤Kerberos、LDAP、SMB等协议流量信息。It should be noted that the log information reporting module of the domain controller terminal can, but is not limited to, collect and analyze logs based on the monitoring program (Sysmon) developed by Microsoft, so as to collect log identifiers ( ID), source address (IP), request time and log details, etc. The traffic information reporting module of the domain control terminal can, but is not limited to, collect and analyze traffic based on Wireshark to filter traffic information of protocols such as Kerberos, LDAP, and SMB.

步骤S202,确定日志信息的第一漏洞特征信息,以及流量信息的第二漏洞特征信息。Step S202, determining the first vulnerability feature information of the log information and the second vulnerability feature information of the traffic information.

在本步骤中,可以根据日志信息和流量信息自身携带的漏洞特征,来确定第一漏洞特征信息和第二漏洞特征信息,例如,在日志信息中检测第一漏洞特征信息,以及在流量信息中检测第二漏洞特征信息。In this step, the first vulnerability feature information and the second vulnerability feature information may be determined according to the vulnerability features carried by the log information and the traffic information. For example, the first vulnerability feature information is detected in the log information, and the first vulnerability feature information is detected in the traffic information. The second vulnerability feature information is detected.

Step S203: classify the first vulnerability feature information according to a first preset classification rule to obtain a first classification result, and classify the second vulnerability feature information according to a second preset classification rule to obtain a second classification result, where the first classification result is one of: normal log information, suspicious log information, malicious log information, and the second classification result is one of: normal traffic information, suspicious traffic information, malicious traffic information.

In this step, the user may preconfigure the first preset classification rule for classifying the vulnerability feature information corresponding to the log information, and may also preconfigure the second preset classification rule for classifying the vulnerability features corresponding to the traffic information.

For example, suspicious traffic information may be obtained by analyzing, but not limited to, the earlier operation logs of the IP corresponding to the traffic information, and identifying high-risk operations that did not occur before (for example logging in as a domain administrator, enumerating LDAP information, enumerating DNS (Domain Name System) information, and so on). Malicious traffic information may be obtained by analyzing, but not limited to, the vulnerability features corresponding to the traffic information. Suspicious log information may be obtained by analyzing, but not limited to, the earlier operation logs of the IP corresponding to the log information, and identifying high-risk operations that did not occur before (for example logging in as a domain administrator, enumerating LDAP information, enumerating DNS information, and so on). Malicious log information may be obtained by analyzing, but not limited to, the vulnerability features corresponding to the log information. The classification manner in the embodiments of the present application is not limited to the above; the user may also configure it according to the actual scenario.

It should be noted that the first preset classification rule may be a rule for classifying log information as normal log information, suspicious log information or malicious log information according to the vulnerability feature information of the log information; the second preset classification rule may be a rule for classifying traffic information as normal traffic information, suspicious traffic information or malicious traffic information according to the vulnerability feature information of the traffic information.

Step S204: obtain a first preset processing rule corresponding to the first classification result and process the log information with it, and obtain a second preset processing rule corresponding to the second classification result and process the traffic information with it.

In this step, the first preset processing rule and the second preset processing rule may be preconfigured, so that the traffic information and log information are processed according to the processing rule corresponding to their classification result.

Based on the above steps S201 to S204, the embodiment of the present application extracts the vulnerability feature information corresponding to the log information and the traffic information, determines the classification of the log information and traffic information from that vulnerability feature information, and finally processes the log information and traffic information according to the corresponding classification result. There is no need to analyze all relevant information in the Windows domain; only the vulnerability feature information corresponding to the log information and traffic information needs to be analyzed. This solves the problem in the related art of the long time taken to analyze relevant information in a Windows domain, and reduces that analysis time.

At the same time, in the embodiment of the present application the classification and processing of log information and traffic information are implemented through preset classification rules and preset processing rules, so no manual analysis is required; this reduces the manual steps and further reduces the time taken to analyze relevant information in the Windows domain.

In some embodiments, after the log information and traffic information of the domain control terminal are obtained, the following step is also performed: caching the log information and the traffic information respectively in a Redis database.

It should be noted that in practical applications the volume of traffic information and log information in a Windows domain may be very large. In order not to miss any relevant information, the log information and traffic information can be kept cached in the Redis database; in this way the log information and traffic information are preserved and none of it is lost.

In some of these embodiments, after the first vulnerability feature information is classified according to the first preset classification rule to obtain the first classification result, and the second vulnerability feature information is classified according to the second preset classification rule to obtain the second classification result, the following step is also performed: caching the first classification result and the second classification result.

Caching the first classification result and the second classification result through the above step makes it convenient for users to subsequently view those results, and to perform corresponding operations on the log information corresponding to the first classification result and the traffic information corresponding to the second classification result.

In some of these embodiments, the first classification result is suspicious log information and the second classification result is suspicious traffic information; obtaining the first preset processing rule corresponding to the first classification result to process the log information, and obtaining the second preset processing rule corresponding to the second classification result to process the traffic information, includes the following step: raising an alarm for the suspicious log information and raising an alarm for the suspicious traffic information, where both the first preset processing rule and the second preset processing rule include alarm processing.

Through the above step, an alarm is raised for the suspicious log information and for the suspicious traffic information, so that alerting on suspicious traffic information or suspicious log information is achieved.

Meanwhile, in some optional implementations, the suspicious log information and/or suspicious traffic information may also be sent to a preset user terminal.

In some of these embodiments, the first classification result is malicious log information and the second classification result is malicious traffic information; obtaining the first preset processing rule corresponding to the first classification result to process the log information, and obtaining the second preset processing rule corresponding to the second classification result to process the traffic information, includes the following steps: obtaining a first operation address of the malicious log information and a second operation address of the malicious traffic information; and banning the first operation address and the second operation address, where both the first preset processing rule and the second preset processing rule include ban processing.

Through the above steps, the first operation address of the malicious log information and the second operation address of the malicious traffic information are obtained, and banning the first operation address and the second operation address bans the operation address corresponding to the malicious traffic information or malicious log information. This prevents the operations from that address from threatening the domain control terminal and thereby leaking security information, and improves the security of the domain control terminal.

Meanwhile, in some optional implementations, the malicious log information and/or malicious traffic information may also be sent to a preset user terminal.

In some of these embodiments, the first classification result is malicious log information and the second classification result is malicious traffic information; obtaining the first preset processing rule corresponding to the first classification result to process the log information, and obtaining the second preset processing rule corresponding to the second classification result to process the traffic information, includes the following step: visualizing the malicious log information and the malicious traffic information, where both the first preset processing rule and the second preset processing rule include visualization processing.

Visualizing the malicious log information and malicious traffic information through the above step allows the user to monitor the malicious traffic information and malicious log information.

In some of these embodiments, the first classification result is normal log information and the second classification result is normal traffic information; obtaining the first preset processing rule corresponding to the first classification result to process the log information, and obtaining the second preset processing rule corresponding to the second classification result to process the traffic information, includes the following steps: marking the normal log information and normal traffic information, and releasing the normal log information and normal traffic information, where both the first preset processing rule and the second preset processing rule include release processing.

Through the above steps, the normal log information and normal traffic information are marked and released, so that release of normal log information and normal traffic information is achieved.

It should be noted that the release in this embodiment may mean releasing only the operations corresponding to the normal log information and/or normal traffic information.

It should be noted that alerting on suspicious log information and suspicious traffic information notifies the user to take corresponding action; at the same time, banning the operation address corresponding to malicious log information and malicious traffic information prevents that address from performing further operations on the domain control terminal, which improves the security of the domain control terminal; furthermore, the visual display of malicious log information and malicious traffic information makes it easier for the user to monitor them.

It should be noted that in this embodiment the malicious traffic information, suspicious traffic information, malicious log information and suspicious log information may also be marked.

In this embodiment, the obtained log information and traffic information data are also managed and processed in a unified way, meeting the network administrator's needs for the security management of the domain controller.

The embodiments of the present application are described and illustrated below by way of preferred embodiments.

FIG. 3 is a flowchart of a method for protecting a domain control terminal according to a preferred embodiment of the present application. As shown in FIG. 3, the method includes:

Step S301: obtain log information and traffic information of the domain control terminal;

Step S302: cache the log information and traffic information in a Redis database;

In this step, caching the log information and traffic information in the Redis database buffers the data, so that the volume of log information and traffic information collected by the domain control terminal does not become excessive.

It should be noted that the log information and traffic information may be stored separately so that the corresponding information can be retrieved in step S303. For example, sub-database A of the Redis database may store the log information and sub-database B may store the traffic information.

Step S303: obtain the log information and traffic information from the Redis database.

Step S304: determine the first vulnerability feature information of the log information and the second vulnerability feature information of the traffic information.

Step S305: classify the first vulnerability feature information according to the first preset classification rule to obtain a first classification result, and classify the second vulnerability feature information according to the second preset classification rule to obtain a second classification result.

In this step, classifying the first vulnerability feature information according to the first preset classification rule may include the following steps:

Step A: obtain the ID corresponding to the log information of the Windows domain, and match a rule according to that ID;

Step B: obtain the other log information from time points near that of the account/machine corresponding to the rule matched in step A;

Step C: judge whether any of the other log information fits the corresponding attack rule flow; if so, go to step D, otherwise go to step E;

Step D: classify the first vulnerability feature information according to the first preset classification rule, and mark it.

Step E: mark it as normal log information.

In this step, classifying the second vulnerability feature information according to the second preset classification rule may include the following steps:

Step F: obtain the ID corresponding to the traffic information of the Windows domain, and match a rule according to that ID;

Step G: obtain the other traffic information of the same protocol from time points near that of the account/machine corresponding to the rule matched in step F;

Step H: judge whether any of the other traffic information of the same protocol fits the corresponding attack rule flow; if so, go to step I, otherwise go to step J;

Step I: classify the second vulnerability feature information according to the second preset classification rule, and mark it.

Step J: classify the second vulnerability feature information as normal traffic information, and mark it as such.

It should be noted that the first classification result may be one of: normal log information, suspicious log information, malicious log information, and the second classification result may be one of: normal traffic information, suspicious traffic information, malicious traffic information.

Step S306: obtain the preset processing rule corresponding to the first classification result and process the log information with it, and obtain the preset processing rule corresponding to the second classification result and process the traffic information with it.
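The classification procedure of steps A to J and the rule dispatch of step S306, as an added example that is not part of the patent; it generalizes the single trigger-and-follow-up pattern to any preset rule (an empty follow-up list means the ID alone decides), and every event name, rule, address and sample record is constructed for illustration.

```python
"""Added example (not the patent's own code): a rule-driven classifier that follows
steps A-E for log records and F-J for traffic records, then applies the preset
processing rule of step S306. Event names, rules and sample records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Sequence, Set


@dataclass(frozen=True)
class Record:
    kind: str          # "log" or "traffic"
    event_id: str      # log ID (step A) or traffic ID (step F); constructed names
    source_ip: str     # operation address used for alarms and bans
    account: str       # empty when the record carries no account
    time: datetime
    protocol: str = "" # only meaningful for traffic records (steps G/H)


@dataclass
class Rule:
    trigger: str               # event ID that matches the rule (step A / F)
    follow_up: Sequence[str]   # events completing the "attack rule flow" (step C / H)
    verdict: str               # "suspicious" or "malicious"
    window: timedelta = timedelta(minutes=10)


def classify(record: Record, history: Sequence[Record], rules: Sequence[Rule]) -> str:
    """Return 'normal', 'suspicious' or 'malicious' for one record.
    A/F: match the record's ID against the preset rules.
    B/G: gather other records of the same account or machine near the same time
         (for traffic, only records of the same protocol).
    C/H: check whether those records complete the rule's attack flow.
    D/I: classify by the rule's verdict; E/J: otherwise mark as normal."""
    for rule in rules:
        if rule.trigger != record.event_id:
            continue
        nearby = [
            r for r in history
            if r is not record
            and r.kind == record.kind
            and ((record.account and r.account == record.account)
                 or r.source_ip == record.source_ip)
            and abs(r.time - record.time) <= rule.window
            and (record.kind != "traffic" or r.protocol == record.protocol)
        ]
        seen = {r.event_id for r in nearby}
        # An empty follow_up means the ID alone is a vulnerability feature
        # (the page's "malicious by vulnerability feature" case).
        if all(step in seen for step in rule.follow_up):
            return rule.verdict
    return "normal"


@dataclass
class Outcome:
    alerts: List[str] = field(default_factory=list)       # alarm processing
    banned: Set[str] = field(default_factory=set)         # ban processing
    visualized: List[str] = field(default_factory=list)   # visualization processing
    released: List[str] = field(default_factory=list)     # release processing


def process(record: Record, verdict: str, out: Outcome) -> None:
    """Apply the preset processing rule that corresponds to the classification result."""
    label = f"{record.kind}:{record.event_id}@{record.source_ip}"
    if verdict == "suspicious":
        out.alerts.append(label)            # alert on suspicious log/traffic
    elif verdict == "malicious":
        out.banned.add(record.source_ip)    # ban the operation address
        out.visualized.append(label)        # and visualize it for monitoring
    else:
        out.released.append(label)          # mark as normal and release


def run(records: Sequence[Record], rules: Sequence[Rule]):
    """Classify every record against the whole batch and apply the processing rules."""
    out = Outcome()
    verdicts = [classify(r, records, rules) for r in records]
    for rec, v in zip(records, verdicts):
        process(rec, v, out)
    return verdicts, out


# Constructed rules: an admin logon followed shortly by LDAP enumeration from the
# same account is suspicious; a known exploit signature in SMB traffic is malicious.
RULES = [
    Rule("ADMIN_LOGON", ["LDAP_ENUM"], "suspicious"),
    Rule("EXPLOIT_SIGNATURE", [], "malicious"),
]

T0 = datetime(2020, 10, 30, 9, 0, 0)
SAMPLE = [  # constructed records, not real telemetry
    Record("log", "ADMIN_LOGON", "10.0.0.5", "alice", T0),
    Record("log", "LDAP_ENUM", "10.0.0.5", "alice", T0 + timedelta(minutes=2)),
    Record("log", "ADMIN_LOGON", "10.0.0.9", "bob", T0 + timedelta(hours=3)),
    Record("traffic", "EXPLOIT_SIGNATURE", "10.0.0.7", "", T0, "SMB"),
    Record("traffic", "LDAP_QUERY", "10.0.0.8", "", T0, "LDAP"),
]

if __name__ == "__main__":
    verdicts, outcome = run(SAMPLE, RULES)
    print(verdicts, outcome)
```

Bob's lone admin logon stays normal because no follow-up event from the same account or machine falls inside the rule's time window, which is the misjudgment-reduction effect the page attributes to correlating nearby records rather than matching IDs in isolation.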

FIG. 4 is a structural block diagram of an apparatus for protecting a domain control terminal according to a preferred embodiment of the present application. As shown in FIG. 4, the protection apparatus for the domain control terminal includes:

Domain control terminal 41, which includes a log information collection unit and a traffic information collection unit.

The log information collection unit collects log information, and the traffic information collection unit collects traffic information. The log information collection unit may be implemented by writing a Windows driver that domain control terminal 41 loads and that hooks the Windows event program, thereby obtaining the security log information related to domain control terminal 41 of the Windows domain. The traffic information collection unit may monitor the network traffic of the domain control terminal in the Windows domain through the npcap driver, and then extract and save the corresponding SMB, LDAP and Kerberos traffic.

It should be noted that the relevant security log information and the corresponding attack methods can be represented by Table 1, as shown below:

[Table 1: association table between log information and attack methods; the table is an image in the original and its contents are not reproduced here]

Data processing module 42, which includes a Redis data storage unit, a log information classification unit, a traffic information classification unit, a log information matching unit, a traffic information matching unit, a log information analysis storage unit and a traffic information analysis storage unit.

The Redis data storage unit stores the log information and traffic information obtained from domain control terminal 41; the log information classification unit determines the vulnerability feature information of the log information in the Redis data storage unit and classifies it; the traffic information classification unit determines the vulnerability feature information corresponding to the traffic information in the Redis data storage unit and classifies it; the log information matching unit matches the corresponding processing rule according to the log information classification result and performs the processing; the traffic information matching unit matches the corresponding processing rule according to the traffic information classification result and performs the processing; the log information analysis storage unit stores the operation logs generated while analyzing the log information; and the traffic information analysis storage unit stores the operation logs generated while analyzing the traffic information.

Data storage module 43, which includes a data index unit, a data alarm unit and a data ban unit. The data index unit may use Elasticsearch as its back-end engine; Elasticsearch supports tokenized search and is used to store and index the attackers identified from the log information or traffic information, while the neo4j graph database is used to display and depict the attack paths of potential attackers and the relationship graph corresponding to the attacks, giving a more direct visualization. The data alarm unit may perform the corresponding alarm operations according to the processing results of the log information classification unit and the traffic information classification unit. The data ban unit may perform the corresponding ban operations according to the processing results of the log information classification unit and the traffic information classification unit.

It should be noted that Elasticsearch is a distributed, highly scalable, highly real-time search and data analysis engine. It makes it easy to search, analyze and explore large volumes of data, and taking full advantage of its horizontal scalability makes data more valuable in production environments. Its operating principle consists mainly of the following steps: first the user submits data to the Elasticsearch database; a tokenizer then splits the corresponding text into terms, and the terms and their weights are stored together with the data; when the user searches, the results are ranked and scored according to those weights and then returned to the user.

FIG. 5 is a schematic diagram of the operation flow of the data storage module according to an embodiment of the present application. As shown in FIG. 5, the processing results of the data processing unit are first obtained, the traffic information and log information corresponding to the processing results are indexed by Elasticsearch, and they are visualized through the neo4j graph database. At the same time, the suspicious traffic information and suspicious log information from the data processing unit may be sent to a preset user terminal to notify the user to take corresponding action. The malicious traffic information and malicious log information from the data processing may also be sent to the domain control terminal, so that the control terminal bans the terminal or terminal account corresponding to that malicious traffic information and malicious log information, for example by sending ban information; the malicious traffic information and malicious log information may also be sent to the preset user terminal to notify the user to take corresponding action.

It should be noted that the manner of sending to the preset user terminal may be, but is not limited to, SMS, email and the like.

Through the above embodiments, the embodiments of the present application protect the domain control terminal on the basis of log information and traffic information, effectively solving the problem in the related art that the Windows domain environment has many vulnerabilities and complex penetration attack techniques.

The embodiments of the present application also propose a method for judging the correlation between log information and traffic information. The log information/traffic information of the relevant users/machines in the Windows domain at the relevant times is analyzed jointly to judge whether the operations corresponding to the log information and traffic information are malicious; malicious attack behavior can thereby be detected in time, and the misjudgments of pure rule matching are reduced.

The embodiments of the present application also propose a method for judging and visually displaying attack methods in a Windows domain. The Neo4j graph database can display the attack path and related terminals of the attacker corresponding to the log information and traffic information, so that the network administrator can see at a glance the attacker's path through the internal network, the affected area, the attack source, the key attack times, the compromised machines and other information.

FIG. 6 is a structural block diagram of an apparatus for protecting a domain control terminal according to an embodiment of the present application. As shown in FIG. 6, the apparatus includes:

An acquisition module 61, configured to obtain log information and traffic information of the domain control terminal;

A determination module 62, coupled to acquisition module 61, configured to determine the first vulnerability feature information of the log information and the second vulnerability feature information of the traffic information;

A classification module 63, coupled to determination module 62, configured to classify the first vulnerability feature information according to a first preset classification rule to obtain a first classification result, and to classify the second vulnerability feature information according to a second preset classification rule to obtain a second classification result, where the first classification result is one of: normal log information, suspicious log information, malicious log information, and the second classification result is one of: normal traffic information, suspicious traffic information, malicious traffic information;

A processing module 64, coupled to classification module 63, configured to obtain a first preset processing rule corresponding to the first classification result and process the log information with it, and to obtain a second preset processing rule corresponding to the second classification result and process the traffic information with it.

In some of these embodiments, the apparatus further includes a first cache module, configured to cache the log information and traffic information respectively in a Redis database.

In some of these embodiments, the apparatus further includes a second cache module, configured to cache the first classification result and the second classification result.

In some of these embodiments, processing module 64 includes an alarm unit, configured to raise an alarm for suspicious log information and for suspicious traffic information, where both the first preset processing rule and the second preset processing rule include alarm processing.

In some of these embodiments, processing module 64 includes an acquisition unit, configured to obtain the first operation address of the malicious log information and the second operation address of the malicious traffic information, and a ban unit, configured to ban the first operation address and the second operation address, where both the first preset processing rule and the second preset processing rule include ban processing.

在其中一些实施例中,处理模块64包括:可视化单元,用于可视化恶意日志信息和恶意流量信息,其中,第一预设处理规则和第二预设处理规则均包括:可视化处理。In some of the embodiments, the processing module 64 includes: a visualization unit, configured to visualize malicious log information and malicious traffic information, wherein both the first preset processing rule and the second preset processing rule include: visualization processing.

在其中一些实施例中,处理模块64包括:标志单元,用于对正常日志信息和正常流量信息进行标志;放行单元,用于对正常日志信息和正常流量信息放行,其中,第一预设处理规则和第二预设处理规则均包括:放行处理。In some of the embodiments, the processing module 64 includes: a marking unit for marking normal log information and normal flow information; a release unit for releasing normal log information and normal flow information, wherein the first preset processing Both the rule and the second preset processing rule include: release processing.
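As an added illustration (not code from the patent or its assignee) of the classify-then-dispatch design described by the modules above and restated in the claims, the following Python sketch classifies extracted feature information as normal, suspicious or malicious and applies the matching preset processing rule: mark and release, alarm, or obtain the operation address, block it and record it for visualization. The feature names, the scoring rule and the sample records are constructed assumptions; the Redis caching step is omitted.

```python
"""Added example: classification and preset processing rules for domain
controller log and traffic feature information (constructed, not the patent's code)."""
from dataclasses import dataclass, field

NORMAL, SUSPICIOUS, MALICIOUS = "normal", "suspicious", "malicious"


def classify(features: dict) -> str:
    """Constructed 'preset classification rule': the patent leaves the concrete
    rule open, so a simple additive score over assumed feature flags stands in."""
    score = 0
    if features.get("failed_logons", 0) >= 5:      # assumed feature
        score += 1
    if features.get("unusual_hour"):               # assumed feature
        score += 1
    if features.get("known_bad_signature"):        # assumed feature
        score += 2
    if score >= 2:
        return MALICIOUS
    if score == 1:
        return SUSPICIOUS
    return NORMAL


@dataclass
class Protector:
    """Collects the side effects of each processing rule so they can be inspected."""
    alarms: list = field(default_factory=list)     # alarm processing
    blocked: set = field(default_factory=set)      # blocking processing (operation addresses)
    dashboard: list = field(default_factory=list)  # stand-in for visualization processing
    released: list = field(default_factory=list)   # release processing

    def process(self, kind: str, record: dict, features: dict) -> str:
        """Apply the preset processing rule that corresponds to the classification result.
        `kind` is "log" or "traffic"; `record["source"]` is the operation address."""
        result = classify(features)
        if result == NORMAL:
            record["tag"] = NORMAL                 # mark, then release
            self.released.append(record)
        elif result == SUSPICIOUS:
            self.alarms.append((kind, record["source"]))
        else:                                      # malicious: block the address and visualize
            self.blocked.add(record["source"])
            self.dashboard.append((kind, record))
        return result


def demo() -> Protector:
    """Run three constructed records (two log, one traffic) through the pipeline."""
    p = Protector()
    p.process("log", {"source": "10.0.0.7"}, {"failed_logons": 12, "unusual_hour": True})
    p.process("traffic", {"source": "10.0.0.9", "dst_port": 445}, {"unusual_hour": True})
    p.process("log", {"source": "10.0.0.3"}, {})
    return p
```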

It should be noted that each of the above modules may be a functional module or a program module, and may be implemented in software or in hardware. For modules implemented in hardware, the above modules may reside in the same processor, or may be distributed across different processors in any combination.

In addition, in combination with the method for protecting a domain control terminal in the above embodiments, an embodiment of the present application may provide a computer-readable storage medium for implementing it. Computer program instructions are stored on the computer-readable storage medium; when executed by a processor, the computer program instructions implement any of the methods for protecting a domain control terminal in the above embodiments.

The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction between the combined technical features, such combinations should be regarded as within the scope of this specification.

The above embodiments represent only several implementations of the present application, and although they are described in relatively specific detail, they should not be construed as limiting the scope of the patent of the present application. It should be pointed out that a person of ordinary skill in the art may make a number of modifications and improvements without departing from the concept of the present application, and all of these fall within the protection scope of the present application. Therefore, the protection scope of the patent of the present application shall be subject to the appended claims.

Claims (10)

1. A protection method for a domain control terminal, characterized by comprising the following steps:
acquiring log information and traffic information of a domain control terminal;
determining first vulnerability characteristic information of the log information and second vulnerability characteristic information of the traffic information;
classifying the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and classifying the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, wherein the first classification result comprises one of the following: normal log information, suspicious log information and malicious log information, and the second classification result comprises one of the following: normal traffic information, suspicious traffic information and malicious traffic information; and
acquiring a first preset processing rule corresponding to the first classification result to process the log information, and acquiring a second preset processing rule corresponding to the second classification result to process the traffic information.
2. The method for protecting a domain control terminal according to claim 1, wherein after acquiring the log information and the traffic information of the domain control terminal, the method further comprises:
caching the log information and the traffic information separately in a Redis database.
3. The method for protecting a domain control terminal according to claim 1, wherein after classifying the first vulnerability characteristic information according to the first preset classification rule to obtain the first classification result and classifying the second vulnerability characteristic information according to the second preset classification rule to obtain the second classification result, the method further comprises:
caching the first classification result and the second classification result.
4. The method for protecting a domain control terminal according to claim 1, wherein the first classification result comprises suspicious log information and the second classification result comprises suspicious traffic information, and wherein acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information comprises:
raising an alarm for the suspicious log information and raising an alarm for the suspicious traffic information, wherein the first preset processing rule and the second preset processing rule both comprise alarm processing.
5. The method for protecting a domain control terminal according to claim 1, wherein the first classification result comprises malicious log information and the second classification result comprises malicious traffic information, and wherein acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information comprises:
acquiring a first operation address of the malicious log information and a second operation address of the malicious traffic information; and
blocking the first operation address and the second operation address, wherein the first preset processing rule and the second preset processing rule both comprise blocking processing.
6. The method for protecting a domain control terminal according to claim 1, wherein the first classification result comprises malicious log information and the second classification result comprises malicious traffic information, and wherein acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information comprises:
visualizing the malicious log information and the malicious traffic information, wherein the first preset processing rule and the second preset processing rule both comprise visualization processing.
7. The method for protecting a domain control terminal according to claim 1, wherein the first classification result comprises normal log information and the second classification result comprises normal traffic information, and wherein acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information comprises:
marking the normal log information and the normal traffic information, and releasing the normal log information and the normal traffic information, wherein the first preset processing rule and the second preset processing rule both comprise release processing.
8. A protection device for a domain control terminal, characterized by comprising:
an acquisition module, configured to acquire log information and traffic information of the domain control terminal;
a determining module, configured to determine first vulnerability characteristic information of the log information and second vulnerability characteristic information of the traffic information;
a classification module, configured to classify the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and to classify the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, wherein the first classification result comprises one of the following: normal log information, suspicious log information and malicious log information, and the second classification result comprises one of the following: normal traffic information, suspicious traffic information and malicious traffic information; and
a processing module, configured to acquire a first preset processing rule corresponding to the first classification result to process the log information and to acquire a second preset processing rule corresponding to the second classification result to process the traffic information.
9. A protection apparatus for a domain control terminal, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method for protecting a domain control terminal according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium on which a computer program is stored, the program implementing the method for protecting a domain control terminal according to any one of claims 1 to 7 when executed by a processor.
CN202011189940.1A 2020-10-30 2020-10-30 Protection method, device, equipment and computer readable storage medium for domain control terminal Active CN112350864B (en)


Publications (2)

Publication Number Publication Date
CN112350864A CN112350864A (en) 2021-02-09
CN112350864B true CN112350864B (en) 2022-07-22



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20210209

Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd.

Assignor: Dbappsecurity Co.,Ltd.

Contract record no.: X2024980043366

Denomination of invention: Protection methods, devices, equipment, and computer-readable storage media for domain control terminals

Granted publication date: 20220722

License type: Common License

Record date: 20241231
