CN110061854A - A kind of non-boundary network intelligence operation management method and system - Google Patents

Info

Publication number
CN110061854A
Authority
CN
China
Prior art keywords
network
time
information
real
situation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810047386.XA
Other languages
Chinese (zh)
Inventor
华东明
徐慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN201810047386.XA
Publication of CN110061854A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention discloses a borderless network intelligent operation and maintenance management method and system that actively, in real time, dynamically, accurately and systematically monitors the availability, performance and safety of terminals, servers and equipment in the mobile Internet, the Internet of Things and computer networks. The method comprises: actively monitoring host availability, performance and safety; caching and forwarding configuration and monitoring information; performing situation analysis on terminal, server and equipment data, self-learning, detecting and predicting network attacks, and backtracking the attack source; notifying of abnormal events in real time; executing response operations in real time; storing configuration, monitoring, alarm and log information; and centrally configuring and displaying host, monitoring and situation information. With the present invention, an active, real-time, dynamic, accurate and systematic borderless network deep operation and maintenance assurance management system can be built, providing an available, high-performance and safe network environment for network users.

Description

Boundary-free network intelligent operation and maintenance management method and system
Technical Field
The invention relates to the technical field of network and information security, in particular to a borderless network intelligent operation and maintenance management system under the environment of mobile internet, internet of things and computer network.
Background
With the rapid integration of computer networks, communication networks and the Internet of Things, and the rapid adoption of cloud computing technology, network structures are developing in the borderless direction of cloud, pipe and terminal. The cloud environment provides high-performance computing and large-scale data storage and holds ever more financial, enterprise and personal information, so its importance is increasingly evident. Terminal nodes are closest to users and store their transaction information and Internet browsing behavior. More and more hackers therefore target the cloud and terminal nodes. Because the traffic in the network keeps growing, the traffic and information in the pipe are fragmented, and private information is encrypted, network monitoring and response are difficult to implement in the pipe.
The invention relates to a boundary-free network intelligent operation and maintenance management system, which mainly comprises the following components: an active monitor, a situation analyzer, a real-time alarm, a real-time responder, an aggregator, a data storage and a manager.
Network operation and maintenance management systems have developed in two directions: the first is situation analysis systems based on big data; the second is threat detection systems based on abnormal network behavior. Situation analysis based on big data has the advantage of displaying network behavior in full view, but its correlation analysis models are not accurate enough, and as the data volume grows larger and larger the system performance becomes harder and harder to sustain. Threat detection systems based on abnormal network behavior have the advantage of being able to detect abnormal network behavior, but suffer from a high false alarm rate. Based on the initiative of management, the systematicness and accuracy of operation and maintenance, the dynamic nature of safety and the real-time nature of alarm response, the invention actively, dynamically, accurately and systematically monitors, in real time, the availability, performance and safety of the terminals, servers and equipment in the borderless network.
Disclosure of Invention
The core of the method of the invention is to overcome the defects of existing network operation and maintenance management systems and to provide a borderless network intelligent operation and maintenance management method and system. Based on the initiative of management, the systematicness and accuracy of operation and maintenance, the dynamic nature of safety and the real-time nature of alarm response, it actively, dynamically, accurately and systematically monitors, in real time, the availability, performance and safety of the terminals, servers and equipment in the borderless network, effectively ensures the usability, performance and safety of their hardware, system software and application software, and provides a usable, high-performance and safe network environment for network users.
The purpose of the invention is realized by the following technical scheme:
a boundary-free network intelligent operation and maintenance management method comprises the following steps:
A. the active monitor actively monitors the availability, performance and safety;
B. the aggregator caches, forwards configuration and monitoring information;
C. the situation analyzer performs situation analysis based on availability, performance and safety data of the terminal, the server and the equipment;
D. the situation analyzer uses the k-means clustering algorithm to self-learn the normal network behavior order and detect network attacks;
E. the situation analyzer predicts the network attack situation by using an exponential smoothing method and a threshold value;
F. the situation analyzer performs correlation analysis based on the time sequence, the behavior fingerprint and the network connection information, and backtracks the network attack source;
G. the real-time alarm informs operation and maintenance personnel of abnormal events in real time;
H. the real-time responder executes response operation in real time to solve the alarm problem;
I. storing configuration, monitoring, warning and log information by a data memory;
J. the manager performs centralized configuration, host display, monitoring and situation information.
Preferably, the step D includes:
d1, the k-means clustering algorithm is used to self-learn the network behavior information and obtain the network behavior order. The network behavior information comprises time, source IP address, destination IP address, source port, destination port, protocol number and behavior fingerprint. The k-means algorithm proceeds as follows: first, k of the n network behaviors are selected at random as the centers of k initial clusters C; the remaining network behaviors are then selected in turn, and each is assigned to the nearest cluster according to its similarity to the center of each cluster; then, the cluster center of each new cluster is recalculated; this process is repeated until the standard measure function converges; the time sequence of a final cluster corresponds to a normal network behavior order. The squared error is used as the standard measure function, which is defined as follows:
$E = \sum_{i=1}^{k} \sum_{p \in C_i} |p - m_i|^2$
where $E$ is the sum of the squared errors of all network hosts, $p$ is any network behavior, and $m_i$ is the center of cluster $C_i$;
d2, the network attack is detected according to the normal network behavior order: if the network behavior to be detected exists in the normal network behavior order, the network behavior is judged to be safe; otherwise, it is judged to be a network attack.
Preferably, the step E includes:
e1, adopting the average value of the prior data as an initial value;
e2, selecting a smoothing coefficient α, taking a value of α between 0.05 and 0.20 when the network behavior sequence shows a relatively stable horizontal trend, taking a value of α between 0.1 and 0.4 when the network behavior sequence fluctuates but the long-term trend changes little, and selecting a value of α between 0.6 and 0.8 when the network behavior sequence fluctuates greatly, the long-term trend changes in a large amplitude and shows an obvious and rapid rising or falling trend;
e3, the network situation is predicted by the exponential smoothing method, whose prediction formula is as follows:
$S_t = \alpha Y_{t-1} + (1-\alpha) S_{t-1}$
where $S_t$ is the predicted value of the network situation at time t, $S_{t-1}$ is the predicted value of the network situation at time t-1, $Y_{t-1}$ is the actual value of the network situation at time t-1, and $\alpha$ is the smoothing coefficient;
e4, if the network situation prediction values $S_{t-2}$, $S_{t-1}$ and $S_t$ at times t-2, t-1 and t are all greater than the threshold value, the network situation is a network attack situation.
Preferably, the step F includes:
f1, similarity analysis is performed on the network attack behaviors against the target machine based on time and behavior fingerprints, and the network attack behaviors with the same target IP address, the same target port and different source IP addresses within a period of time are classified together, wherein the behavior fingerprints comprise database fingerprints, SSH fingerprints, Web fingerprints and mail fingerprints, and the Web fingerprints comprise SQL injection fingerprints, XSS fingerprints, directory traversal fingerprints, Webshell fingerprints and weak password guessing fingerprints;
f2, association analysis is performed on the puppet machine based on the time sequence and network connection information to trace back the IP address of the upper puppet machine, and this operation is repeated until the final source IP address is reached, which is the attack source.
A borderless network intelligent operation and maintenance management system is characterized by comprising:
the active monitors comprise a local active monitor and a remote active monitor, and can perform availability monitoring, performance monitoring and safety monitoring, wherein the local active monitor can periodically acquire data or states of hardware, software and logs, and the remote active monitor can periodically acquire states of a host and network services;
the aggregator comprises an aggregator client and an aggregation server, and can cache and forward configuration and monitoring information, wherein the aggregation server caches the configuration information and the grouping aggregation monitoring data and forwards the grouping aggregation monitoring data across a network, and the aggregator client forwards the configuration information, classifies the data and stores the data into a data storage;
the situation analyzer can analyze the situations of availability, performance and safety data, the safety situation analysis comprises host safety analysis and network safety analysis, the host safety situation analysis comprises vulnerability analysis, software behavior analysis, user behavior analysis, attack behavior analysis and risk analysis, and the network safety situation analysis comprises self-learning of normal network behavior order, network attack detection, network attack situation prediction and network attack source backtracking;
the real-time alarm can inform the operation and maintenance personnel of abnormal events in a screen, short message and mail mode;
the real-time responder comprises a real-time response client and a real-time response server, wherein the real-time response client remotely sends an operation and response command, and the real-time response server executes operation and emergency response, and can perform software upgrading and uninstalling, backup and recovery, configuration change, policy reinforcement, Trojan horse process termination and malicious code deletion;
the data storage can store configuration information, monitoring information, alarm information and log information;
the manager comprises information display, alarm response management, configuration management and system management, and can be used for centrally inputting and displaying monitored host information, configuring, displaying monitoring and situation analysis information, wherein the information display comprises list display, graph display and association display.
Firstly, the manager configures the information, monitoring information and response commands of a monitored host, and issues the monitoring information to the active monitor on the monitored host through the aggregator. Then the active monitor periodically acquires the data or states of hardware, software, configuration files and logs and sends them to the aggregation server. The aggregation server groups, summarizes and caches the monitoring data, and the aggregator client periodically acquires the cached data, classifies the monitoring data and stores it in the data storage. The situation analyzer periodically reads the monitoring data from the data storage, performs threshold comparison and statistical analysis, induces the situation therein, and, if an abnormal situation occurs, sends the abnormal event information to the real-time alarm and the real-time responder client. The real-time alarm informs the operation and maintenance personnel by screen, short message and mail. The real-time responder client remotely sends the corresponding response command to the real-time responder server on the monitored host, and the real-time responder server executes the received command, including software upgrading and uninstalling, backup and recovery, configuration change, policy reinforcement, Trojan horse process termination and malicious code deletion. The manager periodically reads the monitoring data from the data storage and displays it in list, graph or association mode.
It can be seen from the system scheme provided by the invention that the invention overcomes the defects of the existing network operation and maintenance management systems and provides a boundary-free network intelligent operation and maintenance management method and system which, based on the initiative of management, the systematicness and accuracy of operation and maintenance, the dynamic nature of safety and the real-time nature of alarm response, actively, dynamically, accurately and systematically monitor the availability, performance and safety of the terminals, servers and equipment in the boundary-free network, so that their availability, performance and safety can be maintained accurately, quickly and systematically, the usability, performance and safety of the hardware, system software and application software of the terminals, servers and equipment in the boundary-free network are effectively ensured, and a usable, high-performance and safe network environment is provided for network users.
Drawings
FIG. 1 is a schematic diagram of the network organization of a borderless network intelligent operation and maintenance management system;
FIG. 2 is a schematic diagram of the system architecture of the process of the present invention;
FIG. 3 is a main flow diagram of the method of the present invention;
FIG. 4 is a flow chart of the method of the present invention for self-learning normal network behavior order and detecting network attacks;
FIG. 5 is a flow chart of a method of predicting a network attack situation of the present invention;
FIG. 6 is a flowchart of a backtracking network attack source of the method of the present invention.
Detailed Description
The core of the method of the invention is to overcome the defects of existing network operation and maintenance management systems and to provide a borderless network intelligent operation and maintenance management method and system. Based on the initiative of management, the systematicness and accuracy of operation and maintenance, the dynamic nature of safety and the real-time nature of alarm response, it actively, dynamically, accurately and systematically monitors, in real time, the availability, performance and safety of the terminals, servers and equipment in the borderless network, effectively ensures the usability, performance and safety of their hardware, system software and application software, and provides a usable, high-performance and safe network environment for network users.
The work flow of the borderless intelligent network operation and maintenance management system is as follows:
firstly, the manager configures the information, monitoring information and response commands of a monitored host, and issues the monitoring information to the active monitor on the monitored host through the aggregator. Then the active monitor periodically acquires the data or states of hardware, software, configuration files and logs and sends them to the aggregation server. The aggregation server groups, summarizes and caches the monitoring data, and the aggregator client periodically acquires the cached data, classifies the monitoring data and stores it in the data storage. The situation analyzer periodically reads the monitoring data from the data storage, performs threshold comparison and statistical analysis, induces the situation therein, and, if an abnormal situation occurs, sends the abnormal event information to the real-time alarm and the real-time responder client. The real-time alarm informs the operation and maintenance personnel by screen, short message and mail. The real-time responder client remotely sends the corresponding response command to the real-time responder server on the monitored host, and the real-time responder server executes the received command, including software upgrading and uninstalling, backup and recovery, configuration change, policy reinforcement, Trojan horse process termination and malicious code deletion. The manager periodically reads the monitoring data from the data storage and displays it in list, graph or association mode.
The network structure of the borderless network intelligent operation and maintenance management system is shown in fig. 1. Wherein,
a network environment comprising a terminal, an entity or a virtual server, an entity or a virtual device;
the borderless network intelligent operation and maintenance management system comprises an active monitor, an aggregator, a situation analyzer, a real-time alarm, a real-time responder, a manager and a data memory;
the internet, including routers and switches, may carry and route network traffic.
The system structure of the method of the present invention is described in detail below with reference to fig. 2:
the active monitors comprise a local active monitor and a remote active monitor, and can perform availability monitoring, performance monitoring and safety monitoring, wherein the local active monitor can periodically acquire data or states of hardware, software and logs, and the remote active monitor can periodically acquire states of a host and network services;
the aggregator comprises an aggregator client and an aggregation server, and can cache and forward configuration and monitoring information, wherein the aggregation server caches the configuration information and the grouping aggregation monitoring data and forwards the grouping aggregation monitoring data across a network, and the aggregator client forwards the configuration information, classifies the data and stores the data into a data storage;
the situation analyzer can analyze the situations of availability, performance and safety data, the safety situation analysis comprises host safety analysis and network safety analysis, the host safety situation analysis comprises vulnerability analysis, software behavior analysis, user behavior analysis, attack behavior analysis and risk analysis, and the network safety situation analysis comprises self-learning of normal network behavior order, network attack detection, network attack situation prediction and network attack source backtracking;
the real-time alarm can inform the operation and maintenance personnel of abnormal events in a screen, short message and mail mode;
the real-time responder comprises a real-time response client and a real-time response server, wherein the real-time response client remotely sends an operation and response command, and the real-time response server executes operation and emergency response, and can perform software upgrading and uninstalling, backup and recovery, configuration change, policy reinforcement, Trojan horse process termination and malicious code deletion;
the data storage can store configuration information, monitoring information, alarm information and log information;
the manager comprises information display, alarm response management, configuration management and system management, and can be used for centrally inputting and displaying monitored host information, configuring, displaying monitoring and situation analysis information, wherein the information display comprises list display, graph display and association display.
In order that those skilled in the art will better understand the present invention, the present invention will be described in further detail below with reference to the flowchart shown in fig. 3. The method comprises the following steps:
step 301: the manager configures assets, monitors, alarms, responses, displays and system information and stores the information;
step 302: the active monitor obtains the monitoring configuration information through the aggregator;
step 303: the active monitor actively monitors the availability, performance and safety;
step 304: the aggregator forwards the monitoring information;
step 305: the situation analyzer performs situation analysis based on availability, performance and safety data of the terminal, the server and the equipment;
step 306: the situation analyzer uses the k-means clustering algorithm to self-learn the normal network behavior order and detect network attacks;
step 307: the situation analyzer predicts the network attack situation by using an exponential smoothing method and a threshold value;
step 308: the situation analyzer performs correlation analysis based on the time sequence, the behavior fingerprint and the network connection information, and backtracks the network attack source;
step 309: judging whether an abnormal event exists; if so,
step 310: the real-time alarm informs operation and maintenance personnel of abnormal events in real time;
step 311: the real-time responder executes response operation in real time to solve the alarm problem;
step 312: storing configuration, monitoring, warning and log information by a data memory;
step 313: if no abnormal event exists, the manager performs centralized configuration, host display, monitoring and situation information.
The present invention is further described in detail below with reference to the flow chart shown in fig. 4. The method comprises the following steps:
step 401: the k-means clustering algorithm is used to self-learn the network behavior information and obtain the network behavior order. The network behavior information comprises time, source IP address, destination IP address, source port, destination port, protocol number and behavior fingerprint. The k-means algorithm proceeds as follows: first, k of the n network behaviors are selected at random as the centers of k initial clusters C; the remaining network behaviors are then selected in turn, and each is assigned to the nearest cluster according to its similarity to the center of each cluster; then, the cluster center of each new cluster is recalculated; this process is repeated until the standard measure function converges; the time sequence of a final cluster corresponds to a normal network behavior order. The squared error is used as the standard measure function, which is defined as follows:
$E = \sum_{i=1}^{k} \sum_{p \in C_i} |p - m_i|^2$
where $E$ is the sum of the squared errors of all network hosts, $p$ is any network behavior, and $m_i$ is the center of cluster $C_i$;
step 402: the network attack is detected according to the normal network behavior order; if the network behavior to be detected exists in the normal network behavior order, then
step 403: the network behavior is secure;
step 404: otherwise, the network behavior is a network attack.
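The k-means self-learning and detection of steps d1/d2 and steps 401 to 404, carried through as an added Python example that is not code from the patent. The numeric encoding of the seven record fields, the min-max scaling, the choice of the lowest-E run among random restarts, and the cluster-radius test used for "exists in the normal network behavior order" are all assumptions made here; the training records are constructed.

```python
import ipaddress
import random
from statistics import mean

# Behavior fingerprint categories named in the patent, mapped to integers (mapping assumed here).
FINGERPRINT_ID = {"web": 0, "ssh": 1, "db": 2, "mail": 3, "sqli": 4,
                  "xss": 5, "dirtrav": 6, "webshell": 7, "weakpw": 8}


def rec(time, src_ip, dst_ip, src_port, dst_port, proto, fingerprint):
    """One network behavior record with the seven fields listed in step d1."""
    return {"time": time, "src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "proto": proto, "fingerprint": fingerprint}


def encode(r):
    """Numeric vector for a record; time is hour of day and IPs become integers (assumed)."""
    return [float(r["time"]),
            float(int(ipaddress.ip_address(r["src_ip"]))),
            float(int(ipaddress.ip_address(r["dst_ip"]))),
            float(r["src_port"]), float(r["dst_port"]), float(r["proto"]),
            float(FINGERPRINT_ID[r["fingerprint"]])]


def make_scaler(vectors):
    """Min-max scale each column so the 32-bit IP integers do not dominate the
    distance; the patent does not specify a scaling, this one is assumed."""
    cols = list(zip(*vectors))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return lambda v: [(x - l) / s for x, l, s in zip(v, lo, span)]


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points, k, seed=0, max_iter=100):
    """Step d1: k random behaviors seed the clusters, every behavior joins its
    nearest center, centers are recomputed, repeated until E stops changing."""
    rng = random.Random(seed)
    centers = [list(p) for p in rng.sample(points, k)]
    prev_e = None
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: sq_dist(p, centers[i]))].append(p)
        for i, members in enumerate(clusters):
            if members:  # an empty cluster keeps its previous center
                centers[i] = [mean(col) for col in zip(*members)]
        # standard measure function E = sum_i sum_{p in C_i} |p - m_i|^2
        e = sum(sq_dist(p, centers[i]) for i, members in enumerate(clusters) for p in members)
        if prev_e is not None and abs(prev_e - e) < 1e-12:
            break
        prev_e = e
    return centers, clusters, e


def learn_normal_order(records, k, restarts=5):
    """Run k-means from several random seeds and keep the lowest E; the normal
    order is the list of (center, radius) with radius = farthest member (assumed)."""
    scale = make_scaler([encode(r) for r in records])
    points = [scale(encode(r)) for r in records]
    centers, clusters, e = min((kmeans(points, k, seed=s) for s in range(restarts)),
                               key=lambda result: result[2])
    order = [(c, max([sq_dist(p, c) ** 0.5 for p in members] or [0.0]))
             for c, members in zip(centers, clusters)]
    return {"scale": scale, "order": order, "E": e, "sizes": [len(m) for m in clusters]}


def detect(r, model, min_radius=0.05):
    """Step d2 / 402-404: a behavior within some learned cluster is 'safe',
    anything outside every cluster is reported as a network attack."""
    v = model["scale"](encode(r))
    for center, radius in model["order"]:
        if sq_dist(v, center) ** 0.5 <= max(radius, min_radius) + 1e-9:
            return "safe"
    return "attack"


# Constructed training data: workstations browsing an internal web server and
# admin hosts querying a database server during working hours.
NORMAL_RECORDS = (
    [rec(9 + i, f"10.0.1.{10 + i}", "10.0.9.5", 50000 + i, 443, 6, "web") for i in range(5)]
    + [rec(9 + i, f"10.0.2.{20 + i}", "10.0.9.8", 40000 + i, 3306, 6, "db") for i in range(3)]
)
MODEL = learn_normal_order(NORMAL_RECORDS, k=2)

SAFE_RECORD = rec(10, "10.0.1.12", "10.0.9.5", 50002, 443, 6, "web")
# Same host and service as the normal traffic, but carrying an SQL injection fingerprint.
ATTACK_RECORD = rec(10, "10.0.1.13", "10.0.9.5", 50003, 443, 6, "sqli")

if __name__ == "__main__":
    print("clusters:", MODEL["sizes"], "E =", round(MODEL["E"], 4))
    for r in (SAFE_RECORD, ATTACK_RECORD):
        print(r["fingerprint"], "->", detect(r, MODEL))
```

With the two well-separated training groups the lowest-E run always recovers the 5/3 split, so the "exists in the normal order" test reduces to a distance check against the learned cluster radius.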
The present invention is further described in detail below with reference to the flow chart shown in fig. 5. The method comprises the following steps:
step 501: adopting the average value of the prior data as an initial value;
step 502: a smoothing coefficient α is selected: α takes a value between 0.05 and 0.20 when the network behavior sequence shows a relatively stable horizontal trend, between 0.1 and 0.4 when the sequence fluctuates but the long-term trend changes little, and between 0.6 and 0.8 when the sequence fluctuates greatly, the long-term trend changes with large amplitude and shows an obvious and rapid rising or falling trend;
step 503: the network situation is predicted by the exponential smoothing method, whose prediction formula is as follows:
$S_t = \alpha Y_{t-1} + (1-\alpha) S_{t-1}$
where $S_t$ is the predicted value of the network situation at time t, $S_{t-1}$ is the predicted value of the network situation at time t-1, $Y_{t-1}$ is the actual value of the network situation at time t-1, and $\alpha$ is the smoothing coefficient;
step 504: if the predicted values $S_{t-2}$, $S_{t-1}$ and $S_t$ of the network situation at times t-2, t-1 and t are all greater than the threshold value, then
Step 505: the network situation is a network attack situation;
step 506: otherwise, the network situation is a normal network situation.
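Steps e1 to e4 (501 to 506) carried through on a constructed series, as an added Python example rather than the patent's own code; the warm-up length, the two α values and the threshold are assumptions chosen here within the ranges the text gives.

```python
from statistics import mean


def smooth_predict(actuals, alpha, warmup):
    """Steps e1 and e3: S at index `warmup` is the mean of the first `warmup`
    actual values (the prior data); afterwards S_t = alpha*Y_{t-1} + (1-alpha)*S_{t-1}.
    Returns a list s with s[t] = S_t (None before the warm-up ends); its last entry
    is the one-step-ahead prediction beyond the observed data."""
    if not 0 < alpha < 1 or warmup < 1 or warmup > len(actuals):
        raise ValueError("alpha must lie in (0, 1) and warmup within the series")
    s = [None] * warmup + [mean(actuals[:warmup])]
    for t in range(warmup + 1, len(actuals) + 1):
        s.append(alpha * actuals[t - 1] + (1 - alpha) * s[t - 1])
    return s


def attack_state(s, threshold):
    """Step e4 / 504-506: the first time t at which S_{t-2}, S_{t-1} and S_t all
    exceed the threshold, i.e. the network situation becomes an attack situation;
    None when the situation stays normal."""
    for t in range(2, len(s)):
        window = s[t - 2:t + 1]
        if all(v is not None and v > threshold for v in window):
            return t
    return None


# Constructed situation metric: connections per minute to one server. Eight quiet
# minutes, then a rapid rise such as a flood or brute-force burst would produce.
ACTUALS = [20, 22, 19, 21, 20, 23, 21, 20, 60, 95, 140, 160, 180, 190]
WARMUP = 5          # the first five values are the prior data for S_5 (assumed)
THRESHOLD = 50      # alarm threshold (assumed)

# Step e2: alpha 0.6-0.8 for a sharply rising series, 0.05-0.20 for a stable one.
S_FAST = smooth_predict(ACTUALS, alpha=0.7, warmup=WARMUP)
S_SLOW = smooth_predict(ACTUALS, alpha=0.1, warmup=WARMUP)

if __name__ == "__main__":
    for name, s in (("alpha=0.7", S_FAST), ("alpha=0.1", S_SLOW)):
        preds = ", ".join(f"{v:.1f}" for v in s[WARMUP:])
        print(f"{name}: S_5.. = {preds}; attack state at t={attack_state(s, THRESHOLD)}")
```

On this series the α=0.7 predictor enters the attack state at t=12 while the α=0.1 predictor lags to t=14, which is why step e2 ties α to the trend of the sequence.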
The present invention is further described in detail below with reference to the flow chart shown in fig. 6. The method comprises the following steps:
step 601: analyzing similarity of network attack behaviors on a target computer based on time and behavior fingerprints, and classifying the network attack behaviors with the same target IP address, the same target port and the different source IP addresses in a period of time, wherein the behavior fingerprints comprise database fingerprints, SSH fingerprints, Web fingerprints and mail fingerprints, and the Web fingerprints comprise SQL injection fingerprints, XSS fingerprints, directory traversal fingerprints, Webshell fingerprints and weak password guess fingerprints;
step 602: performing association analysis on the puppet machine based on the timing sequence and the network connection information, backtracking the IP address of the upper puppet machine, and repeating the operation;
step 603: judging whether the source IP address is the final source IP address; if so,
step 604: the source IP address is the source of the attack.
While the present invention has been described with respect to the embodiments, those skilled in the art will appreciate that there are numerous variations and permutations of the present invention without departing from the spirit of the invention, and it is intended that the appended claims cover such variations and modifications as fall within the true spirit of the invention.

Claims (5)

1. A borderless network intelligent operation and maintenance management method is characterized by comprising the following steps:
A. the active monitor actively monitors the availability, performance and safety;
B. the aggregator caches, forwards configuration and monitoring information;
C. the situation analyzer performs situation analysis based on availability, performance and safety data of the terminal, the server and the equipment;
D. the situation analyzer uses a k-means clustering algorithm to self-learn the normal network behavior order and detect network attacks;
E. the situation analyzer predicts the network attack situation by using an exponential smoothing method and a threshold value;
F. the situation analyzer performs correlation analysis based on the time sequence, the behavior fingerprint and the network connection information, and backtracks the network attack source;
G. the real-time alarm informs operation and maintenance personnel of abnormal events in real time;
H. the real-time responder executes response operation in real time to solve the alarm problem;
I. storing configuration, monitoring, warning and log information by a data memory;
J. the manager centrally configures and displays host, monitoring and situation information.
2. The intelligent operation and maintenance management method for borderless networks according to claim 1, wherein the step D comprises:
d1, using the k-means clustering algorithm to self-learn the network behavior information and obtain the network behavior order, where the network behavior information comprises time, source IP address, destination IP address, source port, destination port, protocol number and behavior fingerprint; the k-means algorithm processing procedure is as follows: first, k network behaviors are randomly selected from the n network behaviors as the centers of the initial clusters C; the remaining network behaviors are selected in turn, and each is assigned to the nearest cluster according to its similarity to the cluster centers; then the clustering center of each new cluster is recalculated; this process is repeated until the standard measure function converges; the time sequence of a final cluster corresponds to a normal network behavior order;
the squared error is used as a standard measure function, which is defined as follows:
$E = \sum_{i=1}^{k} \sum_{p \in C_i} |p - m_i|^2$
where $E$ is the sum of the squared errors of all network hosts, $p$ is any one of the network behaviors, and $m_i$ is the center of cluster $C_i$;
d2, detecting the network attack according to the normal network behavior order, and if the network behavior to be detected exists in the normal network behavior order, judging that the network behavior is safe; otherwise, the network behavior is judged to be the network attack.
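Steps d1 and d2 (and step D of claim 1) carried out in code, as an added Python example that is not part of the patent. The numeric encoding of a behavior as (hour, destination port, protocol number, fingerprint id), the Euclidean similarity, and the rule that a behavior "exists in the normal order" when it lies within a learned cluster radius are assumptions made here:

```python
import random
from typing import List, Tuple

Vector = Tuple[float, ...]  # one behavior encoded as (hour, dst_port, proto, fingerprint_id)

def sq_dist(a: Vector, b: Vector) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans(points: List[Vector], k: int, seed: int = 0, max_iter: int = 100):
    """k-means as in step d1: k random behaviors become the initial centers, every
    behavior joins its nearest center, centers are recomputed, and this repeats
    until the measure E = sum_i sum_{p in C_i} |p - m_i|^2 stops changing."""
    rng = random.Random(seed)
    centers = [points[i] for i in rng.sample(range(len(points)), k)]
    prev_e = None
    for _ in range(max_iter):
        clusters: List[List[Vector]] = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: sq_dist(p, centers[i]))].append(p)
        for i, members in enumerate(clusters):
            if members:  # an empty cluster keeps its previous center
                centers[i] = tuple(sum(col) / len(members) for col in zip(*members))
        e = sum(sq_dist(p, centers[i]) for i, ms in enumerate(clusters) for p in ms)
        if prev_e is not None and abs(prev_e - e) < 1e-9:
            break
        prev_e = e
    return centers, clusters, e

class NormalOrder:
    """The learned normal network behavior order (d1) plus the detector of d2.
    Assumption (ours, not the patent's): a behavior 'exists in the order' when it is
    no farther from some center than that cluster's farthest training member."""
    def __init__(self, behaviors: List[Vector], k: int, seed: int = 0):
        self.centers, clusters, self.error = kmeans(behaviors, k, seed)
        self.radius = [max((sq_dist(p, c) for p in ms), default=0.0)
                       for c, ms in zip(self.centers, clusters)]

    def is_normal(self, behavior: Vector) -> bool:
        return any(sq_dist(behavior, c) <= r + 1e-9
                   for c, r in zip(self.centers, self.radius))

# Constructed sample: morning SSH administration and afternoon HTTPS traffic.
TRAINING = [(9, 22, 6, 0), (10, 22, 6, 0), (11, 22, 6, 0),
            (14, 443, 6, 0), (15, 443, 6, 0), (16, 443, 6, 0)]
MODEL = NormalOrder(TRAINING, k=2)

if __name__ == "__main__":
    print("E =", MODEL.error)                # 4.0
    print(MODEL.is_normal((10, 22, 6, 0)))   # True
    print(MODEL.is_normal((3, 3306, 6, 5)))  # False: 03:00 MySQL access, SQL-injection fingerprint id
```

With two well-separated groups the clustering converges to the same partition whatever the random initial centers, so the error value and the detector's verdicts are reproducible.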
3. The intelligent operation and maintenance management method for borderless networks according to claim 1, wherein the step E comprises:
e1, adopting the average value of the prior data as an initial value;
e2, selecting a smoothing coefficient α, taking a value of α between 0.05 and 0.20 when the network behavior sequence shows a relatively stable horizontal trend, taking a value of α between 0.1 and 0.4 when the network behavior sequence fluctuates but the long-term trend changes little, and selecting a value of α between 0.6 and 0.8 when the network behavior sequence fluctuates greatly, the long-term trend changes in a large amplitude and shows an obvious and rapid rising or falling trend;
e3, adopting an exponential smoothing method to predict the network situation, wherein the prediction formula is as follows
$S_t = \alpha Y_{t-1} + (1-\alpha) S_{t-1}$
where $S_t$ is the predicted value of the network situation at time t, $S_{t-1}$ is the predicted value of the network situation at time t-1, $Y_{t-1}$ is the actual value of the network situation at time t-1, and $\alpha$ is a smoothing coefficient;
e4, if the network situation prediction values at times t-2, t-1 and t, $S_{t-2}$, $S_{t-1}$ and $S_t$, are all larger than the threshold value, the network situation is a network attack situation.
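The exponential smoothing predictor and the three-consecutive-threshold rule of steps 501 to 506 and claim 3 (e1 to e4), as an added Python example that is not part of the patent. The meaning of the situation value (suspicious connections per minute), the sample series, the threshold, and the choice of the midpoint of each stated alpha range are assumptions made here:

```python
from statistics import mean
from typing import List

# Alpha ranges stated in step e2; returning the midpoint of a range is our choice.
ALPHA_RANGES = {"stable": (0.05, 0.20), "fluctuating": (0.1, 0.4), "volatile": (0.6, 0.8)}

def choose_alpha(trend: str) -> float:
    low, high = ALPHA_RANGES[trend]
    return (low + high) / 2

def smooth(prior: List[float], observed: List[float], alpha: float) -> List[float]:
    """Single exponential smoothing of the network situation value.
    S_0 is the mean of the prior data (step e1); afterwards
    S_t = alpha * Y_{t-1} + (1 - alpha) * S_{t-1} (step e3).
    Returns [S_0, S_1, ..., S_n] for n observed values."""
    s = [mean(prior)]
    for y_prev in observed:
        s.append(alpha * y_prev + (1 - alpha) * s[-1])
    return s

def attack_windows(predictions: List[float], threshold: float) -> List[int]:
    """Step e4: time t is an attack situation when the predicted values at
    t-2, t-1 and t all exceed the threshold. Returns every flagged t."""
    return [t for t in range(2, len(predictions))
            if all(v > threshold for v in predictions[t - 2:t + 1])]

# Constructed sample: suspicious connections per minute on one monitored server.
PRIOR = [10, 10, 10, 10]                 # quiet history, so S_0 = 10
OBSERVED = [10, 10, 100, 100, 100, 100]  # a burst begins at Y_2
ALPHA = choose_alpha("volatile")         # 0.7: large, rapid rise
THRESHOLD = 50

def run():
    """Predictions for the sample and the times flagged as attack situations."""
    preds = smooth(PRIOR, OBSERVED, ALPHA)
    return preds, attack_windows(preds, THRESHOLD)

if __name__ == "__main__":
    preds, flagged = run()
    print([round(p, 2) for p in preds])  # [10, 10, 10, 73.0, 91.9, 97.57, 99.27]
    print(flagged)                       # [5, 6]
```

A single spike that drops again (e.g. 60, 60, 40, 60, 60 against a threshold of 50) is never flagged, which is the smoothing's purpose: one noisy interval does not raise an alarm.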
4. The intelligent operation and maintenance management method for borderless networks according to claim 1, wherein the step F comprises:
f1, performing similarity analysis on network attack behaviors on the target machine based on time and behavior fingerprints, and classifying the network attack behaviors with the same target IP address, the same target port and the different source IP addresses in a period of time, wherein the behavior fingerprints comprise database fingerprints, SSH fingerprints, Web fingerprints and mail fingerprints, and the Web fingerprints comprise SQL injection fingerprints, XSS fingerprints, directory traversal fingerprints, Webshell fingerprints and weak password guessed fingerprints;
f2, performing association analysis on the puppet machine based on the timing and network connection information, tracing back the IP address of the upper puppet machine, and repeating the above operation until the final source IP address, which is the attack source.
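Steps f1 and f2 (and steps 601 to 604) as a defender's attribution routine over captured attack and connection records, an added Python example that is not part of the patent. The record layouts, the fixed-length time buckets used for "a period of time", and the association rule that the latest inbound connection to a puppet before its attack identifies its upper puppet are assumptions made here:

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

class Attack(NamedTuple):
    t: int              # seconds on a constructed timeline
    src: str
    dst: str
    dport: int
    fingerprint: str    # behavior fingerprint label, e.g. "sqli", "weak-password"

class Conn(NamedTuple):
    t: int
    src: str
    dst: str

GroupKey = Tuple[str, int, int]  # (target IP, target port, time bucket)

def group_attacks(attacks: List[Attack], window: int) -> Dict[GroupKey, List[Attack]]:
    """Step f1: attacks on the same target IP and port within one `window`-second
    bucket, from different source IPs, form one group (one record per source)."""
    groups: Dict[GroupKey, List[Attack]] = defaultdict(list)
    for a in sorted(attacks, key=lambda a: a.t):
        members = groups[(a.dst, a.dport, a.t // window)]
        if all(m.src != a.src for m in members):
            members.append(a)
    return dict(groups)

def upstream(host: str, before: int, conns: List[Conn]) -> Optional[Conn]:
    """Assumed association rule (ours, not the patent's): the latest inbound
    connection to `host` before time `before` comes from the host controlling it."""
    inbound = [c for c in conns if c.dst == host and c.t < before]
    return max(inbound, key=lambda c: c.t) if inbound else None

def trace_source(puppet: str, attack_time: int, conns: List[Conn]) -> str:
    """Step f2: climb from puppet to upper puppet until no upstream host exists;
    a host already visited ends the walk so a connection cycle cannot loop."""
    seen, host, t = {puppet}, puppet, attack_time
    while True:
        c = upstream(host, t, conns)
        if c is None or c.src in seen:
            return host
        seen.add(c.src)
        host, t = c.src, c.t

def attack_sources(attacks: List[Attack], conns: List[Conn],
                   window: int) -> Dict[GroupKey, Set[str]]:
    """Final source IP addresses found for every attack group."""
    return {key: {trace_source(a.src, a.t, conns) for a in members}
            for key, members in group_attacks(attacks, window).items()}

# Constructed sample: two puppets hit one web server, both steered from one controller.
ATTACKS = [Attack(1000, "10.0.0.5", "192.0.2.10", 443, "sqli"),
           Attack(1010, "10.0.0.6", "192.0.2.10", 443, "sqli"),
           Attack(1020, "10.0.0.5", "192.0.2.10", 443, "sqli"),
           Attack(5000, "10.0.0.7", "192.0.2.10", 22, "weak-password")]
CONNS = [Conn(600, "10.0.1.1", "203.0.113.9"), Conn(800, "203.0.113.9", "10.0.1.1"),
         Conn(900, "10.0.1.1", "10.0.0.5"), Conn(950, "10.0.1.1", "10.0.0.6")]
```

For the sample, `attack_sources(ATTACKS, CONNS, 100)` resolves both SQL-injection puppets to the same final source 203.0.113.9, while the isolated weak-password attempt with no inbound connection history stays attributed to 10.0.0.7.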
5. An intelligent borderless network operation and maintenance management system, comprising:
the active monitors comprise a local active monitor and a remote active monitor, and can actively perform availability monitoring, performance monitoring and safety monitoring, wherein the local active monitor can periodically acquire data or states of hardware, software and logs, and the remote active monitor can periodically acquire states of a host and network services;
the aggregator comprises an aggregator client and an aggregation server, and can cache and forward configuration and monitoring information, wherein the aggregation server caches the configuration information and the grouping aggregation monitoring data and forwards the grouping aggregation monitoring data across a network, and the aggregator client forwards the configuration information, classifies the data and stores the data into a data storage;
the situation analyzer can analyze the situations of availability, performance and safety data, the safety situation analysis comprises host safety analysis and network safety analysis, the host safety situation analysis comprises vulnerability analysis, software behavior analysis, user behavior analysis, attack behavior analysis and risk analysis, and the network safety situation analysis comprises self-learning of normal network behavior order, network attack detection, network attack situation prediction and network attack source backtracking;
the real-time alarm can inform the operation and maintenance personnel of abnormal events in a screen, short message and mail mode;
the real-time responder comprises a real-time response client and a real-time response server, wherein the real-time response client remotely sends an operation and response command in real time, and the real-time response server executes operation and emergency response in real time, so that software upgrading and unloading, backup and recovery, configuration change, policy reinforcement, Trojan horse process termination and malicious code deletion can be performed;
the data storage can store configuration information, monitoring information, alarm information and log information;
the manager comprises information display, alarm response management, asset management, configuration management and system management, and can be used for centrally inputting and displaying monitored host information, configuring, and displaying monitoring and situation analysis information, wherein the information display comprises list display, graph display and associated display.
Firstly, the manager configures information, monitoring information and response commands of a monitored host, and issues the monitoring information to an active monitor on the monitored host through an aggregator; then, the active monitor periodically acquires data or states of hardware, software, configuration files and logs and sends the data or states to the convergence server; the aggregation server side groups, summarizes and caches the monitoring data, and the aggregator client side periodically acquires the cached data, classifies the monitoring data and stores the monitoring data into the data storage; the situation analyzer reads monitoring data from the data storage periodically to perform threshold comparison and statistical analysis, induces the situation therein, and sends abnormal event information to the real-time alarm and the real-time responder client if the abnormal situation occurs; the real-time alarm informs the operation and maintenance personnel in a screen, short message and mail mode; the real-time responder client remotely sends a corresponding response command to a real-time responder server on the monitored host, and the real-time responder server executes the received command, including software upgrading and uninstalling, backup and recovery, configuration change, policy reinforcement, Trojan horse process termination and malicious code deletion; the manager periodically reads the monitoring data from the data storage to display in a list, a graph or an associated mode.
CN201810047386.XA 2018-01-18 2018-01-18 A kind of non-boundary network intelligence operation management method and system Pending CN110061854A (en)

Publications (1)

Publication Number Publication Date
CN110061854A true CN110061854A (en) 2019-07-26

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021057382A1 (en) * 2019-09-23 2021-04-01 中兴通讯股份有限公司 Abnormality detection method and apparatus, terminal, and storage medium
US12063528B2 (en) 2019-09-23 2024-08-13 Xi'an Zhongxing New Software Co., Ltd. Anomaly detection method and device, terminal and storage medium
CN113556309A (en) * 2020-04-23 2021-10-26 中国电信股份有限公司 Method for predicting attack scale
CN112104618A (en) * 2020-08-27 2020-12-18 深信服科技股份有限公司 Information determination method, information determination device and computer readable storage medium
WO2023071761A1 (en) * 2021-10-29 2023-05-04 深圳前海微众银行股份有限公司 Anomaly positioning method and device

Legal Events

Date Code Title Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190726