CN114401126B - Interface security monitoring method and device - Google Patents
Interface security monitoring method and device Download PDFInfo
- Publication number
- CN114401126B CN114401126B CN202111652066.5A CN202111652066A CN114401126B CN 114401126 B CN114401126 B CN 114401126B CN 202111652066 A CN202111652066 A CN 202111652066A CN 114401126 B CN114401126 B CN 114401126B
- Authority
- CN
- China
- Prior art keywords
- sensitivity
- interface
- data
- address
- source
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 58
- 238000012544 monitoring process Methods 0.000 title claims abstract description 27
- 230000035945 sensitivity Effects 0.000 claims abstract description 158
- 230000005540 biological transmission Effects 0.000 claims description 29
- 238000012545 processing Methods 0.000 claims description 21
- 238000005516 engineering process Methods 0.000 claims description 11
- 238000004590 computer program Methods 0.000 claims description 10
- 238000004891 communication Methods 0.000 claims description 7
- 238000005206 flow analysis Methods 0.000 claims description 7
- 238000012806 monitoring device Methods 0.000 claims description 5
- 238000011156 evaluation Methods 0.000 abstract description 8
- 230000008569 process Effects 0.000 abstract description 5
- 238000012502 risk assessment Methods 0.000 abstract description 4
- 238000013461 design Methods 0.000 description 29
- 238000010586 diagram Methods 0.000 description 10
- 239000000523 sample Substances 0.000 description 9
- 230000006870 function Effects 0.000 description 6
- 230000006399 behavior Effects 0.000 description 4
- 238000011144 upstream manufacturing Methods 0.000 description 4
- 238000001514 detection method Methods 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 230000004075 alteration Effects 0.000 description 1
- 230000008878 coupling Effects 0.000 description 1
- 238000010168 coupling process Methods 0.000 description 1
- 238000005859 coupling reaction Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 230000006386 memory function Effects 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/29—Flow control; Congestion control using a combination of thresholds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides an interface security monitoring method and device, wherein the method comprises the following steps: sensitivity evaluation is carried out on the flow data transmitted when the interface is accessed from two dimensions of a sensitive field and an objective receiver of the flow data included in the flow data, so that the sensitivity of the flow data is obtained. Then, for each access of the interface, according to the sensitivity of the traffic data transmitted by the interface in the access process and the source IP address of the access interface, the risk value of the current access is evaluated, and when the risk value is higher than the threshold value, early warning is carried out, so that the security monitoring of the interface is not only based on the single feature of the access behavior, but also the multiparty features of the interface, the visitor and the like are comprehensively considered, thereby improving the comprehensiveness of the security risk assessment and the accuracy of the risk assessment result.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for monitoring interface security.
Background
With the promulgation of "network security laws", data security laws (draft), and "personal information protection laws (draft), protection of personal privacy data has been raised to legal level. In the time of big data age, data become new production factors, the value of the data is gradually highlighted, and the protection of the data is also more and more important.
However, the evolution of digitization has driven data applications and flows within the industry to become more widespread and frequent. There are also more and more scenarios for data streaming, where each business system provides convenient services to other business systems or external partners with an open application programming interface (application programming interface, API) interface.
In the existing method for carrying out security monitoring on interfaces, external requests from an external system are received, and whether normal access is carried out is determined according to the relation between the traffic of the external requests and the access traffic threshold. As can be seen, the existing scheme is only to perform interface security monitoring based on the access amount, as the data becomes more and more open in each scene, the access threat to the interface is not limited to one dimension of the access amount, and the existing monitoring scheme also includes multiple dimensions such as the sensitivity of the access data, and is not suitable for the current interface security monitoring. Therefore, how to perform security monitoring on interfaces during data circulation is a urgent problem to be solved.
Disclosure of Invention
The application provides an interface security monitoring method and device, which are used for effectively monitoring the security of interfaces among business systems.
In a first aspect, an embodiment of the present application provides an interface security monitoring method, which may be executed by an interface security monitoring device, where the interface may be, for example, a software interface between service systems, or may be another type of interface.
The method comprises the following steps: determining a source IP address of the access interface through a flow analysis technology; determining the sensitivity of the traffic data accessing the interface at this time according to sensitive fields included in the traffic data transmitted by the interface and/or information of an target receiver of the traffic data; determining a risk value of the current access of the source IP address according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address; and if the risk value is greater than a set threshold value, positioning an access source of the interface to the source IP address, and carrying out early warning.
According to the technical scheme, the sensitivity evaluation can be carried out on the flow data transmitted when the interface is accessed from the two dimensions of the sensitive field and the target receiver of the flow data, so that the sensitivity of the flow data is obtained. Then, for each access of the interface, according to the sensitivity of the traffic data transmitted by the interface in the access process and the source IP address of the access interface, the risk value of the current access is evaluated, and when the risk value is higher than the threshold value, early warning is carried out, so that the security monitoring of the interface is not only based on the single feature of the access behavior, but also the multiparty features of the interface, the visitor and the like are comprehensively considered, thereby improving the comprehensiveness of the security risk assessment and the accuracy of the risk assessment result.
In one possible design, determining the sensitivity of the traffic data accessing the interface according to the sensitivity field included in the traffic data transmitted by the interface and the receiver of the traffic data, includes: determining the sensitivity of each data packet in the flow data accessed to the interface according to the sensitive field included in the flow data transmitted by the interface and/or the information of the receiver of the flow data; and determining the sum of the sensitivity of each data packet in the flow data as the sensitivity of the flow data accessing the interface at the time.
In one possible design, for each packet in the traffic data that accesses the interface at this time, determining the sensitivity of the packet includes: if the data packet is uplink data and the device where the interface is located is a data producer of the data packet, the sensitivity α=α 2*α3 of the data packet; wherein, α2 is the sensitivity of the data field of the data packet, and α3 is the sensitivity of the target receiver of the data packet.
In one possible design, the set of fields currently marked as sensitive fields is set a, and the set of fields currently marked as non-sensitive fields is set B; if set B, α2=0; if the set B is not an empty set, thenWherein N t is the total number of fields included in the data packet, N b is the number of elements in the set B, i is the element identifier in the set a, j is the element identifier in the set B, and P (i|j) is the probability that the i-th element in the set a is also a sensitive field on the premise that the j-th element in the set B is a sensitive field.
In one possible design, the sensitivity of the intended recipient of the data packet corresponds to the security level of the intended recipient.
In one possible design, for each packet in the traffic data that accesses the interface at this time, determining the sensitivity of the packet includes: if the data packet is uplink data and the device where the interface is located is a data forwarding node of the data packet, the sensitivity α=α 4*α5 of the data packet; wherein, the α4 is the sensitivity of the source IP address of the data packet, and the α5 is the sensitivity of the destination IP address of the data packet.
In one possible design, the sensitivity α4 of the source IP address of the packet is determined according to the device type, device configuration, and transmission channel of the source IP address, and α 4=(I1*I2)I3; wherein, the I1 is type sensitivity corresponding to the equipment type of the equipment where the source IP address is located; the I2 is used for grading the equipment configuration of the equipment where the source IP address is located; and the I3 is the security grade of a transmission channel between the equipment where the interface is located and the equipment where the source IP address is located.
In one possible design, the sensitivity α5 of the destination IP address of the packet is determined according to the device type, device configuration, and transmission channel of the destination IP address, and α 5=(I4*I5)I6; wherein, the I4 is type sensitivity corresponding to the equipment type of the equipment where the target IP address is located; the I5 is used for grading the equipment configuration of the equipment where the target IP address is located; and I6 is the security grade of a transmission channel between the equipment where the interface is located and the equipment where the target IP address is located.
In one possible design, for each packet in the traffic data that accesses the interface at this time, determining the sensitivity of the packet includes: if the data packet is downlink data and the device where the interface is located is an target receiver of the data packet, the sensitivity α= (I7×i8) I9 of the data packet; wherein, the I7 is the type sensitivity corresponding to the equipment type of the equipment where the interface is located; the I8 is used for grading the equipment configuration of the equipment where the source IP address of the data packet is located; and the I9 is the security grade of a transmission channel between the equipment where the source IP address of the data packet is located and the equipment where the interface is located.
In a second aspect, embodiments of the present application provide an interface security monitoring device that may include modules/units that perform the method of any one of the possible designs of the first aspect described above. These modules/units may be implemented by hardware, or may be implemented by hardware executing corresponding software.
Illustratively, the apparatus may include a communication module and a processing module; wherein:
the communication module is used for acquiring the flow data of the access interface at the time;
The processing module is used for determining the source IP address of the access interface through a flow analysis technology; determining the sensitivity of the traffic data accessing the interface at this time according to sensitive fields included in the traffic data transmitted by the interface and/or information of an target receiver of the traffic data; determining a risk value of the current access of the source IP address according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address; and if the risk value is greater than a set threshold value, positioning an access source of the interface to the source IP address, and carrying out early warning.
In one possible design, the processing module is specifically configured to: determining the sensitivity of each data packet in the flow data accessed to the interface according to the sensitive field included in the flow data transmitted by the interface and/or the information of the receiver of the flow data; and determining the sum of the sensitivity of each data packet in the flow data as the sensitivity of the flow data accessing the interface at the time.
In one possible design, the processing module is specifically configured to determine the sensitivity of each packet in the traffic data that accesses the interface this time by: for each data packet in the traffic data accessing the interface at this time, if the data packet is uplink data and the device where the interface is located is a data producer of the data packet, the sensitivity α=α 2*α3 of the data packet; wherein, α2 is the sensitivity of the data field of the data packet, and α3 is the sensitivity of the target receiver of the data packet.
In one possible design, the processing module is specifically configured to determine the data field sensitivity α2 of the data packet by: the set formed by each field currently marked as a sensitive field in all fields included in the data packet is set A, and the set formed by each field currently marked as a non-sensitive field is set B; if set B, α2=0; if the set B is not an empty set, thenWherein N t is the total number of fields included in the data packet, N b is the number of elements in the set B, i is the element identifier in the set a, j is the element identifier in the set B, and P (i|j) is the probability that the i-th element in the set a is also a sensitive field on the premise that the j-th element in the set B is a sensitive field.
In one possible design, the sensitivity α3 of the intended recipient of the data packet corresponds to the security level of the intended recipient.
In one possible design, the processing module is specifically configured to determine the sensitivity of each packet in the traffic data that accesses the interface this time by: for each data packet in the traffic data accessing the interface at this time, if the data packet is uplink data and the device where the interface is located is a data forwarding node of the data packet, the sensitivity α=α 4*α5 of the data packet; wherein, the α4 is the sensitivity of the source IP address of the data packet, and the α5 is the sensitivity of the destination IP address of the data packet.
In one possible design, the sensitivity α4 of the source IP address of the packet is determined according to the device type, device configuration, and transmission channel of the source IP address, and α 4=(I1*I2)I3; wherein, the I1 is type sensitivity corresponding to the equipment type of the equipment where the source IP address is located; the I2 is used for grading the equipment configuration of the equipment where the source IP address is located; and the I3 is the security grade of a transmission channel between the equipment where the interface is located and the equipment where the source IP address is located.
In one possible design, the sensitivity α5 of the destination IP address of the packet is determined according to the device type, device configuration, and transmission channel of the destination IP address, and α 5=(I4*I5)I6; wherein, the I4 is type sensitivity corresponding to the equipment type of the equipment where the target IP address is located; the I5 is used for grading the equipment configuration of the equipment where the target IP address is located; and I6 is the security grade of a transmission channel between the equipment where the interface is located and the equipment where the target IP address is located.
In one possible design, the processing module is specifically configured to determine the sensitivity of each packet in the traffic data that accesses the interface this time by: for each data packet in the traffic data accessing the interface at this time, if the data packet is downlink data and the device where the interface is located is the target receiver of the data packet, the sensitivity α= (I7×i8) I9 of the data packet; wherein, the I7 is the type sensitivity corresponding to the equipment type of the equipment where the interface is located; the I8 is used for grading the equipment configuration of the equipment where the source IP address of the data packet is located; and the I9 is the security grade of a transmission channel between the equipment where the source IP address of the data packet is located and the equipment where the interface is located.
In a third aspect, an embodiment of the present application further provides a computer apparatus, including:
a memory for storing program instructions;
A processor for invoking program instructions stored in said memory and performing the method as described in the various possible designs of the first aspect according to the obtained program instructions.
In a fourth aspect, embodiments of the present application also provide a computer-readable storage medium, in which computer-readable instructions are stored, which, when read and executed by a computer, cause the method described in any one of the possible designs of the first aspect to be implemented.
In a fifth aspect, embodiments of the present application also provide a computer program product comprising computer readable instructions which, when executed by a processor, cause the method described in any one of the possible designs of the first aspect described above to be implemented.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it will be apparent that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of an interface security monitoring method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a technical architecture according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an interface security monitoring device according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In embodiments of the present application, a plurality refers to two or more. The words "first," "second," and the like are used merely for distinguishing between the descriptions and not be construed as indicating or implying a relative importance or order.
The application provides an interface safety monitoring method based on a flow analysis technology, which is used for carrying out sensitivity assessment on two dimensions of sensitive fields included in each data in flow and safety of a receiver to finally form data sensitivity. For each access of the interface, evaluating the risk value of the current access according to all sensitivities related to the access port and the IP of the current visitor, and carrying out early warning when the risk value is higher than a threshold value.
Fig. 1 illustrates an interface security monitoring method according to an embodiment of the present application, where the method may be performed by a corresponding interface security monitoring apparatus, and the apparatus may be a data exchange device in a network or a separate computing device, and is not limited thereto. As shown in fig. 1, the method includes:
Step 101, determining the access source IP address of the access interface through a flow analysis technology.
The source IP address here is the IP address of the last hop.
Specifically, the traffic log may be analyzed by a traffic analysis technique to determine the source IP address of each access of the interface.
Step 102, determining the sensitivity of the traffic data accessing the interface according to the sensitive field included in the traffic data transmitted by the interface and/or the information of the target receiver of the traffic data.
Specifically, the sensitivity of each data packet in the traffic data of the interface can be determined according to the sensitive field included in the traffic data transmitted by the interface and/or the information of the receiver of the traffic data; and then, determining the sum of the sensitivity of each data packet in the flow data as the sensitivity of the flow data accessing the interface at the time.
The traffic data in this step may include upstream data and downstream data through the interface, and the method of determining the sensitivity of the data packet in each of these two cases is described below.
1. Uplink data.
The uplink data refers to data transmitted to other devices by the device where the interface is located (hereinafter abbreviated as device X for convenience of description).
The upstream data is divided into 2 types, one is the data generated by the device X, that is, the source of the data transmission, that is, the device X is the data producer, and not the data forwarding node. And the other data is data which is transmitted to other equipment by the equipment X after the data transmitted by other nodes are received, namely the equipment X only serves as a data transmitting node.
If the device X is the data producer, the sensitivity α of the upstream data may be determined jointly according to both the case of the sensitive field included in the data packet and the case of the intended recipient.
Because the background knowledge mastered by different receivers is different, the understanding degree of the same data is different, and the sensitivity of the same data to some data receivers is low, but for other data receivers, the true meaning of the data can be known after the data is interpreted based on the background knowledge, so that the data is sensitive to the data. For example, for normal data receivers, since the decryption method is not known, the sensitivity is not high, and if for correct data receivers or receivers that steal the decryption method, they decrypt the data based on the known decryption method, and further obtain sensitive data, the encrypted data is sensitive data for these receivers.
Specifically, in this case, the sensitivity α=α 2*α3.
Wherein, α2 is the sensitivity of the data field of the data packet, and α3 is the sensitivity of the target receiver of the data packet.
(1) Data field sensitivity α2.
When the data producer produces data, each field is marked whether to be sensitive or not, so that the data can be safely monitored later. Based on this, this step can be subdivided as follows:
1) All fields of the data are confirmed to obtain the total field number N t.
2) All fields are divided into 2 sets, one set consisting of fields not currently labeled as sensitive fields, i.e. fields labeled as non-sensitive fields, and the other set consisting of fields currently labeled as sensitive fields. For convenience of description to follow, a set composed of fields not currently labeled as sensitive fields is denoted as set a, and a set composed of fields currently labeled as sensitive fields is denoted as set B.
3) If the set B is an empty set, α2=0 is determined.
4) If set B is not an empty set, then determine
Wherein N b is the number of elements in the set B, i is the element identifier in the set A, j is the element identifier in the set B, and P (i|j) is the probability that the ith element in the set A is a sensitive field on the premise that the jth element in the set B is a sensitive field.
In the present application, the value of P (i|j) can be obtained from a large amount of sample data. The sample data may be existing data, data obtained from different channels, or data provided by a user.
In particular, the method comprises the steps of,Wherein P (ij) =the number of sample data containing both the ith element and the jth element, and both the ith element and the jth element are sensitive fields/the total number of sample data containing both the ith element and the jth element. P (j) =j-th element, and j-th element is the number of sample data of the sensitive field/the total number of sample data including j-th element.
(2) Sensitivity α3 of the target recipient.
The target receiver is an object that the data producer wants to send data. For example, device X sends an operation instruction to a server, and then device X is a data producer and the server is an intended recipient.
The sensitivity α3 of the intended recipient of the data packet corresponds to the security level of the intended recipient. α3 is a positive integer, and a larger value indicates a higher security level. Specifically, the range of α3 can be configured, for example, 1 to 5, or 1 to 10, etc.
Alternatively, since the data producer is most familiar with its transmission object, the data producer may evaluate the security level of the target receiver, to obtain an evaluation result, which is α3.
In the present application, the data producer may be a user or a device. If the data producer is a device, the device determines a target IP address when transmitting data, so that the security level of a target receiver can be determined according to the target IP address; or when transmitting data, the device may determine a transmission path, and thus may determine a security level of the intended recipient based on the path, e.g., via a virtual private network (virtual private network, VPN), a relatively high security level, via an IP link, a relatively low security level, etc. The specific security level determining method can be obtained through a pre-configured corresponding relation.
If the device X is a data forwarding node, the sensitivity α of the upstream data may be determined according to both the source IP address and the destination IP address of the data packet.
The source IP address is used to characterize where the packet is transmitted from device X and the destination IP address is used to characterize where the packet is to be sent from device X.
Specifically, in this case, the sensitivity α=α 4*α5.
Wherein, the α4 is the sensitivity of the source IP address of the data packet, and the α5 is the sensitivity of the destination IP address of the data packet.
(1) Sensitivity of source IP address α 4.
Alpha 4 is determined jointly from the device type, device configuration and transport channel of the source IP address.
Specifically, α 4=(I1*I2)I3.
The type sensitivity is obtained according to a preset corresponding table of the device type and the sensitivity, and each sensitivity in the corresponding table can be determined based on the possibility of the device being attacked and the result of the attack. For example, the server is attacked more severely than the hub, so the server corresponds to a larger I1 value than the hub, which corresponds to an empirical value.
And I2 is a device configuration score of the device with the source IP address, wherein the device configuration score can be a security score determined by security prevention and control software of the device with the source IP address, and can be obtained by sending a data request message to the device with the source IP address by the device X.
I3 is a security score for the transmission channel between device X and the device where the source IP address is located. For example, if the source IP address is located between the device and the device X through a VPN connection, I3 may be 1; if the source IP address is connected to the device X via the internet, I3 may be 0.6.
(2) Sensitivity of the destination IP address α 5.
The determination scheme of α 5 is similar to that of α 4, and is determined according to the device type, device configuration and transmission channel of the device where the destination IP address is located.
Specifically, α 5=(I4*I5)I6.
Wherein, I4 is a type sensitivity corresponding to a device type of the device where the target IP address is located, where the type sensitivity may be obtained according to a preset correspondence table of device types and sensitivities.
And I5 is the equipment configuration score of the equipment with the target IP address, wherein the equipment configuration score can be obtained by the security score determined by the security control software of the equipment with the target IP address and can be obtained by sending a data request message to the equipment with the target IP address by the equipment X.
I6 is a security score for the transmission channel between device X and the device where the target IP address is located. For example, if the device X is connected to the destination IP via a VPN, I6 may be 1, and if the device X is connected to the device where the destination IP address is located via the internet, I6 may be 0.6.
2. Downstream data.
Downstream data refers to data received by device X from which other devices sent it, i.e., device X is the intended recipient of the data.
Sensitivity α= (I7 x I8) I9 of the downstream data.
Wherein I7 is a type sensitivity corresponding to the device type of the device X, and the type sensitivity can be obtained according to a preset correspondence table of the device type and the sensitivity. Each sensitivity in the correspondence table may be determined based on the likelihood of the device being attacked and the consequences of the attack. For example, the server is attacked more severely than hub, so the server corresponds to a larger I7 value than hub, which corresponds to an empirical value.
And I8 is a device configuration score of the device where the source IP address of the data packet is located, wherein the device configuration score can be determined by security control software of the device where the source IP address is located, and can be obtained by sending a data request message to the device where the source IP address is located by the device X.
I9 is a security score of a transmission channel between the device where the source IP address of the data packet is located and the device X. For example, if the source IP address is connected to the device X through a VPN, I9 may be 1, and if the source IP address is connected to the device X through the internet, I9 may be 0.6.
And step 103, determining the risk value of the current access of the source IP address according to the sensitivity of the traffic data of the interface and the security of the current access of the source IP address.
Specifically, the security of the current access of the source IP address, i.e. how likely it is that the network attack, can be determined by the existing network attack detection scheme (also referred to as security detection scheme). The existing network attack detection scheme may be adopted herein, and will not be described in detail.
And then, determining the risk value of the current access of the source IP address according to the sensitivity of the traffic data of the interface and the determined security of the current access of the source IP address. The risk value for this access behavior of the source IP may be sensitivity/security of this access of the source IP.
For example, the possibility of this interface access being a packet delivered to the interface (typically 137, 138 and 139) via the TCP/IP protocol and further out of band (OOB) attacks, or the possibility of this interface access being a denial of service (denial of service, doS) attack via the interface, etc. is detected. The sensitivity of the traffic data transmitted by the interface reflects the security level of the interface, and if the sensitivity is higher and the security of the access of the source IP address is lower, the risk of the access is determined to be higher.
And 104, if the risk value is greater than the set threshold value, positioning an access source of the interface to the source IP address, and carrying out early warning.
During early warning, the source IP address with a higher risk value is prompted, and the data related to the interface access can be processed, such as prohibiting the data from being accessed.
In summary, compared with the prior art, the application has the following advantages and effects:
The application provides an interface safety monitoring method based on a flow analysis technology, which carries out sensitivity assessment from two dimensions of a sensitivity field included in each data packet in flow data and the safety of an objective receiver to finally form the sensitivity of the data. And for each access of the interface, evaluating the risk value of the current access according to all sensitivities related to the access interface and the IP address of the current visitor, and carrying out early warning when the risk value is higher than a threshold value.
Sensitivity evaluation is performed from two dimensions of sensitive fields included in the data packet and the security of the target receiver, namely, sensitivity is evaluated from the aspects of data and behaviors, so that the comprehensiveness of sensitivity evaluation can be ensured, and the accuracy of an evaluation result is improved.
For each access of the interface, the risk value of the current access is evaluated according to all sensitivities related to the access interface and the IP address of the current visitor, so that the security monitoring of the interface is not simply based on the single feature of the access behavior, but the multiparty features of the port and the visitor are comprehensively considered, the comprehensiveness of the risk evaluation can be ensured, and the accuracy of the evaluation result is improved.
The technical scheme of the application can be realized in the form of Browser/Server (B/S), and the background service is designed by a service architecture of distributed independent service. The back-end services communicate with each other via a Restful interface and a remote procedure call (remote procedure call, RPC). Development is based on multiple languages, including Java, C/C++, javaScript, HTML, and the like. Through the isolation between the servers, the design effect of low coupling is achieved, and the complexity is reduced.
As shown in fig. 2, the present technical solution is mainly divided into four layers: monitoring platform & open layer, security capability layer, basic platform layer, front-end probe. The monitoring station and the open layer are in charge of receiving the input of a user and presenting the output to the user through various functions; the security capability layer provides interface data for the front end, and issues a scanning task and a desensitizing task; the basic platform layer is used for executing the main flow of the proposal, so as to realize the safety monitoring of the interface; the front-end probes are responsible for interaction with a data source (database), such as a database connection, fetch data, and insert data. The layers are described as follows:
Monitoring station & open layer: and a Echarts, jquery, JS technology is used for realizing a common form interface and a chart display function, and the data storage aspect is stored into a Mysql database in a JDBC mode.
Security capability layer: and adopting Java, springboot micro-service technology to provide interface data for the front end, and issuing a scanning task and a desensitizing task.
Base platform layer: the Java implementation is adopted, the main flow of the proposal is executed, and the safety monitoring of the interface is realized.
Front end probe: using JDBC technology metamodel, it is responsible for interacting with the data source (database), such as database connection, fetching data, inserting data.
Based on the same inventive concept, the application also provides an interface security monitoring device, which is used for realizing the interface security monitoring method in the method embodiment.
As shown in fig. 3, the apparatus 300 includes: a communication module 310 and a processing module 320.
The communication module 310 is configured to obtain flow data of the access interface at this time;
The processing module 320 is configured to determine, by using a traffic analysis technique, a source IP address of the access interface at this time; determining the sensitivity of the traffic data accessing the interface at this time according to sensitive fields included in the traffic data transmitted by the interface and/or information of an target receiver of the traffic data; determining a risk value of the current access of the source IP address according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address; and if the risk value is greater than a set threshold value, positioning an access source of the interface to the source IP address, and carrying out early warning.
In one possible design, the processing module 320 is specifically configured to: determining the sensitivity of each data packet in the flow data accessed to the interface according to the sensitive field included in the flow data transmitted by the interface and/or the information of the receiver of the flow data; and determining the sum of the sensitivity of each data packet in the flow data as the sensitivity of the flow data accessing the interface at the time.
In one possible design, the processing module 320 is specifically configured to determine the sensitivity of each packet in the traffic data that accesses the interface this time by: for each data packet in the traffic data accessing the interface at this time, if the data packet is uplink data and the device where the interface is located is a data producer of the data packet, the sensitivity α=α 2*α3 of the data packet; wherein, α2 is the sensitivity of the data field of the data packet, and α3 is the sensitivity of the target receiver of the data packet.
In one possible design, the processing module 320 is specifically configured to determine the data field sensitivity α2 of the data packet by: the set formed by each field currently marked as a sensitive field in all fields included in the data packet is set A, and the set formed by each field currently marked as a non-sensitive field is set B; if set B, α2=0; if the set B is not an empty set, thenWherein N t is the total number of fields included in the data packet, N b is the number of elements in the set B, i is the element identifier in the set a, j is the element identifier in the set B, and P (i|j) is the probability that the i-th element in the set a is also a sensitive field on the premise that the j-th element in the set B is a sensitive field.
In one possible design, the sensitivity α3 of the intended recipient of the data packet corresponds to the security level of the intended recipient.
In one possible design, the processing module 320 is specifically configured to determine the sensitivity of each packet in the traffic data that accesses the interface this time by: for each data packet in the traffic data accessing the interface at this time, if the data packet is uplink data and the device where the interface is located is a data forwarding node of the data packet, the sensitivity α=α 4*α5 of the data packet; wherein, the α4 is the sensitivity of the source IP address of the data packet, and the α5 is the sensitivity of the destination IP address of the data packet.
In one possible design, the sensitivity α4 of the source IP address of the packet is determined according to the device type, device configuration, and transmission channel of the source IP address, and α 4=(I1*I2)I3; wherein, the I1 is type sensitivity corresponding to the equipment type of the equipment where the source IP address is located; the I2 is used for grading the equipment configuration of the equipment where the source IP address is located; and the I3 is the security grade of a transmission channel between the equipment where the interface is located and the equipment where the source IP address is located.
In one possible design, the sensitivity α5 of the destination IP address of the packet is determined according to the device type, device configuration, and transmission channel of the destination IP address, and α 5=(I4*I5)I6; wherein, the I4 is type sensitivity corresponding to the equipment type of the equipment where the target IP address is located; the I5 is used for grading the equipment configuration of the equipment where the target IP address is located; and I6 is the security grade of a transmission channel between the equipment where the interface is located and the equipment where the target IP address is located.
In one possible design, the processing module 320 is specifically configured to determine the sensitivity of each packet in the traffic data that accesses the interface this time by: for each data packet in the traffic data accessing the interface at this time, if the data packet is downlink data and the device where the interface is located is the target receiver of the data packet, the sensitivity α= (I7×i8) I9 of the data packet; wherein, the I7 is the type sensitivity corresponding to the equipment type of the equipment where the interface is located; the I8 is used for grading the equipment configuration of the equipment where the source IP address of the data packet is located; and the I9 is the security grade of a transmission channel between the equipment where the source IP address of the data packet is located and the equipment where the interface is located.
Based on the same technical concept, the embodiment of the present application further provides a computer device, as shown in fig. 4, including at least one processor 401 and a memory 402 connected to the at least one processor, where in the embodiment of the present application, a specific connection medium between the processor 401 and the memory 402 is not limited, and in fig. 4, the processor 401 and the memory 402 are connected by a bus, for example. The buses may be divided into address buses, data buses, control buses, etc.
In the embodiment of the present application, the memory 402 stores instructions executable by the at least one processor 401, and the at least one processor 401 may implement the steps of the secret sharing method by executing the instructions stored in the memory 402.
Where the processor 401 is a control center of a computer device, various interfaces and lines may be utilized to connect various portions of the computer device, to perform resource setting by executing or executing instructions stored in the memory 402 and invoking data stored in the memory 402. Alternatively, the processor 401 may include one or more processing units, and the processor 401 may integrate an application processor and a modem processor, wherein the application processor mainly processes an operating system, a user interface, an application program, etc., and the modem processor mainly processes wireless communication. It will be appreciated that the modem processor described above may not be integrated into the processor 801. In some embodiments, processor 401 and memory 402 may be implemented on the same chip, and in some embodiments they may be implemented separately on separate chips.
The processor 401 may be a general purpose processor such as a Central Processing Unit (CPU), digital signal processor, application SPECIFIC INTEGRATED Circuit (ASIC), field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc., that may implement or perform the methods, steps, and logic diagrams disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in the processor for execution.
Memory 402 is a non-volatile computer-readable storage medium that can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The Memory 402 may include at least one type of storage medium, which may include, for example, flash Memory, hard disk, multimedia card, card Memory, random access Memory (Random Access Memory, RAM), static random access Memory (Static Random Access Memory, SRAM), programmable Read-Only Memory (Programmable Read Only Memory, PROM), read-Only Memory (ROM), charged erasable programmable Read-Only Memory (ELECTRICALLY ERASABLE PROGRAMMABLE READ-Only Memory, EEPROM), magnetic Memory, magnetic disk, optical disk, and the like. Memory 402 is any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. The memory 402 in embodiments of the present application may also be circuitry or any other device capable of performing memory functions for storing program instructions and/or data.
Based on the same technical concept, the embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores computer readable instructions, and when the computer reads and executes the computer readable instructions, the method in the embodiment of the method is realized.
Based on the same technical idea, the embodiments of the present application also provide a computer program product comprising computer readable instructions, which when executed by a processor, cause the method in the above-mentioned method embodiments to be implemented.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (13)
1. An interface security monitoring method, the method comprising:
determining a source IP address of the access interface through a flow analysis technology;
Determining the sensitivity of the flow data accessing the interface at the time according to the sensitive field included in the flow data transmitted by the interface and the information of the target receiver of the flow data; the sensitive field and the information of the target receiver of the flow data comprise data field sensitivity, sensitivity of the target receiver and sensitivity of an IP address; the sensitivity of the IP address is determined according to the type of the device, the configuration of the device and the transmission channel; the sensitivity of the IP address includes the sensitivity of the source IP address;
Determining a risk value of the current access of the source IP address according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address;
and if the risk value is greater than a set threshold value, positioning an access source of the interface to the source IP address, and carrying out early warning.
2. The method of claim 1, wherein determining the sensitivity of the traffic data of the access to the interface based on the sensitivity field included in the traffic data transmitted by the access to the interface and information of the intended recipient of the traffic data at the time comprises:
determining the sensitivity of each data packet in the flow data accessed to the interface according to the sensitive field included in the flow data transmitted by the interface and the information of the target receiver of the flow data;
and determining the sum of the sensitivity of each data packet in the flow data as the sensitivity of the flow data accessing the interface at the time.
3. The method of claim 2, wherein determining the sensitivity of each packet in the traffic data for the access to the interface for the time comprises:
If the data packet is uplink data and the device where the interface is located is a data producer of the data packet, the sensitivity α=α 2*α3 of the data packet;
wherein, α2 is the sensitivity of the data field of the data packet, and α3 is the sensitivity of the target receiver of the data packet.
4. A method according to claim 3, wherein the set of fields currently marked as sensitive fields among all fields included in the data packet is set a and the set of fields currently marked as non-sensitive fields is set B;
If the set B is an empty set, α2=0;
If the set B is not an empty set, then
Wherein N t is the total number of fields included in the data packet, N b is the number of elements in the set B, i is the element identifier in the set a, j is the element identifier in the set B, and P (i|j) is the probability that the i-th element in the set a is also a sensitive field on the premise that the j-th element in the set B is a sensitive field.
5. A method according to claim 3, characterized in that the sensitivity α3 of the intended recipient of the data packet corresponds to the security level of the intended recipient.
6. The method of claim 2, wherein determining the sensitivity of each packet in the traffic data for the access to the interface for the time comprises:
if the data packet is uplink data and the device where the interface is located is a data forwarding node of the data packet, the sensitivity α=α 4*α5 of the data packet;
wherein, the α4 is the sensitivity of the source IP address of the data packet, and the α5 is the sensitivity of the destination IP address of the data packet.
7. The method of claim 6, wherein a sensitivity of a source IP address of the data packet, a 4, is determined based on a device type, a device configuration, and a transmission channel of the source IP address, and a 4=(I1*I2)I3;
Wherein, the I1 is type sensitivity corresponding to the equipment type of the equipment where the source IP address is located;
The I2 is used for grading the equipment configuration of the equipment where the source IP address is located;
And the I3 is the security grade of a transmission channel between the equipment where the interface is located and the equipment where the source IP address is located.
8. The method of claim 6, wherein the sensitivity of the destination IP address of the packet, α5, is determined based on the device type, device configuration, and transmission channel of the destination IP address, and α 5=(I4*I5)I6;
Wherein, the I4 is type sensitivity corresponding to the equipment type of the equipment where the target IP address is located;
the I5 is used for grading the equipment configuration of the equipment where the target IP address is located;
And I6 is the security grade of a transmission channel between the equipment where the interface is located and the equipment where the target IP address is located.
9. The method of claim 2, wherein determining the sensitivity of each packet in the traffic data for the access to the interface for the time comprises:
If the data packet is downlink data and the device where the interface is located is an target receiver of the data packet, the sensitivity α= (I7×i8) I9 of the data packet;
wherein, the I7 is the type sensitivity corresponding to the equipment type of the equipment where the interface is located;
the I8 is used for grading the equipment configuration of the equipment where the source IP address of the data packet is located;
and the I9 is the security grade of a transmission channel between the equipment where the source IP address of the data packet is located and the equipment where the interface is located.
10. An interface security monitoring device, comprising:
the communication module is used for acquiring the flow data of the access interface at the time;
The processing module is used for determining the source IP address of the access interface through a flow analysis technology; determining the sensitivity of the traffic data accessing the interface at this time according to sensitive fields included in the traffic data transmitted by the interface and/or information of an target receiver of the traffic data; the sensitive field and the information of the target receiver of the flow data comprise data field sensitivity, sensitivity of the target receiver and sensitivity of an IP address; the sensitivity of the IP address is determined according to the type of the device, the configuration of the device and the transmission channel; the sensitivity of the IP address includes the sensitivity of the source IP address; determining a risk value of the current access of the source IP address according to the sensitivity of the flow data of the interface and the security of the current access of the source IP address; and if the risk value is greater than a set threshold value, positioning an access source of the interface to the source IP address, and carrying out early warning.
11. A computer device, comprising:
a memory for storing program instructions;
A processor for invoking program instructions stored in the memory and for performing the method according to any of claims 1-9 in accordance with the obtained program instructions.
12. A computer readable storage medium comprising computer readable instructions which, when read and executed by a computer, cause the method of any one of claims 1 to 9 to be implemented.
13. A computer program product comprising computer readable instructions which, when executed by a processor, cause the method of any of claims 1 to 9 to be implemented.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111652066.5A CN114401126B (en) | 2021-12-30 | 2021-12-30 | Interface security monitoring method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111652066.5A CN114401126B (en) | 2021-12-30 | 2021-12-30 | Interface security monitoring method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114401126A CN114401126A (en) | 2022-04-26 |
| CN114401126B true CN114401126B (en) | 2024-04-30 |
Family
ID=81229760
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111652066.5A Active CN114401126B (en) | 2021-12-30 | 2021-12-30 | Interface security monitoring method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114401126B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118890221B (en) * | 2024-09-29 | 2024-12-20 | 杭州水务数智科技股份有限公司 | Method and system for safe transmission of water service Internet of things equipment and platform |
| CN119149474B (en) * | 2024-11-18 | 2025-02-14 | 北京东方融创信息技术有限公司 | Communication method based on multiple operating systems |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103684927A (en) * | 2013-12-27 | 2014-03-26 | 昆山中创软件工程有限责任公司 | Data packet monitoring method and device |
| CN106330532A (en) * | 2016-08-16 | 2017-01-11 | 汉柏科技有限公司 | Network information processing method and system, network management device and network monitoring device |
| CN107426022A (en) * | 2017-07-21 | 2017-12-01 | 上海携程商务有限公司 | Security incident monitoring method and device, electronic equipment, storage medium |
| CN111835705A (en) * | 2020-05-21 | 2020-10-27 | 西安交大捷普网络科技有限公司 | Asset abnormal access detection method |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10296748B2 (en) * | 2016-02-25 | 2019-05-21 | Sas Institute Inc. | Simulated attack generator for testing a cybersecurity system |
-
2021
- 2021-12-30 CN CN202111652066.5A patent/CN114401126B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103684927A (en) * | 2013-12-27 | 2014-03-26 | 昆山中创软件工程有限责任公司 | Data packet monitoring method and device |
| CN106330532A (en) * | 2016-08-16 | 2017-01-11 | 汉柏科技有限公司 | Network information processing method and system, network management device and network monitoring device |
| CN107426022A (en) * | 2017-07-21 | 2017-12-01 | 上海携程商务有限公司 | Security incident monitoring method and device, electronic equipment, storage medium |
| CN111835705A (en) * | 2020-05-21 | 2020-10-27 | 西安交大捷普网络科技有限公司 | Asset abnormal access detection method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114401126A (en) | 2022-04-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| ES2808954T3 (en) | Procedure and device for use in risk management of application information | |
| CN108923908B (en) | Authorization processing method, device, equipment and storage medium | |
| US11861006B2 (en) | High-confidence malware severity classification of reference file set | |
| US10032037B1 (en) | Establishing application trust levels using taint propagation as a service | |
| US9251367B2 (en) | Device, method and program for preventing information leakage | |
| CN114401126B (en) | Interface security monitoring method and device | |
| US20170155683A1 (en) | Remedial action for release of threat data | |
| WO2013173238A1 (en) | Electronic transaction notification system and method | |
| CN113111359A (en) | Big data resource sharing method and resource sharing system based on information security | |
| CN113381984A (en) | Data processing method, device and system, electronic equipment and storage medium | |
| CN113987468A (en) | Security check method and security check device | |
| CN115529130B (en) | Data processing method, terminal, server, system, device, medium and product | |
| CN110990873B (en) | Monitoring method for illegal operation, computer equipment and storage medium | |
| CN108319822A (en) | A kind of method, storage medium, electronic equipment and the system of protection web page code | |
| US9608965B2 (en) | Secure network request anonymization | |
| CN114189383A (en) | Blocking method, device, electronic equipment, medium and computer program product | |
| WO2024041436A1 (en) | Service request processing method and apparatus, and electronic device and storage medium | |
| Senol et al. | Unveiling the Impact of User-Agent Reduction and Client Hints: A Measurement Study | |
| CN114567678B (en) | Resource calling method and device for cloud security service and electronic equipment | |
| CN113709136B (en) | Access request verification method and device | |
| US12177181B2 (en) | Automatic network signature generation | |
| CN116881896A (en) | Method and device for generating device fingerprint library | |
| US20230131988A1 (en) | Privacy preserving malicious network activity detection and mitigation | |
| US20130055393A1 (en) | Method and apparatus for enhancing privacy of contact information in profile | |
| CN114221816B (en) | Flow detection method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |