CN116055192B - Enterprise network security monitoring system - Google Patents


Publication number
CN116055192B
Authority
CN
China
Prior art keywords
information flow
vector
real
module
enterprise network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310052255.1A
Other languages
Chinese (zh)
Other versions
CN116055192A (en)
Inventor
许秋燕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Fanglian Weiye Technology Co ltd
Original Assignee
Shenzhen Fanglian Weiye Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Fanglian Weiye Technology Co ltd
Priority to CN202310052255.1A
Publication of CN116055192A
Application granted
Publication of CN116055192B
Legal status: Active


Abstract

The invention relates to the technical field of enterprise network security, and in particular to an enterprise network security monitoring system comprising: an information flow monitoring module, used for collecting flow direction information of the information flows in each link of the enterprise network; an information flow model construction module, used for abstracting the allowed information flows into legal information flow vectors according to the user authority rules and security policies set by the enterprise network, and constructing a virtual information flow model by combining the legal information flow vectors; a real-time vector generation module, used for extracting the flow direction information of an information flow in a link to generate a corresponding real-time information flow vector; and a safety warning module, used for issuing a safety warning if vector analysis cannot find, in the virtual information flow model, an information flow vector that corresponds to and is consistent with the real-time information flow vector. The invention enables comprehensive security monitoring of both the external network and the internal network of the enterprise network and can detect security threats from both outside and inside, so that the security protection of the enterprise network is more comprehensive.

Description

Enterprise network security monitoring system
Technical Field
The invention relates to the technical field of enterprise network security, and in particular to an enterprise network security monitoring system.
Background
An enterprise network is a network system that interconnects the networks of the various departments or workgroups of an enterprise so that all computer users (employees) within the enterprise can access any data or computing resources; enterprise networks can reduce the number of communication protocols in use, improve interoperability among applications, and improve the ability to access data from any system. The enterprise network generally uses a central server to connect to the external internet in a unified manner.
Network security refers to the security of a computer (communication) network, including protecting the hardware, software, and data of the network system from damage, alteration, and/or leakage due to accidental or malicious causes, so that the network system can continue to operate properly and reliably without interruption of network services.
For enterprise networks currently connected to the external internet, a firewall is generally set up to protect against the internet in order to maintain data security. Some enterprises also set up enterprise network security systems for external network security. For example, the patent document titled "Secure enterprise network", published as US8925036B2, implements transparent identity verification and policy enforcement in the network structure: the security system receives the information flow sent from a network host to an enterprise terminal, identifies the exchanged authentication packets in the information flow, uses the exchanged authentication packets and a service directory to identify the user identity associated with the information flow, and determines whether the user has access rights; a network policy is created to define whether the user has access.
Currently, enterprise network security measures are often directed only at the external network and do not take internal security monitoring of the enterprise network into account.
Disclosure of Invention
In order to solve the above technical problems, the present invention provides an enterprise network security monitoring system, including:
an information flow monitoring module, used for collecting flow direction information of the information flows in each link of the enterprise network;
an information flow model construction module, used for abstracting the allowed information flows into legal information flow vectors according to the user authority rules and security policies set by the enterprise network, and constructing a virtual information flow model by combining the legal information flow vectors;
a real-time vector generation module, used for extracting the flow direction information of an information flow in a link to generate a corresponding real-time information flow vector;
and a safety warning module, used for issuing a safety warning if vector analysis cannot find, in the virtual information flow model, an information flow vector that corresponds to and is consistent with the real-time information flow vector.
Optionally, the information flow monitoring module includes:
an intranet information flow monitoring sub-module, used for collecting flow direction information of the information flows occurring in the internal network data transmission links of the enterprise network;
an external network information flow monitoring sub-module, used for collecting flow direction information of the information flows occurring in the data transmission links between the enterprise network and the external internet;
and an information flow size extraction sub-module, used for extracting the current information flow size data in each link through information flow monitoring.
Optionally, the information flow model construction module includes:
a coordinate creation sub-module, used for creating a virtual multidimensional space coordinate system, the origin of which serves as the central node corresponding to the central server of the enterprise network;
a node distribution sub-module, used for generating nodes from the internal network databases, registered users and user registration information of the enterprise network according to a preset node setting rule, the nodes being generated in one-to-one correspondence with the databases and registered users, and marking the nodes in the multidimensional space coordinate system to form a virtual node space coordinate distribution diagram;
and an information flow model forming sub-module, used for marking with vector lines the nodes corresponding to the registered users that are allowed to have information flows, according to the user authority rules and security policies set by the enterprise network, thereby forming the virtual information flow model in the multidimensional space coordinate system.
Optionally, the real-time vector generation module includes:
an information flow associated user sub-module, used for obtaining the registered users at the source end and the target end of an information flow from the flow direction information of the information flow in the link;
a real-time information flow node determining sub-module, used for determining, on the virtual node space coordinate distribution diagram, the nodes corresponding to the registered users between which the information flow occurs, according to the registered users at the source end and the target end of the information flow;
and a real-time vector forming sub-module, used for marking with a vector line, according to the flow direction of the information flow, the nodes corresponding to the registered users between which the information flow occurs, to obtain the real-time information flow vector.
Optionally, the safety warning module includes:
a vector comparison sub-module, used for comparing the real-time information flow vector with each allowed information flow vector of the information flow model and determining whether the information flow model contains an allowed information flow vector consistent with the real-time information flow vector;
a judging sub-module, used for judging whether the information flow detected in real time is legal according to the comparison result of the vector comparison sub-module: when an allowed information flow vector consistent with the real-time information flow vector exists, the information flow corresponding to the real-time information flow vector is legal; otherwise, it is illegal;
and a warning sub-module, used for generating and issuing a safety warning when the judging sub-module judges that the information flow detected in real time is illegal.
Optionally, the vector comparison sub-module includes:
a vector projection unit, used for projecting the real-time information flow vector and each allowed information flow vector of the information flow model onto different two-dimensional coordinate planes according to a projection rule, to obtain a real-time vector projection diagram of the real-time information flow vector on each two-dimensional coordinate plane and an allowed vector projection diagram of each allowed information flow vector on each two-dimensional coordinate plane;
and a projection diagram comparison unit, used for comparing the real-time vector projection diagram and the allowed vector projection diagrams on the same two-dimensional coordinate plane; if the allowed vector projection diagrams of one allowed information flow vector on the different two-dimensional coordinate planes are each the same as the real-time vector projection diagram of the real-time information flow vector on the corresponding two-dimensional coordinate plane, that allowed information flow vector in the information flow model is consistent with the real-time information flow vector.
Optionally, the safety warning module includes:
a flow evaluation sub-module, used for evaluating whether the current information flow size data in each link is abnormal;
and a warning sub-module, used for generating and issuing a traffic anomaly safety warning when the current information flow size in a link is abnormal.
Optionally, the system further comprises an information flow interruption isolation module, used for interrupting the transmission of the illegal information flow corresponding to the real-time information flow and isolating it when the safety warning module issues a safety warning.
Optionally, the external network information flow monitoring sub-module includes:
an intrusion IP tracking unit, used for tracking the intrusion IP of the information flow on the external Internet side if the real-time information flow vector generated from the collected flow direction information between the enterprise network and the external Internet is judged to be illegal;
and an intrusion IP isolation unit, used for adding the intrusion IP tracked by the intrusion IP tracking unit to an untrusted list, configuring a firewall with the untrusted list, and isolating the intrusion IP from the Internet interface of the enterprise network through the firewall.
Optionally, the intrusion IP tracking unit includes:
a trace information extraction subunit, used for extracting trace data from the information flow;
a path reconstruction subunit, used for reconstructing the attack path according to the trace data;
and an intrusion IP identification subunit, used for determining the attack initiating terminal according to the reconstructed attack path and obtaining the IP address of the attack initiating terminal.
In the enterprise network security monitoring system of the invention, the information flow monitoring module collects flow direction information of the information flows in each link of the enterprise network, where the links include the data transmission links within the internal network as well as the data interaction links between the internal network and the external internet through the central server; the real-time vector generation module generates a real-time information flow vector according to the information of the information flow; the information flow model construction module constructs a virtual information flow model using information flow parameters; and the safety warning module compares the real-time information flow vector with the information flow model. If no information flow vector consistent with the real-time information flow vector can be found in the information flow model, the information flow corresponding to the real-time information flow vector is illegal, that is, a data security problem has been identified, and a safety warning is issued. The invention enables comprehensive security monitoring of both the external network and the internal network of the enterprise network and can detect security threats from both outside and inside, so that the security protection of the enterprise network is more comprehensive.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
FIG. 1 is a block diagram of an enterprise network security monitoring system in accordance with an embodiment of the present invention;
FIG. 2 is a block diagram of an information flow monitoring module employed by an embodiment of an enterprise network security monitoring system of the present invention;
FIG. 3 is a block diagram of an information flow model building block employed by an embodiment of an enterprise network security monitoring system of the present invention;
FIG. 4 is a block diagram of a real-time vector generation module employed by an embodiment of an enterprise network security monitoring system of the present invention;
FIG. 5 is a block diagram of a security alert module employed by an embodiment of an enterprise network security monitoring system in accordance with the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
As shown in FIG. 1, an embodiment of the present invention provides an enterprise network security monitoring system, including:
an information flow monitoring module 10, used for collecting flow direction information of the information flows in each link of the enterprise network;
an information flow model construction module 20, used for abstracting the allowed information flows into legal information flow vectors according to the user authority rules and security policies set by the enterprise network, and constructing a virtual information flow model by combining the legal information flow vectors;
a real-time vector generation module 30, used for extracting the flow direction information of an information flow in a link to generate a corresponding real-time information flow vector;
and a safety warning module 40, used for issuing a safety warning if vector analysis cannot find, in the virtual information flow model, an information flow vector corresponding to the real-time information flow vector.
The working principle and beneficial effects of the technical scheme are as follows: the information flow monitoring module collects flow direction information of the information flows in each link of the enterprise network, where the links include the data transmission links within the internal network as well as the data interaction links between the internal network and the external internet through the central server; the real-time vector generation module generates a real-time information flow vector according to the information of the information flow; the information flow model construction module constructs a virtual information flow model using information flow parameters; and the safety warning module compares the real-time information flow vector with the information flow model. If no information flow vector consistent with the real-time information flow vector can be found in the information flow model, the information flow corresponding to the real-time information flow vector is illegal, that is, a data security problem has been identified, and a safety warning is issued. The scheme enables comprehensive security monitoring of both the external network and the internal network of the enterprise network and can detect security threats from both outside and inside, so that the security protection of the enterprise network is more comprehensive.
In one embodiment, as shown in FIG. 2, the information flow monitoring module 10 includes:
an intranet information flow monitoring sub-module 101, used for collecting flow direction information of the information flows occurring in the internal network data transmission links of the enterprise network;
an external network information flow monitoring sub-module 102, used for collecting flow direction information of the information flows occurring in the data transmission links between the enterprise network and the external internet;
and an information flow size extraction sub-module 103, used for extracting the current information flow size data in each link through information flow monitoring.
The working principle and beneficial effects of the technical scheme are as follows: the intranet information flow monitoring sub-module collects flow direction information of the information flows occurring in the internal network data transmission links of the enterprise network, and the external network information flow monitoring sub-module collects flow direction information of the information flows occurring in the data transmission links between the enterprise network and the external internet; the information flow size extraction sub-module extracts the current information flow size data in each link. The scheme can thus monitor both the flow direction and the size of the information flows.
In one embodiment, as shown in FIG. 3, the information flow model construction module 20 includes:
a coordinate creation sub-module 201, used for creating a virtual multidimensional space coordinate system, the origin of which serves as the central node corresponding to the central server of the enterprise network;
a node distribution sub-module 202, used for generating nodes from the internal network databases, registered users and user registration information of the enterprise network according to a preset node setting rule, the nodes being generated in one-to-one correspondence with the databases and registered users, and marking the nodes in the multidimensional space coordinate system to form a virtual node space coordinate distribution diagram;
and an information flow model forming sub-module 203, used for marking with vector lines the nodes corresponding to the registered users that are allowed to have information flows, according to the user authority rules and security policies set by the enterprise network, thereby forming the virtual information flow model in the multidimensional space coordinate system.
The working principle and beneficial effects of the technical scheme are as follows: to construct the information flow model, the coordinate creation sub-module creates a virtual multidimensional space coordinate system whose origin serves as the central node corresponding to the central server of the enterprise network; the node distribution sub-module generates nodes in one-to-one correspondence with the databases and registered users according to a preset node setting rule and marks them in the multidimensional space coordinate system to form a virtual node space coordinate distribution diagram; the information flow model forming sub-module then marks with vector lines the nodes corresponding to the registered users that are allowed to have information flows, according to the user authority rules and security policies set by the enterprise network, to form the virtual information flow model. The scheme abstracts information flows as vectors and uses the information flow vectors as the basis of the information flow model, which provides a basis for quantitative analysis of the monitoring data; through vector-based quantitative analysis, the security condition of the enterprise network can be evaluated more accurately and objectively. A three-dimensional space coordinate system may be chosen as the multidimensional space coordinate system.
In one embodiment, as shown in FIG. 4, the real-time vector generation module 30 includes:
an information flow associated user sub-module 301, used for obtaining the registered users at the source end and the target end of an information flow from the flow direction information of the information flow in the link;
a real-time information flow node determining sub-module 302, used for determining, on the virtual node space coordinate distribution diagram, the nodes corresponding to the registered users between which the information flow occurs, according to the registered users at the source end and the target end of the information flow;
and a real-time vector forming sub-module 303, used for marking with a vector line, according to the flow direction of the information flow, the nodes corresponding to the registered users between which the information flow occurs, to obtain the real-time information flow vector.
The working principle and beneficial effects of the technical scheme are as follows: the information flow associated user sub-module determines the registered users at the source end and the target end of the information flow, the real-time information flow node determining sub-module determines the corresponding nodes on the virtual node space coordinate distribution diagram, and the real-time vector forming sub-module forms the real-time information flow vector. The scheme provides a way of converting a real-time information flow into a vector; representing the real-time information flow graphically with a vector line makes real-time monitoring of the information flow more intuitive.
In one embodiment, as shown in FIG. 5, the safety warning module 40 includes:
a vector comparison sub-module 401, used for comparing the real-time information flow vector with each allowed information flow vector of the information flow model and determining whether the information flow model contains an allowed information flow vector consistent with the real-time information flow vector;
a judging sub-module 402, used for judging whether the information flow detected in real time is legal according to the comparison result of the vector comparison sub-module: when an allowed information flow vector consistent with the real-time information flow vector exists, the information flow corresponding to the real-time information flow vector is legal; otherwise, it is illegal;
a flow evaluation sub-module 403, used for evaluating whether the current information flow size data in each link is abnormal;
and a warning sub-module 404, used for generating and issuing a safety warning when the judging sub-module judges that the information flow detected in real time is illegal, and for generating and issuing a traffic anomaly safety warning when the flow evaluation sub-module evaluates the current information flow size in a link as abnormal.
The working principle and beneficial effects of the technical scheme are as follows: the vector comparison sub-module compares the real-time information flow vector with each allowed information flow vector of the information flow model; on that basis, the judging sub-module determines from the comparison result whether the information flow corresponding to the real-time information flow vector is legal, and if it is illegal, the warning sub-module issues a safety warning. In addition, the flow evaluation sub-module evaluates whether the current information flow size data in each link is abnormal, and if so, the warning sub-module issues a traffic anomaly safety warning. The scheme judges security not only from the flow direction of the information flow but also from its size, which makes enterprise network security monitoring more comprehensive and strengthens the security assurance of the enterprise network.
In one embodiment, the vector comparison sub-module includes:
a vector projection unit, used for projecting the real-time information flow vector and each allowed information flow vector of the information flow model onto different two-dimensional coordinate planes according to a projection rule, to obtain a real-time vector projection diagram of the real-time information flow vector on each two-dimensional coordinate plane and an allowed vector projection diagram of each allowed information flow vector on each two-dimensional coordinate plane;
and a projection diagram comparison unit, used for comparing the real-time vector projection diagram and the allowed vector projection diagrams on the same two-dimensional coordinate plane; if the allowed vector projection diagrams of one allowed information flow vector on the different two-dimensional coordinate planes are each the same as the real-time vector projection diagram of the real-time information flow vector on the corresponding two-dimensional coordinate plane, that allowed information flow vector in the information flow model is consistent with the real-time information flow vector.
The working principle and beneficial effects of the technical scheme are as follows: in this scheme, information flow vectors are compared as images, using the vector model and the vector line images defined in the coordinate system. To simplify the image comparison of vectors, the multidimensional vector representation is converted by projection into vector projection diagrams in two-dimensional coordinates, and to keep the comparison accurate, the conclusion is drawn by combining the comparison results of the vector projection diagrams on at least two different two-dimensional coordinate planes. The scheme simplifies the quantitative analysis of enterprise network security, yields analysis results quickly, and issues a warning in time if a security problem exists.
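The following Python sketch is an added illustration, not part of the patent text: it builds the virtual information flow model from a policy, turns observed flows into real-time vectors, and compares them by projection, showing why a match on a single two-dimensional plane is not sufficient. The node names, coordinates, policy and flow records are constructed assumptions, and a three-dimensional coordinate system is assumed as the description suggests.

```python
"""Allow-list flow model with projection-based vector comparison (illustrative)."""
from typing import Dict, Iterable, List, Optional, Sequence, Set, Tuple

Point = Tuple[int, int, int]
Vector = Tuple[Point, Point]   # directed vector line: (source node, target node)
Plane = Tuple[int, int]        # indices of the two axes kept by a projection

XY, XZ, YZ = (0, 1), (0, 2), (1, 2)

# Constructed node layout. The origin is the central server; the other
# coordinates stand in for the "preset node setting rule" (an assumption).
NODES: Dict[str, Point] = {
    "central-server": (0, 0, 0),
    "hr-db": (4, 0, 0),
    "finance-db": (4, 0, 3),
    "alice": (1, 2, 0),
    "bob": (1, 5, 0),
}

# Constructed policy: (source, target) pairs that are allowed to exchange data.
POLICY = [("alice", "hr-db"), ("hr-db", "alice"), ("bob", "finance-db")]


def build_model(policy: Iterable[Tuple[str, str]], nodes: Dict[str, Point]) -> Set[Vector]:
    """Information flow model: one legal vector per allowed (source, target) pair.

    A policy entry naming an unknown node raises KeyError on purpose, so a
    broken model is never silently deployed.
    """
    return {(nodes[src], nodes[dst]) for src, dst in policy}


def realtime_vector(flow: Dict[str, str], nodes: Dict[str, Point]) -> Optional[Vector]:
    """Map an observed flow record to its vector; None if an endpoint has no node."""
    src, dst = nodes.get(flow.get("src")), nodes.get(flow.get("dst"))
    if src is None or dst is None:
        return None
    return (src, dst)


def project(vec: Vector, plane: Plane) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Projection of a directed vector line onto one two-dimensional plane."""
    a, b = plane
    start, end = vec
    return ((start[a], start[b]), (end[a], end[b]))


def is_legal(vec: Optional[Vector], model: Set[Vector],
             planes: Sequence[Plane] = (XY, XZ)) -> bool:
    """Legal only if ONE allowed vector matches the real-time vector on EVERY plane."""
    if vec is None:                      # unregistered endpoint: no vector, so illegal
        return False
    return any(
        all(project(vec, p) == project(allowed, p) for p in planes)
        for allowed in model
    )


def monitor(flows: Iterable[Dict[str, str]], model: Set[Vector],
            nodes: Dict[str, Point], planes: Sequence[Plane] = (XY, XZ)) -> List[str]:
    """Return one warning string per flow that has no consistent allowed vector."""
    alerts = []
    for flow in flows:
        if not is_legal(realtime_vector(flow, nodes), model, planes):
            alerts.append(f"ALERT illegal flow {flow.get('src')} -> {flow.get('dst')}")
    return alerts


# Constructed flow records, as the monitoring module might report them.
SAMPLE_FLOWS = [
    {"src": "alice", "dst": "hr-db"},        # allowed by policy
    {"src": "alice", "dst": "finance-db"},   # same XY projection as alice -> hr-db
    {"src": "finance-db", "dst": "bob"},     # reverse of an allowed one-way flow
    {"src": "mallory", "dst": "hr-db"},      # source is not a registered user
    {"src": "bob", "dst": "finance-db"},     # allowed by policy
]

if __name__ == "__main__":
    model = build_model(POLICY, NODES)
    print("two planes:", monitor(SAMPLE_FLOWS, model, NODES))
    # With a single plane the alice -> finance-db flow is wrongly accepted.
    print("XY only   :", monitor(SAMPLE_FLOWS, model, NODES, planes=(XY,)))
```

The flow from alice to finance-db matches alice to hr-db on the XY plane and bob to finance-db on the XZ plane, so it is rejected only because the same allowed vector must match on every plane.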
In one embodiment, the system further comprises an information flow interruption isolation module, used for interrupting the transmission of the illegal information flow corresponding to the real-time information flow and isolating it when the safety warning module issues a safety warning.
The working principle and beneficial effects of the technical scheme are as follows: an information flow interruption isolation module is provided so that, when a security problem is found in the enterprise network, the transmission of the illegal information flow corresponding to the real-time information flow is interrupted and the flow is isolated. An information flow whose transmission has been interrupted and which has been isolated can be examined further and handled according to the outcome: if further judgment clears it, transmission can be resumed; if a security problem is confirmed, the corresponding information flow activity can be deleted and prohibited. Through interruption and isolation, the scheme provides an opportunity to remedy possible misjudgments of illegal information flows, and maintains legitimate data interaction and operation while protecting the network security of the enterprise.
In one embodiment, the external network information flow monitoring sub-module includes:
an intrusion IP tracking unit, used for tracking the intrusion IP of the information flow on the external Internet side if the real-time information flow vector generated from the collected flow direction information between the enterprise network and the external Internet is judged to be illegal;
and an intrusion IP isolation unit, used for adding the intrusion IP tracked by the intrusion IP tracking unit to an untrusted list, configuring a firewall with the untrusted list, and isolating the intrusion IP from the Internet interface of the enterprise network through the firewall.
The working principle and beneficial effects of the technical scheme are as follows: the intrusion IP tracking unit tracks the intrusion IP of illegal behavior originating from the external Internet; the intrusion IP isolation unit adds the tracked intrusion IP to an untrusted list, and the firewall is configured from the untrusted list to isolate the intrusion IP from the Internet interface of the enterprise network. Because external Internet threat sources are uncertain and widespread, it is not possible to enumerate or globally inspect all Internet access terminals in advance; real-time threat monitoring is therefore used to trigger intrusion IP tracking, which reduces the unbounded Internet to a bounded tracking task, allows simple external monitoring and handling on top of the existing security protection, and effectively protects against external Internet threats.
In one embodiment, an intrusion IP tracking unit includes:
a trace information extraction subunit, configured to extract trace data from the information flow;
a path reconstruction subunit, configured to reconstruct the attack path according to the trace data;
an intrusion IP identification subunit, configured to determine the attack initiating terminal according to the reconstructed attack path and to acquire the IP address of the attack initiating terminal.
The working principle and beneficial effects of this technical solution are as follows: the tracking information extraction subunit extracts tracking information from the information flow, the path reconstruction subunit reconstructs the attack path, and the intrusion IP identification subunit then determines the attack initiating terminal from the reconstructed attack path and obtains its IP address. With this method, tracking can be carried out even after the attack has stopped and is not affected by a short attack time, so the tracking is more reliable.
In one embodiment, when the traffic evaluation sub-module evaluates whether the current information flow size data in a link is abnormal, it compares the data volume of the current information flow with the preset data volume threshold of the corresponding link;
Based on the historical information flow size monitoring data of each node, the data volume threshold of each link is reset using the following formula:
In the above formula, Qi represents the reset data volume threshold for the information flow size of the i-th link; qij represents the j-th information flow size data of the i-th link; n represents the number of historical data items of information flow size monitoring; m represents the number of historical data items of information flow size monitoring that are larger than the average data; qik represents the k-th information flow size data larger than the average data in the historical data of the i-th link.
The working principle and beneficial effects of this technical solution are as follows: the solution sets a different data volume threshold for each link, so that the data transmission size of different nodes is monitored adaptively. The data volume threshold of each link is reset periodically, which lets the system follow changes in the enterprise's business operations and adjust the permitted traffic range of the information flow accordingly. Monitoring therefore matches the actual business operation more closely, and enterprise data security is protected as far as possible without affecting the normal business of the enterprise.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (8)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202310052255.1A (CN116055192B (en)) | 2023-02-02 | 2023-02-02 | Enterprise network security monitoring system

Publications (2)

Publication Number | Publication Date
CN116055192A (en) | 2023-05-02
CN116055192B (en) | 2024-09-27

Family ID: 86117914

Family Applications (1)

Application Number | Status | Priority Date | Filing Date | Title
CN202310052255.1A (CN116055192B (en)) | Active | 2023-02-02 | 2023-02-02 | Enterprise network security monitoring system

Country Status (1)

Country | Link
CN (1) | CN116055192B (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
