Network security normality monitoring system based on micro-sensor technology

Document number: 195791  Publication date: 2021-11-02  Views: 33  (Chinese)

Reading note: This technology, 一种基于微传感器技术的网络安全常态监控系统 (Network security normality monitoring system based on micro-sensor technology), was designed and created by 汪文杰, 许凡强, 王涛, 张玉兵 and 徐玲 on 2021-07-23. Its main content: the invention discloses a network security normal state monitoring system based on microsensor technology, which comprises a micro DNS sensor, a micro flow sensor and a micro wireless sensor, wherein the three sensors are respectively installed on independent Raspberry Pi boards and are all connected with a data center; the micro DNS sensor is used for DNS traffic monitoring of a region; the micro flow sensor is used for network abnormal behavior analysis; the micro wireless sensor is used for WiFi/Bluetooth monitoring of a region. The invention adopts the micro-boundary idea, deploys lightweight threat monitoring sensors in small-scale networks such as power supply stations and transformer substations, and performs security monitoring and analysis of terminal equipment behavior through a system differential domain dynamic monitoring and analysis technology, so that whether it is varied attack methods and virus variants or attacks exploiting zero-day vulnerabilities, all can be accurately and effectively identified and monitored in real time.

1. A network security normal state monitoring system based on microsensor technology, characterized by comprising a micro DNS sensor, a micro-flow sensor and a micro wireless sensor, wherein the micro DNS sensor, the micro-flow sensor and the micro wireless sensor are respectively installed on independent Raspberry Pi boards, and the micro DNS sensor, the micro-flow sensor and the micro wireless sensor are all connected with a data center;

the micro DNS sensor is used for monitoring DNS traffic of a region;

the micro-flow sensor is used for analyzing network abnormal behaviors;

the micro wireless sensor is used for WiFi/Bluetooth monitoring of areas.

2. The system for monitoring the network security normality based on the microsensor technology according to claim 1, wherein the micro DNS sensor, the micro flow sensor and the micro wireless sensor are all connected with the data center through the HTTPS protocol or the syslog protocol.

3. The system for monitoring the normality of network security based on the microsensor technology according to claim 1, wherein the micro DNS sensor is used for monitoring DNS traffic of a region, including malicious domain name monitoring and analysis, and specifically comprises:

the micro DNS sensor establishes a mathematical model according to the characteristics of hosts requesting malicious domain names, monitors and discovers abnormal behaviors at the DNS layer by means of machine learning, continuously supplements the malicious program domain name blacklist library, and establishes malicious domain name identification capability;

the micro DNS sensor locates the terminal IP through the recorded malicious domain name request, and is linked with the firewall to block the infected host in time.

4. The microsensor technology-based network security normality monitoring system of claim 1, wherein the micro DNS sensor dynamically evaluates and defends against malicious domain names, including designing threat intelligence sources, designing threat policy rules, designing policy synchronization, and designing statistical reports.

5. The network security normality monitoring system based on microsensor technology of claim 4, wherein designing the threat intelligence source comprises:

establishing a threat intelligence source;

configuring a default trigger and action;

enabling the intelligence source;

and judging the type of the intelligence source:

if it is a third-party security product, further judging whether a default trigger and action are configured:

if the default trigger and action are not configured, returning to configure the default trigger and action;

if the default trigger and action are configured, downloading the intelligence policy and judging the issuing state of the intelligence source;

if the intelligence source is of the "other" type, downloading the intelligence policy and judging the issuing state of the intelligence source;

if the intelligence source is of the custom type, judging the issuing state of the intelligence source;

if the intelligence source has not been issued, the DNS sensor issues it in full;

if the intelligence source has already been issued, the DNS sensor issues the start of the intelligence source.

6. The network security normality monitoring system based on the microsensor technology according to claim 4, wherein designing the policy synchronization comprises:

automatically issuing threat policies;

acquiring the list of policies to be issued;

judging the state of each threat policy:

if the policy is normal, the DNS sensor issues the policy as a new addition;

and if the policy is deleted/disabled, the DNS sensor issues the deletion of the policy.

7. The system for monitoring the normality of the network security based on the microsensor technology according to claim 4, wherein designing the statistical report comprises:

daily interception ranking, interception detail query, threat interception curve, and threat intelligence source information statistics.

8. The system for monitoring the network security normality based on the microsensor technology according to claim 1, wherein the micro-flow sensor is used for analyzing network abnormal behaviors, and specifically comprises:

the micro-flow sensor establishes a complete traffic index and network metadata information by collecting and analyzing raw network packets in real time, and discovers abnormal terminal behaviors in time in combination with a network threat model.

9. The system for monitoring the normality of network security based on the micro-sensor technology according to claim 1, wherein the micro wireless sensor is used for WiFi/Bluetooth monitoring of a region and includes suspicious http/https communication detection, and specifically comprises:

the micro wireless sensor analyzes http/https communication traffic in the network, and generates an alarm if suspicious http and https transmission behaviors are detected.

Technical Field

The invention belongs to the technical field of network security, and particularly relates to a network security normal state monitoring system based on a micro-sensor technology.

Background

In traditional security protection thinking and technical means, an IDS is mostly deployed at a central node of the network, and a network firewall is deployed at the boundary and gateway positions, where the passing traffic is monitored and analyzed. At present, however, the network scale keeps growing, the structure is becoming more complex, network data is transmitted over long distances and wide communication ranges, the transmission path may pass through various networks, and the network has the characteristic of having no boundary. In terms of network information exchange, the technologies and protocols required to implement network-layer functions (network storage, heterogeneous network technologies, and the like) themselves have security defects and are vulnerable to desynchronization, collusion attacks and the like, particularly in heterogeneous network information exchange. Denial of service attacks arise because the number of network terminals is huge and their defensive capability is weak, so an attacker can rely on networked terminals to launch a denial of service attack against the network and cause congestion of the core network. In a fake base station attack, an attacker uses a fake base station to trick the terminal into camping on it, and steals user information through the subsequent information interaction. After an attacker breaks into the communication between networks, the user's privacy and sensitive information are stolen and privacy is leaked. These network-layer security threats may prevent network communication from operating normally and cause network services to be interrupted or even paralyzed, and the traditional IDS and border firewall are ill-suited to dealing with problems internal to the managed network.

Therefore, a network security normality monitoring system based on micro sensor technology is needed to solve the above technical problems.

Disclosure of Invention

In view of the above problems, the present invention provides a network security normality monitoring system based on a micro sensor technology, so as to solve the problems proposed in the background art.

In order to achieve the purpose, the invention provides the following technical scheme:

a network security normal state monitoring system based on microsensor technology comprises a micro DNS sensor, a micro flow sensor and a micro wireless sensor, wherein the micro DNS sensor, the micro flow sensor and the micro wireless sensor are respectively installed on independent Raspberry Pi boards, and the micro DNS sensor, the micro flow sensor and the micro wireless sensor are all connected with a data center;

the micro DNS sensor is used for monitoring DNS traffic of a region;

the micro-flow sensor is used for analyzing network abnormal behaviors;

the micro wireless sensor is used for WiFi/Bluetooth monitoring of areas.

Further, the micro DNS sensor, the micro flow sensor and the micro wireless sensor are connected with the data center through the HTTPS protocol or the syslog protocol.

Further, the micro DNS sensor is used for monitoring DNS traffic of a region, including malicious domain name monitoring and analysis, and specifically:

the micro DNS sensor establishes a mathematical model according to the characteristics of hosts requesting malicious domain names, monitors and discovers abnormal behaviors at the DNS layer by means of machine learning, continuously supplements the malicious program domain name blacklist library, and establishes malicious domain name identification capability;

the micro DNS sensor locates the terminal IP through the recorded malicious domain name request, and is linked with the firewall to block the infected host in time.

Further, the micro DNS sensor dynamically evaluates and defends against malicious domain names, and the evaluation and defense comprise a threat intelligence source design, a threat policy rule design, a policy synchronization design and a statistical report design.

Further, designing the threat intelligence source comprises:

establishing a threat intelligence source;

configuring a default trigger and action;

enabling the intelligence source;

and judging the type of the intelligence source:

if it is a third-party security product, further judging whether a default trigger and action are configured:

if the default trigger and action are not configured, returning to configure the default trigger and action;

if the default trigger and action are configured, downloading the intelligence policy and judging the issuing state of the intelligence source;

if the intelligence source is of the "other" type, downloading the intelligence policy and judging the issuing state of the intelligence source;

if the intelligence source is of the custom type, judging the issuing state of the intelligence source;

if the intelligence source has not been issued, the DNS sensor issues it in full;

if the intelligence source has already been issued, the DNS sensor issues the start of the intelligence source.

Further, designing the policy synchronization comprises:

automatically issuing threat policies;

acquiring the list of policies to be issued;

judging the state of each threat policy:

if the policy is normal, the DNS sensor issues the policy as a new addition;

and if the policy is deleted/disabled, the DNS sensor issues the deletion of the policy.

Further, designing the statistical report comprises:

daily interception ranking, interception detail query, threat interception curve, and threat intelligence source information statistics.

Further, the micro-flow sensor is used for analyzing network abnormal behaviors, and specifically:

the micro-flow sensor establishes a complete traffic index and network metadata information by collecting and analyzing raw network packets in real time, and discovers abnormal terminal behaviors in time in combination with a network threat model.

Further, the micro wireless sensor is used for WiFi/Bluetooth monitoring of a region and for detecting suspicious http/https communication, and specifically:

the micro wireless sensor analyzes http/https communication traffic in the network, and generates an alarm if suspicious http and https transmission behaviors are detected.

The invention has the technical effects and advantages that:

1. The invention classifies network edge data and processes part of the data at the edge, which reduces delay and achieves real-time and more efficient data processing.

2. The invention adopts the micro-boundary idea, deploys lightweight threat monitoring sensors in small-scale networks such as power supply stations and transformer substations, and performs security monitoring and analysis of terminal equipment behavior through a system differential domain dynamic monitoring and analysis technology, so that whether it is varied attack methods and virus variants or attacks exploiting zero-day vulnerabilities, terminal equipment behavior can be accurately and effectively identified and monitored in real time.

Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.

FIG. 1 is a schematic diagram showing the overall structure of the system according to the embodiment of the invention;

FIG. 2 illustrates a flowchart for designing a threat intelligence source, according to an embodiment of the invention;

FIG. 3 illustrates a design strategy synchronization flow diagram of an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

At present, the terminal equipment flooding the power information network is of many types, with greatly differing functions, services and processing capacities, so a traditional security solution, such as installing traditional security software or erecting security hardware, cannot provide the protection capability. Meanwhile, the storage and computing capacities of many general-purpose terminals are extremely limited, and implementing a security protection function on them without affecting the operation of terminal services is an industry-wide problem; moreover, the traditional network boundary disappears because of mobility, so security software and hardware products that depend on the network boundary cannot play their role.

The invention provides a network security normal state monitoring system based on microsensor technology, which uses ARM architecture embedded equipment as the underlying hardware, is equipped with the Kali 2.0 for ARM lightweight operating system, is developed on Python 2.7.16 and the scapy component, and uses an sqlite3 database. By way of example, as shown in FIG. 1, it mainly comprises three modules, namely a micro DNS sensor, a micro flow sensor and a micro wireless sensor, which are respectively arranged on a Raspberry Pi and are independent of one another, and data is sent to the data center through the Raspberry Pi group using the HTTPS protocol or the syslog protocol. Because the embodiment of the invention adopts this structure, its functions and arrangement are very flexible and its cost is very low.

In the embodiment of the invention, the micro DNS sensor is used for monitoring DNS traffic of a region, including malicious domain name monitoring and analysis. Specifically, the micro DNS sensor establishes a mathematical model according to the characteristics of hosts requesting malicious domain names, monitors and discovers abnormal behaviors at the DNS layer by means of machine learning, continuously supplements the malicious program domain name blacklist library, and establishes malicious domain name identification capability;

meanwhile, the micro DNS sensor locates the terminal IP through the recorded malicious domain name request, and is linked with the firewall to block the infected host in time.

In the embodiment of the invention, the micro DNS sensor can also be used for dynamically evaluating and defending against malicious domain names, including designing the threat intelligence source, designing threat policy rules, designing policy synchronization and designing the statistical report, with the following specific steps:

Designing the threat intelligence source, as shown by way of example in FIG. 2:

creating a threat intelligence source through the management page;

entering the configuration page by clicking one of the intelligence sources;

clicking the enable button of that intelligence source;

judging the type of the intelligence source in the background;

if it is a third-party security product, judging in the background whether the intelligence source has a default trigger and action configured;

if the default trigger and action are not configured, returning to configure the default trigger and action;

if the default trigger and action are configured, downloading the intelligence policy and judging whether the current intelligence source has been issued;

if the intelligence source is of the "other" type, downloading the intelligence policy from the intelligence source according to the configured address and authorization, and judging whether the current intelligence source has been issued;

if the intelligence source is of the custom type, judging whether the current intelligence source has been issued;

if the intelligence source has not been issued, calling the remote interface to perform a full issue;

if the intelligence source has already been issued, calling the remote interface to start the intelligence source.

Designing the policy synchronization, as shown by way of example in FIG. 3:

scheduling a timed task that automatically issues threat policies;

querying the list of policies whose state is not yet issued;

judging whether each threat policy is in the normal or the deleted/disabled state:

if the policy is normal, calling the remote interface to add the policy;

and if the policy is deleted/disabled, calling the remote interface to delete the policy.
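The two flows above (enabling an intelligence source as in FIG. 2, and the timed policy synchronization as in FIG. 3) written out as an added Python 3 example; this is not the patent's own code, and the RemoteInterface class, the download_policy stub and the field names of the source and policy records are assumptions standing in for the system's real remote interface and data model.

```python
"""Enable flow for a threat intelligence source and timed policy synchronization.

Added example; the remote interface, download step and record fields are assumed.
"""

THIRD_PARTY, OTHER, CUSTOM = "third_party", "other", "custom"


class RemoteInterface:
    """Stand-in for the DNS sensor's remote interface: records calls instead of issuing."""

    def __init__(self):
        self.calls = []

    def full_issue(self, source):
        self.calls.append(("full_issue", source["name"]))

    def start_source(self, source):
        self.calls.append(("start", source["name"]))

    def add_policy(self, policy):
        self.calls.append(("add", policy["id"]))

    def delete_policy(self, policy):
        self.calls.append(("delete", policy["id"]))


def download_policy(source):
    """Assumed download step: returns constructed policy records for the source."""
    return [{"id": f"{source['name']}-{i}", "state": "normal"} for i in range(2)]


def enable_intelligence_source(source, remote):
    """Walk the enable flow and return a label for the branch that was taken."""
    kind = source["type"]
    if kind == THIRD_PARTY:
        # A third-party security product needs a default trigger and action first.
        if not (source.get("default_trigger") and source.get("default_action")):
            return "configure_default_trigger_and_action"
        source["policies"] = download_policy(source)
    elif kind == OTHER:
        # "Other" sources are downloaded using their configured address and authorization.
        if not (source.get("address") and source.get("authorization")):
            raise ValueError("other-type source needs address and authorization")
        source["policies"] = download_policy(source)
    elif kind != CUSTOM:
        raise ValueError(f"unknown intelligence source type: {kind!r}")
    # Custom sources skip the download and go straight to the issuing check.
    if not source.get("issued"):
        remote.full_issue(source)
        source["issued"] = True
        return "full_issue"
    remote.start_source(source)
    return "start"


def sync_policies(policies, remote):
    """Timed task: push every not-yet-issued policy, adding or deleting by its state."""
    summary = {"added": 0, "deleted": 0}
    for policy in (p for p in policies if not p.get("issued")):
        if policy["state"] == "normal":
            remote.add_policy(policy)
            summary["added"] += 1
        elif policy["state"] in ("deleted", "disabled"):
            remote.delete_policy(policy)
            summary["deleted"] += 1
        else:
            raise ValueError(f"unexpected policy state: {policy['state']!r}")
        policy["issued"] = True  # do not re-issue on the next scheduled run
    return summary
```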

Designing the statistical report:

it comprises daily interception ranking, interception detail query, threat interception curve and threat intelligence source information statistics, makes it convenient for the administrator to count and query malicious domain name access in real time, and can locate the infection source through the client IP.
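The malicious domain name monitoring of the micro DNS sensor described earlier (blacklist matching, locating the requesting terminal IP and linking with the firewall) together with the daily interception ranking and interception detail query of the statistical report, as an added Python 3 example; this is not the patent's own code. The Firewall stand-in, the sqlite3 table layout, the blacklist and the DNS query records are constructed assumptions, and the example uses only the standard library (the page's scapy capture is replaced by pre-parsed query tuples) so that it runs offline.

```python
# Micro DNS sensor: blacklist matching, firewall linkage and daily interception ranking.
# Added example; the blacklist, queries, Firewall stand-in and table layout are constructed.
import sqlite3

def normalize(name):
    """Lower-case a domain name and strip the trailing dot of a fully qualified name."""
    return name.strip().lower().rstrip(".")

def open_store():
    """In-memory sqlite3 table of interception records (the page names sqlite3 as the database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE interception (day TEXT, client_ip TEXT, qname TEXT, matched TEXT)")
    return conn

def match_blacklist(qname, blacklist):
    """Return the blacklist entry that qname equals or is a subdomain of, else None."""
    q = normalize(qname)
    for entry in blacklist:
        # Suffix match on a label boundary: "notbad.example" must not match "bad.example".
        if q == entry or q.endswith("." + entry):
            return entry
    return None

class Firewall:
    """Stand-in for the linked firewall: records block requests instead of applying them."""
    def __init__(self):
        self.blocked = []
    def block_host(self, ip):
        if ip not in self.blocked:
            self.blocked.append(ip)

def process_queries(queries, blacklist, conn, firewall, day):
    """Inspect (client_ip, qname) DNS queries, record hits and block the requesting host."""
    hits = 0
    for client_ip, qname in queries:
        matched = match_blacklist(qname, blacklist)
        if matched is None:
            continue
        conn.execute("INSERT INTO interception VALUES (?, ?, ?, ?)",
                     (day, client_ip, normalize(qname), matched))
        firewall.block_host(client_ip)  # firewall linkage: block the infected terminal
        hits += 1
    conn.commit()
    return hits

def daily_ranking(conn, day, limit=5):
    """Daily interception ranking: blacklist entries hit most often on that day."""
    sql = ("SELECT matched, COUNT(*) AS n FROM interception WHERE day = ? "
           "GROUP BY matched ORDER BY n DESC, matched LIMIT ?")
    return conn.execute(sql, (day, limit)).fetchall()

def interception_details(conn, day, matched):
    """Interception detail query: client IPs behind a hit, used to locate the infection source."""
    sql = "SELECT DISTINCT client_ip FROM interception WHERE day = ? AND matched = ? ORDER BY client_ip"
    return [row[0] for row in conn.execute(sql, (day, matched))]

# Constructed sample data: the blacklist entries and client addresses are not from the page.
SAMPLE_BLACKLIST = {normalize(d) for d in ("evil-c2.example", "BAD.example.")}
SAMPLE_QUERIES = [
    ("10.1.1.5", "update.evil-c2.example."),
    ("10.1.1.9", "www.example.com"),
    ("10.1.1.5", "evil-c2.example"),
    ("10.1.1.7", "BAD.example"),
    ("10.1.1.9", "notbad.example"),   # substring of a blacklisted name, but not a subdomain
    ("10.1.1.12", "cdn.evil-c2.example"),
]

def run_sample(day="2021-01-01"):
    """Run the constructed queries through the sensor and return the report pieces."""
    conn, firewall = open_store(), Firewall()
    hits = process_queries(SAMPLE_QUERIES, SAMPLE_BLACKLIST, conn, firewall, day)
    return {"hits": hits, "blocked": firewall.blocked, "ranking": daily_ranking(conn, day),
            "details": interception_details(conn, day, "evil-c2.example")}
```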

In the embodiment of the invention, the micro-flow sensor is used for analyzing network abnormal behaviors: it establishes a complete traffic index and network metadata information by collecting and analyzing raw network packets in real time, and discovers abnormal terminal behaviors in time in combination with a network threat model.

In the embodiment of the invention, the micro wireless sensor is used for WiFi/Bluetooth monitoring of the region and includes suspicious http/https communication detection: it analyzes http/https communication traffic in the network and generates an alarm if suspicious http and https transmission behaviors are detected; the user can perform deep mining analysis on the alarm data, and the application scenario can be flexibly deployed according to actual needs.

The embodiment of the invention also has other functions:

multi-dimensional report statistics: the malicious domain names and the overall activity of terminal users during the period are collected, including all analysis data such as the number of affected desktop office terminals and servers and the top-ranked network abnormal behaviors, which is convenient for the administrator's statistics;

custom monitoring and alarming: custom addition of monitored network protocols and ports according to user requirements is supported, as are statistical analysis of network requests and custom alarm levels;

security event review: a retrieval function based on IP, domain name, traffic characteristic value, DNS resolution record and behavior modeling is provided, data can be traced back from data characteristics of different dimensions and network behavior patterns, and various known and unknown security events can be quickly located.

The embodiment of the invention classifies network edge data and processes part of the data at the edge, which reduces delay and achieves real-time and more efficient data processing. In addition, the embodiment of the invention adopts the micro-boundary idea, deploys lightweight threat monitoring sensors in small-scale networks such as power supply stations and transformer substations, and performs security monitoring and analysis of terminal equipment behavior through a system differential domain dynamic monitoring and analysis technology, so that whether it is varied attack methods and virus variants or attacks exploiting zero-day vulnerabilities, terminal equipment behavior can be accurately and effectively identified and monitored in real time.

Although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
