Network safety monitoring method, system and equipment, and storage medium

A network security monitoring technology, applied in the field of network security, that addresses problems such as heavyweight platform systems, indeterminate security event levels, and differences between products in definitions and log output, with the effect of making the tools simple to use.

Active Publication Date: 2018-02-09
CTRIP TRAVEL NETWORK TECH SHANGHAI0

AI Technical Summary

Problems solved by technology

[0003] (1) Log security semantic standards are not uniform.
Because the network security defense technologies come from different providers, different products differ in how they define and log the same security problem.
In addition, firewalls, operating systems and similar components only record events and do not perform a full security semantic conversion on their event logs.
[0004] (2) There is no unified entry point, so time-series analysis and querying based on logs cannot be done.
The entry points provided by different network security defense technologies are not uniform and cannot support time-series queries or original-log queries for manual analysis.
[0005] (3) Monitoring rules have insufficient dimensions.
If monitoring rules are set on a single factor, the false positive rate is high and the level of a security incident cannot be determined qualitatively.
[0006] (4) The monitoring platform requires maintenance support from a professional team.
For monitoring, mainstream large platforms introduce specialized technical solutions such as streaming engines, rule engines, large storage environments, and front-end design. These large, comprehensive platform systems are heavy and complex, and require dedicated personnel to spend a lot of time on development and maintenance.


Embodiment Construction

[0030] Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals denote the same or similar structures in the drawings, and thus their repeated descriptions will be omitted.

[0031] There are multiple network security defense devices in the current network security monitoring system, but the log security semantic standards generated by multiple network security defense devices are not uniform, there is no unified entry, and timing analysis and query based on logs cannot be performed. The present invention uniformly collects security logs of various network security defense devices, performs uni...


Abstract

The invention provides a network security monitoring method, system and equipment, and a storage medium. The method comprises the following steps: collecting security logs from multiple network security defense devices and sending them to a message caching cluster and an intrusion detection server; performing security semantic conversion on the security logs in the intrusion detection server, analyzing them according to a preset rule to generate a security event, sending the security event to the message caching cluster, and sending alarm information when the security event satisfies a preset alarm condition; reading the stored data in the message caching cluster through a centralized log analysis platform, performing normalization processing and field filling on the stored data to obtain index data, and querying the index data through a retrieval front end to obtain the security log or security event corresponding to the index data. With the network security monitoring method provided by the invention, lightweight, multi-dimensional security monitoring with a unified security semantic standard and traceable sources can be realized through unified security log collection, the intrusion detection server, the message caching cluster and the centralized log analysis platform.
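The semantic conversion, rule analysis and alarm condition steps of the abstract, sketched as an added example (not code from the patent or its owner). The two device log formats, the signature names, the 300-second window and the level logic are all constructed assumptions; the message caching cluster and the indexing platform are not modelled.

```python
import re
from collections import defaultdict

# Constructed line formats for two hypothetical devices (assumptions, not vendor formats).
WAF = re.compile(r"(?P<ts>\d+) waf action=(?P<act>\w+) client=(?P<src>\S+) rule=(?P<sig>\S+)")
HIPS = re.compile(r"(?P<ts>\d+) hips src=(?P<src>\S+) alert=(?P<sig>\S+) blocked=(?P<act>\w+)")
# Each device's own vocabulary mapped onto one shared set of security semantics.
SEMANTICS = {"sqli-942100": "sql_injection", "SQL_INJECT": "sql_injection",
             "webshell-upload": "webshell", "WEBSHELL_WRITE": "webshell"}

def normalize(line):
    """Semantic conversion: return a unified record, or None if unparseable."""
    for device, pattern in (("waf", WAF), ("hips", HIPS)):
        m = pattern.fullmatch(line.strip())
        if m:
            return {"ts": int(m["ts"]), "device": device, "src": m["src"],
                    "category": SEMANTICS.get(m["sig"], "unknown"),
                    "blocked": m["act"] in ("deny", "yes"), "raw": line}
    return None

def analyze(lines, window=300):
    """Multi-factor rule: the level depends on device agreement, timing and block status."""
    groups = defaultdict(list)
    for rec in filter(None, map(normalize, lines)):
        groups[(rec["src"], rec["category"])].append(rec)
    events = []
    for (src, category), recs in sorted(groups.items()):
        recs.sort(key=lambda r: r["ts"])
        corroborated = (len({r["device"] for r in recs}) > 1
                        and recs[-1]["ts"] - recs[0]["ts"] <= window)
        unblocked = any(not r["blocked"] for r in recs)
        if corroborated and unblocked:
            level = "high"
        elif corroborated or unblocked:
            level = "medium"
        else:
            level = "low"
        # Keep the raw lines so every event can be traced back to its source logs.
        events.append({"src": src, "category": category, "level": level,
                       "evidence": [r["raw"] for r in recs]})
    return events

def alerts(events, condition=("high",)):
    """Preset alarm condition: only events at the configured levels raise an alarm."""
    return [e for e in events if e["level"] in condition]

SAMPLE = ["1700000000 waf action=deny client=203.0.113.7 rule=sqli-942100",
          "1700000100 waf action=allow client=198.51.100.9 rule=webshell-upload",
          "1700000160 hips src=198.51.100.9 alert=WEBSHELL_WRITE blocked=no",
          "garbage line"]  # constructed sample input
```

A single blocked WAF hit stays at level low, while the same category reported unblocked by two devices within the window is raised to high, which is the false-positive reduction that multi-dimensional rules are meant to provide.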

Description

Technical field

[0001] The present invention relates to the field of network security, in particular to a method, system, device and storage medium for network security monitoring based on intrusion detection and data indexing.

Background technique

[0002] With the popularization of various network technologies, enterprise network systems are also facing more and more dangers of being attacked, and often suffer from different degrees of intrusion and damage, which seriously interferes with the normal operation of enterprise networks. In order to ensure the security of the basic environment and business, enterprises have to strengthen the security protection of the network system, and constantly pursue a multi-level and three-dimensional network security monitoring system, including network firewall, IPS (Intrusion Prevention System, intrusion prevention system), WAF (Web Application Firewall, Web Application Firewall), HIPS (Host-based Intrusion Prevention System, host-base...

Application Information

IPC(8): H04L29/06, H04L12/24, H04L12/26
CPC: H04L41/0631, H04L43/045, H04L63/1416, H04L63/1425, H04L2463/146
Inventor: 余本华雷兵凌云
Owner: CTRIP TRAVEL NETWORK TECH SHANGHAI0