Anomaly detection method and system based on business flow

Abstract

The invention belongs to the field of network space security, and discloses a method and system for abnormality detection based on business flow. By monitoring the business flow, the source IP address, destination IP address, source port, destination port, protocol type, Time and other elements, analyze whether there is anomaly from the perspective of business agreement; based on the time interval between current business events and the execution frequency of certain parts of business activities, analyze whether there is anomaly from the perspective of business performance; from the perspective of business logic, Construct a business logic matrix based on the normal business process logic structure, and analyze whether there is any abnormality in the sequence of current business events. The invention makes up for the deficiencies of traditional safety protection measures, detects safety problems that cannot be found by traditional technical means, strengthens the internal control of safety protection, prevents the occurrence of violations by internal personnel, and forms a powerful supplement and improvement to the existing safety protection system.

Description

technical field [0001] The invention belongs to the field of network space security, and in particular relates to a business flow-based abnormality detection method and system. Background technique [0002] At present, the existing technologies commonly used in the industry are as follows: [0003] With the continuous development of network attack technology, the attack methods are becoming more and more complex and the attack scale is expanding. However, the existing security protection system emphasizes external defense. Traditional security measures such as intrusion detection based on rules and attack characteristics, firewalls, etc. and monitoring insider violations have been far from ideal. When more and more attackers launch an attack, they will first test whether they can bypass the security detection of the target network and use some new attack methods, such as zero-day threats, advanced evasion techniques, multi-stage attacks, and APT attacks. Because they bypa...

AI Technical Summary

Problems solved by technology

There are three problems in detecting abnormal traffic in this way: (1) The relevant elements of business traffic in statistical analysis cannot reflect the business logic relationship, and it is impossible to judge whether there are possible unknown threats and attack behaviors on the network based on business logic

(2) It is difficult to detect attacks that exploit internal logic loopholes in the business; (3) It is impossible to detect violations by legitimate employees

[0009] With the continuous development of network attack technology, the attack methods are becoming more complex and the attack scale is expanding. However, the existing security protection system is not very effective in detecting unknown threats and monitoring insider violations.

Images