Journal of Information Security Research, 2021, Vol. 7, Issue E1: 174-.


Network Security Large-Traffic Retrospective Analysis System Serving Critical Information Infrastructures

  • Online: 2022-04-20   Published: 2022-04-22


Wang Zezheng (1), Liu Meng (2), Li Pengchao (1)

  1. Solution Product Design Institute, Eversec (Beijing) Technology Co., Ltd., Beijing 100098
  2. Intelligent Security Innovation Research Institute, Eversec (Beijing) Technology Co., Ltd., Beijing 100098
  • Corresponding author: Wang Zezheng, M.S., engineer. Main research interests: network security, content security, industrial internet security, data security. wangzezheng@eversec.cn
  • Author biographies: Wang Zezheng, M.S., engineer. Main research interests: network security, content security, industrial internet security, data security. wangzezheng@eversec.cn. Liu Meng, engineer. Main research interests: civilian C4IS applications, covering enterprise security risk protection and active risk measurement. liumeng@eversec.cn. Li Pengchao, Ph.D., associate research fellow. Main research interests: network information security, intelligent image and text information processing, industrial internet security. lipengchao@eversec.cn

Abstract: Demand for Network Traffic Analysis (NTA) and traffic retrospective (forensic replay) products has grown rapidly in recent years, yet NTA still faces several challenges: detection throughput is low, security events in the data flow are detected inaccurately, and situation awareness capability is lacking. In this paper we design a large-traffic network security retrospective analysis system. It runs on dedicated hardware and is deployed in bypass mode (out-of-band, fed from a tap or mirror port rather than placed inline) at the network boundary or a security-domain boundary, so it can analyze the entire traffic of the enterprise. Combined with Eversec threat intelligence, it detects traffic anomalies, network asset changes, event behavior characteristics and attack-source behaviors, presents them in a visual interface, and replays the attack chain for attack events that succeeded, allowing users to quickly trace the attack process back to its source.
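To make the retrospective workflow in the abstract concrete, the following is an added illustration (not Eversec's code, and not part of the original article) of what such a system does once full traffic has been captured and stored as flow records: match flows against a threat-intelligence feed, detect internal assets that are missing from the inventory, flag large egress transfers as traffic anomalies, and replay the ordered attack chain for a source that hit the intelligence feed. The flow records, indicator feed, asset inventory, internal address ranges and all field names are constructed assumptions; a real deployment would read these from the sensor's capture store and its intelligence platform.

```python
"""Toy retrospective (forensic) analysis over stored flow records.

Added illustration, not Eversec's code. Every data set below is constructed
sample data and every field name is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed enterprise address ranges


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int
    tag: str        # stand-in for the DPI/signature label a sensor attaches


# Constructed sample capture: ts, src, dst, dport, bytes, tag
RAW_FLOWS = [
    ("2021-05-01T09:00:00", "203.0.113.7", "10.0.1.20", 22, 1200, "ssh-auth-fail"),
    ("2021-05-01T09:00:05", "203.0.113.7", "10.0.1.20", 22, 1300, "ssh-auth-fail"),
    ("2021-05-01T09:02:10", "203.0.113.7", "10.0.1.20", 22, 900, "ssh-auth-ok"),
    ("2021-05-01T09:05:00", "10.0.1.20", "10.0.2.5", 445, 40_000, "smb"),
    ("2021-05-01T09:07:30", "10.0.1.20", "198.51.100.9", 443, 5_000_000, "tls"),
    ("2021-05-01T10:00:00", "10.0.3.77", "10.0.1.20", 80, 500, "http"),
]

# Constructed indicator feed: ip -> label (a real system pulls this from its
# threat-intelligence platform).
THREAT_INTEL = {"203.0.113.7": "scanner", "198.51.100.9": "c2"}

# Constructed asset inventory from the previous baseline.
KNOWN_ASSETS = {"10.0.1.20", "10.0.2.5"}


def parse_flows(rows):
    return [Flow(datetime.fromisoformat(ts), s, d, p, b, t) for ts, s, d, p, b, t in rows]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def intel_hits(flows, intel):
    """Flows whose source or destination is a known indicator, with its label."""
    return [(f, intel.get(f.src) or intel.get(f.dst))
            for f in flows if f.src in intel or f.dst in intel]


def asset_changes(flows, known):
    """Internal addresses seen in the capture that are absent from the inventory."""
    seen = {ip for f in flows for ip in (f.src, f.dst) if is_internal(ip)}
    return seen - known


def egress_anomalies(flows, threshold=1_000_000):
    """Internal-to-external flows above a byte threshold (possible exfiltration)."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst) and f.nbytes >= threshold]


def replay_attack_chain(flows, intel, window=timedelta(hours=1)):
    """For each external source on the intel feed, rebuild the ordered chain:
    its inbound flows, then what the hosts it touched did within `window`."""
    chains = {}
    by_time = sorted(flows, key=lambda f: f.ts)
    for src in sorted({f.src for f in flows if f.src in intel and not is_internal(f.src)}):
        inbound = [f for f in by_time if f.src == src]
        victims = {f.dst for f in inbound}
        t0 = inbound[0].ts
        steps = [("initial-access", f) for f in inbound]
        for f in by_time:
            if f.src in victims and t0 <= f.ts <= t0 + window:
                if f.dst in intel:
                    kind = "c2-or-exfil"
                elif is_internal(f.dst):
                    kind = "lateral-movement"
                else:
                    kind = "egress"
                steps.append((kind, f))
        chains[src] = sorted(steps, key=lambda s: s[1].ts)
    return chains


if __name__ == "__main__":
    flows = parse_flows(RAW_FLOWS)
    print("intel hits:", [(f.src, f.dst, lbl) for f, lbl in intel_hits(flows, THREAT_INTEL)])
    print("new assets:", asset_changes(flows, KNOWN_ASSETS))
    print("egress anomalies:", [(f.src, f.dst, f.nbytes) for f in egress_anomalies(flows)])
    for src, steps in replay_attack_chain(flows, THREAT_INTEL).items():
        print(f"attack chain from {src}:")
        for kind, f in steps:
            print(f"  {f.ts.isoformat()} {kind:16} {f.src} -> {f.dst}:{f.dport} [{f.tag}]")
```

On the constructed capture the replay yields a five-step chain for 203.0.113.7: two failed SSH attempts and one success against 10.0.1.20, then SMB from that host to 10.0.2.5 (lateral movement) and a 5 MB TLS transfer to the listed C2 address. The later HTTP flow from 10.0.3.77 is not part of the chain but surfaces as an asset change, since that host is absent from the baseline inventory. The fixed one-hour window is a simplification; a production system would extend the window per pivot host and key on sessions rather than on individual flows.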

Key words: critical information infrastructure, network security, situational awareness, full traffic analysis, traffic retrospective, threat intelligence, visualization

Abstract (Chinese version, translated): Network security traffic forensic analysis is now widely applied, but traffic retrospective forensics still suffers from low detection throughput, inaccurate security event monitoring and unclear multi-dimensional situation display. We design a large-traffic network security retrospective analysis system that runs on dedicated hardware and is deployed in bypass (out-of-band) mode at the network boundary or a security-domain boundary. It can analyze all of an enterprise's traffic and, combined with Eversec threat intelligence, comprehensively detect traffic anomalies, network asset changes, event behavior characteristics and attack-source behaviors, presenting them in a visual interface; for successful attack events it can replay the attack chain, letting users quickly trace the attack process to its source.
