CN102801739A - Network risk determining and evidence obtaining method based on cloud computing environment - Google Patents
Abstract
The invention discloses a network risk determination and forensics (evidence collection) method based on a cloud computing environment. The method comprises the following steps: first, carrying out intrusion risk evaluation of the grid under the cloud computing environment; then establishing a layered, quantitative risk evaluation system for the cloud computing environment; and finally collecting evidence in real time and carrying out policy control. The network is monitored by detectors scattered throughout the network environment, so that the overall comprehensive risk value of the current network, as well as the risk value of any host in the network under one kind of attack or several kinds of attack, is evaluated quantitatively and in real time, evidence is collected in real time, and the defence policy of the entire system is then changed proactively according to the risk index. The method evaluates and predicts the network security state under the cloud computing environment and carries out effective network risk evaluation and forensics for the attacks suffered by the monitored network, thereby achieving the goal of network security.
Description
Technical field
The invention belongs to the technical field of network risk, and in particular relates to a network risk forensics and determination method based on a cloud computing environment.
Background technology
Cloud computing technology is developing toward large scale, high performance and distribution. It brings major innovation to information technology and has become a focus of attention for industry, academia and even government. The national "12th Five-Year" planning outline lists cloud computing as a strategic emerging industry to be developed as a priority. The development of cloud computing will change the entire information industry chain, from CPUs, storage, servers and terminals to operation and application software, and will profoundly influence the informatization of production and daily life. As the importance of network security under the cloud computing environment steadily rises, security problems have become the key factor restricting the development of cloud computing. Regrettably, existing network security models are mainly based on anomaly detection, log analysis, rule matching and similar methods, and mainly discover an attack only after it has occurred; they also do not fit one of the characteristics of the cloud computing environment, namely that cloud computing has eliminated the network boundary. Traditional intrusion detection methods based on misuse detection and anomaly detection algorithms are likewise inapplicable under the cloud computing environment, lacking distribution and scalability.
Summary of the invention
In order to solve the existing problems, the invention provides a network risk forensics and determination method based on a cloud computing environment, giving a method for effectively analysing the attacks suffered by the monitored network under the cloud computing environment and for calculating and evaluating the network risk degree. A layered, quantitative measurement index system is established under the cloud computing environment; the network situation is grasped as a whole and globally; the relevant theory of fuzzy computation is used for analysis, and asset evaluation is combined with the network situation evaluation system by applying the theory of security systems engineering; the inherent or potential risks of the network under the cloud computing environment are analysed qualitatively and quantitatively, yielding the probability that the whole network is endangered and the severity of the consequences.
Another object of the embodiments of the invention is to provide a network risk forensics and determination method based on a cloud computing environment, characterised in that the method comprises:
First, carrying out intrusion risk evaluation of the grid under the cloud computing environment;
Establishing a layered, quantitative risk evaluation system for the cloud computing environment;
Collecting evidence in real time and carrying out policy control.
Further, the method of network risk evaluation is:
First, detectors are distributed to each node of the network, that is, onto the security servers; the network is monitored and network data collection begins;
The data center server collects risk information from the control points directly under its jurisdiction;
The secondary data center server statistically analyses the collected information and, integrating the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under its jurisdiction;
The top-level data center server statistically analyses the overall risk evaluated by the secondary data center servers and the risk of the top-level security servers, integrates the relevant important risk information, and calculates the risk value of the whole system;
The top-level data center server collects security server information and overall risk information from the secondary data center servers respectively, collects risk information from the top-level security servers, and obtains the relevant important risk information locally.
Further, in the risk statistics module all data center servers are treated as the same role. A data center server collects risk information from its directly subordinate control points: if a directly subordinate control point is a subordinate data center server, its overall risk is collected; if it is a security server, its own risk is collected. Each security server monitors in real time and obtains its own risk records. The secondary data center server contacts the top-level data center server to obtain the relevant important risk information, and collects all risk information of the monitored security servers directly under its jurisdiction to the local node.
Further, the layered, quantitative risk evaluation method for the cloud computing environment comprises:
Calculating the risk degree $r_{i,j}(t)$ of a single attack faced by an individual host at time t; the risk degree value of the i-th anomaly against the host on the j-th LCSA at time t is:
where u represents the degree of danger of that kind of attack;
Calculating the comprehensive risk degree $r_j(t)$ of multiple attacks faced by an individual host at time t. The parameter $u_i$ ($0 \le u_i \le 1$) represents the danger of the i-th attack type ($1 \le i \le m$), so the risk degree value $r_j(t)$ on the j-th host is:
The larger the value of $r_j(t)$, the more dangerous the system;
Establishing the attack-harmfulness index system: attacks are divided according to their behavioural characteristics into four major classes and several groups; the purpose of the classification is to better determine the extent of harm of each type of attack. The harmfulness vector $D_i$ ($1 \le i \le m$) of the i-th kind of attack is then established. The harmfulness vectors of these m kinds of attack are arranged together to form the harmfulness matrix D:
Calculating attack harmfulness: according to the different services each host provides, the users it serves, its particular system software and application software, and similar attributes, the relative importance values of six types of indexes of the j-th host ($1 \le j \le N$), namely network bandwidth, services, system software, application software, data and information, are established and jointly denoted as the value $E_j$ of the j-th host ($1 \le j \le N$); it is a comprehensive score based on expert scoring and survey. Thus the degree of danger u of the i-th attack against the j-th host ($1 \le j \le N$) is $u_i = D_i \cdot E_j$, where $D_i$ is the i-th component (row vector) of matrix D. After computing $u_i$, $r_j(t)$ can be obtained;
Calculating the network risk degree value: the risk degree values are first calculated from the bottom of the tree and then recursively upward. The importance value of the j-th host is denoted $Importance_j$, and the risk degree value of an LCSA is the weighted sum Q(t) of the risk degree values $r_j(t)$ of all hosts on that LCSA:
Here the risk degree value of the j-th host ($Host_j$) is $r_j(t)$ and $Importance_j$ is the importance value of the j-th host; Q(t) is then normalised to obtain the risk degree value of this LCSA;
These indexes are quantified and a host importance evaluation index system is established at multiple levels;
A multi-level grey relational model is adopted. Suppose n kinds of indexes influencing Importance are identified in the network, each kind of Importance having m attributes in total; the evaluation index system is determined according to the evaluation purpose, and the index data sequences are made dimensionless to form the following matrix:
where
with i = 0, 1, ..., n and k = 1, 2, ..., m. The absolute difference $|x_0(k) - x_i(k)|$ between each element of the index sequence of each evaluated object and the corresponding element of the reference sequence is calculated one by one, and from these differences the quantities needed for the relational coefficient are determined.
The relational coefficient of each comparative sequence with the corresponding element of the reference sequence is then calculated:
In the formula ρ is the resolution coefficient, taking a value in (0, 1); the smaller ρ is, the greater the difference between relational coefficients and the stronger the discriminating ability. Here we take ρ = 0.5;
For each evaluated object, the mean of the relational coefficients of its m indexes with the corresponding elements of the reference sequence is calculated, to reflect the relational degree between the evaluated object and the reference sequence. Because each index plays a different role in the overall evaluation in this system, a weighted mean of the relational coefficients is taken instead:
Finally, the evaluation result is drawn according to the relational order of each observed object; here $w_k$ is the weight of each index;
Calculating the general evaluation objective: general evaluation objective = Σ (each index score × its corresponding weight). The general evaluation objective is taken as the importance value of each evaluated host, i.e. the size of the Importance value is calculated. Thus the Importance value obtained is:
Evaluating the risk degree of the whole network: the SREC (System Risk Evaluation Center) collects local security information (for example the AC and risk values of the hosts) from each LCSA. Denote the importance of the m-th LCSA, $LCSA_m$, as $LCSA\_Weight_m$, and let the network have N LCSAs in total;
after normalisation, the risk degree value R(t) of the whole network is:
R(t) is the final network risk degree value calculated by the SREC in the risk evaluation; the higher its score, the higher the level of network risk and the more the system is in a risky state; conversely, the lower the score, the safer the network.
Further, the method further comprises:
In step S1031, the WEB server listens for forensics or policy requests; if the client fails to obtain a request, it tries again in every cycle until timeout;
In step S1032, the WEB server obtains the forensics or policy request submitted by the user and stores the request permitted for execution in the database; if storage in the WEB server database fails, step S1037 is executed: the client fails to obtain the request and tries again in every cycle until timeout; if storage succeeds, step S1033 is executed;
In step S1033, the SOCKET client initiates a TCP connection request to the destination server; if the connection fails, step S1037 is executed and the program ends; if the connection succeeds, step S1034 is executed;
In step S1034, the client reports the detected forensics or policy request to the server, and the server runs the requested instruction locally; if this fails, step S1037 is executed, the server ends and the session is disconnected; if it succeeds, the execution result is fed back to the client and step S1035 is executed;
In step S1035, the client receives the result from the server; if this fails, step S1037 is executed and the program exits; if it succeeds, the result is stored in the database and step S1036 is executed;
In step S1036, the WEB server monitors the execution result of the forensics or policy request and displays it to the user through the browser interface.
Further, the method further comprises:
The time series X(t) is a linear function of its earlier values and of the current and earlier random error terms, i.e. it can be expressed as:
$$X(t) = \varphi_1 X(t-1) + \varphi_2 X(t-2) + \cdots + \varphi_p X(t-p) + u(t) - \theta_1 u(t-1) - \theta_2 u(t-2) - \cdots - \theta_q u(t-q) \qquad (1)$$
Then the time series X(t) is an autoregressive moving average sequence, and formula (1) is an ARMA model of order (p, q), denoted ARMA(p, q). In the formula, $\varphi_i$ (i = 1, 2, 3, ..., p) are the autoregressive parameters, $\theta_i$ (i = 1, 2, 3, ..., q) are the moving average parameters, and u(t) is the residual; when formula (1) correctly reveals the structure and regularity of the time series, {u(t)} is white noise. Formula (1) is then an ARMA(p, q) model with an autoregressive part of order p and a moving average part of order q. Introducing the lag operator B, formula (1) can be abbreviated as:
$$\varphi(B) X(t) = \theta(B) u(t)$$
The stationarity condition of the ARMA(p, q) process is that the roots of the lag polynomial $\varphi(B)$ all lie outside the unit circle, and the invertibility condition is that the roots of $\varphi(B)$ all lie outside the unit circle;
The predicted value of the monitored network risk time series {R(t)} is the sum of the predicted value of the nonlinear fitted series {Y(t)} and the predicted value of the residual series {X(t)}:
The network risk evaluation and forensics method based on a cloud computing environment provided by the invention first carries out intrusion risk evaluation of the grid under the cloud computing environment, then establishes a layered, quantitative risk evaluation system for the cloud computing environment, and finally collects evidence in real time and carries out policy control. The network is monitored by detectors scattered throughout the network environment; the overall comprehensive risk value of the current network and the risk value of any host in the network under a certain attack or multiple attacks are evaluated quantitatively in real time, evidence is collected in real time, and the defence policy of the whole system is then changed proactively according to the risk degree index. This scheme evaluates and predicts the network security situation under the cloud computing environment, carries out effective network risk evaluation and forensics for the attacks suffered by the monitored network, and thereby achieves the goal of network security.
Description of drawings
Fig. 1 is a flow chart of the network risk determination and forensics method based on a cloud computing environment provided by an embodiment of the invention;
Fig. 2 is a flow chart of the network risk evaluation method provided by an embodiment of the invention;
Fig. 3 is a flow chart of the method for establishing the layered, quantitative risk evaluation system for the cloud computing environment provided by an embodiment of the invention;
Fig. 4 is a flow chart of the real-time forensics and policy control method provided by an embodiment of the invention.
Embodiment
In order to make the objects, technical solutions and advantages of the invention clearer, the invention is further elaborated below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the invention and not to limit it.
Fig. 1 shows the network risk determination and forensics method based on a cloud computing environment provided by an embodiment of the invention; the method comprises:
In step S101, first carrying out intrusion risk evaluation of the grid under the cloud computing environment.
In step S102, establishing a layered, quantitative risk evaluation system for the cloud computing environment.
In step S103, collecting evidence in real time and carrying out policy control.
Fig. 2 shows the network risk evaluation method provided by an embodiment of the invention; the method comprises:
In step S1011, first distributing detectors to each node of the network (that is, onto the security servers), monitoring the network and beginning to collect network data.
In step S1012, the data center server collects risk information from the control points directly under its jurisdiction. In the risk statistics module all data center servers (comprising the top-level data center server and the secondary data center servers) are treated as the same role. A data center server collects risk information from its directly subordinate control points: if a directly subordinate control point is a subordinate data center server, its overall risk is collected; if it is a security server, its own risk is collected. Each security server monitors in real time and obtains its own risk records. The secondary data center server contacts the top-level data center server to obtain the relevant important risk information (such as host weights and attack type weights), and collects all risk information of the monitored security servers directly under its jurisdiction to the local node.
In step S1013, the secondary data center server statistically analyses the collected information and, integrating the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under its jurisdiction.
In step S1014, the top-level data center server statistically analyses the overall risk evaluated by the secondary data center servers and the risk of the top-level security servers, integrates the relevant important risk information, and calculates the risk value of the whole system.
The top-level data center server collects security server information and overall risk information from the secondary data center servers respectively; collects risk information from the top-level security servers; and obtains the relevant important risk information (such as host weights and attack type weights) locally.
Fig. 3 shows the method for establishing the layered, quantitative risk evaluation system for the cloud computing environment provided by an embodiment of the invention; the method comprises:
In step S1021, calculating the risk degree $r_{i,j}(t)$ of a single attack faced by an individual host at time t. The risk degree value of the i-th anomaly against the host on the j-th LCSA at time t is:
where u represents the degree of danger of that kind of attack.
In step S1022, calculating the comprehensive risk degree $r_j(t)$ of multiple attacks faced by an individual host at time t. The parameter $u_i$ ($0 \le u_i \le 1$) represents the danger of the i-th attack type ($1 \le i \le m$), so the risk degree value $r_j(t)$ on the j-th host is:
The larger the value of $r_j(t)$, the more dangerous the system.
In step S1023, establishing the attack-harmfulness index system.
Attacks are divided according to their behavioural characteristics into four major classes and several groups; the purpose of the classification is to better determine the extent of harm of each type of attack. The harmfulness vector $D_i$ ($1 \le i \le m$) of the i-th kind of attack is then established. The harmfulness vectors of these m kinds of attack are arranged together to form the harmfulness matrix D:
In step S1024, calculating attack harmfulness.
According to the different services each host provides, the users it serves, its particular system software and application software, and similar attributes, the relative importance values of six types of indexes of the j-th host ($1 \le j \le N$), namely network bandwidth, services, system software, application software, data and information, are established and jointly denoted as the value $E_j$ of the j-th host ($1 \le j \le N$); it is a comprehensive score based on expert scoring and survey. Thus the degree of danger u of the i-th attack against the j-th host ($1 \le j \le N$) is $u_i = D_i \cdot E_j$, where $D_i$ is the i-th component (row vector) of matrix D. After computing $u_i$, $r_j(t)$ can be obtained.
In step S1025, calculating the network risk degree value.
The risk degree value of the whole network should comprehensively reflect the risk degree of every host. But the hosts are not of equal standing: they run different systems, provide different services to different users, and have different economic, social and even political value, so they have different importance. Considering that each LCSA may in turn have child LCSAs beneath it, forming a tree, the risk degree values are first calculated from the bottom of the tree and then recursively upward. The importance value of the j-th host is denoted $Importance_j$; thus the risk degree value of an LCSA is the weighted sum Q(t) of the risk degree values $r_j(t)$ of all hosts on that LCSA:
Here the risk degree value of the j-th host ($Host_j$) is $r_j(t)$ and $Importance_j$ is the importance value of the j-th host; Q(t) is then normalised to obtain the risk degree value of this LCSA.
In step S1026, in order to obtain the importance value (the Importance value) of each host comprehensively, these indexes are quantified and a host importance evaluation index system is established at multiple levels.
A multi-level grey relational model is adopted. Suppose n kinds of indexes influencing Importance are identified in the network, and each kind of Importance has m attributes (in other words, is measured with m indexes). The evaluation index system is determined according to the evaluation purpose, and the index data sequences are made dimensionless to form the following matrix:
Here our dimensionless transformation is the equalisation (mean-value) method:
with i = 0, 1, ..., n and k = 1, 2, ..., m. The absolute difference $|x_0(k) - x_i(k)|$ between each element of the index sequence of each evaluated object (comparative sequence) and the corresponding element of the reference sequence is calculated one by one, and from these differences the quantities needed for the relational coefficient are determined.
The relational coefficient of each comparative sequence with the corresponding element of the reference sequence is then calculated:
In the formula ρ is the resolution coefficient, taking a value in (0, 1); the smaller ρ is, the greater the difference between relational coefficients and the stronger the discriminating ability. Here we take ρ = 0.5.
For each evaluated object (comparative sequence), the mean of the relational coefficients of its m indexes with the corresponding elements of the reference sequence is calculated, to reflect the relational degree between the evaluated object and the reference sequence. Because each index plays a different role in the overall evaluation in this system, a weighted mean of the relational coefficients is taken instead (where $W_k$ is the weight of each index):
Finally, the evaluation result is drawn according to the relational order of each observed object.
In step S1027, calculating the general evaluation objective.
General evaluation objective = Σ (each index score × its corresponding weight). The general evaluation objective is taken as the importance value of each evaluated host, i.e. the size of the Importance value is calculated. Thus the Importance value obtained is:
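As an added example of steps S1026 and S1027 (this is illustrative code, not the patent's own), the following Python carries the grey relational model through on constructed host scores: mean-value normalisation of each index sequence, the absolute differences to the reference sequence, the relational coefficient with ρ = 0.5, and the weighted mean that serves as the Importance value and relational order. The patent does not show the reference sequence or the coefficient formula; this example assumes the reference is the per-index maximum across hosts and uses the standard Deng grey relational coefficient (Δmin + ρΔmax) / (Δ_i(k) + ρΔmax).

```python
"""Host importance via grey relational analysis (steps S1026-S1027).

Constructed data; the reference-sequence choice and the coefficient form
are assumptions of this example, stated in the comments.
"""
from typing import Dict, List, Sequence

RHO = 0.5  # resolution coefficient, the value the patent text takes


def mean_normalise(seq: Sequence[float]) -> List[float]:
    """Dimensionless form of one index sequence by the equalisation
    (mean-value) method: divide every element by the sequence mean."""
    mean = sum(seq) / len(seq)
    if mean == 0:
        raise ValueError("cannot normalise an all-zero sequence")
    return [x / mean for x in seq]


def relational_coefficients(x0: Sequence[float], xi: Sequence[float],
                            d_min: float, d_max: float,
                            rho: float = RHO) -> List[float]:
    """xi_i(k) for one comparative sequence against the reference x0.

    ASSUMPTION: the standard Deng coefficient
    (d_min + rho*d_max) / (|x0(k) - xi(k)| + rho*d_max).
    A smaller rho spreads the coefficients apart (stronger discrimination).
    """
    if d_max == 0:                      # every sequence coincides with x0
        return [1.0] * len(xi)
    return [(d_min + rho * d_max) / (abs(a - b) + rho * d_max)
            for a, b in zip(x0, xi)]


def importance_values(hosts: Dict[str, Sequence[float]],
                      weights: Sequence[float],
                      rho: float = RHO) -> Dict[str, float]:
    """Importance value per host = sum_k w_k * xi_i(k) (step S1027).

    hosts maps host name -> raw scores on the m indexes; weights are w_k.
    ASSUMPTION: reference sequence x0 = per-index maximum across hosts.
    """
    m = len(weights)
    if any(len(v) != m for v in hosts.values()):
        raise ValueError("every host needs one score per index")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("index weights must sum to 1")
    names = list(hosts)
    raw_ref = [max(hosts[n][k] for n in names) for k in range(m)]
    x0 = mean_normalise(raw_ref)
    xs = {n: mean_normalise(hosts[n]) for n in names}
    # global minimum / maximum of |x0(k) - xi(k)| over all hosts and indexes
    deltas = [abs(a - b) for n in names for a, b in zip(x0, xs[n])]
    d_min, d_max = min(deltas), max(deltas)
    result = {}
    for n in names:
        coeffs = relational_coefficients(x0, xs[n], d_min, d_max, rho)
        result[n] = sum(w * c for w, c in zip(weights, coeffs))
    return result


def rank_hosts(importance: Dict[str, float]) -> List[str]:
    """Relational order: most important host (highest grade) first."""
    return sorted(importance, key=importance.get, reverse=True)


# constructed: two hosts scored on m = 2 indexes, equal index weights
SAMPLE_HOSTS = {"web": [1.0, 3.0], "db": [2.0, 2.0]}
SAMPLE_WEIGHTS = [0.5, 0.5]

if __name__ == "__main__":
    imp = importance_values(SAMPLE_HOSTS, SAMPLE_WEIGHTS)
    print(imp, rank_hosts(imp))
```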
In step S1028, evaluating the risk degree of the whole network.
The SREC (System Risk Evaluation Center) collects local security information (for example the AC and risk values of the hosts) from each LCSA. Denote the importance of the m-th LCSA, $LCSA_m$, as $LCSA\_Weight_m$, and let the network have N LCSAs in total;
after normalisation, the risk degree value R(t) of the whole network is:
R(t) is the final network risk degree value calculated by the SREC of the risk CELA; the higher its score, the higher the level of network risk and the more the system is in a risky state; conversely, the lower the score, the safer the network.
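As an added illustration of steps S1021 to S1028 (not code from the patent), the following Python computes $u_i = D_i \cdot E_j$ from a constructed harmfulness matrix and host attribute vector, then aggregates host risk into the LCSA risk Q(t) and the network risk R(t) over a constructed LCSA tree. The patent does not reproduce the formula combining the $r_{i,j}(t)$ into $r_j(t)$ or the normalisation of Q(t) and R(t); this example assumes a u-weighted sum for the former and division by the total weight for the latter.

```python
"""Hierarchical risk aggregation in the style of steps S1021-S1028.

Constructed example data only; the combining rules marked ASSUMPTION are
this example's choices where the patent gives a description but no formula.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# The six host attribute indexes named in step S1024 (fixed order for D and E).
ATTRIBUTES = ("bandwidth", "service", "system_software",
              "application_software", "data", "information")


def attack_danger(d_i: Sequence[float], e_j: Sequence[float]) -> float:
    """u_i = D_i . E_j (step S1024).

    With each row D_i summing to 1 and every E_j component in [0, 1],
    the result stays in [0, 1] as step S1022 requires of u_i.
    """
    if len(d_i) != len(ATTRIBUTES) or len(e_j) != len(ATTRIBUTES):
        raise ValueError("D_i and E_j must have one entry per attribute")
    return sum(d * e for d, e in zip(d_i, e_j))


def host_risk(u: Sequence[float], r_ij: Sequence[float]) -> float:
    """r_j(t) for a host facing m attack types (step S1022).

    ASSUMPTION: each single-attack risk r_{i,j}(t) is weighted by its
    danger u_i and the products are summed.
    """
    return sum(u_i * r for u_i, r in zip(u, r_ij))


@dataclass
class Host:
    name: str
    importance: float        # Importance_j from step S1027
    risk: float              # r_j(t)


@dataclass
class LCSA:
    name: str
    weight: float = 1.0      # LCSA_Weight_m used by the SREC (step S1028)
    hosts: List[Host] = field(default_factory=list)
    children: List["LCSA"] = field(default_factory=list)


def lcsa_risk(node: LCSA) -> float:
    """Q(t) for one LCSA, computed bottom-up over the tree (step S1025).

    Hosts enter with weight Importance_j, child LCSAs with LCSA_Weight.
    ASSUMPTION: normalisation is division by the total weight.
    """
    weighted = sum(h.importance * h.risk for h in node.hosts)
    total = sum(h.importance for h in node.hosts)
    for child in node.children:
        weighted += child.weight * lcsa_risk(child)
        total += child.weight
    return weighted / total if total else 0.0


def network_risk(lcsas: Sequence[LCSA]) -> float:
    """R(t) as the SREC computes it from the N top-level LCSAs."""
    total = sum(l.weight for l in lcsas)
    if not total:
        return 0.0
    return sum(l.weight * lcsa_risk(l) for l in lcsas) / total


# --- constructed sample data -------------------------------------------
D = [  # m = 2 attack types, one harmfulness row each, rows sum to 1
    [0.1, 0.2, 0.1, 0.1, 0.3, 0.2],
    [0.3, 0.1, 0.1, 0.1, 0.2, 0.2],
]
E_WEB = [0.5, 0.8, 0.6, 0.4, 0.9, 0.7]   # constructed expert scores, one host


def demo() -> Dict[str, float]:
    u = [attack_danger(d_i, E_WEB) for d_i in D]        # [0.72, 0.65]
    r_web = host_risk(u, [0.5, 0.2])                    # 0.49
    tree = [
        LCSA("lcsa-1", weight=1.0, hosts=[Host("web", 1.0, 0.2),
                                          Host("db", 3.0, 0.6)]),
        LCSA("lcsa-2", weight=1.0, hosts=[Host("app", 2.0, 0.1)],
             children=[LCSA("lcsa-2a", weight=2.0,
                            hosts=[Host("edge", 1.0, 0.1)])]),
    ]
    return {"u_1": u[0], "u_2": u[1], "r_web": r_web,
            "Q_lcsa1": lcsa_risk(tree[0]), "R": network_risk(tree)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key} = {value:.4f}")
```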
Fig. 4 shows the real-time forensics and policy control method provided by an embodiment of the invention; the method comprises:
In step S1031, the WEB server listens for forensics or policy requests.
If the client fails to obtain a request, it tries again in every cycle until timeout.
In step S1032, the WEB server obtains the forensics or policy request submitted by the user and stores the request permitted for execution in the database.
If storage in the WEB server database fails, step S1037 is executed: the client fails to obtain the request and tries again in every cycle until timeout; if storage succeeds, step S1033 is executed.
In step S1033, the SOCKET client initiates a TCP connection request to the destination server.
If the connection fails, step S1037 is executed and the program ends; if the connection succeeds, step S1034 is executed.
In step S1034, the client reports the detected forensics or policy request to the server, and the server runs the requested instruction locally. If this fails, step S1037 is executed, the server ends and the session is disconnected; if it succeeds, the execution result is fed back to the client and step S1035 is executed.
In step S1035, the client receives the result from the server.
If this fails, step S1037 is executed and the program exits; if it succeeds, the result is stored in the database and step S1036 is executed.
In step S1036, the WEB server monitors the execution result of the forensics or policy request and displays it to the user through the browser interface.
First, intrusion risk evaluation of the grid under the cloud computing environment is carried out. Detectors are distributed to each node of the network (that is, onto the security servers), the network is monitored and network data collection begins; the data center server collects risk information from the control points directly under its jurisdiction; the secondary data center server statistically analyses the collected information and, integrating the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under its jurisdiction; the top-level data center server statistically analyses the overall risk evaluated by the secondary data center servers and the risk of the top-level security servers, integrates the relevant important risk information, and calculates the risk value of the whole system.
Secondly, a layered, quantitative risk evaluation system for the cloud computing environment is established.
The risk degree $r_{i,j}(t)$ of a single attack faced by an individual host at time t is calculated:
where u represents the degree of danger of that kind of attack; the comprehensive risk degree $r_j(t)$ of multiple attacks faced by an individual host at time t is calculated:
The attack-harmfulness index system is established and attack harmfulness is calculated. Each LCSA may have child LCSAs beneath it, forming a tree, so the risk degree values are first calculated from the bottom of the tree and the risk degree value of the whole network is then calculated recursively upward. In order to obtain the importance value (the Importance value) of each host comprehensively, these indexes are quantified and a host importance evaluation index system is established at multiple levels. The general evaluation objective is calculated as Σ (each index score × its corresponding weight) and taken as the importance value of each evaluated host, i.e. the size of the Importance value is calculated:
The risk degree of the whole network is evaluated: the SREC (System Risk Evaluation Center) collects local security information (for example the AC and risk values of the hosts) from each LCSA. Denote the importance of the m-th LCSA, $LCSA_m$, as $LCSA\_Weight_m$, and let the network have N LCSAs in total;
after normalisation, the risk degree value R(t) of the whole network is:
R(t) is the final network risk degree value calculated by the SREC of the risk CELA; the higher its score, the higher the level of network risk and the more the system is in a risky state; conversely, the lower the score, the safer the network.
Finally, evidence is collected in real time and policy control is carried out.
If the WEB server, while listening, fails to obtain a forensics or policy request, it tries again in every cycle until timeout; if the WEB server obtains the forensics or policy request submitted by the user, the request permitted for execution is stored in the database. The SOCKET client then initiates a TCP connection request to the destination server; if the connection fails, the program ends; if it succeeds, the client reports the detected forensics or policy request to the server, and the server runs the request locally. If the server fails to run the request, the server ends and the session is disconnected; if it succeeds, the execution result is fed back to the client and the client receives the result from the server. If the client fails to receive the result, the program exits; if it succeeds, the result is stored in the database, and the WEB server monitors the execution result of the forensics or policy request and displays it to the user through the browser interface.
Quantitative network risk prediction model under the cloud computing environment
According to the relevant theory of time series analysis, the invention proposes a new algorithm for network risk prediction, which decomposes a non-stationary time series into two parts: a deterministic term (representing a trend or periodic regularity) and a random term. The deterministic term can be represented by a deterministic function of time (because intrusion behaviour is closely related to the cycle of human activity); the random term represents the stationary random component and is fitted with an ARMA model. The predictions of the two parts are superimposed, improving prediction accuracy.
Medium- and long-term network intrusion behaviour is subject to the combined influence of complex factors such as social development, personal behavioural habits, and equipment and technology renewal, so the network risk situation shows obvious trend and randomness (i.e. it is non-stationary). Since network intrusion behaviour mostly fluctuates in a certain cycle, for example the monthly average intrusion behaviour fluctuates in a 12-month cycle and the daily average intrusion behaviour fluctuates in a 24-hour cycle, it has seasonality. This project studies a network risk prediction method based on non-stationary time series. Taking the time series X(t) to be a linear function of its earlier values and of the current and earlier random error terms, it can be expressed as:
$$X(t)=\varphi_1 X(t-1)+\varphi_2 X(t-2)+\cdots+\varphi_p X(t-p)+u(t)-\theta_1 u(t-1)-\theta_2 u(t-2)-\cdots-\theta_q u(t-q) \qquad (1)$$
Then the time series X(t) is an autoregressive moving average sequence, and formula (1) is the ARMA model of order (p, q), written ARMA(p, q). In the formula, $\varphi_i$ (i = 1, 2, ..., p) are the autoregressive parameters, $\theta_i$ (i = 1, 2, ..., q) are the moving average parameters, and u(t) is the residual; when formula (1) correctly captures the structure and regularity of the series, {u(t)} is white noise. Formula (1) is thus an ARMA(p, q) model with an autoregressive part of order p and a moving average part of order q. Introducing the lag operator B, formula (1) can be abbreviated as:
$$\varphi(B)X(t)=\theta(B)u(t)$$
where $\varphi(B)=1-\varphi_1 B-\cdots-\varphi_p B^p$ and $\theta(B)=1-\theta_1 B-\cdots-\theta_q B^q$ follow directly from the terms of formula (1).
The stationarity condition of an ARMA(p, q) process is that all roots of the lag polynomial $\varphi(B)$ lie outside the unit circle, and the invertibility condition is that all roots of $\theta(B)$ lie outside the unit circle.
The predicted value of the monitored network risk time series {R(t)} is the sum of the predicted value of the non-linearly fitted (deterministic) series {Y(t)} and the predicted value of the residual series {X(t)} obtained from the ARMA model.
The network risk assessment and evidence obtaining method based on a cloud computing environment of this scheme first performs network intrusion risk assessment under the cloud computing environment, then establishes a layered quantitative risk evaluation system for the cloud computing environment, and finally performs real-time evidence obtaining, policy control and risk prediction. The network is monitored by detectors dispersed through the network environment; the overall composite risk value of the current network and the risk value of any host in the network under a given attack or under multiple attacks are quantitatively evaluated in real time, and evidence is obtained in real time to yield a real-time risk value. Defence policies can be proactively adjusted in advance according to the platform's predicted risk value so that risk is kept within an acceptable range: where necessary, dangerous ports are shut down in an emergency, precautionary measures are increased, network connections are limited, network traffic is adjusted, high-risk services are limited or stopped, and under abnormal conditions host servers or network interconnection devices are shut down in an emergency; in this way the defence policy of the whole system is actively changed according to the risk coefficient index. The scheme assesses and predicts the network security situation under the cloud computing environment, performs effective network risk assessment and evidence obtaining for the attacks suffered by the monitored network, and thereby achieves the goal of network security.
The above is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
Claims (5)
1. A network risk determination and evidence obtaining method based on a cloud computing environment, characterised in that the method comprises:
first, performing network intrusion risk determination under the cloud computing environment;
establishing a layered quantitative risk evaluation system under the cloud computing environment;
obtaining evidence in real time and performing policy control.
2. The network risk determination method based on a cloud computing environment according to claim 1, characterised in that:
in the risk statistics module all data center servers are treated as the same role. A data center server collects risk information from the control points under its jurisdiction: if a subordinate control point is a lower-level data center server, it collects that server's overall risk, and if it is a security server, it collects that server's own risk. A security server obtains its own risk record by real-time monitoring. A secondary data center server contacts the top-level data center server to obtain the important risk-related information, and gathers locally the risk information of all security servers directly under it. The detailed process is as follows:
first, detectors are distributed to each node of the network, i.e. onto the security servers, which monitor the network and begin collecting network data;
a data center server collects risk information from the control points under its jurisdiction;
the secondary data center server statistically analyses the collected information and, combining it with the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under it;
the top-level data center server statistically analyses the overall risk evaluated by the secondary data center servers and the risk of the top-level security servers, integrates the important risk-related information, and calculates the risk value of the whole system;
the top-level data center server collects security server information and overall risk information from the secondary data center servers respectively, collects risk information from the top-level security servers, and obtains the important risk-related information locally.
3. The network risk determination and evidence obtaining method based on a cloud computing environment according to claim 2, characterised in that the layered quantitative risk evaluation method under the cloud computing environment comprises:
calculating the risk coefficient $r_{i,j}(t)$ of a single attack faced by an individual host at time t: the risk coefficient value of the i-th anomaly on the j-th LCSA at time t is computed as a function of u, where u denotes the danger degree of that class of attack;
calculating the composite risk degree $r_j(t)$ of multiple attacks faced by an individual host at time t: the parameter $u_i$ ($0 \le u_i \le 1$) denotes the danger of the i-th ($1 \le i \le m$) type of attack, and the risk coefficient value $r_j(t)$ on the j-th host is computed from these; the larger $r_j(t)$, the more dangerous the system;
establishing an attack harmfulness index system: attacks are divided by their behavioural characteristics into four major classes and several groups, the purpose of the classification being to better determine the extent of harm of each class of attack; the harmfulness vector $D_i$ ($1 \le i \le m$) of the i-th attack type is then established, and the harmfulness vectors of the m attack types are arranged together to form the harmfulness matrix D;
calculating attack harmfulness: according to the different services each host provides, its user object, its particular system software, application software and other attributes, the relative importance values of six types of index for the j-th host ($1 \le j \le N$), namely network bandwidth, service, system software, application software, data and information, are comprehensively established as the value $E_j$, which is a composite score from expert marking and surveys; the danger degree u of the i-th attack on the j-th host ($1 \le j \le N$) is then $u_i = D_i E_j$, where $D_i$ is the i-th component (row) of the matrix D; once $u_i$ is computed, $r_j(t)$ can be obtained;
calculating the network risk coefficient value: the risk coefficient value is first computed from the bottom of the tree and then recursively upward. The importance value of the j-th host is denoted $\mathrm{Importance}_j$, and the risk coefficient value of an LCSA is the weighted sum Q(t) of the risk coefficient values $r_j(t)$ of all hosts on that LCSA, where $r_j(t)$ is the risk coefficient value of the j-th host ($\mathrm{Host}_j$) and $\mathrm{Importance}_j$ is its importance value; Q(t) is then normalised to obtain the risk coefficient value of that LCSA;
quantifying these indexes and establishing a host importance evaluation index system at several levels;
adopting a multi-level grey relational model: suppose n kinds of index influencing Importance are identified in the network, each with m attributes in total; the evaluation index system is determined according to the evaluation purpose, and the index data sequences are nondimensionalised to form a matrix with elements $x_i(k)$, where i = 0, 1, ..., n and k = 1, 2, ..., m. The absolute differences $|x_0(k)-x_i(k)|$ between each evaluated object's index sequence and the corresponding elements of the reference sequence are computed one by one, the two extreme values of these differences needed by the relational coefficient are determined, and the relational coefficient of each comparative sequence with the corresponding element of the reference sequence is computed; in that formula $\rho$ is the resolution coefficient, taking a value in (0, 1): the smaller $\rho$, the larger the differences between relational coefficients and the stronger the discriminating power; here $\rho$ = 0.5;
for each evaluated object, the average of the relational coefficients of its m indexes with the corresponding elements of the reference sequence is computed to reflect the relational degree between that object and the reference sequence; because the indexes play different roles in the overall evaluation, a weighted average of the relational coefficients is used, with $W_k$ the weight of each index; finally the evaluation result is obtained from the relational ordering of the observed objects;
calculating the general evaluation objective: general evaluation objective = Σ(score of each index × corresponding weight); the general objective is the importance value of each evaluated host, i.e. it yields the size of the Importance value;
evaluating the overall network risk degree: the SREC (System Risk Evaluation Center) collects local security information (for example the AC and the risk value on each host) from each LCSA; the importance of the m-th LCSA, $\mathrm{LCSA}_m$, is denoted $\mathrm{LCSA\_Weight}_m$, the network has N LCSAs in total, and after normalisation the overall network risk degree value R(t) is obtained;
R(t) is the final network risk degree value computed by the SREC of the risk evaluation centre: the higher its score, the higher the network risk level and the more the system is in a risk state; conversely, the lower the score, the safer the network.
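As an added example (not the patent's own code), the following Python carries claim 3's layered computation through on constructed data: host importance $\mathrm{Importance}_j$ by grey relational analysis with $\rho$ = 0.5 (the claim names the method but its coefficient formula is not reproduced on this page, so Deng's standard form is assumed), the attack danger $u_i = D_i E_j$ from the harmfulness matrix D and the host index vector $E_j$, the host risk $r_j(t)$ (the claim's formula is absent here; the combination used is an assumption stated in the code), the importance-weighted LCSA risk Q(t), and the LCSA_Weight-weighted network risk R(t). All sample scores, weights, vectors and attack counts are constructed, and the function names are the example's own.

```python
RHO = 0.5          # resolution coefficient rho, the value chosen in the text


def nondimensionalize(index_matrix):
    """Scale every index column by its column maximum so that indexes with
    different units become comparable (one common way to form the claim's
    dimensionless matrix; assumed here)."""
    col_max = [max(col) or 1.0 for col in zip(*index_matrix)]
    return [[v / m for v, m in zip(row, col_max)] for row in index_matrix]


def grey_relational_coefficients(reference, comparatives, rho=RHO):
    """Relational coefficient of every comparative sequence x_i against the
    reference x_0, element by element (Deng's form, assumed):
        xi_i(k) = (min|d| + rho*max|d|) / (|x_0(k) - x_i(k)| + rho*max|d|)
    with min and max of the absolute differences taken over all i and k.
    A smaller rho spreads the coefficients further apart."""
    diffs = [[abs(x0 - xi) for x0, xi in zip(reference, seq)] for seq in comparatives]
    d_min = min(d for row in diffs for d in row)
    d_max = max(d for row in diffs for d in row)
    if d_max == 0.0:                       # every sequence equals the reference
        return [[1.0] * len(reference) for _ in comparatives]
    return [[(d_min + rho * d_max) / (d + rho * d_max) for d in row] for row in diffs]


def host_importance(index_matrix, weights, rho=RHO):
    """Importance_j of each host: the W_k-weighted average of its relational
    coefficients against the ideal reference (every index at its maximum)."""
    data = nondimensionalize(index_matrix)
    reference = [1.0] * len(weights)
    coeffs = grey_relational_coefficients(reference, data, rho)
    return [sum(w * c for w, c in zip(weights, row)) for row in coeffs]


def attack_danger(D_i, E_j):
    """u_i = D_i . E_j: danger of attack type i on host j, from the harmfulness
    vector D_i and the host's index-importance vector E_j, both over the six
    index types (bandwidth, service, system software, application software,
    data, information). With D_i in [0,1]^6 and E_j summing to 1, u_i is in [0,1]."""
    return sum(d * e for d, e in zip(D_i, E_j))


def host_risk(dangers, counts):
    """r_j(t): composite risk of host j under several attack types at time t.
    Assumed combination (the patent gives none): each observed attack of type i
    (count n_i) leaves the host unharmed with probability 1-u_i independently,
    so r_j(t) = 1 - prod_i (1-u_i)^n_i: 0 with no attacks, rising towards 1."""
    unharmed = 1.0
    for u, n in zip(dangers, counts):
        unharmed *= (1.0 - u) ** n
    return 1.0 - unharmed


def lcsa_risk(host_risks, importances):
    """Q(t) of one LCSA: importance-weighted sum of its hosts' r_j(t),
    normalised by the total importance so the result stays in [0,1]."""
    total = sum(importances)
    return sum(r * w for r, w in zip(host_risks, importances)) / total


def network_risk(lcsa_risks, lcsa_weights):
    """R(t) as computed by the SREC: LCSA_Weight-weighted, normalised sum of Q(t)."""
    total = sum(lcsa_weights)
    return sum(q * w for q, w in zip(lcsa_risks, lcsa_weights)) / total


if __name__ == "__main__":
    # Constructed sample (not from the patent): two hosts on one LCSA with raw
    # scores for the six index types, expert weights W_k, two attack types with
    # harmfulness vectors D, per-host index vectors E_j and attack counts at t.
    raw_index = [[100.0, 8.0, 5.0, 6.0, 9.0, 7.0],      # host 1: database server
                 [20.0, 3.0, 4.0, 2.0, 2.0, 3.0]]       # host 2: workstation
    weights = [0.10, 0.20, 0.15, 0.15, 0.25, 0.15]
    importance = host_importance(raw_index, weights)
    D = [[0.9, 0.2, 0.1, 0.1, 0.1, 0.1],                # type 1: bandwidth flood
         [0.1, 0.3, 0.4, 0.4, 0.9, 0.8]]                # type 2: data theft
    E = [[0.05, 0.15, 0.15, 0.15, 0.30, 0.20],
         [0.30, 0.20, 0.20, 0.20, 0.05, 0.05]]
    counts = [[3, 0], [0, 2]]                           # attacks seen per host
    r = [host_risk([attack_danger(D_i, E_j) for D_i in D], c)
         for E_j, c in zip(E, counts)]
    q = lcsa_risk(r, importance)
    print("Importance:", [round(v, 3) for v in importance])
    print("r_j(t):", [round(v, 3) for v in r], " Q(t):", round(q, 3))
    print("R(t):", round(network_risk([q, 0.1], [0.7, 0.3]), 3))
```

The same host_risk call is what a security server would run per host on each detection cycle; the two aggregation functions are the recursive bottom-up step of the tree, first per LCSA, then at the SREC.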
4. The network risk evidence obtaining method based on a cloud computing environment according to claim 1, characterised in that the method further comprises:
in step S1031, the WEB server monitors evidence-obtaining or policy requests; if the client fails to obtain an application, it retries in every cycle until a timeout is reached;
in step S1032, the WEB server receives the evidence-obtaining or policy application submitted by the user and stores the applications permitted to execute in the database; if storage in the WEB server's database fails, step S1037 is executed: the client fails to obtain the application and retries in every cycle until timeout; if the application is obtained successfully, step S1033 is executed;
in step S1033, the SOCKET client initiates a TCP connection request to the destination server end; if the connection fails, step S1037 is executed and the program ends; if the connection succeeds, step S1034 is executed;
in step S1034, the client reports the detected evidence-obtaining or policy application to the server end, and the server end runs the instructions of the application on itself; on failure, step S1037 is executed, the server terminates and the session is disconnected; on success, the execution result is fed back to the client and step S1035 is executed;
in step S1035, the client receives the result from the server end; on failure, step S1037 is executed and the program exits; on success, the result is stored in the database and step S1036 is executed;
in step S1036, the WEB server end monitors the execution result of the evidence-obtaining or policy application and displays it to the user through the browser interface.
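As an added illustration (not the patent's own code), the following Python models steps S1031 to S1037 as described in the real-time evidence-obtaining paragraph of the description and in claim 4: the client polls the WEB server's database for a permitted application every cycle until a timeout, then the SOCKET client opens a TCP connection, reports the application, and the server end executes it and feeds back a result that the client stores. The wire format (one JSON object per line), the loopback port chosen at run time, the database (a dict) and the action handlers (simulations, not real enforcement) are all assumptions of this example. One check a practitioner would insist on is kept in: the server end only executes actions from an allow-list, because a channel that runs whatever instructions arrive is otherwise remote command execution; client authentication and transport encryption, which the patent does not discuss, would also be needed in deployment.

```python
import json
import socket
import threading
import time

# Server end: the only actions it will run on itself. Anything else is refused,
# so the permitted applications recorded by the WEB server are the only ones
# that can reach execution. The handlers are simulations for this example.
ALLOWED_ACTIONS = {
    "collect_evidence": lambda args: "captured " + str(args.get("what", "logs")),
    "block_port":       lambda args: "port %d closed" % int(args["port"]),
    "limit_traffic":    lambda args: "traffic limited to %d kbps" % int(args["kbps"]),
}


def handle_request(line):
    """S1034 on the server end: validate one JSON application, run it and
    return the feedback object that goes back to the client."""
    try:
        req = json.loads(line)
        handler = ALLOWED_ACTIONS[req["action"]]
        return {"id": req["id"], "status": "ok",
                "result": handler(req.get("args", {}))}
    except (KeyError, ValueError, TypeError, AttributeError) as exc:
        return {"id": None, "status": "error", "result": "refused: %r" % (exc,)}


def _serve_one(conn):
    with conn, conn.makefile("r") as reader:
        line = reader.readline()
        if line:
            conn.sendall((json.dumps(handle_request(line)) + "\n").encode())


def free_port(host="127.0.0.1"):
    """A loopback port that nothing listens on (used to exercise the S1037 path)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def start_server(host="127.0.0.1"):
    """Destination server end on a free loopback port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # listening socket shut down: stop
                return
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_server(srv):
    """shutdown() wakes the blocked accept(); close() releases the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def fetch_with_retry(fetch, period, timeout, clock=time.monotonic, sleep=time.sleep):
    """S1031/S1032 on the client: call fetch() once per cycle until it yields
    an application or the timeout elapses (clock/sleep are injectable)."""
    deadline = clock() + timeout
    while True:
        app = fetch()
        if app is not None:
            return app
        if clock() >= deadline:
            return None
        sleep(period)


def submit_application(app, host, port, results_db):
    """S1033-S1035 on the client: connect, report the application, receive the
    server's feedback and store it. Returns the server status ('ok'/'error')
    or the S1037 failure path that was taken."""
    try:
        with socket.create_connection((host, port), timeout=2.0) as s:
            s.sendall((json.dumps(app) + "\n").encode())
            reply = s.makefile("r").readline()
    except OSError:
        return "S1037: connection failed"
    if not reply:
        return "S1037: session broken off by server"
    result = json.loads(reply)
    results_db[app["id"]] = result
    return result["status"]


if __name__ == "__main__":
    # Constructed sample: the WEB server's database holds one permitted
    # application and one whose action is not on the allow-list.
    pending = [{"id": "a1", "action": "block_port", "args": {"port": 23}},
               {"id": "a2", "action": "format_disk"}]
    results = {}
    srv, port = start_server()
    while True:
        app = fetch_with_retry(lambda: pending.pop(0) if pending else None, 0.1, 1.0)
        if app is None:                   # S1031 timed out with nothing pending
            break
        print(app["id"], submit_application(app, "127.0.0.1", port, results))
    stop_server(srv)
    print(results)                        # what the WEB server shows in S1036
```

Each failure branch of the claim maps to a distinct return value rather than an exception, so the WEB server can record which of the S1037 paths was taken alongside the successful results.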
5. The network risk evidence obtaining method based on a cloud computing environment according to claim 1, characterised in that the method further comprises:
if the time series X(t) is a linear function of its own earlier values and of the earlier random error terms, it can be expressed as:
$$X(t)=\varphi_1 X(t-1)+\varphi_2 X(t-2)+\cdots+\varphi_p X(t-p)+u(t)-\theta_1 u(t-1)-\theta_2 u(t-2)-\cdots-\theta_q u(t-q) \qquad (1)$$
then the time series X(t) is an autoregressive moving average sequence, and formula (1) is the ARMA model of order (p, q), written ARMA(p, q); in the formula, $\varphi_i$ (i = 1, 2, ..., p) are the autoregressive parameters, $\theta_i$ (i = 1, 2, ..., q) are the moving average parameters, and u(t) is the residual; when formula (1) correctly captures the structure and regularity of the series, {u(t)} is white noise; formula (1) is thus an ARMA(p, q) model with an autoregressive part of order p and a moving average part of order q; introducing the lag operator B, formula (1) can be abbreviated as:
$$\varphi(B)X(t)=\theta(B)u(t)$$
where $\varphi(B)=1-\varphi_1 B-\cdots-\varphi_p B^p$ and $\theta(B)=1-\theta_1 B-\cdots-\theta_q B^q$; the stationarity condition of the ARMA(p, q) process is that all roots of the lag polynomial $\varphi(B)$ lie outside the unit circle, and the invertibility condition is that all roots of $\theta(B)$ lie outside the unit circle.
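As an added example that is not part of the patent, the following Python implements equation (1) as used in the risk prediction model of the description and restated in claim 5: the lag-polynomial root test for stationarity and invertibility, recovery of the residual sequence {u(t)} from {X(t)} (the recursion that invertibility keeps well behaved), a one-step-ahead ARMA forecast of the random part, and the superposition of that forecast with a 24-hour periodic deterministic part Y(t) to predict R(t). The root test is closed-form and therefore limited to p, q ≤ 2; the ARMA parameters are taken as known (estimating them from data is outside the example); the form of Y(t), the noise sequence, the hourly risk series and the function names are the example's own assumptions.

```python
import cmath
import math


def lag_poly_roots(params):
    """Roots in B of the lag polynomial 1 - c1*B - c2*B^2 built from the
    parameters (c1, c2). Closed form, so only orders 1 and 2 are handled."""
    params = list(params)
    while params and params[-1] == 0:          # drop trailing zero-valued orders
        params.pop()
    if not params:
        return []
    if len(params) == 1:
        return [complex(1.0 / params[0])]
    if len(params) == 2:
        c1, c2 = params                          # -c2*B^2 - c1*B + 1 = 0
        disc = cmath.sqrt(c1 * c1 + 4.0 * c2)
        return [(c1 + disc) / (-2.0 * c2), (c1 - disc) / (-2.0 * c2)]
    raise ValueError("closed-form root test supports orders p, q <= 2 only")


def is_stationary(phi):
    """ARMA stationarity: every root of phi(B) lies outside the unit circle."""
    return all(abs(r) > 1.0 for r in lag_poly_roots(phi))


def is_invertible(theta):
    """ARMA invertibility: every root of theta(B) lies outside the unit circle."""
    return all(abs(r) > 1.0 for r in lag_poly_roots(theta))


def _ar_part(phi, x, t):
    return sum(phi[i - 1] * x[t - i] for i in range(1, len(phi) + 1) if t - i >= 0)


def _ma_part(theta, u, t):
    return sum(theta[j - 1] * u[t - j] for j in range(1, len(theta) + 1) if t - j >= 0)


def simulate_arma(phi, theta, noise):
    """Generate X(t) from equation (1) for a given white-noise sequence u(t);
    values of X and u before the start of the series are taken as 0."""
    x = []
    for t, u_t in enumerate(noise):
        x.append(_ar_part(phi, x, t) + u_t - _ma_part(theta, noise, t))
    return x


def arma_residuals(x, phi, theta):
    """Recover u(t) from an observed X(t) by solving equation (1) for u(t):
    u(t) = X(t) - sum_i phi_i X(t-i) + sum_j theta_j u(t-j). Invertibility is
    what keeps this recursion stable: with a root of theta(B) inside the unit
    circle, errors in the early u(t) would grow instead of dying out."""
    u = []
    for t in range(len(x)):
        u.append(x[t] - _ar_part(phi, x, t) + _ma_part(theta, u, t))
    return u


def arma_forecast(x, phi, theta):
    """One-step-ahead forecast of the random part:
    X^(t+1) = sum_i phi_i X(t+1-i) - sum_j theta_j u(t+1-j), with u(t+1) = 0."""
    u = arma_residuals(x, phi, theta)
    n = len(x)
    return _ar_part(phi, x, n) - _ma_part(theta, u, n)


def deterministic_term(t, base=5.0, amplitude=3.0, period=24):
    """Y(t): the deterministic part, here a 24-hour cycle of attack activity
    (assumed form; the patent only says it is a deterministic function of time)."""
    return base + amplitude * math.cos(2.0 * math.pi * t / period)


def forecast_risk(r, phi, theta, base=5.0, amplitude=3.0, period=24):
    """R^(t+1) = Y^(t+1) + X^(t+1): the deterministic part is extended by its
    function, the residual part X(t) = R(t) - Y(t) is forecast with the ARMA model."""
    x = [r_t - deterministic_term(t, base, amplitude, period) for t, r_t in enumerate(r)]
    return deterministic_term(len(r), base, amplitude, period) + arma_forecast(x, phi, theta)


if __name__ == "__main__":
    # Constructed hourly risk series: 72 hours of the daily cycle plus ARMA(1,1) noise.
    phi, theta = (0.6,), (0.3,)
    noise = [((k * 7919) % 13 - 6) / 10.0 for k in range(72)]   # constructed "white noise"
    risk = [deterministic_term(t) + x_t
            for t, x_t in enumerate(simulate_arma(phi, theta, noise))]
    print("stationary:", is_stationary(phi), "invertible:", is_invertible(theta))
    print("forecast for hour 72: %.3f" % forecast_risk(risk, phi, theta))
```

In practice the parameters phi and theta would be estimated from the residual series (for example by a standard ARMA fitting routine) and the root tests run on the fitted values before the model is trusted for the forecast; a fitted theta that fails the invertibility test means the residual recursion above is not reliable.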
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2012103151216A CN102801739A (en) | 2012-08-25 | 2012-08-25 | Network risk determining and evidence obtaining method based on cloud computing environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2012103151216A CN102801739A (en) | 2012-08-25 | 2012-08-25 | Network risk determining and evidence obtaining method based on cloud computing environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102801739A true CN102801739A (en) | 2012-11-28 |
Family
ID=47200701
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2012103151216A Pending CN102801739A (en) | 2012-08-25 | 2012-08-25 | Network risk determining and evidence obtaining method based on cloud computing environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102801739A (en) |
2012-08-25 CN CN2012103151216A patent/CN102801739A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1567853A (en) * | 2004-03-29 | 2005-01-19 | 四川大学 | Network safety risk detection system and method |
US20060282893A1 (en) * | 2005-06-10 | 2006-12-14 | D-Link Corporation | Network information security zone joint defense system |
CN101005510A (en) * | 2007-01-19 | 2007-07-25 | 南京大学 | Network real time risk evaluating method for comprehensive loop hole |
US20120124666A1 (en) * | 2009-07-23 | 2012-05-17 | Ahnlab, Inc. | Method for detecting and preventing a ddos attack using cloud computing, and server |
CN102263410A (en) * | 2010-05-31 | 2011-11-30 | 河南省电力公司 | Security risk assessment model, assessment method and assessment parameter determining method |
Non-Patent Citations (1)
Title |
---|
Liu Nian et al., "Research on Key Technologies of Immune-Based Network Security Situation Awareness" (基于免疫的网络安全态势感知关键技术研究), Journal of Sichuan University (Engineering Science Edition) * |
Cited By (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103106277A (en) * | 2013-02-18 | 2013-05-15 | 浪潮(北京)电子信息产业有限公司 | Evidence obtaining method based on cloud computing |
CN103619012A (en) * | 2013-12-02 | 2014-03-05 | 中国联合网络通信集团有限公司 | Method and system for security assessment of mobile internet |
CN103619012B (en) * | 2013-12-02 | 2017-04-12 | 中国联合网络通信集团有限公司 | Method and system for security assessment of mobile internet |
CN103701810A (en) * | 2013-12-26 | 2014-04-02 | 蓝盾信息安全技术股份有限公司 | Automatic marking system of network attack and defense experiment |
CN104125217A (en) * | 2014-06-30 | 2014-10-29 | 复旦大学 | Cloud data center real-time risk assessment method based on mainframe log analysis |
CN107077398A (en) * | 2014-10-23 | 2017-08-18 | 高通股份有限公司 | System and method for carrying out dynamic bandwidth throttling based on the danger signal monitored by one or more elements using shared resource |
CN104680028B (en) * | 2015-03-13 | 2017-07-21 | 河南群智信息技术有限公司 | Medical system case information optimization storage method based on cloud platform |
CN104680028A (en) * | 2015-03-13 | 2015-06-03 | 河南群智信息技术有限公司 | Medical system case information optimal storage method on basis of cloud platform |
TWI682281B (en) * | 2015-09-15 | 2020-01-11 | 日商日本電氣股份有限公司 | Information processing device, information processing method and computer readable recording medium |
US10922417B2 (en) | 2015-09-15 | 2021-02-16 | Nec Corporation | Information processing apparatus, information processing method, and program |
CN106921649A (en) * | 2015-12-28 | 2017-07-04 | 施耐德电气美国股份有限公司 | Network security exposure assessment and response system and method in embedded Control equipment |
CN106921649B (en) * | 2015-12-28 | 2021-05-04 | 施耐德电气美国股份有限公司 | Network security exposure evaluation and response system and method in embedded control device |
CN107292174A (en) * | 2016-03-31 | 2017-10-24 | 中国电子科技集团公司电子科学研究院 | A kind of cloud computing system security assessment method and device |
CN107451029A (en) * | 2016-06-01 | 2017-12-08 | 腾讯科技(深圳)有限公司 | A kind of information processing method and device, equipment |
CN107451029B (en) * | 2016-06-01 | 2021-01-05 | 腾讯科技(深圳)有限公司 | Information processing method, device and equipment |
CN106209831A (en) * | 2016-07-08 | 2016-12-07 | 瑞达信息安全产业股份有限公司 | A kind of network security index calculation method |
CN107274324A (en) * | 2017-06-06 | 2017-10-20 | 张黎明 | A kind of method that accident risk assessment is carried out based on cloud service |
CN107317824A (en) * | 2017-08-01 | 2017-11-03 | 北京观数科技有限公司 | A kind of controllable real net attack and defense training system of risk |
CN107317824B (en) * | 2017-08-01 | 2023-07-25 | 北京观数科技有限公司 | Real network attack and defense exercise system with controllable risk |
WO2019237523A1 (en) * | 2018-06-11 | 2019-12-19 | 平安科技(深圳)有限公司 | Safety risk evaluation method and apparatus, computer device, and storage medium |
CN109040655A (en) * | 2018-09-03 | 2018-12-18 | 徐兴年 | A kind of video conferencing system based on information network |
CN112241534A (en) * | 2020-09-08 | 2021-01-19 | 法信公证云(厦门)科技有限公司 | Evidence obtaining method and device of electronic evidence, evidence obtaining equipment and medium |
CN113420975A (en) * | 2021-06-17 | 2021-09-21 | 中智行科技有限公司 | System performance evaluation method and device |
CN113765890A (en) * | 2021-08-10 | 2021-12-07 | 广州天懋信息系统股份有限公司 | Private network security risk processing method, device, equipment and storage medium |
CN115357910A (en) * | 2022-10-20 | 2022-11-18 | 中孚安全技术有限公司 | Network risk situation analysis method and system based on spatial relationship |
CN117081851A (en) * | 2023-10-10 | 2023-11-17 | 网思科技股份有限公司 | Display method, system and medium of network security situation awareness information |
CN117081851B (en) * | 2023-10-10 | 2024-03-19 | 网思科技股份有限公司 | Display method, system and medium of network security situation awareness information |
CN117097569A (en) * | 2023-10-19 | 2023-11-21 | 南京怡晟安全技术研究院有限公司 | Network security situation diagnosis method and system based on multi-node relevance |
CN117097569B (en) * | 2023-10-19 | 2023-12-19 | 南京怡晟安全技术研究院有限公司 | Network security situation diagnosis method and system based on multi-node relevance |
CN117350548A (en) * | 2023-12-04 | 2024-01-05 | 国网浙江省电力有限公司宁波供电公司 | Power distribution equipment potential safety hazard investigation method |
CN117354053A (en) * | 2023-12-04 | 2024-01-05 | 湖北华特信息技术有限公司 | Network security protection method based on big data |
CN117354053B (en) * | 2023-12-04 | 2024-03-08 | 湖北华特信息技术有限公司 | Network security protection method based on big data |
CN117350548B (en) * | 2023-12-04 | 2024-04-16 | 国网浙江省电力有限公司宁波供电公司 | Power distribution equipment potential safety hazard investigation method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20121128 |