CN102801739A - Network risk determining and evidence obtaining method based on cloud computing environment - Google Patents

Publication number: CN102801739A
Application number: CN2012103151216A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 杨进, 刘唐, 刘孙俊, 刘才铭, 王红军, 杨鸿�
Current Assignee: Leshan Normal University
Original Assignee: Leshan Normal University
Application filed by Leshan Normal University

Abstract

The invention discloses a network risk determining and evidence obtaining method based on a cloud computing environment. The method comprises the following steps: first, conducting grid intrusion risk evaluation under the cloud computing environment; then establishing a layered quantitative risk evaluation system under the cloud computing environment; and finally obtaining evidence in real time and conducting policy control. The network is monitored by detectors scattered through the network environment, so that the overall comprehensive risk value of the current network, and the risk value of any host in the network under one kind of attack or multiple kinds of attack, are quantitatively evaluated in real time and evidence is obtained in real time; the defense strategy of the entire system is then actively changed according to the risk index. The method evaluates the network security state under the cloud computing environment and predicts its risk, and performs effective network risk evaluation and evidence collection for the attacks suffered by the monitored network, thereby achieving network security.

Description

Network risk determination and evidence collection method based on a cloud computing environment
Technical field
The invention belongs to the technical field of network risk, and in particular relates to a network risk determination and evidence collection method based on a cloud computing environment.
Background art
Cloud computing technology is developing toward large scale, high performance and distribution. It has brought major innovation to information technology and has become a focus of close attention for industry, academia and even government. The national "Twelfth Five-Year" plan outline lists cloud computing as a strategic emerging industry to be given priority. The development of cloud computing will change the entire information industry chain of CPU, storage, servers, terminals, operation and application software, and will profoundly affect the use of information technology from production to daily life. As the importance of network security under the cloud computing environment gradually rises, security has become a key factor restricting the development of cloud computing. Unfortunately, existing network security models are mainly based on methods such as anomaly detection, log analysis and rule matching, and mainly discover an attack after it has occurred; they also do not fit the cloud computing environment, one of whose characteristics is that the network boundary has been eliminated. Traditional intrusion detection methods based on misuse detection and anomaly detection algorithms are likewise unsuitable under a cloud computing environment, lacking distribution and scalability.
Summary of the invention
To solve the existing problems, the invention provides a network risk determination and evidence collection method based on a cloud computing environment: a method that effectively analyzes the attacks the monitored network is suffering under the cloud computing environment and calculates and evaluates the network risk. Under the cloud computing environment, a layered, quantitative measurement index system is established to grasp the network situation as a whole and globally; using the theory of fuzzy computation, asset evaluation is combined with the network situation evaluation system, and security systems engineering theory is applied to analyze, qualitatively and quantitatively, the inherent or potential risks of the network under the cloud computing environment, yielding the likelihood that the whole network is endangered and the severity of the consequences.
Another object of the embodiments of the invention is to provide a network risk determination and evidence collection method based on a cloud computing environment, characterized in that the method comprises:
First, conducting grid intrusion risk evaluation under the cloud computing environment;
Establishing the layered quantitative risk evaluation system under the cloud computing environment;
Collecting evidence in real time and conducting policy control.
Further, the network risk evaluation method is:
First, detectors are distributed to each node of the network, i.e. onto the security servers, the network is monitored and network data collection begins;
Each data center server collects risk information from the control points under its jurisdiction;
The second-level data center server statistically analyzes the collected information and, combining the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under it;
The top-level data center server statistically analyzes the overall risk evaluated by the second-level data center servers and the risk of the top-level security servers and, combining the important risk-related information, calculates the risk value of the whole system;
The top-level data center server collects security server information and overall risk information from the second-level data center servers, collects risk information from the top-level security servers, and obtains the important risk-related information locally.
Further, in the risk statistics module, all data center servers are treated as having the same role. A data center server collects risk information from the control points under its jurisdiction: if a control point is a subordinate data center server, its overall risk is collected; if it is a security server, its own risk is collected. Each security server monitors in real time and obtains its own risk records. The second-level data center server contacts the top-level data center server to obtain the important risk-related information, and collects locally the risk information of all monitoring security servers directly under it.
Further, the layered quantitative risk evaluation method under the cloud computing environment comprises:
Calculating the risk value $r_{i,j}(t)$ of a single attack faced by an individual host at time t; at time t, the risk value of the i-th anomaly for the host on the j-th LCSA is:
Figure BSA00000771291600031
where u denotes the degree of danger of this class of attack;
Calculating the comprehensive risk value $r_j(t)$ of multiple attacks faced by an individual host at time t. We set the parameter $u_i$ ($0 \le u_i \le 1$) to represent the danger of the i-th ($1 \le i \le m$) class of attack
Figure BSA00000771291600032
so the risk value $r_j(t)$ on the j-th host is
$$r_j(t) = \tanh\left( \zeta \cdot \sum_{i=1}^{n} \left( u_i \cdot \sum_{x \in A_i(t)} \rho_i(t) \right) \right)$$
The larger the value of $r_j(t)$, the more dangerous the system is;
Establishing the attack harm index system: attacks are divided by behavioral features into four major classes and a number of groups; the purpose of the classification is to better determine the degree of harm of each class of attack. The harm vector $D_i$ of the i-th attack is then established as $D_i = \{D_1^i, D_2^i, D_3^i, D_4^i, D_5^i, D_6^i\}$ ($1 \le i \le m$). The harm vectors of the m attacks are arranged together to form the harm matrix D:
$$D = \begin{pmatrix}
D_1^1 & D_2^1 & D_3^1 & D_4^1 & D_5^1 & D_6^1 \\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\
D_1^i & D_2^i & D_3^i & D_4^i & D_5^i & D_6^i \\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\
D_1^m & D_2^m & D_3^m & D_4^m & D_5^m & D_6^m
\end{pmatrix}$$
Calculating the attack harm: according to the different services each host provides, its users, and the attributes of its system software, application software and so on, the relative importance values of six classes of indices of the j-th ($1 \le j \le N$) host, namely network bandwidth, services, system software, application software, data and information, are comprehensively established and denoted
Figure BSA00000771291600036
The value $E_j$ of the j-th ($1 \le j \le N$) host is a composite score from expert scoring and surveys. The danger value u of attack i against the j-th ($1 \le j \le N$) host is then $u_i = D_i \cdot E_j$, where $D_i$ denotes the i-th component of matrix D. Once $u_i$ has been calculated, $r_j(t)$ can be obtained;
Calculating the network risk value: calculation of the risk value starts from the bottom of the tree and then recurses upward. The importance value of the j-th host is denoted $Importance_j$; the risk value of this LCSA is the weighted sum Q(t) of the risk values $r_j(t)$ of all hosts on this LCSA:
Figure BSA00000771291600037
The risk value of the j-th host ($Host_j$) is $r_j(t)$ and $Importance_j$ is the importance value of the j-th host; Q(t) is then normalized to obtain the risk value of this LCSA;
These indices are quantified, and a host importance evaluation index system is established at multiple levels;
A multi-level grey relational model is adopted. Suppose that n indices affecting Importance are identified in the network, each with m attributes; the evaluation index system is determined according to the evaluation purpose, and the index data sequences are made dimensionless to form the following matrix:
$$(X_0, X_1, \cdots, X_n) = \begin{pmatrix}
x_0(1) & x_1(1) & \cdots & x_n(1) \\
x_0(2) & x_1(2) & \cdots & x_n(2) \\
\vdots & \vdots & & \vdots \\
x_0(m) & x_1(m) & \cdots & x_n(m)
\end{pmatrix}$$
where
Figure BSA00000771291600042
where i = 0, 1, ..., n and k = 1, 2, ..., m. The absolute difference $|x_0(k) - x_i(k)|$ between each evaluated object's index sequence and the corresponding element of the reference sequence is then calculated one by one, and the following are determined:
Figure BSA00000771291600043
and
Figure BSA00000771291600044
The relational coefficient between each comparison sequence and the corresponding element of the reference sequence is then calculated:
$$\zeta_i(k) = \frac{\min_i \min_k |x_0(k) - x_i(k)| + \rho \cdot \max_i \max_k |x_0(k) - x_i(k)|}{|x_0(k) - x_i(k)| + \rho \cdot \max_i \max_k |x_0(k) - x_i(k)|}, \quad k = 1, \ldots, m$$
In the formula, ρ is the resolution coefficient, taking values in (0, 1); the smaller ρ is, the larger the differences between relational coefficients and the stronger the discrimination. Here we take ρ = 0.5;
For each evaluated object, the mean of the relational coefficients between its m indices and the corresponding elements of the reference sequence is calculated, to reflect the relation between each evaluated object and the reference sequence. Because the indices play different roles in the overall evaluation in this system, a weighted average of the relational coefficients is used:
$$r'_{0i} = \frac{1}{m} \sum_{k=1}^{m} W_k \cdot \zeta_i(k), \quad k = 1, \ldots, m$$
Finally, the evaluation result is obtained from the relational order of the observed objects, where $W_k$ is the weight of each index;
Calculating the overall evaluation target: overall evaluation target = ∑ (score of each index × corresponding weight). The overall evaluation target is the importance value of each evaluated host, i.e. the magnitude of the Importance value. We thus obtain the Importance value as:
$$Importance = \sum_{k=1}^{8} (I_k \times W_k)$$
Evaluating the risk of the whole network: the SREC (System Risk Evaluation Center) collects local security information (for example the AC on the host, the risk value, etc.) from each LCSA. Denote the importance of the m-th LCSA, $LCSA_m$, as $LCSA\_Weight_m$, suppose the network has N LCSAs in total, and normalize; the risk value R(t) of the whole network is:
$$R(t) = \tanh\left( \sum_{m=1}^{N} \left( \sum_{j=1}^{n} \left( r_j(t) \times \sum_{k=1}^{8} (I_{j,k} \times W_k) \right) \times LCSA\_Weight_m \right) \right)$$
R(t) is the final network risk value calculated by the SREC in the risk assessment. The higher its score, the higher the network risk level and the more the system is at risk; conversely, the lower the score, the safer the network.
Further, the method also comprises:
In step S1031, the WEB server listens for evidence collection or policy requests; if the client fails to obtain a request, it retries every cycle until timeout;
In step S1032, the WEB server obtains the evidence collection or policy request submitted by the user and stores the requests permitted to execute in the database; if the WEB server's database storage fails, step S1037 is executed; if the client fails to obtain the request, it retries every cycle until timeout; on success, step S1033 is executed;
In step S1033, the SOCKET client initiates a TCP connection request to the target server; if the connection fails, step S1037 is run and the program ends; if the connection succeeds, step S1034 is executed;
In step S1034, the client reports the detected evidence collection or policy request to the server, and the server runs the requested instruction itself; on failure, step S1037 is run, the server ends and the session is disconnected; on success, the execution result is fed back to the client and step S1035 is executed;
The client receives the server's result; on failure, step S1037 is run and the program exits; on success, the result is stored in the database and step S1036 is executed;
In step S1036, the WEB server monitors the execution result of the evidence collection or policy request and displays it to the user through the browser interface.
Further, the method also comprises:
If a time series X(t) is a linear function of its earlier values and of its current and earlier random error terms, i.e. it can be expressed as:
$$X(t) = \varphi_1 X(t-1) + \varphi_2 X(t-2) + \cdots + \varphi_p X(t-p) + u(t) - \theta_1 u(t-1) - \theta_2 u(t-2) - \cdots - \theta_q u(t-q) \qquad (1)$$
then the time series X(t) is an autoregressive moving average sequence, and formula (1) is the autoregressive moving average model of order (p, q), denoted ARMA(p, q). In the formula, $\varphi_i$ (i = 1, 2, 3, ..., p) are the autoregressive parameters, $\theta_i$ (i = 1, 2, 3, ..., q) are the moving average parameters, and u(t) is the residual; when formula (1) correctly reveals the structure and regularity of the time series, {u(t)} is white noise. Formula (1) is an ARMA(p, q) model with a p-th order autoregressive part and a q-th order moving average part. Introducing the lag operator B, formula (1) can be abbreviated as:
$$\varphi(B) X(t) = \theta(B) u(t)$$
The stationarity condition of the ARMA(p, q) process is that the roots of the lag polynomial φ(B) all lie outside the unit circle; the invertibility condition is that the roots of φ(B) all lie outside the unit circle;
The predicted value of the monitored network risk time series {R(t)} is the sum of the predicted value of the nonlinear fitted series {Y(t)} and the predicted value of the residual series {X(t)}:
Figure BSA00000771291600061
The network risk evaluation and evidence collection method based on a cloud computing environment provided by the invention first conducts grid intrusion risk evaluation under the cloud computing environment, then establishes the layered quantitative risk evaluation system under the cloud computing environment, and finally collects evidence in real time and conducts policy control. Detectors scattered through the network environment monitor the network; the overall comprehensive risk value of the current network, and the risk value of any host in the network under a single attack or multiple attacks, are quantitatively evaluated in real time and evidence is collected in real time, and the defense policy of the whole system is then actively changed according to the risk index. The scheme evaluates the network security situation under the cloud computing environment and predicts its risk, and performs effective network risk evaluation and evidence collection on the attacks suffered by the monitored network, thereby achieving network security.
Description of drawings
Fig. 1 shows a flow chart of the network risk determination and evidence collection method based on a cloud computing environment provided by the embodiment of the invention;
Fig. 2 shows a flow chart of the network risk evaluation method provided by the embodiment of the invention;
Fig. 3 shows a flow chart of the method for establishing the layered quantitative risk evaluation system under the cloud computing environment provided by the embodiment of the invention;
Fig. 4 shows a flow chart of the real-time evidence collection and policy control method provided by the embodiment of the invention.
Embodiment
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and are not intended to limit it.
Fig. 1 shows the network risk determination and evidence collection method based on a cloud computing environment provided by the embodiment of the invention. The method comprises:
In step S101, grid intrusion risk evaluation under the cloud computing environment is conducted first.
In step S102, the layered quantitative risk evaluation system under the cloud computing environment is established.
In step S103, evidence is collected in real time and policy control is conducted.
Fig. 2 shows the network risk evaluation method provided by the embodiment of the invention. The method comprises:
In step S1011, detectors are first distributed to each node of the network (i.e. onto the security servers), the network is monitored and network data collection begins.
In step S1012, each data center server collects risk information from the control points under its jurisdiction. In the risk statistics module, all data center servers (comprising the top-level data center server and the second-level data center servers) are treated as having the same role. A data center server collects risk information from the control points under its jurisdiction: if a control point is a subordinate data center server, its overall risk is collected; if it is a security server, its own risk is collected. Each security server monitors in real time and obtains its own risk records. The second-level data center server contacts the top-level data center server to obtain the important risk-related information (such as host weights and attack type weights), and collects locally the risk information of all monitoring security servers directly under it.
In step S1013, the second-level data center server statistically analyzes the collected information and, combining the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under it.
In step S1014, the top-level data center server statistically analyzes the overall risk evaluated by the second-level data center servers and the risk of the top-level security servers and, combining the important risk-related information, calculates the risk value of the whole system.
The top-level data center server collects security server information and overall risk information from the second-level data center servers, collects risk information from the top-level security servers, and obtains the important risk-related information (such as host weights and attack type weights) locally.
Fig. 3 shows the method for establishing the layered quantitative risk evaluation under the cloud computing environment provided by the embodiment of the invention. The method comprises:
In step S1021, the risk value $r_{i,j}(t)$ of a single attack faced by an individual host at time t is calculated. At time t, the risk value of the i-th anomaly for the host on the j-th LCSA is:
where u denotes the degree of danger of this class of attack.
In step S1022, the comprehensive risk value $r_j(t)$ of multiple attacks faced by an individual host at time t is calculated. We set the parameter $u_i$ ($0 \le u_i \le 1$) to represent the danger of the i-th ($1 \le i \le m$) class of attack
Figure BSA00000771291600082
so the risk value $r_j(t)$ on the j-th host is
Figure BSA00000771291600083
The larger the value of $r_j(t)$, the more dangerous the system is.
In step S1023, the attack harm index system is established.
Attacks are divided by behavioral features into four major classes and a number of groups; the purpose of the classification is to better determine the degree of harm of each class of attack. The harm vector $D_i$ of the i-th attack is then established as
Figure BSA00000771291600084
Figure BSA00000771291600085
($1 \le i \le m$). The harm vectors of the m attacks are arranged together to form the harm matrix D:
$$D = \begin{pmatrix}
D_1^1 & D_2^1 & D_3^1 & D_4^1 & D_5^1 & D_6^1 \\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\
D_1^i & D_2^i & D_3^i & D_4^i & D_5^i & D_6^i \\
\vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\
D_1^m & D_2^m & D_3^m & D_4^m & D_5^m & D_6^m
\end{pmatrix}$$
In step S1024, the attack harm is calculated.
According to the different services each host provides, its users, and the attributes of its system software, application software and so on, the relative importance values of six classes of indices of the j-th ($1 \le j \le N$) host, namely network bandwidth, services, system software, application software, data and information, are comprehensively established and denoted
Figure BSA00000771291600092
The value $E_j$ of the j-th ($1 \le j \le N$) host is a composite score from expert scoring and surveys. The danger value u of attack i against the j-th ($1 \le j \le N$) host is then $u_i = D_i \cdot E_j$, where $D_i$ denotes the i-th component of matrix D. Once $u_i$ has been calculated, $r_j(t)$ can be obtained.
In step S1025, the network risk value is calculated.
The risk value of the whole network should comprehensively reflect the risk of each host. The hosts, however, are not of equal standing: they run different systems, serve different users, provide different services, and have different economic, social and even political value, so they differ in importance. Considering that each LCSA may in turn have child LCSA nodes beneath it, forming a tree, calculation of the risk value starts from the bottom of the tree and then recurses upward. The importance value of the j-th host is denoted $Importance_j$; the risk value of this LCSA is then the weighted sum Q(t) of the risk values $r_j(t)$ of all hosts on this LCSA, where the risk value of the j-th host ($Host_j$) is $r_j(t)$ and $Importance_j$ is the importance value of the j-th host. Q(t) is then normalized to obtain the risk value of this LCSA.
In step S1026, to obtain the importance value (i.e. the Importance value) of each host comprehensively, these indices are quantified and a host importance evaluation index system is established at multiple levels.
A multi-level grey relational model is adopted. Suppose that n indices affecting Importance are identified in the network, each with m attributes (in other words, measured by m indices). The evaluation index system is determined according to the evaluation purpose, and the index data sequences are made dimensionless to form the following matrix:
$$(X_0, X_1, \cdots, X_n) = \begin{pmatrix}
x_0(1) & x_1(1) & \cdots & x_n(1) \\
x_0(2) & x_1(2) & \cdots & x_n(2) \\
\vdots & \vdots & & \vdots \\
x_0(m) & x_1(m) & \cdots & x_n(m)
\end{pmatrix}$$
Here our nondimensionalization method is the mean-value method:
Figure BSA00000771291600102
where i = 0, 1, ..., n and k = 1, 2, ..., m. The absolute difference $|x_0(k) - x_i(k)|$ between each evaluated object's index sequence (comparison sequence) and the corresponding element of the reference sequence is then calculated one by one, and the following are determined:
Figure BSA00000771291600103
and
Figure BSA00000771291600104
The relational coefficient between each comparison sequence and the corresponding element of the reference sequence is then calculated:
$$\zeta_i(k) = \frac{\min_i \min_k |x_0(k) - x_i(k)| + \rho \cdot \max_i \max_k |x_0(k) - x_i(k)|}{|x_0(k) - x_i(k)| + \rho \cdot \max_i \max_k |x_0(k) - x_i(k)|}, \quad k = 1, \ldots, m$$
In the formula, ρ is the resolution coefficient, taking values in (0, 1); the smaller ρ is, the larger the differences between relational coefficients and the stronger the discrimination. Here we take ρ = 0.5.
For each evaluated object (comparison sequence), the mean of the relational coefficients between its m indices and the corresponding elements of the reference sequence is calculated, to reflect the relation between each evaluated object and the reference sequence. Because the indices play different roles in the overall evaluation in this system, a weighted average of the relational coefficients is used (where $W_k$ is the weight of each index):
$$r'_{0i} = \frac{1}{m} \sum_{k=1}^{m} W_k \cdot \zeta_i(k), \quad k = 1, \ldots, m$$
Finally, the evaluation result is obtained from the relational order of the observed objects.
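The grey relational ranking of step S1026, as an added example that is not part of the patent text. The normalization formula itself did not survive on this page, so dividing each sequence by its own mean is an assumption based on the name "mean-value method"; the host names, index scores and weights are constructed sample data.

```python
def mean_normalize(seq):
    """Make a sequence dimensionless by dividing by its mean (assumed method)."""
    mean = sum(seq) / len(seq)
    if mean == 0:
        raise ValueError("cannot mean-normalize a sequence whose mean is zero")
    return [v / mean for v in seq]


def relational_coefficients(reference, comparisons, rho=0.5):
    """zeta_i(k) for every comparison sequence i and index k."""
    x0 = mean_normalize(reference)
    diffs = [[abs(a - b) for a, b in zip(x0, mean_normalize(x))]
             for x in comparisons]
    d_min = min(min(row) for row in diffs)   # min_i min_k |x0(k) - xi(k)|
    d_max = max(max(row) for row in diffs)   # max_i max_k |x0(k) - xi(k)|
    if d_max == 0.0:
        # Every sequence has the same shape as the reference: the formula
        # would divide by zero, and full relation (1.0) is the limit value.
        return [[1.0] * len(x0) for _ in diffs]
    return [[(d_min + rho * d_max) / (d + rho * d_max) for d in row]
            for row in diffs]


def relational_grades(reference, comparisons, weights, rho=0.5):
    """r'_0i = (1/m) * sum_k W_k * zeta_i(k), as written on the page."""
    m = len(reference)
    if len(weights) != m or any(len(x) != m for x in comparisons):
        raise ValueError("every sequence and the weight vector need m entries")
    coeffs = relational_coefficients(reference, comparisons, rho)
    return [sum(w * z for w, z in zip(weights, row)) / m for row in coeffs]


def rank_hosts(names, grades):
    """Relational order: host names sorted from strongest to weakest relation."""
    return [n for n, _ in sorted(zip(names, grades), key=lambda p: -p[1])]


# Constructed sample: m = 4 indices scored for a reference host and three hosts.
REFERENCE = [8.0, 6.0, 9.0, 7.0]
HOST_NAMES = ["core-db", "web-front", "test-vm"]
HOST_SCORES = [
    [4.0, 3.0, 4.5, 3.5],   # same shape as the reference, half the magnitude
    [6.0, 7.0, 5.0, 8.0],
    [2.0, 9.0, 3.0, 8.0],
]
WEIGHTS = [0.4, 0.3, 0.2, 0.1]   # constructed W_k, summing to 1

if __name__ == "__main__":
    grades = relational_grades(REFERENCE, HOST_SCORES, WEIGHTS)
    for name, grade in zip(HOST_NAMES, grades):
        print(f"{name}: {grade:.4f}")
    print("relational order:", rank_hosts(HOST_NAMES, grades))
```

Because each sequence is divided by its own mean, a host whose scores are a scaled copy of the reference gets coefficient 1 on every index: the model compares the shape of the index profile, not its magnitude.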
In step S1027, the overall evaluation target is calculated.
Overall evaluation target = ∑ (score of each index × corresponding weight). The overall evaluation target is the importance value of each evaluated host, i.e. the magnitude of the Importance value. We thus obtain the Importance value as:
$$Importance = \sum_{k=1}^{8} (I_k \times W_k)$$
In step S1028, the risk of the whole network is evaluated.
The SREC (System Risk Evaluation Center) collects local security information (for example the AC on the host, the risk value, etc.) from each LCSA. Denote the importance of the m-th LCSA, $LCSA_m$, as $LCSA\_Weight_m$, and suppose the network has N LCSAs in total,
Figure BSA00000771291600111
and normalize; the risk value R(t) of the whole network is:
$$R(t) = \tanh\left( \sum_{m=1}^{N} \left( \sum_{j=1}^{n} \left( r_j(t) \times \sum_{k=1}^{8} (I_{j,k} \times W_k) \right) \times LCSA\_Weight_m \right) \right)$$
R(t) is the final network risk value calculated by the SREC of the risk CELA. The higher its score, the higher the network risk level and the more the system is at risk; conversely, the lower the score, the safer the network.
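The layered calculation of steps S1022 to S1028 carried through on sample data, as an added example that is not code from the patent. Assumptions: the value of ζ, the per-detection intensities ρ supplied as plain numbers, normalization of the LCSA weights by dividing by their sum, and every matrix, weight and host in the sample, all of which are constructed.

```python
import math

ZETA = 0.5  # assumption: scaling constant zeta (the page gives no value)

# Constructed harm matrix D: one row per attack class, six columns for
# bandwidth, services, system software, application software, data, information.
HARM_MATRIX = [
    [0.9, 0.3, 0.1, 0.1, 0.1, 0.1],
    [0.1, 0.6, 0.8, 0.5, 0.7, 0.6],
    [0.0, 0.1, 0.1, 0.2, 0.9, 0.9],
]
INDEX_WEIGHTS = [0.2, 0.15, 0.15, 0.1, 0.1, 0.1, 0.1, 0.1]  # constructed W_1..W_8


def attack_danger(d_row, e_host):
    """u_i = D_i . E_j: harm vector of attack class i dotted with host j's
    relative-importance vector over the six asset indices."""
    if len(d_row) != 6 or len(e_host) != 6:
        raise ValueError("D_i and E_j each need six components")
    u = sum(d * e for d, e in zip(d_row, e_host))
    if not -1e-9 <= u <= 1.0 + 1e-9:
        raise ValueError("u_i must lie in [0, 1]; rescale D or E")
    return u


def host_risk(harm, e_host, rho, zeta=ZETA):
    """r_j(t) = tanh(zeta * sum_i u_i * sum_{x in A_i(t)} rho).
    rho maps an attack class index to the intensities detected at time t."""
    total = sum(attack_danger(harm[i], e_host) * sum(vals)
                for i, vals in rho.items())
    return math.tanh(zeta * total)


def host_importance(scores, weights):
    """Importance_j = sum_{k=1..8} I_{j,k} * W_k."""
    if len(scores) != 8 or len(weights) != 8:
        raise ValueError("eight index scores and eight weights are required")
    return sum(i * w for i, w in zip(scores, weights))


def lcsa_risk(hosts, harm, weights):
    """Q(t) for one LCSA: importance-weighted sum of its hosts' r_j(t)."""
    return sum(host_risk(harm, h["E"], h["rho"]) * host_importance(h["I"], weights)
               for h in hosts)


def network_risk(lcsas, harm, weights):
    """R(t) = tanh(sum_m Q_m(t) * LCSA_Weight_m), weights normalized to sum 1."""
    total_w = sum(l["weight"] for l in lcsas)
    if total_w <= 0:
        raise ValueError("LCSA weights must sum to a positive value")
    return math.tanh(sum(lcsa_risk(l["hosts"], harm, weights) * l["weight"] / total_w
                         for l in lcsas))


# Constructed hosts: E = six asset-importance values, I = eight index scores,
# rho = detections per attack class in the current time step.
WEB = {"E": [0.4, 0.3, 0.1, 0.1, 0.05, 0.05],
       "I": [0.8, 0.7, 0.6, 0.6, 0.5, 0.5, 0.4, 0.4],
       "rho": {0: [0.3, 0.2], 1: [0.1]}}
DB = {"E": [0.05, 0.15, 0.1, 0.1, 0.3, 0.3], "I": [0.9] * 8, "rho": {2: [0.4]}}
IDLE = {"E": [1 / 6] * 6, "I": [0.2] * 8, "rho": {}}
SAMPLE_NETWORK = [
    {"weight": 3.0, "hosts": [WEB, DB]},
    {"weight": 1.0, "hosts": [IDLE]},
]

if __name__ == "__main__":
    for name, host in (("web", WEB), ("db", DB), ("idle", IDLE)):
        print(name, round(host_risk(HARM_MATRIX, host["E"], host["rho"]), 4))
    print("R(t) =", round(network_risk(SAMPLE_NETWORK, HARM_MATRIX, INDEX_WEIGHTS), 4))
```

The outer tanh keeps R(t) below 1 however many hosts report detections, so the score saturates under heavy attack; the per-host r_j(t) values are the ones to inspect when R(t) is already high.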
Fig. 4 shows the real-time evidence collection and policy control method provided by the embodiment of the invention. The method comprises:
In step S1031, the WEB server listens for evidence collection or policy requests.
If the client fails to obtain a request, it retries every cycle until timeout.
In step S1032, the WEB server obtains the evidence collection or policy request submitted by the user and stores the requests permitted to execute in the database.
If the WEB server's database storage fails, step S1037 is executed; if the client fails to obtain the request, it retries every cycle until timeout; on success, step S1033 is executed.
In step S1033, the SOCKET client initiates a TCP connection request to the target server.
If the connection fails, step S1037 is run and the program ends; if the connection succeeds, step S1034 is executed.
In step S1034, the client reports the detected evidence collection or policy request to the server, and the server runs the requested instruction itself. On failure, step S1037 is run, the server ends and the session is disconnected; on success, the execution result is fed back to the client and step S1035 is executed.
In step S1035, the client receives the server's result.
On failure, step S1037 is run and the program exits; on success, the result is stored in the database and step S1036 is executed.
In step S1036, the WEB server monitors the execution result of the evidence collection or policy request and displays it to the user through the browser interface.
First, grid intrusion risk evaluation under the cloud computing environment is conducted. Detectors are distributed to each node of the network (i.e. onto the security servers), the network is monitored and network data collection begins; each data center server collects risk information from the control points under its jurisdiction; the second-level data center server statistically analyzes the collected information and, combining the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under it; the top-level data center server statistically analyzes the overall risk evaluated by the second-level data center servers and the risk of the top-level security servers and, combining the important risk-related information, calculates the risk value of the whole system.
Second, the layered quantitative risk evaluation system under the cloud computing environment is established.
The risk value $r_{i,j}(t)$ of a single attack faced by an individual host at time t is calculated:
Figure BSA00000771291600121
where u denotes the degree of danger of this class of attack. The comprehensive risk value $r_j(t)$ of multiple attacks faced by an individual host at time t is calculated; the attack harm index system is established; the attack harm is calculated. Each LCSA may in turn have child LCSA nodes beneath it, forming a tree, so calculation of the risk value starts from the bottom of the tree and recurses upward to obtain the risk value of the whole network. To obtain the importance value (i.e. the Importance value) of each host comprehensively, these indices are quantified and a host importance evaluation index system is established at multiple levels. The overall evaluation target is calculated: overall evaluation target = ∑ (score of each index × corresponding weight); the overall evaluation target is the importance value of each evaluated host, i.e. the magnitude of the Importance value:
Figure BSA00000771291600123
To evaluate the risk of the whole network, the SREC (System Risk Evaluation Center) collects local security information (for example the AC on the host, the risk value, etc.) from each LCSA. Denote the importance of the m-th LCSA, $LCSA_m$, as $LCSA\_Weight_m$, and suppose the network has N LCSAs in total,
Figure BSA00000771291600124
After normalization, the risk degree value R(t) of the whole network is:
$$R(t) = \tanh\left(\sum_{m=1}^{N}\left(\sum_{j=1}^{n}\left(r_j(t) \times \sum_{k=1}^{8}\left(I_{j,k} \times W_k\right)\right) \times LCSA\_Weight_m\right)\right)$$
R(t) is the final network risk degree value calculated by the SREC of the risk CELA. The higher its score, the higher the network risk level and the more dangerous the state of the system; conversely, the lower the score, the safer the network.
Finally, real-time evidence collection and policy control are performed.
The WEB server listens for evidence-collection or policy requests; if it fails to obtain a request, it retries in every cycle until timeout. If the WEB server obtains an evidence-collection or policy request submitted by a user, it stores the requests that are permitted to execute in the database. The SOCKET client then initiates a TCP connection request to the target server; if the connection fails, the program ends; if it succeeds, the client reports the detected evidence-collection or policy request to the server, and the server runs the request locally. If the server fails to run the request, the server terminates and the session is closed; if it succeeds, it returns the execution result to the client, and the client receives the server's result. If the client fails to receive the server's result, the program exits; if it succeeds, the result is stored in the database, and the WEB server, which monitors the execution result of the evidence-collection or policy request, displays it to the user through the browser interface.
Quantitative network risk prediction model in the cloud computing environment
Based on the theory of time series analysis, the present invention proposes a new algorithm for network risk prediction, which decomposes a non-stationary time series into two parts: a deterministic term (representing trend or periodic regularity) and a random term. The deterministic term can be represented by a deterministic function of time (because intrusion behaviour is closely related to people's activity cycles); the random term represents the stationary random component and is fitted with an ARMA model. The two predictions are superimposed to improve prediction accuracy.
Medium- and long-term network intrusion behaviour is subject to the combined influence of complex factors such as social development, personal habits, and equipment and technology updates, so the network risk situation shows obvious trend and randomness (that is, it is non-stationary). Network intrusion behaviour mostly fluctuates with a certain period: for example, monthly average intrusion behaviour fluctuates with a 12-month period and daily average intrusion behaviour with a 24-hour period, so it is seasonal. This project studies a network risk prediction method based on non-stationary time series. We take the time series X(t) to be a linear function of its own earlier values and of the current and earlier random error terms, which can be expressed as:
$$X(t) = \phi_1 X(t-1) + \phi_2 X(t-2) + \dots + \phi_p X(t-p) + u(t) - \theta_1 u(t-1) - \theta_2 u(t-2) - \dots - \theta_q u(t-q) \tag{1}$$
The time series X(t) is then an autoregressive moving average sequence, and formula (1) is the autoregressive moving average model of order (p, q), denoted ARMA(p, q). In the formula, $\phi_i$ (i = 1, 2, 3, ..., p) are the autoregressive parameters, $\theta_i$ (i = 1, 2, 3, ..., q) are the moving average parameters, and u(t) is the residual; when formula (1) correctly reveals the structure and regularity of the time series, {u(t)} is white noise. Formula (1) is called the ARMA(p, q) model with an autoregressive part of order p and a moving average part of order q. Introducing the lag operator B, formula (1) can be abbreviated as:
$$\phi(B)X(t) = \theta(B)u(t)$$
The stationarity condition of the ARMA(p, q) process is that the roots of the lag polynomial φ(B) all lie outside the unit circle; the invertibility condition is that the roots of φ(B) all lie outside the unit circle.
The predicted value of the monitored network risk time series {R(t)} is the sum of the predicted value of the nonlinear fitting series {Y(t)} and the predicted value of the residual series {X(t)}:
Figure BSA00000771291600141
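A one-step forecast built this way can be sketched as follows. This is an added example, not code from the patent: a per-phase mean stands in for the fitted deterministic series {Y(t)} (an assumption), the ARMA parameters φ and θ are supplied by the caller rather than estimated, and the sample series is constructed.

```python
def seasonal_profile(series, period):
    """Deterministic part Y(t): mean of the observations at each phase of the cycle."""
    if period < 1 or len(series) < period:
        raise ValueError("need at least one full period of observations")
    sums = [0.0] * period
    counts = [0] * period
    for t, value in enumerate(series):
        sums[t % period] += value
        counts[t % period] += 1
    return [s / c for s, c in zip(sums, counts)]


def arma_innovations(x, phi, theta):
    """Recover u(t) from formula (1):
    u(t) = X(t) - sum_i phi_i X(t-i) + sum_i theta_i u(t-i).
    Values of X and u before the first observation are taken as zero."""
    u = []
    for t in range(len(x)):
        ar = sum(phi[i] * x[t - 1 - i] for i in range(len(phi)) if t - 1 - i >= 0)
        ma = sum(theta[i] * u[t - 1 - i] for i in range(len(theta)) if t - 1 - i >= 0)
        u.append(x[t] - ar + ma)
    return u


def forecast_next(series, period, phi, theta):
    """Return (Y_hat, X_hat, R_hat) for the step following the last observation."""
    profile = seasonal_profile(series, period)
    # Residual series X(t) = R(t) - Y(t), modelled as ARMA(p, q).
    x = [value - profile[t % period] for t, value in enumerate(series)]
    u = arma_innovations(x, phi, theta)
    n = len(series)
    # Formula (1) with the unknown future u(n) replaced by its mean, zero.
    x_hat = (sum(phi[i] * x[n - 1 - i] for i in range(len(phi)) if n - 1 - i >= 0)
             - sum(theta[i] * u[n - 1 - i] for i in range(len(theta)) if n - 1 - i >= 0))
    y_hat = profile[n % period]
    # R(t) is a tanh of a non-negative sum, so the forecast is clamped to [0, 1].
    r_hat = min(1.0, max(0.0, y_hat + x_hat))
    return y_hat, x_hat, r_hat


# Constructed sample: three "days" of four readings each (period 4), with risk
# peaking in the third slot of every day and drifting upward slightly.
SAMPLE_R = [0.10, 0.20, 0.60, 0.30,
            0.12, 0.22, 0.66, 0.31,
            0.15, 0.24, 0.69, 0.35]

if __name__ == "__main__":
    y_hat, x_hat, r_hat = forecast_next(SAMPLE_R, period=4, phi=[0.5], theta=[0.25])
    print("periodic part  Y_hat = %.4f" % y_hat)
    print("residual part  X_hat = %.4f" % x_hat)
    print("forecast       R_hat = %.4f" % r_hat)
```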
The network risk assessment and evidence collection method based on a cloud computing environment of this invention first carries out network intrusion risk assessment in the cloud computing environment, then establishes a hierarchical quantitative risk evaluation system for the cloud computing environment, and finally performs real-time evidence collection, policy control and risk prediction. Detectors dispersed in the network environment monitor the network, so that the overall comprehensive risk value of the current network, and the risk value of any host in the network facing one kind of attack or multiple kinds of attack, are quantitatively evaluated in real time and evidence is collected in real time, yielding real-time risk values. The defence policy can also be adjusted proactively in advance according to the platform's risk prediction value, to keep risk within an acceptable range: where necessary, dangerous ports are closed urgently, precautionary measures are added, network connections are restricted, network traffic is adjusted, and high-risk services are restricted or stopped; in exceptional situations host servers or network interconnection devices are even shut down urgently. The defence policy of the whole system is thus changed proactively according to the risk index. This scheme evaluates and predicts the network security situation in the cloud computing environment and performs effective network risk assessment and evidence collection for the attacks suffered by the monitored network, thereby achieving the goal of network security.
The above is merely a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (5)

1. A network risk determination and evidence collection method based on a cloud computing environment, characterized in that the method comprises:
first carrying out network intrusion risk determination in the cloud computing environment;
establishing a hierarchical quantitative risk evaluation system for the cloud computing environment;
performing real-time evidence collection and policy control.
2. The network risk determination method based on a cloud computing environment as claimed in claim 1, characterized in that,
in the risk statistics module, all data center servers are treated as the same role; a data center server collects risk information from the control points under its jurisdiction: if a control point under its jurisdiction is a subordinate data center server, it collects that server's overall risk, and if it is a security server, it collects that server's own risk; a security server monitors in real time to obtain its own risk records; the second-level data center server contacts the top-level data center server to obtain the important risk-related information; the second-level data center server collects locally all the risk information of the monitored security servers directly under it. The detailed process is as follows:
First, detectors are distributed to every node of the network, that is, onto the security servers, to monitor the network and begin collecting network data;
each data center server collects risk information from the control points under its jurisdiction;
the second-level data center server statistically analyses the collected information and, combining the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under it;
the top-level data center server statistically analyses the overall risk assessed by the second-level data center servers and the risk of the top-level security servers and, combining the important risk-related information, calculates the risk value of the whole system;
the top-level data center server collects security server information and overall risk information from the second-level data center servers respectively, collects risk information from the top-level security servers, and obtains the important risk-related information locally.
3. The network risk evaluation method based on a cloud computing environment as claimed in claim 2, characterized in that the hierarchical quantitative risk evaluation method for the cloud computing environment comprises:
Calculate the risk degree $r_{i,j}(t)$ of a single attack faced by a single host at time t; the risk degree value at time t of the i-th anomaly for the host on the j-th LCSA is:
Figure FSA00000771291500021
where u denotes the degree of danger of this type of attack;
Calculate the comprehensive risk degree $r_j(t)$ of the multiple attacks faced by a single host at time t. We set a parameter $u_i$ ($0 \le u_i \le 1$) to represent the danger of the i-th (1 ≤ i ≤ m) type of attack
Figure FSA00000771291500022
The risk degree value $r_j(t)$ on the j-th host is then
$$r_j(t) = \tanh\left(\zeta \cdot \sum_{i=1}^{n}\left(u_i \cdot \sum_{x \in A_i(t)} \rho_i(t)\right)\right)$$
The larger the value of $r_j(t)$, the more dangerous the system;
Establish the attack danger index system. Attacks are divided by behavioural characteristics into four major classes and several groups; the purpose of the classification is to better determine the degree of harm of each type of attack. The harmfulness vector $D_i$ of the i-th kind of attack is then established as $D_i = \{D_1^i, D_2^i, D_3^i, D_4^i, D_5^i, D_6^i\}$ (1 ≤ i ≤ m). The harmfulness vectors of these m kinds of attack are arranged together to form the harmfulness matrix D:
$$D = \begin{pmatrix} D_1^1 & D_2^1 & D_3^1 & D_4^1 & D_5^1 & D_6^1 \\ \vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\ D_1^i & D_2^i & D_3^i & D_4^i & D_5^i & D_6^i \\ \vdots & \vdots & \vdots & \vdots & \vdots & \vdots \\ D_1^m & D_2^m & D_3^m & D_4^m & D_5^m & D_6^m \end{pmatrix};$$
Calculate the attack danger. According to the different services each host provides and its respective attributes such as user objects, system software and application software, the relative importance values of six types of indexes (network bandwidth, services, system software, application software, data and information) of the j-th (1 ≤ j ≤ N) host are comprehensively established and denoted
Figure FSA00000771291500026
The value of $E_j$ for the j-th (1 ≤ j ≤ N) host is a comprehensive score based on expert marking and survey. The degree of danger u of the i-th attack to the j-th (1 ≤ j ≤ N) host is then $u_i = D_i \cdot E_j$, where $D_i$ denotes the i-th component of matrix D; once $u_i$ has been calculated, $r_j(t)$ can be obtained;
Calculate the network risk degree value. The risk degree values are first calculated from the bottom level of the tree and then calculated recursively upward. Denote the importance value of the j-th host as $Importance_j$; the risk degree value of an LCSA is the weighted sum Q(t) of the risk degree values $r_j(t)$ of all hosts on that LCSA: where the risk degree value of the j-th host ($Host_j$) is $r_j(t)$ and $Importance_j$ is the importance value of the j-th host. Q(t) is then normalized to obtain the risk degree value of this LCSA;
These indexes are quantified, and a host importance evaluation index system is established at multiple levels;
A multi-level grey relational model is adopted. Suppose that n kinds of indexes influencing Importance have been identified in the network and that each has m attributes. The evaluation index system is determined according to the purpose of the evaluation, and the data sequences of the index data are made dimensionless to form the following matrix:
$$(X_0, X_1, \dots, X_n) = \begin{pmatrix} x_0(1) & x_1(1) & \cdots & x_n(1) \\ x_0(2) & x_1(2) & \cdots & x_n(2) \\ \vdots & \vdots & & \vdots \\ x_0(m) & x_1(m) & \cdots & x_n(m) \end{pmatrix}$$
where i = 0, 1, ..., n; k = 1, 2, ..., m. The absolute difference $|x_0(k) - x_i(k)|$ between each evaluated object's index sequence and the corresponding element of the reference sequence is then calculated one by one, determining
Figure FSA00000771291500033
And
Figure FSA00000771291500034
The relational coefficient between each comparison sequence and the corresponding element of the reference sequence is then calculated:
$$\zeta_i(k) = \frac{\min_i \min_k |x_0(k) - x_i(k)| + \rho \cdot \max_i \max_k |x_0(k) - x_i(k)|}{|x_0(k) - x_i(k)| + \rho \cdot \max_i \max_k |x_0(k) - x_i(k)|}, \quad k = 1, \dots, m$$
In the formula, ρ is the distinguishing coefficient, taking a value in (0, 1); the smaller ρ is, the larger the difference between relational coefficients and the stronger the discriminating power. Here ρ is taken as 0.5;
For each evaluated object, the mean of the relational coefficients between its m indexes and the corresponding elements of the reference sequence is calculated, to reflect the relation between each evaluated object and the reference sequence. Because each index plays a different role in the overall evaluation in this system, a weighted average of the relational coefficients is used, namely:
$$r'_{0i} = \frac{1}{m}\sum_{k=1}^{m} W_k \cdot \zeta_i(k), \quad k = 1, \dots, m$$
Finally, the evaluation result is drawn from the relational order of the observed objects, where $W_k$ is the weight of each index;
Calculate the overall evaluation target: overall evaluation target = ∑ (score of each index × its corresponding weight). The overall evaluation target is the importance value of each evaluated host, that is, the magnitude of the Importance value. The Importance value is thus obtained as: $Importance = \sum_{k=1}^{8}(I_k \times W_k)$;
Assess the risk degree of the whole network. The SREC (System Risk Evaluation Center) collects local security information (for example the AC on each host, risk values, and so on) from every LCSA. Denote the importance of the m-th LCSA, $LCSA_m$, as $LCSA\_Weight_m$, and let the network contain N LCSAs in total,
Figure FSA00000771291500042
After normalization, the risk degree value R(t) of the whole network is:
$$R(t) = \tanh\left(\sum_{m=1}^{N}\left(\sum_{j=1}^{n}\left(r_j(t) \times \sum_{k=1}^{8}\left(I_{j,k} \times W_k\right)\right) \times LCSA\_Weight_m\right)\right)$$
R(t) is the final network risk degree value calculated by the SREC of the risk CELA. The higher its score, the higher the network risk level and the more dangerous the state of the system; conversely, the lower the score, the safer the network.
4. The network risk evidence collection method based on a cloud computing environment as claimed in claim 1, characterized in that the method further comprises:
In step S1031, the WEB server listens for evidence-collection or policy requests; if the client fails to obtain a request, it retries in every cycle until timeout;
In step S1032, the WEB server obtains the evidence-collection or policy request submitted by the user and stores the requests permitted to execute in the database; if the WEB server's database storage fails, step S1037 is executed; if the client fails to obtain the request, it retries in every cycle until timeout; if it succeeds, step S1033 is executed;
In step S1033, the SOCKET client initiates a TCP connection request to the target server; if the connection fails, step S1037 is executed and the program ends; if the connection succeeds, step S1034 is executed;
In step S1034, the client reports the detected evidence-collection or policy request to the server, and the server runs the requested instruction locally; if this fails, step S1037 is executed, the server terminates and the session is closed; if it succeeds, the execution result is returned to the client and step S1035 is executed;
The client receives the server's result; if this fails, step S1037 is executed and the program exits; if it succeeds, the result is stored in the database and step S1036 is executed;
In step S1036, the WEB server monitors the execution result of the evidence-collection or policy request and displays it to the user through the browser interface.
5. The network risk evidence collection method based on a cloud computing environment as claimed in claim 1, characterized in that the method further comprises:
The time series X(t) is a linear function of its own earlier values and of the current and earlier random error terms, which can be expressed as:
$$X(t) = \phi_1 X(t-1) + \phi_2 X(t-2) + \dots + \phi_p X(t-p) + u(t) - \theta_1 u(t-1) - \theta_2 u(t-2) - \dots - \theta_q u(t-q) \tag{1}$$
The time series X(t) is then an autoregressive moving average sequence, and formula (1) is the autoregressive moving average model of order (p, q), denoted ARMA(p, q). In the formula, $\phi_i$ (i = 1, 2, 3, ..., p) are the autoregressive parameters, $\theta_i$ (i = 1, 2, 3, ..., q) are the moving average parameters, and u(t) is the residual; when formula (1) correctly reveals the structure and regularity of the time series, {u(t)} is white noise; formula (1) is called the ARMA(p, q) model with an autoregressive part of order p and a moving average part of order q. Introducing the lag operator B, formula (1) can be abbreviated as:
$$\phi(B)X(t) = \theta(B)u(t)$$
The stationarity condition of the ARMA(p, q) process is that the roots of the lag polynomial φ(B) all lie outside the unit circle; the invertibility condition is that the roots of φ(B) all lie outside the unit circle;
The predicted value of the monitored network risk time series {R(t)} is the sum of the predicted value of the nonlinear fitting series {Y(t)} and the predicted value of the residual series {X(t)}:
Figure FSA00000771291500051
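For the grey relational step of claim 3 (the relational coefficient $\zeta_i(k)$ with ρ = 0.5 and the weighted relational degree $r'_{0i}$), the following is an added Python example that is not part of the patent. It assumes the sequences have already been made dimensionless; the object names, indicator values and weights are constructed.

```python
def grey_relational_coefficients(reference, candidates, rho=0.5):
    """zeta_i(k) for every compared sequence i and attribute k.

    reference  : x_0(1..m), the reference sequence
    candidates : list of sequences x_i(1..m), already dimensionless
    rho        : distinguishing coefficient, must lie in (0, 1)
    """
    if not 0.0 < rho < 1.0:
        raise ValueError("rho must lie strictly between 0 and 1")
    m = len(reference)
    if not candidates or any(len(c) != m for c in candidates):
        raise ValueError("every sequence needs the same m attributes as the reference")
    # Absolute differences |x_0(k) - x_i(k)| and their global min and max.
    deltas = [[abs(r - x) for r, x in zip(reference, c)] for c in candidates]
    d_min = min(min(row) for row in deltas)
    d_max = max(max(row) for row in deltas)
    if d_max == 0.0:
        # Every sequence equals the reference: the formula would be 0/0.
        return [[1.0] * m for _ in candidates]
    return [[(d_min + rho * d_max) / (d + rho * d_max) for d in row]
            for row in deltas]


def weighted_relational_degree(coefficients, weights):
    """r'_{0i} = (1/m) * sum_k W_k * zeta_i(k), following the claim's formula."""
    m = len(weights)
    if any(len(row) != m for row in coefficients):
        raise ValueError("need one weight per attribute")
    return [sum(w * z for w, z in zip(weights, row)) / m for row in coefficients]


def rank_objects(names, reference, candidates, weights, rho=0.5):
    """Evaluated objects ordered by relational degree, closest to the reference first."""
    coeffs = grey_relational_coefficients(reference, candidates, rho)
    degrees = weighted_relational_degree(coeffs, weights)
    return sorted(zip(names, degrees), key=lambda pair: pair[1], reverse=True)


# Constructed sample: three attributes per object, reference = ideal score 1.0.
REFERENCE = [1.0, 1.0, 1.0]
NAMES = ["db-server", "web-proxy", "workstation"]
CANDIDATES = [
    [1.0, 0.9, 0.8],   # close to the reference on every attribute
    [1.0, 0.5, 0.0],   # matches on one attribute, far off on another
    [0.5, 0.5, 0.5],   # uniformly mediocre
]
WEIGHTS = [1.0, 1.0, 1.0]   # equal index weights W_k

if __name__ == "__main__":
    for name, degree in rank_objects(NAMES, REFERENCE, CANDIDATES, WEIGHTS):
        print("%-12s r' = %.4f" % (name, degree))
```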

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012103151216A CN102801739A (en) 2012-08-25 2012-08-25 Network risk determining and evidence obtaining method based on cloud computing environment

Publications (1)

Publication Number Publication Date
CN102801739A true CN102801739A (en) 2012-11-28

Family

ID=47200701

Country Status (1)

Country Link
CN (1) CN102801739A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20121128