CN111786950B - Network security monitoring method, device, equipment and medium based on situation awareness - Google Patents

Info

Publication number
CN111786950B
CN111786950B
Authority
CN
China
Prior art keywords
data
security
sample
address
random forest
Prior art date
Legal status
Active
Application number
CN202010467167.4A
Other languages
Chinese (zh)
Other versions
CN111786950A (en)
Inventor
杨超
Current Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Original Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Priority date
Filing date
Publication date
Application filed by Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN202010467167.4A
Publication of CN111786950A
Application granted
Publication of CN111786950B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/243Classification techniques relating to the number of classes
    • G06F18/24323Tree-organised classifiers
    • H04L63/1416Event detection, e.g. attack signature detection

Abstract

The invention discloses a network security monitoring method, device, equipment and medium based on situation awareness. The method comprises the following steps: collecting original data, wherein the original data comprises security situation data and security event data; carrying out data preprocessing and aggregation analysis on the security situation data in combination with the security event data to obtain characteristic values corresponding to the security situation data; inputting the characteristic values into a preset random forest model and training them through the preset random forest model to obtain the target classification corresponding to the characteristic values; and obtaining a security evaluation result based on the target classification and preset event occurrence conditions. The invention also relates to blockchain technology: the security situation data and the security event data can be stored in a blockchain.

Description

Network security monitoring method, device, equipment and medium based on situation awareness
Technical Field
The present invention relates to the field of network security, and in particular, to a method, apparatus, device, and medium for monitoring network security based on situation awareness.
Background
With the continuous expansion of network scale, the integration of traditional industries with the internet is ever more extensive, and people's lives are highly dependent on the network. At present the network security environment is not optimistic: network attacks are increasingly frequent, and the threat and loss they cause grow accordingly. Therefore, by perceiving, understanding and predicting the network security state and its development trend in a complex and changeable network environment, administrators can grasp the network security state in time and protect in advance against threats that may arise, so that the harm attacks do to the network is reduced. Network security situation prediction is an important link of security situation awareness: by predicting the development of the future network security situation, it helps the administrator deploy protection accurately in advance and reduces the potential loss caused by network attacks.
When traditional methods predict the trend of the security state, they mainly take attack threats and network vulnerabilities as prediction elements and predict from a single element only, so they cannot meet the administrator's need to grasp the overall security trend of the network. Network security situation awareness technology fuses the protection data of network security devices such as intrusion detection systems (IDS), firewalls and virus detection systems (VDS); it is an overall reflection of network security conditions and trends and can serve as an important reference for network early warning and response. Current mainstream network security situation prediction methods generally fall into the following three types. The first is based on spatio-temporal sequence analysis. It assumes that changes of the security situation value are regular and periodic, so the network security trend is predicted by analysing the historical and current security situation values in the network; it does not analyse the change of each security situation element or the mutual influence among the dynamic situation elements, so its pattern is fixed and its prediction of sudden events is weak. The second is based on game theory.
In an attack-defence confrontation environment, this method uses game theory to dynamically select the optimal strategies of the attacker and the defender; by comprehensively analysing changes in the information of the attacker, the defender and the network environment, its selection of situation factors is comprehensive. Game theory is more mature in the military field, whereas the network environment has too many sudden, strong and unpredictable factors, so building a game-theoretic model of network attack and defence is difficult, and the method can only predict the security trend in the short term and cannot give a long-term prediction of the network situation. The third is based on graph theory: it generates a state transition graph from vulnerability information in the network environment and, from the attacker's point of view, predicts the possible future security state of the network from the current state. However, it only considers the information of the attacker and the network environment, the attack graph it builds is static, and the influence of the defender's strategy choice on the future security situation of the network is ignored. In summary, the existing methods all predict the network over a future period of time; that "next period" is ambiguous, and they lack a quantitative prediction of the time at which an intrusion attack will succeed. Therefore, finding an effective method for monitoring network attacks in real time has become a technical problem to be solved urgently.
Disclosure of Invention
The embodiment of the application provides a network security monitoring method, a device, computer equipment and a storage medium based on situation awareness, so as to improve timeliness of network security monitoring.
In order to solve the technical problems, an embodiment of the present application provides a network security monitoring method based on situation awareness, including:
collecting original data, wherein the original data comprises security situation data and security event data;
carrying out data preprocessing and aggregation analysis on the security situation data in combination with the security event data to obtain a characteristic value corresponding to the security situation data;
inputting the characteristic value into a preset random forest model, and training the characteristic value through the preset random forest model to obtain a target classification corresponding to the characteristic value;
obtaining a security evaluation result based on the target classification and a preset event occurrence condition.
Optionally, the security situation data include difference data and malicious data, and carrying out data preprocessing and aggregation analysis on the security situation data in combination with the security event data to obtain the feature value corresponding to the security situation data includes:
extracting a sample IP from each item of security event data by a sample IP extraction algorithm;
for each sample IP, querying a RIR database, acquiring all IP address blocks related to the sample IP, and taking the sample IP and its corresponding IP address blocks as an aggregation unit;
aggregating each aggregation unit with the security situation data to obtain aggregation data, calculating the proportion of the difference data and of the malicious data that hit the IP address blocks contained in the aggregation unit, and obtaining the characteristic value.
Optionally, extracting a sample IP from each item of security event data by a sample IP extraction algorithm comprises:
extracting from the security event data each initial site associated with an event;
detecting the IP address of each initial site; if the IP address of the initial site is an intrusion point, taking it as an intrusion IP, and if it is the IP address of the attacked target, taking it as a target attack IP;
taking the intrusion IP and the target attack IP as the sample IP.
Optionally, inputting the feature value into a preset random forest model and training the feature value through the preset random forest model to obtain the target classification corresponding to the feature value includes:
inputting the characteristic value into the preset random forest model;
calculating the Gini coefficient value corresponding to each characteristic value through the preset random forest model;
determining, according to the obtained Gini coefficient value and a preset dimension number, the decision tree in the preset random forest model that corresponds to the characteristic value, and taking that decision tree as the target decision tree;
determining the target classification corresponding to the characteristic value according to the target decision tree.
Optionally, before the feature value is input into the preset random forest model and trained through the preset random forest model to obtain the target classification corresponding to the feature value, the situation awareness-based network security monitoring method further includes:
taking the characteristic data corresponding to an attack target in the security event data as first data, and the characteristic data corresponding to a non-attack target as second data;
generating the preset random forest model according to the characteristic dimensions of the first data and of the second data.
Optionally, the generating the preset random forest model according to the feature dimension of the first data and the feature dimension of the second data includes:
taking the first data and the second data as the training set, and extracting training samples from the training set by random sampling to construct K sub-training sets, wherein K is a positive integer;
for each sub-training set, calculating the information entropy and the information gain of each feature dimension;
determining the information gain ratio of each feature dimension according to the information entropy and the information gain;
selecting the feature dimension with the maximum information gain ratio as the splitting node, splitting, returning to each sub-training set and continuing the step of calculating the information entropy and information gain of each feature dimension until every feature dimension has been used as a splitting point, so as to generate K decision trees;
constructing a random forest from the K decision trees to obtain the preset random forest model.
Optionally, the network security monitoring method based on situation awareness further comprises:
storing the collected security situation data and the collected security event data in a blockchain.
In order to solve the above technical problems, an embodiment of the present application further provides a network security monitoring device based on situation awareness, including:
the data collection module is used for collecting original data, wherein the original data comprises security situation data and security event data;
the feature extraction module is used for carrying out data preprocessing and aggregation analysis on the security situation data in combination with the security event data to obtain a feature value corresponding to the security situation data;
the feature classification module is used for inputting the feature value into a preset random forest model, and training the feature value through the preset random forest model to obtain target classification corresponding to the feature value;
the security evaluation module is used for obtaining a security evaluation result based on the target classification and the preset event occurrence condition.
Optionally, the feature extraction module includes:
a sample IP extraction unit, configured to extract a sample IP from each of the security event data by using a sample IP extraction algorithm;
an aggregation unit, configured to query a RIR database for each sample IP, acquire all IP address blocks related to the sample IP, and take the sample IP and its corresponding IP address blocks as an aggregation unit;
a characteristic value calculation unit, configured to aggregate each aggregation unit with the security situation data to obtain aggregation data, calculate the proportion of the difference data and of the malicious data that hit the IP address blocks contained in the aggregation unit, and obtain the characteristic value.
Optionally, the sample IP extraction unit includes:
an initial site extraction subunit, configured to extract, from the security event data, each initial site associated with an event;
an abnormal IP address determining subunit, configured to detect an IP address of each initial site, if the IP address of the initial site is an intrusion point, take the IP address of the initial site as an intrusion IP, and if the IP address of the initial site is a target IP address that is attacked, take the IP address of the initial site as a target attack IP;
a sample IP determining subunit, configured to take the intrusion IP and the target attack IP as the sample IP.
Optionally, the feature classification module includes:
the characteristic value input unit is used for inputting the characteristic value into a preset random forest model;
a Gini coefficient calculation unit, configured to calculate the Gini coefficient value corresponding to each characteristic value through the preset random forest model;
a decision tree selection unit, configured to determine, according to the obtained Gini coefficient value and the preset dimension number, the decision tree in the preset random forest model that corresponds to the characteristic value, and take that decision tree as the target decision tree;
a classification determining unit, configured to determine the target classification corresponding to the characteristic value according to the target decision tree.
Optionally, the network security monitoring device based on situation awareness further comprises:
the data classification module is used for taking characteristic data corresponding to an attack target in the security event data as first data and taking characteristic data corresponding to a non-attack target as second data;
the model generation module is used for generating the preset random forest model according to the characteristic dimension of the first data and the characteristic dimension of the second data.
Optionally, the model generation module includes:
a sub-training set component unit, configured to take the first data and the second data as training sets, and extract training samples from the training sets by using a random sampling manner, so as to construct K sub-training sets, where K is a positive integer;
a split parameter calculation unit, configured to calculate, for each of the sub-training sets, the information entropy and the information gain of each feature dimension;
an information gain ratio determining unit configured to determine an information gain ratio for each of the feature dimensions according to the information entropy and the information gain;
the cyclic splitting unit is used for selecting the feature dimension corresponding to the maximum information gain ratio as a splitting node to split, returning to each sub-training set, and continuously executing the step of calculating the information entropy and the information gain of each feature dimension until each feature dimension is used as a splitting point to finish splitting, so as to generate K decision trees;
the model generation unit is used for constructing a random forest according to the K decision trees to obtain the preset random forest model.
Optionally, the network security monitoring device based on situation awareness further comprises:
a storage module, configured to store the collected security situation data and the collected security event data in a blockchain.
In order to solve the above technical problems, an embodiment of the present application further provides a computer device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the steps of the above network security monitoring method based on situational awareness when executing the computer program.
In order to solve the above technical problem, an embodiment of the present application further provides a computer readable storage medium, where a computer program is stored, where the computer program, when executed by a processor, implements the steps of the network security monitoring method based on situation awareness.
According to the situation awareness-based network security monitoring method, device, equipment and medium, raw data are collected, wherein the raw data comprise security situation data and security event data, the security situation data are subjected to data preprocessing and aggregation analysis in combination with the security event data to obtain the characteristic values corresponding to the security situation data, the data characteristics and the environmental factors when network security events occur are taken as one essential factor for characteristic extraction of the security situation data, network attack detection of different network environments is facilitated in subsequent real time, meanwhile, the characteristic values are input into a preset random forest model, training is conducted on the characteristic values through the preset random forest model to obtain target classification corresponding to the characteristic values, and based on the target classification and preset event occurrence conditions, the network security assessment is achieved, and the timeliness of network security monitoring is facilitated.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments of the present application will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow chart of one embodiment of a situation awareness based network security monitoring method of the present application;
FIG. 3 is a schematic diagram of one embodiment of a situational awareness based network security monitoring apparatus in accordance with the present application;
FIG. 4 is a schematic structural diagram of one embodiment of a computer device in accordance with the present application.
Description of the embodiments
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the applications herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "comprising" and "having" and any variations thereof in the description of the application and the claims and the description of the drawings above are intended to cover a non-exclusive inclusion. The terms first, second and the like in the description and in the claims or in the above-described figures, are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, as shown in fig. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablet computers, electronic book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop and desktop computers, and so on.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
It should be noted that, the network security monitoring method based on situation awareness provided by the embodiment of the present application is executed by a server, and correspondingly, the network security monitoring device based on situation awareness is set in the server.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. Any number of terminal devices, networks and servers may be provided according to implementation requirements, and the terminal devices 101, 102, 103 in the embodiment of the present application may specifically correspond to application systems in actual production.
Referring to fig. 2, fig. 2 shows a situation awareness-based network security monitoring method according to an embodiment of the present invention, and the method is applied to the server in fig. 1 for illustration, and is described in detail as follows:
s201: raw data is collected, wherein the raw data includes security posture data and security event data.
Specifically, when the server side performs network interaction, the original data related to network security is collected, and the original data comprises security situation data and security event data.
The security situation data refer to data that affect the occurrence of a security event. Two measurement methods are adopted. The first measures the misconfiguration of a network, that is, the difference between its actual configuration and the standard or recommended configuration; security situation data obtained in this way are also referred to as difference data, where "difference" means comparing the acquired network data with standard data. The second measures the degree of malicious behaviour originating from the network, where malicious behaviour means behaviour observed by external detection and traced to the inside of a given organization; the data source can be a behaviour library of an external organization, and security situation data acquired in this way are also called malicious data.
The security event data refer to data collected when a security event occurs, and they can be collected from three public network security databases: the VERIS Community Database (VCDB), Hackmageddon and the Web Hacking Incidents Database (WHID).
It should be noted that the security situation data and the security event data are not one numerical value, but include data of a plurality of feature dimensions, and the security event data may include different feature dimensions according to the source thereof.
It should be understood that the network situation refers to the current state and the trend of the entire network composed of various factors such as the running status of the network device, the network behavior, and the user behavior. The network situation awareness is to acquire, understand, display and predict future trends of security elements capable of causing the change of the network situation in a large-scale network environment, and in this embodiment, the network security situation awareness is performed in combination with security event data, so that it is beneficial to quickly and efficiently determine possible network security hidden dangers and to improve timeliness of network security monitoring.
S202: and carrying out data preprocessing and aggregation analysis on the security situation data by combining the security event data to obtain a characteristic value corresponding to the security situation data.
Specifically, in this embodiment, in order to enhance compatibility of security situation data to different network environments, before network security detection is performed on security event data, data processing is performed on the security situation data according to the security event data to obtain a corresponding feature value, and then network security detection is performed according to the feature value, so as to improve compatibility and accuracy of network security monitoring.
Wherein, the data processing of the security situation data according to the security event data comprises
The feature value is a mathematical expression for representing various data features in the security situation data, and the feature value can be in a vector form.
In combination with the security event data, the security situation data is subjected to data preprocessing and aggregation analysis to obtain the implementation process of the feature value corresponding to the security situation data, and the description of the subsequent embodiments may be referred to specifically, so that repetition is avoided and will not be repeated here.
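The following is an added worked example of the feature extraction summarised earlier (sample IP extraction, RIR address-block aggregation, hit proportions) and referred to in S202; it is written for this page and is not the patent's own implementation. The event records, the offline address-block table that stands in for a RIR database query, the difference and malicious records, and all field names are constructed assumptions.

```python
"""Feature values from security situation data aggregated with security
event data: one aggregation unit per sample IP, and for each unit the
share of difference-data and malicious-data records that fall inside the
unit's address blocks. Added illustration; all data below are constructed."""
import ipaddress

# Constructed security event records. Each initial site carries a role that
# says whether it was the intrusion point or the attacked target; only
# those two roles become sample IPs, as the summary describes.
SECURITY_EVENTS = [
    {"event": "E1", "sites": [{"ip": "203.0.113.7", "role": "intrusion"},
                              {"ip": "198.51.100.20", "role": "target"}]},
    {"event": "E2", "sites": [{"ip": "203.0.113.9", "role": "intrusion"},
                              {"ip": "192.0.2.44", "role": "other"}]},
]

# Stand-in for the RIR database: an offline table from a sample IP to the
# address blocks it is registered under (constructed, not registry data).
RIR_TABLE = {
    "203.0.113.7": ["203.0.113.0/25"],
    "203.0.113.9": ["203.0.113.0/25"],
    "198.51.100.20": ["198.51.100.0/24"],
}

# Constructed security situation data: the IP each misconfiguration
# (difference) record and each malicious-behaviour record was observed on.
DIFFERENCE_DATA = ["203.0.113.5", "203.0.113.200", "198.51.100.3", "192.0.2.1"]
MALICIOUS_DATA = ["203.0.113.7", "203.0.113.9", "203.0.113.77", "10.0.0.1"]


def extract_sample_ips(events):
    """Intrusion IPs and target attack IPs taken from each event's initial sites."""
    samples = []
    for event in events:
        for site in event["sites"]:
            if site["role"] in ("intrusion", "target"):
                samples.append(ipaddress.ip_address(site["ip"]))
    return samples


def aggregation_units(samples, rir_table):
    """One aggregation unit per sample IP: the IP plus its related address blocks."""
    units = []
    for ip in samples:
        blocks = [ipaddress.ip_network(b) for b in rir_table.get(str(ip), [])]
        units.append((ip, blocks))
    return units


def hit_ratio(records, blocks):
    """Proportion of records whose IP lies inside any of the unit's blocks."""
    if not records:
        return 0.0
    hits = sum(any(ipaddress.ip_address(r) in b for b in blocks) for r in records)
    return hits / len(records)


def feature_values(units, difference_data, malicious_data):
    """Feature vector per aggregation unit: [difference hit ratio, malicious hit ratio]."""
    return {str(ip): [hit_ratio(difference_data, blocks), hit_ratio(malicious_data, blocks)]
            for ip, blocks in units}


if __name__ == "__main__":
    units = aggregation_units(extract_sample_ips(SECURITY_EVENTS), RIR_TABLE)
    for ip, vector in feature_values(units, DIFFERENCE_DATA, MALICIOUS_DATA).items():
        print(ip, vector)
```

The two-element vector is the simplest shape consistent with the page's two kinds of situation data; a real deployment would carry one proportion per feature dimension, and the RIR lookup would be a network query that is cached and rate-limited rather than an inline table.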
S203: inputting the characteristic values into a preset random forest model, and training the characteristic values through the preset random forest model to obtain target classifications corresponding to the characteristic values.
Specifically, the server pre-stores a trained random forest model, the random forest model comprises a plurality of decision trees, each decision tree corresponds to one class, the characteristic value is input into the pre-trained random forest model, the characteristic value is trained through the random forest model, the decision tree which is most matched with the characteristic value is obtained, and the branch class of the decision tree is obtained and is used as the target class.
Here, a random forest refers to a classifier that trains and predicts on samples using multiple trees. In machine learning, a random forest is a classifier that contains multiple decision trees, and its output class is the mode of the classes output by the individual trees.
Each decision tree in the random forest, after training, contains a fixed class of branches, each branch representing a dimensional feature of the data.
The specific implementation details of the target classification corresponding to the feature values are obtained by training the feature values through a preset random forest model, and reference may be made to the description of the subsequent embodiments, so that repetition is avoided and no further description is given here.
S204: obtaining a security evaluation result based on the target classification and a preset event occurrence condition.
Specifically, after the target classification is obtained, that is, once the feature dimensions of the security situation data that carry potential security hazards are known, whether the current network is secure is judged in combination with the preset event occurrence condition, and corresponding handling measures are taken according to the judgment result.
It should be noted that different security events have different occurrence conditions and buffering times. According to the protection level actually required and the security event to be monitored, a preset event occurrence condition is determined for monitoring network security; this condition may be set according to actual needs. For example, in a specific embodiment, the preset event occurrence condition is as follows: the network requests exceed 2000 per minute and this lasts for 10 minutes.
In this embodiment, raw data comprising security situation data and security event data is collected, and data preprocessing and aggregation analysis are performed on the security situation data in combination with the security event data to obtain a feature value corresponding to the security situation data. This extracts the data features and the environmental factors present when a network security event occurs as one essential factor of the security situation data, which favours subsequent real-time network attack detection in different network environments. Meanwhile, the feature value is input into a preset random forest model and trained through it to obtain a target classification corresponding to the feature value, and a security evaluation result is obtained based on the target classification and a preset event occurrence condition, thereby realising rapid network security evaluation and improving the timeliness of network security monitoring.
In an embodiment, the collected security situation data and security event data may be stored on a blockchain network; blockchain storage allows data to be shared among different platforms and prevents the data from being tampered with.
A blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralised database, a chain of data blocks generated in association with one another by cryptographic means, each data block containing a batch of network transaction information used to verify the validity of the information (anti-counterfeiting) and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product services layer and an application services layer.
In some optional implementations of the present embodiment, in step S202, the security situation data includes difference data and malicious data, and in combination with the security event data, performing data preprocessing and aggregation analysis on the security situation data, where obtaining a feature value corresponding to the security situation data includes:
extracting a sample IP from each security event data by a sample IP extraction algorithm;
for each sample IP, inquiring a RIR database, acquiring all IP address blocks related to the sample IP, and taking the sample IP and the IP address block corresponding to the sample IP as an aggregation unit;
aggregating each aggregation unit with the security situation data to obtain aggregation data, and calculating the proportion of the difference data and of the malicious data that hit the IP address blocks contained in the aggregation unit, so as to obtain the feature value.
Specifically, the security event referred to in this embodiment is an organization/enterprise-level network security event. By analysing the security event data, the organizations/enterprises that are attack targets and the organizations/enterprises that were intruded are determined, and their IPs are taken as sample IPs. The RIR database is then queried to determine all IP address blocks associated with each sample IP, giving an aggregation unit. Aggregation analysis then yields association values between the security situation data and the security event data, and these association values are vectorised to obtain the feature value corresponding to the security situation data.
Wherein RIR (Regional Internet Registry) refers to a regional Internet registry, and the RIR database contains associated service information for local IP address blocks.
The sources of difference data include, but are not limited to: an incorrectly configured DNS server, no randomisation of DNS source ports and query IDs, BGP configuration errors or frequent reconfiguration, incorrect configuration of an X.509 certificate used for client authentication in the TLS protocol, openly accessible mail relay server information, and the like.
Malicious data mainly refers to malicious behaviour observed by external detection and originating from inside a certain organization; its main sources include, but are not limited to: spam, phishing, scanning behaviour, and the like.
In this embodiment, data preprocessing and aggregation analysis are performed on the security situation data in combination with the security event data, so as to obtain a feature value corresponding to the security situation data, and then network security detection is performed through the feature value, which is favorable for accurately determining potential network security hazards.
In some optional implementations of the present embodiment, extracting the sample IP from each of the security event data by a sample IP extraction algorithm includes:
Extracting each initial site associated with the event from the security event data;
detecting the IP address of each initial site, if the IP address of the initial site is an intrusion point, taking the IP address of the initial site as an intrusion IP, and if the IP address of the initial site is a target IP address to be attacked, taking the IP address of the initial site as a target attack IP;
the intrusion IP and the target attack IP are taken as sample IP.
Specifically, after one item of security event data is obtained, the sites of the organizations/enterprises related to the event are extracted from it. If a site is the starting point/intrusion point of the security event, its IP address is taken as a sample IP; if the site is not an intrusion point but represents an attack target, that is, the owner of the site is a victim of the attack event, its IP is likewise taken as a sample IP of the event. Sample IPs in other cases are not considered for the time being, so as to avoid misjudging sample IPs, and other sites are not considered.
In this embodiment, the sample IP extraction algorithm accurately extracts sample IPs related to security events for subsequent prediction of network security through these sample IPs.
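As an added illustration of the feature extraction described above (this is example code, not code from the patent), the following Python sketch keeps only intrusion IPs and target attack IPs as sample IPs, resolves each against a constructed stand-in for an RIR block table, and computes the proportions of difference data and malicious data that hit the aggregation unit's address blocks. The record layouts, IP addresses, holder names and the `role` field are all constructed assumptions.

```python
import ipaddress

# Constructed security event records (not from the patent). Each site carries a
# role: "intrusion" (start/entry point of the event) or "target" (victim); sites
# with any other role are ignored by the sample IP extraction algorithm.
SECURITY_EVENTS = [
    {"event_id": "EVT-1", "sites": [
        {"ip": "198.51.100.23", "role": "intrusion"},
        {"ip": "203.0.113.10", "role": "target"},
        {"ip": "192.0.2.77", "role": "relay"},
    ]},
    {"event_id": "EVT-2", "sites": [
        {"ip": "203.0.113.55", "role": "target"},
    ]},
]

# Constructed stand-in for an RIR database: address blocks and their registered
# holder. A real deployment would query the regional registry instead.
RIR_BLOCKS = {
    "198.51.100.0/24": "org-a",
    "203.0.113.0/25": "org-b",
    "203.0.113.128/25": "org-b",
    "192.0.2.0/24": "org-c",
}

# Constructed security situation records: difference data (misconfigurations
# observed from outside) and malicious data, each attributed to a source IP.
DIFFERENCE_DATA = [
    {"ip": "198.51.100.9", "type": "dns_no_port_randomization"},
    {"ip": "203.0.113.200", "type": "bgp_misconfig"},
    {"ip": "192.0.2.5", "type": "open_mail_relay"},
    {"ip": "10.9.8.7", "type": "x509_misconfig"},
]
MALICIOUS_DATA = [
    {"ip": "198.51.100.23", "type": "spam"},
    {"ip": "203.0.113.3", "type": "phishing"},
    {"ip": "172.16.0.4", "type": "scan"},
    {"ip": "203.0.113.129", "type": "scan"},
]


def extract_sample_ips(event):
    """Sample IP extraction: intrusion IPs and target attack IPs only."""
    return [s["ip"] for s in event["sites"] if s["role"] in ("intrusion", "target")]


def rir_blocks_for(ip, rir=RIR_BLOCKS):
    """All blocks registered to the holder(s) of `ip`, mimicking an RIR query."""
    addr = ipaddress.ip_address(ip)
    nets = {ipaddress.ip_network(block): holder for block, holder in rir.items()}
    holders = {holder for net, holder in nets.items() if addr in net}
    return sorted(net for net, holder in nets.items() if holder in holders)


def hit_ratio(records, blocks):
    """Fraction of records whose source IP falls inside any of the blocks."""
    if not records:
        return 0.0
    hits = sum(1 for r in records
               if any(ipaddress.ip_address(r["ip"]) in b for b in blocks))
    return hits / len(records)


def unit_features(event, difference=DIFFERENCE_DATA, malicious=MALICIOUS_DATA,
                  rir=RIR_BLOCKS):
    """One feature vector per aggregation unit (sample IP plus its blocks):
    [difference-data hit ratio, malicious-data hit ratio]."""
    vectors = []
    for ip in extract_sample_ips(event):
        blocks = rir_blocks_for(ip, rir)  # the aggregation unit's address blocks
        vectors.append([hit_ratio(difference, blocks), hit_ratio(malicious, blocks)])
    return vectors
```

The relay site in EVT-1 is dropped by the extraction step, so only two aggregation units contribute feature vectors for that event.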
In some optional implementations of the present embodiment, in step S203, inputting the feature value into a preset random forest model, training the feature value through the preset random forest model, and obtaining the target classification corresponding to the feature value includes:
inputting the characteristic value into a preset random forest model;
calculating, through the preset random forest model, the Gini coefficient value corresponding to each feature value;
determining, according to the obtained Gini coefficient value and the preset dimension number, the decision tree corresponding to the feature value in the preset random forest model, and taking that decision tree as the target decision tree;
and determining the target classification corresponding to the characteristic value according to the target decision tree.
Specifically, the feature values are trained through the preset random forest model, the Gini coefficient value corresponding to each feature value is calculated in the preset random forest model, the target decision tree is determined according to the Gini coefficient value and the preset dimension number, and the target classification corresponding to the feature value is obtained according to the branch features of the target decision tree.
The Gini coefficient value is an index of the degree of dispersion of an assigned quantity; in practice it is the percentage that the unevenly distributed part of the data accounts for in the total value.
The preset dimension number is determined by the preset random forest model. When the random forest model is trained, the number of feature dimensions of each branch is unified to ensure that decision tree splitting is fair and reasonable, and hence that data classification is reasonable and accurate; where some branch feature dimensions are missing, they may be filled with 0.
In the embodiment, the characteristic values are classified rapidly through the preset random forest model, so that the efficiency of network security detection is improved, and the detection and the processing of network security in time are facilitated.
In some optional implementations of this embodiment, before step S203, the network security monitoring method based on situation awareness further includes:
according to the characteristic data corresponding to the attack target in the security event data, the characteristic data is used as first data, and the characteristic data corresponding to the non-attack target is used as second data;
and generating a preset random forest model according to the characteristic dimension of the first data and the characteristic dimension of the second data.
Specifically, according to whether the feature data in the security event data corresponds to an attack target, the data is divided into first data corresponding to attack targets and second data corresponding to non-attack targets, and the preset random forest model is generated according to the feature dimensions of the first data and of the second data.
It should be noted that each item of data has multiple attributes, and each attribute may be used as a dimension. In practice, because the collected security situation data does not come from a single source, different data have different attributes, so attributes more strongly associated with network security may be selected as the feature dimensions of the first data or the second data according to practical needs.
In this embodiment, the security event data is classified according to the attack target, and the classified data is used to construct a random forest model, so that the subsequent rapid network security detection can be performed through the random forest model.
In some optional implementations of this embodiment, generating the preset random forest model according to the feature dimension of the first data and the feature dimension of the second data includes:
taking the first data and the second data as training sets, and extracting training samples from the training sets by using a random sampling mode to construct K sub-training sets, wherein K is a positive integer;
for each sub-training set, calculating the information entropy and the information gain of each feature dimension;
according to the information entropy and the information gain, determining the information gain ratio of each characteristic dimension;
Selecting the feature dimension corresponding to the maximum information gain ratio as a splitting node for splitting, returning to each sub-training set, and continuously executing the step of calculating the information entropy and the information gain of each feature dimension until each feature dimension is used as a splitting point to finish splitting, so as to generate K decision trees;
constructing a random forest according to the K decision trees to obtain a preset random forest model.
Specifically, the first data and the second data are used as the training set, training samples are extracted from it by random sampling (a resampling technique may be used for this), and splitting points are then determined by information gain for iterative splitting, so that a plurality of decision trees are obtained and the preset random forest model is formed.
The resampling technique is sampling with replacement from the training set: in every draw, each sample in the training set has an equal probability of being extracted. K rounds of extraction are repeated on the training set and the result of each round is taken as one sub-training set, giving K sub-training sets, where the number of training samples in a sub-training set is less than or equal to the number of training samples in the training set.
Further, for each sub-training set, the information entropy of each feature dimension is calculated according to formula (1):
Formula (1);
wherein the symbols of formula (1) denote the information entropy of the feature dimension and the probability of each feature value of that feature dimension.
Further, according to the information entropy calculated by formula (1), the information gain of each feature dimension is calculated according to formula (2):
Formula (2);
wherein the symbols of formula (2) denote the information gain of the feature dimension, the information entropy before splitting according to the feature dimension, and the information entropy after splitting according to the feature dimension.
Further, according to the information gain calculated by formula (2), the information gain ratio of each feature dimension is calculated according to formula (3) and formula (4):
Formula (3);
Formula (4);
wherein the symbols of formulas (3) and (4) denote the penalty factor of the feature dimension, the total number of training samples in the sub-training set, the number of training samples of the first data in the feature dimension, and the information gain ratio of the feature dimension.
Further, the decision tree is constructed using the C4.5 algorithm: the penalty factor of each feature dimension is calculated according to formula (4), the information gain ratio of each feature dimension is calculated according to formula (3), and the feature dimension with the largest information gain ratio is used as the splitting node.
If information gain alone were used to choose the splitting point, construction of the decision tree would tend to select feature dimensions with larger information gain as splitting nodes; for example, feature dimensions such as network attack mode and network attack purpose have large information gain. When the training set has many feature dimensions and those dimensions take many values, however, the decision tree obtained this way has lower prediction accuracy. Calculating the information gain ratio with the penalty factor of the feature dimension and splitting on the feature dimension with the largest information gain ratio effectively avoids the adverse effect that uniformly distributed attributes have on decision tree splitting, and improves the construction quality of the decision tree.
In the embodiment, the information gain ratio is adopted to select the splitting points, so that a random forest model is constructed, the construction quality of decision trees is improved, the classification of network attack characteristics is more reasonable, and the accuracy of subsequent network security detection is improved.
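As an added example (not code from the patent) of the model construction described above, the following Python sketch implements formulas (1) to (4) on categorical feature dimensions, builds C4.5-style trees on sub-training sets drawn with replacement, and takes the forest's class as the mode of the trees' outputs. It also shows the point made above: a many-valued dimension (here a unique `record_id`) wins on plain information gain but not on gain ratio. The training records and the use of C4.5 split information as the penalty factor are assumptions.

```python
import math
import random
from collections import Counter

# Constructed training records (not from the patent). Columns are categorical
# feature dimensions; the last column is the label: 1 = first data (attack
# target), 0 = second data (non-attack target). "record_id" is deliberately
# unique per row to show why plain information gain is a poor split criterion.
FEATURES = ("attack_mode", "attack_purpose", "open_relay", "dns_random", "record_id")
TRAINING_SET = [
    ("scan",     "recon",      "yes", "no",  "r0", 1),
    ("scan",     "recon",      "no",  "no",  "r1", 1),
    ("phishing", "credential", "yes", "no",  "r2", 1),
    ("phishing", "credential", "yes", "yes", "r3", 1),
    ("spam",     "fraud",      "yes", "no",  "r4", 1),
    ("none",     "none",       "no",  "yes", "r5", 0),
    ("none",     "none",       "no",  "yes", "r6", 0),
    ("scan",     "recon",      "no",  "yes", "r7", 0),
    ("spam",     "fraud",      "no",  "yes", "r8", 0),
    ("none",     "none",       "yes", "yes", "r9", 0),
]

def entropy(rows):
    """Formula (1): H(D) = -sum_i p_i * log2(p_i) over the label distribution."""
    n = len(rows)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(r[-1] for r in rows).values())

def partition(rows, idx):
    """Group rows by the value they take in feature dimension idx."""
    groups = {}
    for r in rows:
        groups.setdefault(r[idx], []).append(r)
    return groups

def information_gain(rows, idx):
    """Formula (2): entropy before the split minus the weighted entropy after it."""
    n = len(rows)
    after = sum(len(g) / n * entropy(g) for g in partition(rows, idx).values())
    return entropy(rows) - after

def penalty_factor(rows, idx):
    """Formula (4), taken here as C4.5 split information (an assumption):
    -sum_v (|D_v| / |D|) * log2(|D_v| / |D|) over the values of the dimension."""
    n = len(rows)
    return -sum(len(g) / n * math.log2(len(g) / n) for g in partition(rows, idx).values())

def gain_ratio(rows, idx):
    """Formula (3): information gain divided by the penalty factor."""
    pen = penalty_factor(rows, idx)
    return information_gain(rows, idx) / pen if pen > 0 else 0.0

def best_split(rows, features, criterion):
    """Feature index with the largest criterion value (the first one wins ties)."""
    return max(features, key=lambda i: criterion(rows, i))

def build_tree(rows, features):
    """C4.5-style recursion: split on the maximum gain ratio until a node is
    pure, no dimension is left, or no dimension still yields a positive gain."""
    majority = Counter(r[-1] for r in rows).most_common(1)[0][0]
    if len({r[-1] for r in rows}) == 1 or not features:
        return majority
    best = best_split(rows, features, gain_ratio)
    if gain_ratio(rows, best) <= 0:
        return majority
    remaining = [f for f in features if f != best]
    children = {v: build_tree(g, remaining) for v, g in partition(rows, best).items()}
    return {"feature": best, "children": children, "default": majority}

def classify(tree, sample):
    """Walk the tree; an unseen value falls back to the node's majority label."""
    while isinstance(tree, dict):
        tree = tree["children"].get(sample[tree["feature"]], tree["default"])
    return tree

def bootstrap(rows, rng):
    """Resampling with replacement: every draw picks any sample with equal probability."""
    return [rng.choice(rows) for _ in range(len(rows))]

def build_forest(rows, k, seed=0):
    """K sub-training sets -> K decision trees -> the preset random forest model."""
    rng = random.Random(seed)
    return [build_tree(bootstrap(rows, rng), list(range(len(FEATURES)))) for _ in range(k)]

def forest_predict(forest, sample):
    """The forest's class is the mode of the classes output by its trees."""
    return Counter(classify(t, sample) for t in forest).most_common(1)[0][0]
```

On this data `best_split(TRAINING_SET, [0, 1, 2, 3, 4], information_gain)` selects `record_id`, whereas the gain ratio selects `dns_random` as the root split.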
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and does not limit the implementation of the embodiments of the present invention.
Fig. 3 shows a schematic block diagram of a situation awareness based network security monitoring device in one-to-one correspondence with the situation awareness based network security monitoring method of the above embodiment. As shown in fig. 3, the network security monitoring device based on situation awareness includes a data collection module 31, a feature extraction module 32, a feature classification module 33 and a security evaluation module 34. The functional modules are described in detail as follows:
a data collection module 31 for collecting raw data, wherein the raw data includes security situation data and security event data;
the feature extraction module 32 is configured to combine the security event data, perform data preprocessing on the security situation data, and perform aggregation analysis to obtain a feature value corresponding to the security situation data;
the feature classification module 33 is configured to input a feature value into a preset random forest model, and train the feature value through the preset random forest model to obtain a target classification corresponding to the feature value;
the security evaluation module 34 is configured to obtain a security evaluation result based on the target classification and a preset event occurrence condition.
Optionally, the feature extraction module 32 includes:
a sample IP extraction unit for extracting a sample IP from each security event data by a sample IP extraction algorithm;
The aggregation unit is used for querying the RIR database for each sample IP, acquiring all IP address blocks related to the sample IP, and taking the sample IP and the IP address block corresponding to the sample IP as an aggregation unit;
and the feature value calculation unit is used for aggregating each aggregation unit with the security situation data to obtain aggregation data, and calculating the proportion of the difference data and of the malicious data that hit the IP address blocks contained in the aggregation unit, so as to obtain the feature value.
Optionally, the sample IP extraction unit includes:
an initial site extraction subunit, configured to extract, from the security event data, each initial site associated with the event;
the abnormal IP address determination subunit is configured to detect an IP address of each initial site, if the IP address of the initial site is an intrusion point, use the IP address of the initial site as an intrusion IP, and if the IP address of the initial site is a target IP address to be attacked, use the IP address of the initial site as a target attack IP;
and the sample IP determining subunit is used for taking the intrusion IP and the target attack IP as sample IPs.
Optionally, the feature classification module 33 includes:
the characteristic value input unit is used for inputting the characteristic value into a preset random forest model;
the Gini coefficient calculation unit is used for calculating, through the preset random forest model, the Gini coefficient value corresponding to each feature value;
the decision tree selection unit is used for determining, according to the obtained Gini coefficient value and the preset dimension number, the decision tree corresponding to the feature value in the preset random forest model, and taking that decision tree as the target decision tree;
and the classification determining unit is used for determining the target classification corresponding to the characteristic value according to the target decision tree.
Optionally, the network security monitoring device based on situation awareness further comprises:
the data classification module is used for taking characteristic data corresponding to an attack target in the security event data as first data and taking characteristic data corresponding to a non-attack target as second data;
the model generation module is used for generating a preset random forest model according to the characteristic dimension of the first data and the characteristic dimension of the second data.
Optionally, the model generation module includes:
the sub-training set component unit is used for taking the first data and the second data as training sets, extracting training samples from the training sets by using a random sampling mode, and constructing K sub-training sets, wherein K is a positive integer;
the split parameter calculation unit is used for calculating the information entropy and the information gain of each characteristic dimension aiming at each sub-training set;
An information gain ratio determining unit for determining an information gain ratio of each feature dimension according to the information entropy and the information gain;
the cyclic splitting unit is used for selecting the feature dimension corresponding to the maximum information gain ratio as a splitting node to split, returning to calculate the information entropy and the information gain of each feature dimension aiming at each sub-training set, and continuously executing until each feature dimension is used as a splitting point to finish splitting, so as to generate K decision trees;
the model generation unit is used for constructing a random forest according to the K decision trees to obtain a preset random forest model.
Optionally, the network security monitoring device based on situation awareness further comprises:
and the storage module is used for storing the collected security situation data and the collected security event data into the blockchain.
For specific limitations on the situation awareness based network security monitoring device, reference may be made to the above limitations on the situation awareness based network security monitoring method, which are not repeated here. The modules in the situation awareness based network security monitoring device may be implemented wholly or partly by software, by hardware, or by a combination of the two. The above modules may be embedded in, or independent of, a processor in the computer device in hardware form, or may be stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to the above modules.
In order to solve the technical problems, the embodiment of the application also provides computer equipment. Referring specifically to fig. 4, fig. 4 is a basic structural block diagram of a computer device according to the present embodiment.
The computer device 4 comprises a memory 41, a processor 42 and a network interface 43 communicatively connected to each other via a system bus. It is noted that only a computer device 4 having the components memory 41, processor 42 and network interface 43 is shown in the figure, but it is understood that not all of the illustrated components are required and that more or fewer components may be implemented instead. Those skilled in the art will appreciate that the computer device here is a device capable of automatically performing numerical calculations and/or information processing in accordance with predetermined or stored instructions, the hardware of which includes, but is not limited to, microprocessors, application specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices, and the like.
The computer equipment can be a desktop computer, a notebook computer, a palm computer, a cloud server and other computing equipment. The computer equipment can perform man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch pad or voice control equipment and the like.
The memory 41 includes at least one type of readable storage medium, including flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 41 may be an internal storage unit of the computer device 4, such as a hard disk or memory of the computer device 4. In other embodiments, the memory 41 may also be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash Card provided on the computer device 4. Of course, the memory 41 may also comprise both an internal storage unit of the computer device 4 and an external storage device. In this embodiment, the memory 41 is typically used for storing the operating system and various application software installed on the computer device 4, such as program codes for controlling electronic files. Further, the memory 41 may be used to temporarily store various types of data that have been output or are to be output.
The processor 42 may be a central processing unit (Central Processing Unit, CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute a program code stored in the memory 41 or process data, such as a program code for executing control of an electronic file.
The network interface 43 may comprise a wireless network interface or a wired network interface, which network interface 43 is typically used for establishing a communication connection between the computer device 4 and other electronic devices.
The present application also provides another embodiment, namely, a computer readable storage medium, where an interface display program is stored, where the interface display program is executable by at least one processor, so that the at least one processor performs the steps of the network security monitoring method based on situation awareness as described above.
From the above description of the embodiments, it will be clear to those skilled in the art that the method of the above embodiments may be implemented by software plus a necessary general hardware platform, and of course may also be implemented by hardware, but in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, or the like) to perform the method according to the embodiments of the present application.
It is apparent that the above-described embodiments are only some of the embodiments of the present application, not all of them, and the preferred embodiments of the present application shown in the drawings do not limit the scope of the patent claims. This application may be embodied in many different forms; these embodiments are provided so that the present disclosure is thorough and complete. Although the application has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that the embodiments described above may be modified or that equivalents may be substituted for some of their elements. All equivalent structures made from the content of the specification and the drawings of the application, applied directly or indirectly in other related technical fields, are likewise within the scope of the application.

Claims (8)

1. A network security monitoring method based on situation awareness, characterized in that it comprises the following steps:
collecting original data, wherein the original data comprises security situation data and security event data, the security situation data is data influencing the occurrence of a security event, and the security event data is data collected when the security event occurs;
carrying out data preprocessing and aggregation analysis on the security situation data by combining the security event data to obtain a characteristic value corresponding to the security situation data;
inputting the characteristic values into a preset random forest model, and training the characteristic values through the preset random forest model to obtain target classifications corresponding to the characteristic values;
based on the target classification and a preset event occurrence condition, a security evaluation result is obtained;
the security situation data comprises difference data and malicious data, the security situation data is subjected to data preprocessing and aggregation analysis by combining the security event data, and the obtaining of the characteristic value corresponding to the security situation data comprises the following steps:
extracting a sample IP from each security event data by a sample IP extraction algorithm;
for each sample IP, inquiring a RIR database, acquiring all IP address blocks related to the sample IP, and taking the sample IP and the IP address block corresponding to the sample IP as an aggregation unit, wherein the RIR refers to a regional Internet registration authority, and the RIR database contains associated service information of the local IP address block;
aggregating each aggregation unit with the security situation data to obtain aggregation data, calculating the proportion of each difference data and each malicious data hitting the IP address block contained in the aggregation unit to obtain the characteristic value;
said extracting a sample IP from each of said security event data by a sample IP extraction algorithm comprises:
extracting each initial site associated with an event from the security event data;
detecting the IP address of each initial site, if the IP address of the initial site is an intrusion point, taking the IP address of the initial site as an intrusion IP, and if the IP address of the initial site is a target IP address to be attacked, taking the IP address of the initial site as a target attack IP;
and taking the intrusion IP and the target attack IP as the sample IP.
2. The situation awareness based network security monitoring method of claim 1, wherein the inputting the feature value into a preset random forest model, training the feature value through the preset random forest model, and obtaining the target classification corresponding to the feature value comprises:
inputting the feature value into the preset random forest model;
calculating a Gini coefficient value corresponding to each feature value through the preset random forest model;
determining, according to the obtained Gini coefficient value and a preset number of dimensions, the decision tree corresponding to the feature value in the preset random forest model, and taking that decision tree as a target decision tree;
and determining the target classification corresponding to the feature value according to the target decision tree.
3. The situation awareness based network security monitoring method according to claim 1 or 2, wherein, before the feature value is input into the preset random forest model and trained through the preset random forest model to obtain the target classification corresponding to the feature value, the situation awareness based network security monitoring method further comprises:
taking feature data corresponding to an attack target in the security event data as first data, and feature data corresponding to a non-attack target as second data;
and generating the preset random forest model according to the feature dimensions of the first data and the feature dimensions of the second data.
4. The situation awareness based network security monitoring method of claim 3, wherein generating the preset random forest model according to the feature dimensions of the first data and the feature dimensions of the second data comprises:
taking the first data and the second data as a training set, and extracting training samples from the training set by random sampling to construct K sub-training sets, wherein K is a positive integer;
for each sub-training set, calculating the information entropy and the information gain of each feature dimension;
determining the information gain ratio of each feature dimension according to the information entropy and the information gain;
selecting the feature dimension with the maximum information gain ratio as a splitting node and splitting on it, then returning to each sub-training set and continuing with the step of calculating the information entropy and the information gain of each feature dimension until every feature dimension has served as a splitting point and the splitting is complete, so as to generate K decision trees;
and constructing a random forest from the K decision trees to obtain the preset random forest model.
5. The situation awareness based network security monitoring method of claim 1, further comprising: storing the collected security situation data and the collected security event data in a blockchain.
6. A situation awareness based network security monitoring device, characterized in that the situation awareness based network security monitoring device comprises:
a data collection module, configured to collect original data, wherein the original data comprises security situation data and security event data, the security situation data is data affecting the occurrence of a security event, and the security event data is data collected when a security event occurs;
a feature extraction module, configured to perform data preprocessing and aggregation analysis on the security situation data in combination with the security event data, to obtain a feature value corresponding to the security situation data;
a feature classification module, configured to input the feature value into a preset random forest model and train the feature value through the preset random forest model, to obtain a target classification corresponding to the feature value;
a security evaluation module, configured to obtain a security evaluation result based on the target classification and a preset event occurrence condition;
wherein the security situation data comprises difference data and malicious data, and the feature extraction module comprises:
a sample IP extraction unit, configured to extract a sample IP from each piece of security event data by using a sample IP extraction algorithm;
an aggregation unit, configured to query, for each sample IP, an RIR database, acquire all IP address blocks related to the sample IP, and take the sample IP and the IP address blocks corresponding to the sample IP as an aggregation unit, wherein RIR refers to a regional Internet registry, and the RIR database contains the associated service information of the local IP address blocks;
a feature value calculation unit, configured to aggregate each aggregation unit with the security situation data to obtain aggregation data, and calculate the proportion of the difference data and the proportion of the malicious data that hit the IP address blocks contained in the aggregation unit, to obtain the feature value;
wherein the sample IP extraction unit comprises:
an initial site extraction subunit, configured to extract, from the security event data, each initial site associated with an event;
an abnormal IP address determining subunit, configured to detect the IP address of each initial site, take the IP address of the initial site as an intrusion IP if the IP address of the initial site is an intrusion point, and take the IP address of the initial site as a target attack IP if the IP address of the initial site is a target IP address that is attacked;
and a sample IP determining subunit, configured to take the intrusion IP and the target attack IP as the sample IP.
7. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the situational awareness based network security monitoring method of any of claims 1 to 5 when executing the computer program.
8. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the situation awareness based network security monitoring method of any of claims 1 to 5.
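The aggregation step of claim 1 in runnable form, as an added example that is not the patent's own code: sample IPs are pulled from constructed security event records, the RIR lookup is stood in by a constructed dictionary mapping a sample IP to address blocks (a real implementation would query the registry's whois or RDAP service), and the feature value of each aggregation unit is the fraction of difference-data and malicious-data addresses that hit the unit's blocks. Every IP, block, event and role name below is a constructed sample value, and `run_pipeline` is a hypothetical convenience wrapper.

```python
import ipaddress

# Constructed stand-in for an RIR lookup: sample IP -> address blocks the
# (hypothetical) registry record associates with it. Real RIR data would come
# from whois/RDAP inetnum objects; these blocks are invented for illustration.
RIR_LOOKUP = {
    "203.0.113.7": ["203.0.113.0/24"],
    "198.51.100.23": ["198.51.100.0/25", "198.51.100.128/25"],
}

# Constructed security event records. Each event carries "initial sites"; a
# site is an intrusion point, an attacked target, or neither (claim 1).
SECURITY_EVENTS = [
    {"event_id": "E1", "sites": [
        {"ip": "203.0.113.7", "role": "intrusion_point"},
        {"ip": "192.0.2.10", "role": "attacked_target"},
    ]},
    {"event_id": "E2", "sites": [
        {"ip": "198.51.100.23", "role": "intrusion_point"},
        {"ip": "203.0.113.7", "role": "other"},   # not a sample IP by itself
    ]},
]

# Constructed security situation data: difference data (hosts whose observed
# state differs from baseline) and malicious data (hosts seen misbehaving).
DIFFERENCE_DATA = ["203.0.113.20", "203.0.113.250", "192.0.2.99", "198.51.100.5"]
MALICIOUS_DATA = ["203.0.113.21", "198.51.100.130", "10.0.0.4"]


def extract_sample_ips(events):
    """Sample IP extraction algorithm of claim 1: intrusion IPs and target
    attack IPs of every initial site, deduplicated, in first-seen order."""
    seen = {}
    for event in events:
        for site in event["sites"]:
            if site["role"] in ("intrusion_point", "attacked_target"):
                seen.setdefault(site["ip"], site["role"])
    return seen  # ip -> role


def build_aggregation_units(sample_ips, rir_lookup):
    """Aggregation unit of claim 1: the sample IP plus every address block the
    registry relates to it. A sample IP with no record falls back to a /32."""
    units = []
    for ip in sample_ips:
        blocks = rir_lookup.get(ip, [f"{ip}/32"])
        units.append({"sample_ip": ip,
                      "blocks": [ipaddress.ip_network(b) for b in blocks]})
    return units


def hit_ratio(addresses, blocks):
    """Proportion of addresses that fall inside any of the given blocks."""
    if not addresses:
        return 0.0
    hits = sum(1 for a in addresses
               if any(ipaddress.ip_address(a) in b for b in blocks))
    return hits / len(addresses)


def feature_values(units, difference_data, malicious_data):
    """Per aggregation unit: (difference-data hit ratio, malicious-data hit
    ratio). These two ratios form the feature vector fed to the forest."""
    return {unit["sample_ip"]: (hit_ratio(difference_data, unit["blocks"]),
                                hit_ratio(malicious_data, unit["blocks"]))
            for unit in units}


def run_pipeline(events, rir_lookup, difference_data, malicious_data):
    """Hypothetical wrapper running extraction, aggregation and scoring."""
    units = build_aggregation_units(extract_sample_ips(events), rir_lookup)
    return feature_values(units, difference_data, malicious_data)


if __name__ == "__main__":
    for ip, (diff_r, mal_r) in run_pipeline(
            SECURITY_EVENTS, RIR_LOOKUP, DIFFERENCE_DATA, MALICIOUS_DATA).items():
        print(f"{ip:15} diff_hit={diff_r:.2f} mal_hit={mal_r:.2f}")
```

Note that the same registry block can be reached through several sample IPs, so one noisy /24 can dominate the feature vectors of every sample IP inside it; a deployment would normally deduplicate units by block set before scoring.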
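The model construction of claims 3 and 4 and the majority-vote classification that a random forest gives, in runnable form, as an added example that is not the patent's own code. It assumes the feature dimensions (the two hit ratios) have already been discretised into "low"/"high" buckets, draws the K sub-training sets by bootstrap sampling, and induces each tree as claim 4 describes: information entropy, information gain, gain ratio, split on the dimension with the maximum gain ratio, recurse until every dimension has been used. The training rows are constructed; the Gini coefficient selection of claim 2 is not implemented here.

```python
import math
import random
from collections import Counter

# Constructed training set (claim 3): (features, label), label 1 = attack
# target (first data), 0 = non-attack target (second data). Hit ratios are
# pre-bucketed into "low"/"high"; the claims do not fix a binning scheme.
TRAINING_SET = [
    ({"diff_hit": "high", "mal_hit": "high"}, 1),
    ({"diff_hit": "high", "mal_hit": "low"}, 1),
    ({"diff_hit": "low", "mal_hit": "high"}, 1),
    ({"diff_hit": "low", "mal_hit": "low"}, 0),
    ({"diff_hit": "low", "mal_hit": "low"}, 0),
    ({"diff_hit": "high", "mal_hit": "low"}, 0),
    ({"diff_hit": "low", "mal_hit": "low"}, 0),
    ({"diff_hit": "high", "mal_hit": "high"}, 1),
]


def entropy(rows):
    """Information entropy of the label distribution in rows."""
    n = len(rows)
    total = sum((c / n) * math.log2(c / n)
                for c in Counter(label for _, label in rows).values())
    return -total if total else 0.0


def split_by(rows, dim):
    """Partition rows by the value they take in one feature dimension."""
    parts = {}
    for row in rows:
        parts.setdefault(row[0][dim], []).append(row)
    return parts


def information_gain(rows, dim):
    n = len(rows)
    return entropy(rows) - sum(len(p) / n * entropy(p)
                               for p in split_by(rows, dim).values())


def gain_ratio(rows, dim):
    """Claim 4: information gain divided by the split information (entropy of
    the partition itself), which penalises many-valued dimensions."""
    n = len(rows)
    sizes = [len(p) for p in split_by(rows, dim).values()]
    split_info = -sum(s / n * math.log2(s / n) for s in sizes)
    if split_info == 0.0:      # dimension takes a single value: cannot split
        return 0.0
    return information_gain(rows, dim) / split_info


def majority(rows):
    return Counter(label for _, label in rows).most_common(1)[0][0]


def build_tree(rows, dims):
    """Split on the dimension with the largest gain ratio, recurse on each
    branch with the remaining dimensions, stop when the branch is pure or no
    dimension is left. Leaves hold the majority label."""
    if len({label for _, label in rows}) == 1 or not dims:
        return {"leaf": majority(rows)}
    best = max(dims, key=lambda d: gain_ratio(rows, d))
    if gain_ratio(rows, best) == 0.0:
        return {"leaf": majority(rows)}
    remaining = [d for d in dims if d != best]
    return {"split": best, "default": majority(rows),
            "branches": {v: build_tree(p, remaining)
                         for v, p in split_by(rows, best).items()}}


def predict_tree(tree, features):
    while "leaf" not in tree:
        branch = tree["branches"].get(features[tree["split"]])
        if branch is None:         # value never seen on this path in training
            return tree["default"]
        tree = branch
    return tree["leaf"]


def build_random_forest(training_set, k, seed=0):
    """Claim 4: K sub-training sets by random sampling (bootstrap, with
    replacement), one decision tree per sub-training set."""
    rng = random.Random(seed)
    dims = list(training_set[0][0].keys())
    return [build_tree([rng.choice(training_set) for _ in training_set], dims)
            for _ in range(k)]


def predict_forest(forest, features):
    """Target classification: majority vote over the K trees."""
    return Counter(predict_tree(t, features) for t in forest).most_common(1)[0][0]


if __name__ == "__main__":
    forest = build_random_forest(TRAINING_SET, k=5)
    print(predict_forest(forest, {"diff_hit": "low", "mal_hit": "high"}))
```

On this data the malicious-data hit ratio carries the larger gain ratio, so every tree grown from the full set splits on it first; a practitioner should check that such a dominant dimension is not simply leaking the label (for example, when the "malicious data" feed and the incident labels come from the same source).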
CN202010467167.4A 2020-05-28 2020-05-28 Network security monitoring method, device, equipment and medium based on situation awareness Active CN111786950B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010467167.4A CN111786950B (en) 2020-05-28 2020-05-28 Network security monitoring method, device, equipment and medium based on situation awareness

Publications (2)

Publication Number Publication Date
CN111786950A CN111786950A (en) 2020-10-16
CN111786950B true CN111786950B (en) 2023-10-27

Family

ID=72754216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010467167.4A Active CN111786950B (en) 2020-05-28 2020-05-28 Network security monitoring method, device, equipment and medium based on situation awareness

Country Status (1)

Country Link
CN (1) CN111786950B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112235312B (en) * 2020-10-22 2022-04-26 新华三信息安全技术有限公司 Method and device for determining credibility of security event and electronic equipment
CN112380514B (en) * 2020-11-13 2022-11-22 支付宝(杭州)信息技术有限公司 Biological identification security situation prediction method and device and electronic equipment
CN112580788A (en) * 2020-12-25 2021-03-30 中国电子科技集团公司信息科学研究院 Situation cognition method, device, equipment and medium based on long-time and short-time memory network
CN112738107B (en) * 2020-12-30 2022-08-05 恒安嘉新(北京)科技股份公司 Network security evaluation method, device, equipment and storage medium
CN112817823A (en) * 2021-02-05 2021-05-18 杭州和利时自动化有限公司 Network state monitoring method, device and medium
CN113242218A (en) * 2021-04-23 2021-08-10 葛崇振 Network security monitoring method and system
CN115378653B (en) * 2022-07-25 2024-04-23 中国电子科技集团公司第三十研究所 Network security situation awareness and prediction method and system based on LSTM and random forest
CN115550077B (en) * 2022-12-02 2023-06-20 宁波华自智能科技有限公司 Real-time online detection dangerous source data and triggering automatic defense method
CN115659197A (en) * 2022-12-28 2023-01-31 湖南财政经济学院 Data security monitoring model training method, application method, device and storage medium
CN117633665B (en) * 2024-01-26 2024-05-28 深圳市互盟科技股份有限公司 Network data monitoring method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106778836A (en) * 2016-11-29 2017-05-31 天津大学 Random forest recommendation algorithm based on constraint conditions
CN108306894A (en) * 2018-03-19 2018-07-20 西安电子科技大学 Network security situation assessment method and system based on attack occurrence confidence
CN108683663A (en) * 2018-05-14 2018-10-19 中国科学院信息工程研究所 Method and device for assessing network security situation
WO2020046575A1 (en) * 2018-08-31 2020-03-05 Sophos Limited Enterprise network threat detection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Simulation of malicious parked domain name detection based on multi-attribute features on the Internet; 周梦源; 《计算机仿真》; pp. 406-409 *

Also Published As

Publication number Publication date
CN111786950A (en) 2020-10-16

Similar Documents

Publication Publication Date Title
CN111786950B (en) Network security monitoring method, device, equipment and medium based on situation awareness
US20220124108A1 (en) System and method for monitoring security attack chains
US11792229B2 (en) AI-driven defensive cybersecurity strategy analysis and recommendation system
US11750659B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
CN110380896B (en) Network security situation awareness system and method based on attack graph
US20210019674A1 (en) Risk profiling and rating of extended relationships using ontological databases
US20200389495A1 (en) Secure policy-controlled processing and auditing on regulated data sets
US20220078210A1 (en) System and method for collaborative cybersecurity defensive strategy analysis utilizing virtual network spaces
US20200412767A1 (en) Hybrid system for the protection and secure data transportation of convergent operational technology and informational technology networks
US20220210200A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US11570209B2 (en) Detecting and mitigating attacks using forged authentication objects within a domain
US11799900B2 (en) Detecting and mitigating golden ticket attacks within a domain
US11032323B2 (en) Parametric analysis of integrated operational technology systems and information technology systems
US20220014560A1 (en) Correlating network event anomalies using active and passive external reconnaissance to identify attack information
CN105556526B (en) Non-transitory machine readable media, the system and method that layering threatens intelligence are provided
US20220224723A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US20210360032A1 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
US20230362200A1 (en) Dynamic cybersecurity scoring and operational risk reduction assessment
WO2021216163A2 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US20230283641A1 (en) Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement
JP2018196054A (en) Evaluation program, evaluation method and information processing device
CN117478433B (en) Network and information security dynamic early warning system
CN115119197B (en) Wireless network risk analysis method, device, equipment and medium based on big data
CN115827379A (en) Abnormal process detection method, device, equipment and medium
CN115174205A (en) Network space safety real-time monitoring method, system and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant