CN112487208A - Network security data association analysis method, device, equipment and storage medium - Google Patents


Info

Publication number
CN112487208A
Authority
CN
China
Prior art keywords: knowledge, graph, data, rule, network
Legal status: Granted
Application number
CN202011465359.8A
Other languages: Chinese (zh)
Other versions: CN112487208B (en)
Inventor
李雨含
范渊
刘博�
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Events
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202011465359.8A
Publication of CN112487208A
Application granted
Publication of CN112487208B
Legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/30 Information retrieval of unstructured textual data > G06F16/36 Creation of semantic tools, e.g. ontology or thesauri > G06F16/367 Ontology
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval of structured data, e.g. relational data > G06F16/24 Querying > G06F16/245 Query processing > G06F16/2455 Query execution > G06F16/24564 Applying rules; Deductive queries
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/30 Information retrieval of unstructured textual data > G06F16/31 Indexing; Data structures therefor; Storage structures > G06F16/313 Selection or weighting of terms for indexing
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/30 Information retrieval of unstructured textual data > G06F16/33 Querying > G06F16/335 Filtering based on additional data, e.g. user or group profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Animal Behavior & Ethology (AREA)
  • Software Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method, a device, equipment and a storage medium for network security data association analysis, wherein the method comprises the following steps: acquiring data capable of representing the current security condition of a network as a sample, extracting corresponding information from the sample as knowledge according to preset business logic, and constructing a knowledge graph from the knowledge; extracting features from each preset rule to obtain corresponding rule features, wherein a rule is data indicating that a security threat exists on the network; and performing a deep search of the knowledge graph, and, if the search finds knowledge matching any rule feature, identifying a risk for that knowledge. The method and the device can shorten network security analysis time while improving the accuracy and effectiveness of network security analysis.

Description

Network security data association analysis method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network security technology, and in particular to a method, an apparatus, a device and a storage medium for network security data association analysis.
Background
Network security related data is various and complex, and comprises security threat intelligence data, vulnerability information, network environment asset data, network security event data, security event response expert knowledge and the like. In the prior art, an analyst usually analyzes each kind of network security related data manually; analyzing each kind separately yields a one-sided security analysis with a large number of false alarms, which not only wastes the analyst's valuable time but is also likely to drown out the real security threats.
Disclosure of Invention
The invention aims to provide a method, a device, equipment and a storage medium for analyzing network security data association, which can reduce the time for analyzing network security and improve the accuracy and effectiveness of network security analysis.
In order to achieve the above purpose, the invention provides the following technical scheme:
a network security data association analysis method comprises the following steps:
acquiring data capable of representing the current security condition of a network as a sample, extracting corresponding information from the sample as knowledge according to preset business logic, and constructing a knowledge graph from the knowledge;
extracting features from each preset rule to obtain corresponding rule features, wherein a rule is data indicating that a security threat exists on the network;
and performing a deep search of the knowledge graph, and, if the search finds knowledge matching any rule feature, identifying a risk for that knowledge.
Preferably, before constructing the knowledge graph by using the knowledge, the method further comprises:
if knowledge graphs for a plurality of consecutive time periods were constructed before the current moment, fitting those knowledge graphs to obtain a graph baseline for one time period;
correspondingly, after the knowledge graph is constructed by using the knowledge, the method further comprises the following steps:
comparing the currently constructed knowledge graph with the graph baseline, and, if the currently constructed knowledge graph contains knowledge that differs from the graph baseline, identifying a risk for that knowledge.
Preferably, extracting corresponding information from the sample as knowledge according to preset business logic includes:
if the sample is log data, performing regular-expression matching and/or word segmentation on the log data to obtain corresponding structured data as knowledge;
and if the sample is flow data, performing regular-expression matching and/or field extraction on the flow data to obtain corresponding structured data as knowledge.
Preferably, before constructing the knowledge graph by using the knowledge, the method further comprises:
performing deduplication on the knowledge, and replacing different names that have the same meaning in the knowledge with a uniform name representing that meaning.
Preferably, constructing the knowledge graph from the knowledge comprises:
determining the ontology model corresponding to the current scenario as the current model, and importing the knowledge into the current model to obtain the corresponding knowledge graph.
Preferably, fitting a plurality of knowledge graphs to obtain a graph baseline for a time period comprises:
performing time-superposition deduplication on the plurality of knowledge graphs to be fitted;
analyzing the plurality of knowledge graphs after time-superposition deduplication to obtain the differences among them, and having the differences processed externally and marked, so as to obtain a graph baseline for one time period.
Preferably, identifying a risk for the corresponding knowledge comprises:
setting the knowledge for which a risk is to be identified to a specified display color.
A network security data association analysis apparatus, comprising:
a graph building module for: acquiring data capable of representing the current security condition of a network as a sample, extracting corresponding information from the sample as knowledge according to preset business logic, and constructing a knowledge graph from the knowledge;
a feature extraction module for: extracting features from each preset rule to obtain corresponding rule features, wherein a rule is data indicating that a security threat exists on the network;
an association analysis module for: performing a deep search of the knowledge graph, and, if the search finds knowledge matching any rule feature, identifying a risk for that knowledge.
A network security data association analysis device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the network security data association analysis method described in any one of the above when executing the computer program.
A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the network security data association analysis method described in any one of the above.
The invention provides a method, a device, equipment and a storage medium for network security data association analysis, wherein the method comprises the following steps: acquiring data capable of representing the current security condition of a network as a sample, extracting corresponding information from the sample as knowledge according to preset business logic, and constructing a knowledge graph from the knowledge; extracting features from each preset rule to obtain corresponding rule features, wherein a rule is data indicating that a security threat exists on the network; and performing a deep search of the knowledge graph, and, if the search finds knowledge matching any rule feature, identifying a risk for that knowledge. According to this technical scheme, network security related data is collected as samples, knowledge is extracted from the samples to construct a corresponding knowledge graph, rule features are extracted from rules representing the existence of security threats in the network, and the knowledge graph is deeply searched for knowledge matching the rule features; when matching knowledge is found, that knowledge is determined to indicate a security threat in the network and a risk is identified for it; otherwise, the knowledge is determined not to indicate a security threat.
It can be seen that, unlike the prior art, in which an analyst must manually analyze each kind of network security related data, the present application constructs a network security knowledge graph from the network security related data and then performs fused association analysis based on the knowledge graph and the rules indicating that the network has security threats, so that false alarms and drowned-out security threats are effectively reduced and the network security analysis process is automated; the network security analysis time is therefore effectively reduced and the analysis efficiency improved. In conclusion, the method and the device can reduce the time of network security analysis and improve its accuracy and effectiveness.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a network security data association analysis method provided in an embodiment of the present invention;
Fig. 2 is an example diagram of a knowledge graph in the network security data association analysis method according to an embodiment of the present invention;
Fig. 3 is a block diagram of a network security data association analysis apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, a flowchart of a network security data association analysis method provided in an embodiment of the present invention is shown, where the method may include:
S11: collecting data capable of representing the current security condition of the network as samples, extracting corresponding information from the samples as knowledge according to preset business logic, and constructing a knowledge graph from the knowledge.
The execution subject of the network security data association analysis method provided by the embodiment of the invention may be a corresponding network security data association analysis apparatus. It should be noted that the present application collects data that can represent the current security condition of the network, that is, network security related data, so that whether the network currently has a security threat can be determined by analyzing that data afterwards. The network security related data may comprise security threat intelligence data, vulnerability information, network environment asset data, network security event data, security event response expert knowledge and the like. In particular, security threat intelligence data is verified knowledge that provides rich context helpful for security threat detection; vulnerability information covers bugs, weak passwords and the like, and knowing the vulnerability situation in the network environment helps perform better network security protection; network environment asset data supports asset mapping and inventory, and the most appropriate protective measures can be taken once the assets in the network environment are clearly known; network security event data is the security events occurring in real time in the network environment, and combing through it reveals the association relationships within it, so that latent security threats in the network environment can be discovered; the security event response expert knowledge held in the expert knowledge base is the learned and organized emergency-response process knowledge of experts and can guide automated security event response.
In a specific implementation, when collecting network security related data as samples, asset logs and data traffic containing the network security related data may be collected as samples. When collecting asset logs, the log source information of the asset logs, including but not limited to IP, asset type and asset log location, may be configured; when collecting data traffic, asset traffic may be obtained by mirroring, and the configured information includes but is not limited to IP, port and the like. Assets may include storage resources, computing resources and so on, and data traffic may include data related to production traffic, such as IO data.
After the samples are obtained, corresponding information may be extracted from the samples as knowledge according to preset business logic. Specifically, the content of knowledge includes but is not limited to entities, attributes and relationships, such as SIP (source IP), start time, end time, operation content, data return, DIP (destination IP) and the like. The preset business logic may be "who did what, when and where", or may include only part of that content; for example, "who" points to the SIP, "when" points to the time category (start time, end time) or operation time, "where" points to the DIP, and "what" points to the operation content and data return.
After extracting knowledge from the samples, a knowledge graph can be constructed from the knowledge. In essence a knowledge graph is a semantic network: it describes the real world with a graph structure of nodes and edges, where nodes represent entities and edges represent the relationships between them, so the knowledge graph is a large semantic relationship network used to explore implicit relationships between entities and discover the potential knowledge behind them. The knowledge graph consists of an ontology layer and an instance layer. The ontology layer is the schema layer and the core of the whole knowledge graph; it expresses classes, attribute relations and object relations and is the overall knowledge framework of the graph. The instance layer is the data layer and consists of a series of facts. Entities and relations in the knowledge graph are described by triples (subject, predicate, object). For example, as shown in Fig. 2, when a fact is described with the knowledge graph, the attack organization of attack event A is Turla and the vulnerability is CVE-2018-8120; this is the fact (triple) data, in which attack event A belongs to the attack event class of the ontology layer, the attack organization belongs to the attack organization class of the ontology layer, and vulnerability CVE-2018-8120 belongs to the vulnerability class of the ontology layer.
S12: extracting features from each preset rule to obtain corresponding rule features, wherein a rule is data indicating that a security threat exists in the network.
After the knowledge graph is constructed, knowledge reasoning can be carried out on the entity knowledge graph. Specifically, all preset rules are obtained; the rules are data representing that the network has security threats and may come from a security knowledge and experience library, which includes but is not limited to a security threat intelligence library and an asset vulnerability library. Features are then extracted from each preset rule. Each rule has unique features, including but not limited to field values, attack means and attack results. Each rule comprises a group of facts, or content conforming to the corresponding business logic: what is done is the attack means and the result produced is the attack result; the attack means matches the rule condition and the attack result matches the rule result; and the rule means and the rule results form rule pairs in the corresponding knowledge base, which may be in a one-to-many, many-to-many or many-to-one relationship.
S13: performing a deep search of the knowledge graph, and, if the knowledge graph contains knowledge matching any rule feature, identifying a risk for that knowledge.
Here, matching may mean identical or corresponding. A deep search of the knowledge graph (for example, detection along longitudinal and transverse rules) detects whether any rule feature is touched in the knowledge graph, that is, whether the knowledge graph contains knowledge matching any rule feature, or whether a rule condition or rule result is touched in the knowledge graph; if so, a risk is identified directly for the knowledge that touches the rule feature, otherwise no risk is identified.
According to this technical scheme, network security related data is collected as samples, knowledge is extracted from the samples to construct a corresponding knowledge graph, rule features are extracted from rules representing the existence of security threats in the network, and the knowledge graph is deeply searched for knowledge matching the rule features; when matching knowledge is found, that knowledge is determined to indicate a security threat in the network and a risk is identified for it; otherwise, the knowledge is determined not to indicate a security threat. It can be seen that, unlike the prior art, in which an analyst must manually analyze each kind of network security related data, the present application constructs a network security knowledge graph from the network security related data and then performs fused association analysis based on the knowledge graph and the rules indicating that the network has security threats, so that false alarms and drowned-out security threats are effectively reduced and the network security analysis process is automated; the network security analysis time is therefore effectively reduced and the analysis efficiency improved. In conclusion, the method and the device can reduce the time of network security analysis and improve its accuracy and effectiveness.
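Steps S11 to S13 above, worked as an added Python example that is not part of the patent or of the assignee's product: an ontology layer (classes and the relations permitted between them), an instance layer of (subject, predicate, object) triples built from the Fig. 2 fact (attack event A, Turla, CVE-2018-8120) plus one constructed benign event, rules expressed as condition and result facts, and a depth-first search that marks a risk (a display colour, as the page describes) on every entity from which all features of a rule are touched. The class names, relation names, the second event and the placeholder vulnerability id are assumptions made for the example.

```python
from collections import defaultdict

# Ontology (schema) layer: entity classes and the relations allowed between them.
# Class and relation names are assumptions made for this example.
CLASSES = {"AttackEvent", "AttackOrganization", "Vulnerability", "Host"}
RELATIONS = {
    "attack_organization": ("AttackEvent", "AttackOrganization"),
    "exploits": ("AttackEvent", "Vulnerability"),
    "source_ip": ("AttackEvent", "Host"),
    "destination_ip": ("AttackEvent", "Host"),
}


class KnowledgeGraph:
    """Instance layer: (subject, predicate, object) facts validated against the ontology."""

    def __init__(self):
        self.cls = {}                 # entity -> ontology class
        self.out = defaultdict(list)  # subject -> [(predicate, object)]
        self.risk = {}                # entity -> display colour once a risk is identified

    def add_entity(self, name, cls):
        if cls not in CLASSES:
            raise ValueError(f"unknown class {cls!r}")
        self.cls[name] = cls

    def add_triple(self, subj, pred, obj):
        # Reject facts that do not fit the ontology layer's class constraints.
        dom, rng = RELATIONS[pred]
        if self.cls.get(subj) != dom or self.cls.get(obj) != rng:
            raise ValueError(f"({subj}, {pred}, {obj}) violates the ontology")
        self.out[subj].append((pred, obj))

    def deep_search(self, start, max_depth=3):
        """Depth-first walk from `start`; returns every (predicate, object) pair touched."""
        seen, touched, stack = set(), set(), [(start, 0)]
        while stack:
            node, depth = stack.pop()
            if node in seen or depth > max_depth:
                continue
            seen.add(node)
            for pred, obj in self.out[node]:
                touched.add((pred, obj))
                stack.append((obj, depth + 1))
        return touched


def rule_features(rule):
    """A rule is a group of facts: its condition (attack means) and result (attack result)."""
    return set(rule["condition"]) | set(rule["result"])


def associate(kg, rules, colour="red"):
    """S13: deep-search from every entity; when all features of a rule are touched,
    identify a risk for that knowledge by giving it the specified display colour."""
    hits = {}
    for entity in list(kg.cls):
        touched = kg.deep_search(entity)
        for rule in rules:
            if rule_features(rule) <= touched:
                kg.risk[entity] = colour
                hits.setdefault(entity, []).append(rule["name"])
    return hits


def build_demo():
    """Constructed graph: the page's Fig. 2 fact plus one benign event (assumption)."""
    kg = KnowledgeGraph()
    for name, cls in [("attack_event_A", "AttackEvent"), ("attack_event_B", "AttackEvent"),
                      ("Turla", "AttackOrganization"), ("CVE-2018-8120", "Vulnerability"),
                      ("VULN-PLACEHOLDER-1", "Vulnerability"),  # placeholder id, not a real CVE
                      ("203.0.113.4", "Host"), ("10.0.0.20", "Host")]:
        kg.add_entity(name, cls)
    kg.add_triple("attack_event_A", "attack_organization", "Turla")
    kg.add_triple("attack_event_A", "exploits", "CVE-2018-8120")
    kg.add_triple("attack_event_A", "source_ip", "203.0.113.4")
    kg.add_triple("attack_event_A", "destination_ip", "10.0.0.20")
    kg.add_triple("attack_event_B", "exploits", "VULN-PLACEHOLDER-1")
    kg.add_triple("attack_event_B", "destination_ip", "10.0.0.20")
    rules = [  # constructed rules: condition = attack means, result = attack result
        {"name": "turla-cve-2018-8120",
         "condition": [("exploits", "CVE-2018-8120")],
         "result": [("attack_organization", "Turla")]},
        {"name": "placeholder-rule",
         "condition": [("exploits", "VULN-PLACEHOLDER-1")],
         "result": [("attack_organization", "Turla")]},
    ]
    return kg, associate(kg, rules)


if __name__ == "__main__":
    graph, matches = build_demo()
    print(matches, graph.risk)
```

Only attack event A touches both the condition and the result of a rule, so only it is coloured; event B touches the placeholder rule's condition but not its result, which is the "condition or result touched" distinction the page draws, and a practitioner would log such partial touches rather than silently ignore them.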
Before the network security data association analysis method provided by the embodiment of the invention constructs the knowledge graph from the knowledge, the method may further comprise:
if knowledge graphs for a plurality of consecutive time periods were constructed before the current moment, fitting those knowledge graphs to obtain a graph baseline for one time period;
correspondingly, after the knowledge graph is constructed from the knowledge, the method further comprises:
comparing the currently constructed knowledge graph with the graph baseline, and, if the currently constructed knowledge graph contains knowledge that differs from the graph baseline, identifying a risk for that knowledge.
The time period can be set according to actual needs, such as a week or a day. After the network security related data of a time period is collected, a knowledge graph can be constructed from it. When the currently constructed knowledge graph needs to be analyzed, a plurality of knowledge graphs constructed before it can be acquired; these are knowledge graphs from when the network had no security threat, and they correspond one to one to a plurality of consecutive time periods. For example, if the currently constructed knowledge graph corresponds to the fourth week of a month, the knowledge graphs used to analyze it may be those of the first, second and third weeks of that month. It should be noted that the plurality of knowledge graphs used for analysis are fitted into one knowledge graph for a time period, that is, the graph baseline, which effectively embodies the characteristics of the relevant data when the network had no security threat before the current time. The currently constructed knowledge graph is therefore compared with the graph baseline, and wherever the two differ is knowledge in the constructed graph that may indicate a security threat, so a corresponding risk identification is performed; in this way, whether the network currently has a security threat can be effectively detected from the data characteristics of the threat-free network.
In one specific implementation, fitting a plurality of knowledge graphs to obtain a graph baseline for a time period may include:
performing time-superposition deduplication on the plurality of knowledge graphs to be fitted;
analyzing the plurality of knowledge graphs after time-superposition deduplication to obtain the differences among them, and having the differences processed externally and marked, so as to obtain a graph baseline for one time period.
After the plurality of knowledge graphs to be fitted are obtained, the parts of the graphs that have the same time and the same knowledge are deduplicated, that is, only one copy of each such part is retained; for the parts that differ between the graphs, information can be output to prompt an external analyst to process them, and after processing the analyst keeps one version. The parts obtained from the difference processing and the parts obtained from deduplication together form the graph baseline for one time period. The plurality of knowledge graphs is thus effectively fitted into one knowledge graph, and the fitted graph baseline effectively embodies the data characteristics of the network when no security threat exists.
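The baseline fitting and comparison described above, as an added Python example that is not part of the patent: three constructed threat-free weekly graphs are time-superposed (each fact's absolute timestamp is replaced by its weekday and hour within the period, an assumed granularity), knowledge common to all weeks is kept once, the differing facts are handed to a stand-in for the external analyst, and the fourth week's graph is then diffed against the resulting baseline. All facts, hosts and the analyst decision are constructed for the example.

```python
from datetime import datetime

# Each period's knowledge graph is modelled as a set of facts
# (absolute_time, source_ip, operation, destination). All data constructed for this example.
WEEK1 = {("2020-11-02T02:00:00", "10.0.0.7", "backup", "db-01"),
         ("2020-11-03T09:15:00", "10.0.0.5", "select", "db-01")}
WEEK2 = {("2020-11-09T02:00:00", "10.0.0.7", "backup", "db-01"),
         ("2020-11-10T09:05:00", "10.0.0.5", "select", "db-01"),
         ("2020-11-12T14:00:00", "10.0.0.9", "select", "db-01")}
WEEK3 = {("2020-11-16T02:00:00", "10.0.0.7", "backup", "db-01"),
         ("2020-11-17T09:40:00", "10.0.0.5", "select", "db-01")}
WEEK4 = {("2020-11-23T02:00:00", "10.0.0.7", "backup", "db-01"),
         ("2020-11-24T09:20:00", "10.0.0.5", "select", "db-01"),
         ("2020-11-24T23:30:00", "203.0.113.4", "drop", "db-01")}


def superpose(graph):
    """Time superposition: replace each fact's absolute time with its position inside
    the period (weekday, hour) so facts from different weeks become comparable.
    Hour granularity is an assumption of this example."""
    result = set()
    for ts, sip, op, dip in graph:
        t = datetime.fromisoformat(ts)
        result.add(((t.weekday(), t.hour), sip, op, dip))
    return result


def fit_baseline(graphs, analyst_keeps):
    """Fit several threat-free period graphs into one baseline: knowledge present in
    every period is deduplicated to one copy; knowledge present in only some periods
    is the difference, which the external analyst decides to keep or drop."""
    superposed = [superpose(g) for g in graphs]
    common = set.intersection(*superposed)
    differing = set.union(*superposed) - common
    kept = {fact for fact in differing if analyst_keeps(fact)}
    return common | kept, differing


def compare_with_baseline(current, baseline):
    """Knowledge in the current graph that is absent from the baseline is identified as a risk."""
    return superpose(current) - baseline


def analyst_keeps(fact):
    # Stand-in for the external analyst: the ad-hoc reporting host is known and kept.
    _, sip, _, _ = fact
    return sip == "10.0.0.9"


def run_demo():
    baseline, differing = fit_baseline([WEEK1, WEEK2, WEEK3], analyst_keeps)
    flagged = compare_with_baseline(WEEK4, baseline)
    return baseline, differing, flagged


if __name__ == "__main__":
    for name, value in zip(("baseline", "differing", "flagged"), run_demo()):
        print(name, sorted(value))
```

The Monday 02:00 backup and the Tuesday 09:00 query recur every week and survive deduplication; the Thursday query from 10.0.0.9 appears in one week only and reaches the analyst; the late-night drop from 203.0.113.4 matches nothing in the baseline and is the only fact flagged. A coarser or finer superposition granularity directly trades missed deviations against noise, so it should be chosen per period length.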
The network security data association analysis method provided by the embodiment of the invention extracts corresponding information from a sample as knowledge according to preset business logic, which may include:
if the sample is log data, performing regular-expression matching and/or word segmentation on the log data to obtain corresponding structured data as knowledge;
and if the sample is flow data, performing regular-expression matching and/or field extraction on the flow data to obtain corresponding structured data as knowledge.
The network security related data collected by the present application may be contained in log data and flow data; flow data and data traffic have the same meaning. When extracting knowledge from a sample, if the sample is log data, the log data can be word-segmented to obtain corresponding structured data as knowledge, and regular-expression matching can be applied to the log before segmentation; if the sample is flow data, field extraction can be performed on the flow data to obtain corresponding structured data as knowledge, and regular-expression matching can be applied to the flow data before field extraction. The samples are thus normalized through these steps, and effective extraction of knowledge is finally achieved.
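The two extraction paths just described (regular matching plus word segmentation for log data; regular matching plus field extraction for flow data), as an added Python example that is not the patent's own code. The log line format, the comma-separated flow layout and the sample lines are constructed assumptions; both parsers map into the page's "who, when, where, what, data return" knowledge shape and skip lines that fail the regular match instead of emitting partial knowledge.

```python
import re

# Constructed sample inputs (not from the patent). Log format and flow layout are assumptions.
LOG_LINES = [
    "2020-12-14T10:02:11 10.0.0.5 -> 10.0.1.20 op=insert table=users ret=ok",
    "2020-12-14T10:02:15 10.0.0.7 -> 10.0.1.20 op=select table=orders ret=ok rows=42",
    "garbage line that matches nothing",
]
FLOW_RECORDS = [
    "2020-12-14T10:03:00,10.0.0.5,51234,10.0.1.20,3306,tcp,8192",
    "2020-12-14T10:03:02,10.0.0.7,51235,10.0.1.20,3306,tcp",   # truncated record: skipped
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_RE = re.compile(
    rf"^(?P<start>\S+)\s+(?P<sip>{IP})\s+->\s+(?P<dip>{IP})\s+(?P<rest>.*)$")
FLOW_RE = re.compile(rf"^(\S+),({IP}),(\d+),({IP}),(\d+),(\w+),(\d+)$")
FLOW_FIELDS = ("start", "sip", "sport", "dip", "dport", "proto", "bytes")


def log_to_knowledge(line):
    """Regular matching picks the fixed fields; word segmentation of the free-text
    remainder yields key=value attributes. Returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    attrs = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    return {"who": m.group("sip"), "when": m.group("start"), "where": m.group("dip"),
            "what": attrs.get("op"), "data_return": attrs.get("ret"), "attrs": attrs}


def flow_to_knowledge(record):
    """Regular matching validates the record layout, then positional field extraction
    maps columns to names. Malformed records return None."""
    m = FLOW_RE.match(record)
    if not m:
        return None
    fields = dict(zip(FLOW_FIELDS, m.groups()))
    return {"who": fields["sip"], "when": fields["start"], "where": fields["dip"],
            "what": f"{fields['proto']}/{fields['dport']}", "data_return": fields["bytes"],
            "attrs": fields}


def extract(samples, parser):
    """Apply a parser to every sample, keeping only the structured knowledge it produced."""
    return [k for k in (parser(s) for s in samples) if k is not None]


if __name__ == "__main__":
    for k in extract(LOG_LINES, log_to_knowledge) + extract(FLOW_RECORDS, flow_to_knowledge):
        print(k)
```

Anchoring both expressions with `^` and `$` is what makes the regular match act as validation: a truncated flow record or a line in an unexpected format is dropped before it can become mis-keyed knowledge in the graph.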
Before the network security data association analysis method provided by the embodiment of the invention constructs the knowledge graph from the knowledge, the method may further comprise:
performing deduplication on the knowledge, and replacing different names that have the same meaning in the knowledge with a uniform name representing that meaning.
After the knowledge is extracted from the network security related data, the knowledge can be aligned, and the corresponding knowledge graph is then constructed from the aligned knowledge. Specifically, since the knowledge may contain data conflicts, the present application may use a Bloom filter to delete duplicate data across the whole body of knowledge, retaining only one copy of each duplicate. Where the same content is defined differently in different pieces of knowledge, the present application uniformly resets it to one known name: for example, the insert operation is named insert in some log data and add in others, and likewise the same name may be written in different forms in different log data. Knowledge alignment is achieved in this way, and the construction of the corresponding knowledge graph from the knowledge is made convenient at a later stage.
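The knowledge alignment step described here (and step 3.1 of the application scenario below, which uses the same Bloom-filter deduplication), as an added Python example that is not the patent's own code: a small Bloom filter built from SHA-256-derived bit positions, an alias table that maps names with the same meaning (add, create, insert) to one uniform name, and an alignment pass over constructed facts. The alias table, the filter sizing and the sample facts are assumptions; the page says only that a Bloom filter deletes duplicates, so the exact-set confirmation is this example's addition to handle the filter's false positives.

```python
import hashlib


class BloomFilter:
    """Small Bloom filter: k bit positions per item derived from one SHA-256 digest."""

    def __init__(self, size_bits=8192, hashes=4):
        self.size, self.k = size_bits, hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        for i in range(self.k):
            # Four-byte slices of the digest give k independent positions.
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


# Different names with the same meaning, mapped to one uniform name (assumed alias table).
OPERATION_ALIASES = {"add": "insert", "create": "insert", "rm": "delete", "remove": "delete"}


def canonical(fact):
    """Data alignment: normalise case and replace aliases by the uniform operation name."""
    sip, op, dip = fact
    op = op.strip().lower()
    return (sip, OPERATION_ALIASES.get(op, op), dip)


def align(facts):
    """Deduplicate aligned facts. The Bloom filter is a cheap pre-check with no false
    negatives: an item it has never seen is reported absent and admitted at once. Because
    it can report false positives, a 'seen' answer is confirmed against an exact set before
    a fact is dropped, so no unique knowledge is lost (in production that exact store would
    be the slow path, consulted only when the filter says 'maybe')."""
    bloom, exact, result = BloomFilter(), set(), []
    for fact in facts:
        c = canonical(fact)
        key = "|".join(c)
        if key in bloom and c in exact:   # confirmed duplicate
            continue
        bloom.add(key)
        exact.add(c)
        result.append(c)
    return result


# Constructed facts (source IP, operation, destination) with conflicting spellings.
FACTS = [
    ("10.0.0.5", "INSERT", "db-01"),
    ("10.0.0.5", "add", "db-01"),
    ("10.0.0.5", "insert", "db-01"),
    ("10.0.0.7", "rm", "db-01"),
    ("10.0.0.7", "delete", "db-01"),
    ("10.0.0.9", "select", "db-01"),
]


if __name__ == "__main__":
    for fact in align(FACTS):
        print(fact)
```

Alignment has to run before deduplication, not after: "INSERT", "add" and "insert" only collapse to one fact once they share a canonical form, which is why `canonical` is applied before the filter is consulted.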
The network security data association analysis method provided by the embodiment of the invention constructs a knowledge graph from the knowledge, which may comprise:
determining the ontology model corresponding to the current scenario as the current model, and importing the knowledge into the current model to obtain the corresponding knowledge graph.
In the embodiment of the application, different ontology models can be defined for different scenarios; defining an ontology model defines the business logic. If a scenario requires analyzing who did what, when and where, the corresponding ontology model is defined as "who, when, where, what"; if a scenario only requires analyzing who did what, the corresponding ontology model is defined as "who, what". Therefore, when the knowledge graph needs to be constructed from the knowledge, the current scenario is determined, the ontology model corresponding to it is obtained, and the knowledge is imported into that ontology model to obtain the corresponding knowledge graph. The entities in the ontology model include but are not limited to the SIP, the DIP and the systems among the assets; a user can view the knowledge graph of the corresponding entity as needed, and the definition of the ontology model and the construction of the knowledge graph can be completed with Protégé. Corresponding knowledge graphs can thus be generated for different scenarios, so that the generated knowledge graph meets the requirements of each scenario and the effectiveness of network security analysis is further ensured.
In the method for analysing network security data association provided by the embodiment of the invention, marking the corresponding knowledge as a risk can comprise:
setting the knowledge to be marked as a risk to a specified display colour.
It should be noted that, so that an external analyst can see at a glance which knowledge indicates a security risk in the network, that knowledge may be displayed in a predetermined colour; other settings made according to actual needs also fall within the scope of the invention.
In a specific application scenario, a method for analyzing network security data association provided in an embodiment of the present invention may include:
1. Sample collection:
1.1 Asset logs: configure the log source information, including but not limited to IP, asset type and asset log location;
1.2 Data flow: obtain the asset traffic by port mirroring; the configured information includes, but is not limited to, IP and port.
2. Knowledge extraction: the knowledge content includes, but is not limited to, entities, attributes and relationships, and specifically may include:
2.1 Knowledge is extracted according to the business logic, for example who did what, where and at what time. The extracted knowledge includes, but is not limited to, the SIP, start time, end time, operation content, returned data and DIP: "who" maps to the SIP, "when" to the time category (start time, end time) or the operation time, "where" to the DIP, and "what was done" to the operation content and returned data;
2.2 Normalising the content defined in step 2.1 from the sample:
2.2A For log data, apply regular-expression matching and/or word segmentation to obtain structured data;
2.2B For flow data, apply regular-expression matching and/or field extraction to obtain structured data.
3. Knowledge alignment: further processing of the knowledge extracted in step 2, including but not limited to deduplication and data alignment:
3.1 Deduplication: because the flow data and the log data may record the same fact, a Bloom filter can be used to delete repeated data from the flow data and the log data;
3.2 Data alignment: different definitions of the same content across assets are uniformly reset to a well-known name.
4. Graph construction:
4.1 Design the ontology model: from the knowledge extracted in step 2, define the ontology model, namely who did what, where and at what time;
4.2 Construct the knowledge graph: import the knowledge obtained in step 3 into the ontology model to obtain the knowledge graph. Entities in the ontology model include, but are not limited to, the SIP, the DIP and the systems among the assets; a user can view the knowledge graph of any entity as needed, and ontology design and graph construction can be done with Protégé.
5. Knowledge reasoning: perform knowledge inference over the entity's knowledge graph, including but not limited to the following operations:
5.1 Rule-based reasoning: the rules come from a security knowledge base, which includes but is not limited to a security threat intelligence base and an asset vulnerability base;
5.1A Feature extraction: features are extracted from each rule; every rule has unique features including, but not limited to, field values, attack means and attack result. In the business logic, the "what was done" part is the attack means and the result produced is the outcome of the operation, which contains a set of facts. The attack means is matched against the rule condition and the attack result against the rule result; condition and result form a rule pair in the knowledge base, and the pairing can be one-to-many, many-to-many or many-to-one;
5.1B Depth probing: search the entity's knowledge graph in depth and check whether any rule feature is touched in the graph; if so, mark the risk;
5.1C Perform longitudinal and transverse rule detection on the knowledge graph, detect behaviour that touches a rule condition or rule result, and mark that behaviour.
5.2 Consistency-based reasoning:
5.2A Graph slicing: cut the samples into n parts, each covering one time period of length t, and generate the corresponding n knowledge graphs;
5.2B Graph fitting: superimpose the n knowledge graphs from step 5.2A over time and deduplicate them, analyse the points of difference manually, and fit the result to obtain a graph baseline;
5.2C Correlation analysis: collect the samples of the (n+1)-th time period, build the corresponding knowledge graph, compare it with the graph baseline, and mark the points of difference as risks.
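The five-step procedure above, as an added worked example in Python (not code from the patent or its assignee): regular-expression extraction of who/when/where/what from log lines (step 2), name alignment and deduplication (step 3), a "who/when/where/what" adjacency graph (step 4), depth search for (condition, result) rule pairs with one longitudinal rule (same target) and one transverse rule (one further hop) (step 5.1), and the time-window baseline with an analyst decision on the disputed edges (step 5.2). The log format, the synonym table, the two rules, the hop semantics and all sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Step 2: extraction over a constructed log format (assumption made for the example):
#   <ISO time> <source ip> <destination ip> <operation> <object> <result>
LOG_RE = re.compile(r"^(?P<time>\S+) (?P<sip>[\d.]+) (?P<dip>[\d.]+) "
                    r"(?P<op>\w+) (?P<obj>\S+) (?P<result>\w+)$")
# Step 3.2: assets name the same action differently (constructed synonym table)
CANONICAL = {"add": "insert", "create": "insert", "remove": "delete", "signin": "login"}

def extract(lines):
    """Who (sip) did what (op, obj, result), where (dip), when (time); unparseable lines are skipped."""
    facts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["op"] = CANONICAL.get(f["op"].lower(), f["op"].lower())
            facts.append(f)
    return facts

def build_graph(facts):
    """Step 4: 'who/when/where/what' ontology as adjacency sip -> [(dip, op, result, time)],
    identical facts removed (step 3.1)."""
    g, seen = defaultdict(list), set()
    for f in facts:
        key = (f["sip"], f["dip"], f["op"], f["result"], f["time"])
        if key not in seen:
            seen.add(key)
            g[f["sip"]].append((f["dip"], f["op"], f["result"], f["time"]))
    return g

# Step 5.1A: rule features (constructed rules). cond = attack means, res = attack result.
# hops=0: the result edge reaches the same target (longitudinal); hops=1: the result edge
# starts from that target (transverse: the compromised host acts on a third host).
RULES = [
    {"name": "brute force then success", "cond": ("login", "failed"), "min_cond": 3,
     "res": ("login", "ok"), "hops": 0},
    {"name": "pivot through compromised host", "cond": ("login", "ok"), "min_cond": 1,
     "res": ("login", "ok"), "hops": 1},
]

def rule_search(g, rules):
    """Steps 5.1B/5.1C: depth search of the graph for (condition, result) rule pairs."""
    hits = []
    for rule in rules:
        for sip, edges in g.items():
            by_target = defaultdict(list)
            for dip, op, res, t in edges:
                by_target[dip].append((op, res, t))
            for dip, evs in by_target.items():
                cond_times = [t for op, res, t in evs if (op, res) == rule["cond"]]
                if len(cond_times) < rule["min_cond"]:
                    continue
                t0 = min(cond_times)            # ISO-8601 strings sort chronologically
                if rule["hops"] == 0:
                    if any((op, res) == rule["res"] and t > t0 for op, res, t in evs):
                        hits.append((rule["name"], [sip, dip]))
                else:
                    for dip2, op, res, t in g.get(dip, []):
                        if (op, res) == rule["res"] and t > t0 and dip2 != sip:
                            hits.append((rule["name"], [sip, dip, dip2]))
    return hits

def edge_set(g):
    """Time-free view of a graph, used for the step 5.2 superposition."""
    return {(sip, dip, op, res) for sip, es in g.items() for dip, op, res, _ in es}

def fit_baseline(window_graphs, analyst_keep=lambda edge: True):
    """Step 5.2B: overlay n windows; stable edges stay, unstable ones are decided by an analyst."""
    sets = [edge_set(g) for g in window_graphs]
    stable = set.intersection(*sets)
    disputed = set.union(*sets) - stable
    return stable | {e for e in disputed if analyst_keep(e)}

def compare_to_baseline(g, baseline):
    """Step 5.2C: edges of window n+1 that the baseline does not explain."""
    return edge_set(g) - baseline

# Constructed samples: three baseline windows and one new window.
BASE = ["2020-12-14T09:00:01 10.0.0.5 10.0.1.20 select users ok",
        "2020-12-14T09:00:02 10.0.0.5 10.0.1.20 insert orders ok",
        "2020-12-14T09:05:00 10.0.0.7 10.0.1.21 login - ok"]
WINDOWS = [BASE,
           [l.replace("insert", "add") for l in BASE],           # same events, other naming
           BASE + ["2020-12-14T11:30:00 10.0.0.7 10.0.1.21 select logs ok"]]
NEW_WINDOW = """2020-12-14T12:00:01 10.0.0.5 10.0.1.20 select users ok
2020-12-14T12:00:02 10.0.0.5 10.0.1.20 insert orders ok
this line is not parseable and is skipped
2020-12-14T12:01:00 192.168.3.9 10.0.1.21 login - failed
2020-12-14T12:01:01 192.168.3.9 10.0.1.21 login - failed
2020-12-14T12:01:02 192.168.3.9 10.0.1.21 login - failed
2020-12-14T12:01:05 192.168.3.9 10.0.1.21 signin - ok
2020-12-14T12:02:00 10.0.1.21 10.0.1.22 login - ok""".splitlines()

def analyse(windows=WINDOWS, new_window=NEW_WINDOW):
    """Both reasoning paths on the new window: (rule hits, edges absent from the baseline)."""
    baseline = fit_baseline([build_graph(extract(w)) for w in windows])
    g = build_graph(extract(new_window))
    return rule_search(g, RULES), compare_to_baseline(g, baseline)
```

analyse() returns the rule hits and the novel edges of the new window. The three failed logins collapse to a single edge in the time-free view, so the baseline comparison only reports what is new, while the rule search, which keeps the timestamps, is what establishes the order (failures before the success) and the lateral hop from the compromised host. Unparseable lines are skipped rather than aborting the run, which is the behaviour wanted when heterogeneous log sources feed the pipeline, but the number of skipped lines should be monitored, since otherwise an attacker who can corrupt log formatting becomes invisible to the graph.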
The method and system build a network security knowledge graph from security threat intelligence, vulnerability data, asset information, network security data and the like, perform fused association analysis over it, find weaknesses of the assets in the network environment in time, perform association analysis of network security events in combination with the intelligence data, and thereby mine asset weaknesses in depth and give early warning.
An embodiment of the present invention further provides a device for analyzing association of network security data, as shown in fig. 3, where the device may include:
a graph building module 11 for: acquiring data capable of representing the current security state of a network as a sample, extracting corresponding information from the sample as knowledge according to preset business logic, and constructing a knowledge graph from the knowledge;
a feature extraction module 12 configured to: respectively extracting features from each preset rule to obtain corresponding rule features; wherein, the rule is data indicating that the network has security threat;
an association analysis module 13 configured to: perform a depth search of the knowledge graph and, if knowledge matching any rule feature exists in the knowledge graph, mark that knowledge as a risk.
The device for analyzing the network security data association provided by the embodiment of the invention may further include:
a fitting module to: before a knowledge graph is constructed by using knowledge, if a plurality of knowledge graphs in continuous time periods are constructed before the current moment, fitting the knowledge graphs to obtain a graph base line of one time period;
a comparison module for: and after the knowledge graph is constructed by using knowledge, comparing the currently constructed knowledge graph with a graph baseline, and identifying risks for the knowledge different from the graph baseline if the knowledge different from the graph baseline exists in the currently constructed knowledge graph.
In an embodiment of the apparatus for analyzing network security data association provided in the present invention, the graph building module may include:
an extraction unit for: if the sample is log data, performing regular matching and/or word segmentation processing on the log data to obtain corresponding structured data as knowledge; and if the sample is the flow data, performing regular matching and/or field extraction on the flow data to obtain corresponding structured data as knowledge.
The device for analyzing the network security data association provided by the embodiment of the invention may further include:
a processing module to: before the knowledge graph is constructed by using knowledge, the knowledge is subjected to duplicate removal processing, and different names with the same meaning in the knowledge are replaced by uniform names representing corresponding meanings.
In an embodiment of the apparatus for analyzing network security data association provided in the present invention, the graph building module may include:
a building unit for: and determining the ontology model corresponding to the current scene as the current model, and importing knowledge into the current model to obtain a corresponding knowledge graph.
In an embodiment of the apparatus for analyzing network security data association provided in the present invention, a fitting module may include:
a fitting unit for: performing time superposition and deduplication on the multiple knowledge graphs to be fitted; analysing the multiple knowledge graphs after time superposition and deduplication to obtain the differences among them, and presenting the differences for external processing to obtain a graph baseline of one time period.
In the device for analyzing the network security data association provided in the embodiment of the present invention, the association analysis module and the comparison module may both include:
an identification unit to: the knowledge that the risk needs to be identified is set to a specified display color.
An embodiment of the present invention further provides a network security data association analysis device, which may include:
a memory for storing a computer program;
a processor for implementing the steps of the network security data association analysis method as described in any one of the above when executing the computer program.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the network security data association analysis method as described above.
It should be noted that, for descriptions of relevant parts in the network security data association analysis apparatus, the device and the storage medium provided in the embodiment of the present invention, reference is made to detailed descriptions of corresponding parts in the network security data association analysis method provided in the embodiment of the present invention, and details are not described herein again. In addition, parts of the technical solutions provided in the embodiments of the present invention that are consistent with the implementation principles of the corresponding technical solutions in the prior art are not described in detail, so as to avoid redundant description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for analyzing association of network security data is characterized by comprising the following steps:
acquiring data capable of representing the current security state of a network as a sample, extracting corresponding information from the sample as knowledge according to preset business logic, and constructing a knowledge graph from the knowledge;
respectively extracting features from each preset rule to obtain corresponding rule features; wherein the rule is data indicating that a security threat exists on the network;
performing a depth search of the knowledge graph and, if knowledge matching any rule feature is found in the knowledge graph, marking that knowledge as a risk.
2. The method of claim 1, wherein prior to using the knowledge to construct a knowledge-graph, further comprising:
if the knowledge graphs of a plurality of continuous time periods are constructed before the current moment, fitting the knowledge graphs to obtain a graph base line of one time period;
correspondingly, after the knowledge graph is constructed by using the knowledge, the method further comprises the following steps:
comparing the currently constructed knowledge graph with the graph baseline, and identifying risks for the knowledge different from the graph baseline if the knowledge different from the graph baseline exists in the currently constructed knowledge graph.
3. The method of claim 2, wherein extracting the corresponding information from the sample as knowledge according to a predetermined business logic comprises:
if the sample is log data, performing regular matching and/or word segmentation processing on the log data to obtain corresponding structured data as knowledge;
and if the sample is the flow data, performing regular matching and/or field extraction on the flow data to obtain corresponding structured data as knowledge.
4. The method of claim 3, wherein prior to using the knowledge to construct a knowledge-graph, further comprising:
and carrying out deduplication processing on the knowledge, and replacing different names with the same meaning in the knowledge with uniform names representing corresponding meanings.
5. The method of claim 4, wherein building a knowledge graph using the knowledge comprises:
and determining the ontology model corresponding to the current scene as the current model, and importing the knowledge into the current model to obtain a corresponding knowledge graph.
6. The method of claim 5, wherein fitting a plurality of knowledge-maps to a profile baseline for a time period comprises:
carrying out time superposition deduplication processing on a plurality of knowledge maps needing to be fitted;
analysing the multiple knowledge graphs after time superposition and deduplication to obtain the differences among them, and presenting the differences for external processing to obtain a graph baseline of one time period.
7. The method of claim 6, wherein identifying a risk for the respective knowledge comprises:
the knowledge that the risk needs to be identified is set to a specified display color.
8. A network security data association analysis apparatus, comprising:
a graph building module to: acquire data capable of representing the current security state of a network as a sample, extract corresponding information from the sample as knowledge according to preset business logic, and construct a knowledge graph from the knowledge;
a feature extraction module to: respectively extracting features from each preset rule to obtain corresponding rule features; wherein the rule is data indicating that a security threat exists on the network;
an association analysis module to: perform a depth search of the knowledge graph and, if knowledge matching any rule feature is found in the knowledge graph, mark that knowledge as a risk.
9. A network security data association analysis device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the network security data association analysis method as claimed in any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps of the network security data association analysis method according to any one of claims 1 to 7.
Application CN202011465359.8A (priority date 2020-12-14, filing date 2020-12-14): Network security data association analysis method, device, equipment and storage medium. Status: Active. Granted as CN112487208B.

Publications

Publication Number Publication Date
CN112487208A 2021-03-12
CN112487208B 2023-06-30


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant