CN112653669B - Network terminal security threat early warning method, system and network terminal management device - Google Patents
- Publication number: CN112653669B (application CN202011411519.0A)
- Authority: CN (China)
- Prior art keywords: network, terminal, vulnerability, network terminal, dangerous
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a network terminal security threat early warning method, a system and a network terminal management device. The method comprises the following steps: monitoring the network traffic data of each network terminal and finding dangerous terminals; acquiring the vulnerability conditions and/or behavior data of the dangerous terminal and of the other network terminals in the same community; and respectively calculating the vulnerability similarity and/or behavior similarity between the dangerous terminal and each of the other network terminals in the same community, and if the vulnerability similarity between a network terminal and the dangerous terminal reaches a preset first threshold and/or the behavior similarity reaches a preset second threshold, judging that the network terminal has a security risk. After a dangerous terminal is found, the method can give early warning of whether the other network terminals are at risk, reducing the loss caused by security threats in the network, while placing no limit on how often users access files from unknown sources, so the user experience is good.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a network terminal security threat early warning method, a network terminal security threat early warning system and a network terminal management device.
Background
When using network services, network terminals often suffer information security threats from external networks, such as vulnerability exploitation attacks, ransomware attacks and virus attacks. Existing means of coping with network terminal security threats include: (1) monitoring all network terminals in real time and judging that a risk may exist if large-volume abnormal access is found; (2) preventing unauthorized data access and stopping users from casually opening files or links from unknown sources; and (3) deploying anti-malware and security programs and keeping them updated in good time.
With these approaches, handling happens only after the security threat has arisen, so the loss it causes cannot be completely avoided, or else users are required to reduce their access to files from unknown sources as far as possible, which greatly degrades the user experience.
Disclosure of Invention
In view of the above problems, it is necessary to provide a method for early warning of security threats of a network terminal to solve or partially solve the above problems, and the technical solution provided by the present invention is as follows:
a network terminal security threat early warning method comprises the following steps:
monitoring network flow data of each network terminal, and finding dangerous terminals;
acquiring the vulnerability conditions and/or behavior data of the dangerous terminal and of the other network terminals in the same community;
and respectively calculating the vulnerability similarity and/or the behavior similarity between the dangerous terminal and each of the other network terminals in the same community, and if the vulnerability similarity between a network terminal and the dangerous terminal reaches a preset first threshold TH1 and/or the behavior similarity reaches a preset second threshold TH2, judging that the network terminal has a security risk.
Further, after the dangerous terminals are found, classifying the network terminals into different communities by using a community discovery algorithm;
or classifying the network terminals into different communities by utilizing a community discovery algorithm according to a preset time interval.
Further, network traffic data of each network terminal is obtained, and when it is determined that the network traffic data contains preset malicious data, the network terminal containing the malicious data is judged to be a dangerous terminal.
Further, the content of dividing each network terminal into different communities by using a community discovery algorithm includes:
the Louvain algorithm, the label propagation algorithm, the connected components algorithm, the strongly connected components algorithm, or the balanced triads algorithm.
Further, the method for dividing each network terminal into different communities by using the community discovery algorithm specifically includes:
extracting preset attribute information from network flow data, wherein the preset attribute information at least comprises a source IP address and a destination IP address;
obtaining the node degree of each network terminal according to preset attribute information, and calculating the number of times of pairwise access of the network terminals;
and if the modularity range value obtained according to the node degrees and the pairwise access times of the two network terminals meets the preset range, judging that the two network terminals belong to the same community.
Further, the content of calculating the vulnerability similarity between the dangerous terminal and each of the other network terminals includes:
respectively generating a vulnerability set for the vulnerability condition of each network terminal according to the vulnerability scanning result;
respectively carrying out intersection processing and union processing on the dangerous terminal and a vulnerability set of a network terminal to obtain a vulnerability intersection set and a vulnerability union set of the dangerous terminal and the network terminal;
and dividing the vulnerability number in the vulnerability intersection set by the vulnerability number in the vulnerability union set to obtain the vulnerability similarity between the dangerous terminal and the network terminal.
Further, when the vulnerability conditions of the dangerous terminal and other network terminals in the same community are obtained, marking the risk level of each vulnerability condition according to a preset rule;
and if the vulnerability similarity obtained between the dangerous terminal and a network terminal is smaller than the difference between the preset first threshold and a preset adjustment value, and the network terminal has a vulnerability of high risk level, judging that the network terminal has a security risk.
Further, the behavior data at least includes behavior dimensions and access habit data for different behavior dimensions, the behavior dimensions at least include all destination IP addresses and source IP addresses within a preset time period, the access habit data at least includes one of access duration, access frequency and flow behavior values, and calculating behavior similarity between the dangerous terminal and each of the other network terminals includes:
calculating the similarity according to a preset rule by using the behavior data of the dangerous terminal and any other network terminal, wherein the preset rule is as follows:
where $A$ and $B$ denote the dangerous terminal and any other network terminal, $n$ the number of behavior-data dimensions, $A_i$ the access habit data value of the dangerous terminal in dimension $i$, $\bar{A}$ the mean of the dangerous terminal's access habit data over all dimensions, $B_i$ the access habit data value of the other network terminal in dimension $i$, and $\bar{B}$ the mean of that terminal's access habit data over all dimensions.
Further, the network terminal security threat early warning method further includes:
when a network terminal has a safety risk, all destination IP addresses and source IP addresses in the log information of the dangerous terminal are judged as dangerous addresses, and the dangerous addresses and the network terminal with the safety risk are prevented from accessing each other by a firewall.
In a second aspect, the present invention also discloses a network terminal management apparatus, including: monitoring module, community discovery module, data acquisition module, security threat early warning module, wherein:
the monitoring module is used for monitoring the network flow data of each network terminal and finding dangerous terminals;
the data acquisition module is used for acquiring the vulnerability conditions and/or behavior data of the dangerous terminal and of the other network terminals in the same community, wherein the behavior data comprises at least all destination IP addresses and source IP addresses within a preset time period and the access habit data for the different destination and source IP addresses, and the access habit data comprises at least one of access duration, access frequency and traffic behavior value;
and the security threat early warning module is used for respectively calculating the vulnerability similarity and/or the behavior similarity between the dangerous terminal and each of the other network terminals in the same community, and if the vulnerability similarity between a network terminal and the dangerous terminal reaches a preset first threshold TH1 and/or the behavior similarity reaches a preset second threshold TH2, judging that the network terminal has a security risk.
In a third aspect, the invention further discloses a network terminal security threat early warning system comprising a network traffic monitoring device, a vulnerability scanning device and the network terminal management device, wherein the network traffic monitoring device acquires the network traffic data of each network terminal and sends them to the network terminal management device, and the vulnerability scanning device scans the network terminals for vulnerability data according to a preset vulnerability library and sends the vulnerability data to the network terminal management device.
Compared with the prior art, the invention has the following beneficial effects. Based on the idea that information security threats spread more easily within an associated network, the invention monitors the network traffic data of each network terminal, and if a dangerous terminal is found, network terminals with a security risk may exist in the community where the dangerous terminal is located. The vulnerability similarity and/or behavior similarity between the dangerous terminal and each of the other network terminals is calculated from the vulnerability conditions and behavior data of all network terminals in the community; if the vulnerability similarity or the behavior similarity is high, the network terminal can be considered to share the dangerous terminal's characteristics and to be prone to the same security risk. Therefore, if the vulnerability similarity between a network terminal and the dangerous terminal reaches the preset first threshold and/or the behavior similarity reaches the preset second threshold, the network terminal is judged to have a security risk and a security threat early warning is issued for it.
After dangerous terminals are found, the method and system can give early warning of whether the other network terminals have security risks, reducing the loss caused by security threats in the network, and they place no limit on how often users access files from unknown sources, so the user experience is good.
Drawings
Fig. 1 is a schematic flowchart of a network terminal security threat early warning method according to a first embodiment of the present invention;
fig. 2 is a schematic flowchart of a method for dividing each network terminal into different communities according to a first embodiment of the present invention;
fig. 3 is a schematic diagram of a node degree concept of a network terminal according to a first embodiment of the present invention;
fig. 4 is a flowchart illustrating a method for calculating vulnerability similarity between a dangerous terminal and each of the other network terminals according to a first embodiment of the present invention;
fig. 5 is a schematic structural diagram of a network terminal security threat early warning system according to a second embodiment of the present invention;
fig. 6 is a schematic structural diagram of a network terminal management apparatus according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Example one
In some embodiments, a network terminal security threat early warning method, as shown in fig. 1, includes the following steps:
and S01, monitoring the network flow data of each network terminal and finding dangerous terminals.
In this embodiment, a network terminal may be a server or a client, and may be a PC or a mobile terminal device. These network terminals are managed mainly by a network terminal management device, and their network traffic data are monitored with a hardware probe, a traffic mirror analyzer, or an SNMP (Simple Network Management Protocol) based traffic analyzer. Specifically, a hardware probe is connected in series into the link whose traffic is to be captured, and the traffic data are obtained by splitting off the digital signal on the link. Traffic mirror analysis mirrors the traffic of a given link of the network terminal to a protocol analyzer and monitors the network traffic by decoding protocols at all seven layers. SNMP-based traffic analysis is essentially a test instrument that collects certain device- and traffic-related variables by reading the MIB (Management Information Base) exposed by the network device's agent.
Log information is generated from the network traffic data obtained by monitoring, and a preset alarm library and a feature library (mainly features of malicious attack types) are used to judge whether the log information contains preset malicious data such as traffic alarms, data traffic feature value alarms, malicious behavior, malicious domain names and malicious alarms; if it does, the network terminal is judged to be a dangerous terminal. The log information generally includes at least the source IP address, destination IP address, source port, destination port, communication protocol and various kinds of alarm information.
And S02, dividing each network terminal into different communities by using a community discovery algorithm.
It is understood that the order of steps S01 and S02 may be exchanged, or the two may even be performed simultaneously; the purpose is to find the other network terminals highly associated with the dangerous terminal. For example, after a dangerous terminal is found, the network terminals may be divided into different communities by the community discovery algorithm; or the network terminals may be divided into communities by the community discovery algorithm at preset time intervals, after which steps S01, S03 and S04 are executed. If the network terminals access each other frequently, so that community discovery easily yields different results over time, it is generally recommended to divide the network terminals into communities only after a dangerous terminal has been discovered.
Based on the idea that information security threats spread more easily within an associated network, the network terminals are divided into different communities by a community discovery algorithm, and the other network terminals in the dangerous terminal's community carry a higher risk of the same security threat. The community discovery algorithm may be the Louvain algorithm, the label propagation algorithm, the connected components algorithm, the strongly connected components algorithm, or the balanced triads algorithm.
The Louvain algorithm is a modularity-based community discovery algorithm that is more efficient and effective than the common modularity algorithms and can discover a hierarchical community structure; its optimization goal is to maximize the modularity of the whole graph. The modularity Q is a measure of the quality of a community partition; physically it is the difference between the total weight of the edges connecting nodes within a community and the total weight expected under random conditions. Its value range is [-1/2, 1), and it is defined by the following formula (1):
where $k_i$ and $k_j$ are the degrees of nodes $i$ and $j$, $A_{ij}$ is the number of pairwise accesses between the two network terminals (counting both directions, $i$ accessing $j$ and $j$ accessing $i$), $m$ is the sum of the weights of the connecting edges between nodes, and $\delta(c_i, c_j)$ indicates whether nodes $i$ and $j$ are in the same community: $\delta(c_i, c_j) = 1$ if they are, otherwise $0$.
In this embodiment, as shown in fig. 2, dividing each network terminal into different communities by using the venturi algorithm specifically includes:
S021, extracting preset attribute information from the log information of each network terminal, where the preset attribute information includes at least the source IP address and the destination IP address. Of course, in some embodiments, the source port and destination port may also be used.
S022, obtaining the node degree of each network terminal according to the preset attribute information, and calculating the number of times of pairwise access of the network terminals.
The node degree of a network terminal is the number of edges associated with it, and the pairwise access count of two network terminals must count accesses in both directions.
Referring to fig. 3, there are four nodes a, b, c, d, and e, the access direction is shown by an arrow, the node degree of the node a is 4, and the node degree of the node b is 3.
S023, if the modularity range value obtained according to the node degrees and the access times of two network terminals satisfies the preset range, it is determined that the two network terminals belong to the same community.
The node degrees of each network terminal in the step S022 are ki and kj in the formula (1), and the number of times of pairwise access of the network terminals is Aij in the formula (1). The clustering effect is better when the range of the general modularity Q is 0.3-0.7. The larger the modularity Q value is, the stronger the relevance of the two network terminals is, and the more the same community is favored.
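The community-division step above (S021 to S023), as an added example that is not part of the patent: this Python builds the pairwise access counts A_ij and degrees k_i from constructed source/destination IP pairs, evaluates the standard Newman modularity Q (the patent's own formula (1) is not reproduced on this page, but its symbols match), and runs a single-level Louvain-style local-move pass so the terminals sharing a dangerous terminal's community can be listed. The sample IPs and function names are assumptions.

```python
from collections import defaultdict

# Constructed access log: (source IP, destination IP) pairs as extracted from
# log information in step S021. Two groups of terminals talk mostly among
# themselves, with a single cross-group access.
ACCESS_LOG = [
    ("10.0.0.1", "10.0.0.2"), ("10.0.0.2", "10.0.0.1"), ("10.0.0.1", "10.0.0.3"),
    ("10.0.0.3", "10.0.0.2"), ("10.0.0.2", "10.0.0.3"),
    ("10.0.1.1", "10.0.1.2"), ("10.0.1.2", "10.0.1.3"), ("10.0.1.3", "10.0.1.1"),
    ("10.0.1.1", "10.0.1.3"),
    ("10.0.0.3", "10.0.1.1"),
]


def pairwise_access_counts(log):
    """A_ij of step S022: accesses between two terminals, both directions counted."""
    counts = defaultdict(int)
    for src, dst in log:
        if src != dst:                      # a terminal talking to itself adds no edge
            counts[tuple(sorted((src, dst)))] += 1
    return dict(counts)


def node_degrees(counts):
    """k_i of step S022: weighted degree, i.e. the accesses a terminal took part in."""
    degree = defaultdict(int)
    for (i, j), weight in counts.items():
        degree[i] += weight
        degree[j] += weight
    return dict(degree)


def modularity(counts, community):
    """Newman modularity Q = (1/2m) * sum_ij [A_ij - k_i k_j / 2m] * delta(c_i, c_j).

    Standard definition whose symbols the patent text describes; the patent's own
    formula (1) is not reproduced on the page.
    """
    degree = node_degrees(counts)
    two_m = 2 * sum(counts.values())        # 2m: every access is counted from both ends
    q = 0.0
    for i in degree:
        for j in degree:
            if community[i] != community[j]:
                continue                    # delta(c_i, c_j) = 0
            a_ij = counts.get(tuple(sorted((i, j))), 0) if i != j else 0
            q += a_ij - degree[i] * degree[j] / two_m
    return q / two_m


def greedy_communities(counts, max_rounds=20):
    """Single-level Louvain-style local moving for step S023.

    Every terminal starts in its own community; a terminal moves to a neighbour's
    community whenever that raises Q, until a full round makes no move. Q is
    recomputed in full each time: fine for a small intranet, not at scale.
    """
    community = {node: idx for idx, node in enumerate(node_degrees(counts))}
    neighbours = defaultdict(set)
    for i, j in counts:
        neighbours[i].add(j)
        neighbours[j].add(i)
    for _ in range(max_rounds):
        moved = False
        for node in list(community):
            current = community[node]
            best_q, best_c = modularity(counts, community), current
            for candidate in {community[n] for n in neighbours[node]} - {current}:
                community[node] = candidate
                q = modularity(counts, community)
                if q > best_q + 1e-12:
                    best_q, best_c = q, candidate
            community[node] = best_c
            moved = moved or best_c != current
        if not moved:
            break
    return community


def same_community_members(community, terminal):
    """Input to step S03: the other terminals sharing the dangerous terminal's community."""
    return sorted(n for n, c in community.items()
                  if c == community[terminal] and n != terminal)


if __name__ == "__main__":
    counts = pairwise_access_counts(ACCESS_LOG)
    partition = greedy_communities(counts)
    print("Q =", round(modularity(counts, partition), 3))
    print("peers of 10.0.0.1:", same_community_members(partition, "10.0.0.1"))
```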
And S03, acquiring the vulnerability conditions and/or behavior data of the dangerous terminal and of the other network terminals in the same community.
Vulnerability scanning refers to detecting the security vulnerability of a specified computer system by means of scanning and the like based on a vulnerability database to find available vulnerabilities. The existing vulnerability scanning tool can be directly utilized to obtain the vulnerability conditions of the dangerous terminal and other network terminals in the same community. Common vulnerabilities are:
Oracle MySQL remote security vulnerability (CVE-2016-…). For convenience of description, the vulnerabilities in the following text are denoted Bug1, Bug2, ……
The behavior data at least comprises behavior dimensions and access habit data aiming at different behavior dimensions, and can be obtained according to log information. The behavior dimension at least comprises all destination IP addresses and source IP addresses in a preset time period, and the access habit data at least comprises one of access duration, access frequency and flow behavior values. In practical applications, since there are generally many destination IP addresses and source IP addresses involved, it is preferable to classify the types of the various IP addresses and count the access habit data according to the address types. For example, each IP address is divided into: protocol classes (e.g., http, UDP, TCP), application classes (e.g., social, content, game, tool, platform), etc. Of course, the access habit data of the http protocol, the UDP protocol, and the TCP protocol may be counted separately. In addition, the behavior data dimension may also include access time, such as access time divided into 0-12 hours, 13-24 hours, or divided by weekday, holiday, etc.
In some embodiments, the behavior data may be as shown in table 1, with specific IP address types and access times in the horizontal direction and corresponding access habit data in the vertical direction.
TABLE 1
S04, calculating the vulnerability similarity and/or behavior similarity between the dangerous terminal and each of the other network terminals in the same community, and if the vulnerability similarity between a network terminal and the dangerous terminal reaches a preset first threshold TH1 and/or the behavior similarity reaches a preset second threshold TH2, judging that the network terminal has a security risk.
Specifically, with reference to fig. 4, the content of calculating the vulnerability similarity between the dangerous terminal and each of the other network terminals includes:
and S041, respectively generating a vulnerability set according to the vulnerability scanning result and the vulnerability condition of each network terminal.
And discovering the vulnerability data of each network terminal by means of scanning and the like based on a preset vulnerability database. For example, if a dangerous terminal a is found, and a network terminal B and a network terminal C exist in the same community, the generated vulnerability set is:
the vulnerability set of the dangerous terminal A is U1 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug6};
the vulnerability set of the network terminal B is U2 = {Bug1, Bug2, Bug6, Bug7, Bug8, Bug9};
the vulnerability set of the network terminal C is U3 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug7}.
And S042, performing intersection processing and union processing on the dangerous terminal and the vulnerability set of a network terminal respectively to obtain the vulnerability intersection set and vulnerability union set of the dangerous terminal and the network terminal.
Intersection and union of the vulnerability set of the dangerous terminal A and that of the network terminal B give the vulnerability intersection J1 = {Bug1, Bug2} and the vulnerability union J'1 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug6, Bug7, Bug8, Bug9}.
Intersection and union of the vulnerability set of the dangerous terminal A and that of the network terminal C give the vulnerability intersection J2 = {Bug1, Bug2, Bug3, Bug4, Bug5} and the vulnerability union J'2 = {Bug1, Bug2, Bug3, Bug4, Bug5, Bug6, Bug7, Bug8, Bug9}.
And S043, dividing the vulnerability number in the vulnerability intersection set by the vulnerability number in the vulnerability union set to obtain the vulnerability similarity between the dangerous terminal and the network terminal.
The vulnerability similarity between the dangerous terminal A and the network terminal B is |J1| / |J'1| = 2/9 ≈ 22.2%;
the vulnerability similarity between the dangerous terminal A and the network terminal C is |J2| / |J'2| = 5/9 ≈ 55.6%.
If the preset first threshold TH1 is 50%, it is determined that the vulnerability similarity between the network terminal C and the dangerous terminal a is high, the risk that the network terminal C is attacked by the vulnerability is large, and a safety hazard early warning needs to be performed on the network terminal C.
In other embodiments, extensive experiments may show that the similarity between a network terminal and the dangerous terminal sometimes does not reach the preset first threshold TH1, yet if the network terminal has a high-risk vulnerability it generally still carries a great security risk; the similarity threshold therefore needs to be combined with the vulnerability risk level to judge the terminal's risk. Specifically, when the vulnerability conditions of the dangerous terminal and the other network terminals in the same community are obtained in step S03, the risk level of each vulnerability is also marked according to a preset rule. If the vulnerability similarity between the dangerous terminal and a network terminal obtained in step S043 is smaller than the difference between the preset first threshold TH1 and a preset adjustment value a, that is, vulnerability similarity < (TH1 - a), for example with a = 5%, and the vulnerabilities present on the network terminal include a pre-marked high-risk vulnerability, the network terminal is also judged to have a security risk and a security threat early warning is issued for it.
The behavior similarity between the dangerous terminal and each of the other network terminals in the same community is calculated as follows: the similarity is computed from the behavior data of the dangerous terminal and any other network terminal according to a preset rule, formula (2), namely the covariance $\mathrm{cov}(A,B)$ of the two terminals' behavior values divided by the product $\sigma_A \sigma_B$ of their standard deviations:

$$\text{similarity}(A,B) = \frac{\mathrm{cov}(A,B)}{\sigma_A\,\sigma_B} = \frac{\sum_{i=1}^{n}(A_i-\bar{A})(B_i-\bar{B})}{\sqrt{\sum_{i=1}^{n}(A_i-\bar{A})^2}\,\sqrt{\sum_{i=1}^{n}(B_i-\bar{B})^2}} \qquad (2)$$

where $A$ and $B$ denote the dangerous terminal and any other network terminal, $n$ the number of behavior-data dimensions, $A_i$ the access habit data value of the dangerous terminal in dimension $i$, $\bar{A}$ the mean of the dangerous terminal's access habit data over all dimensions, $B_i$ the access habit data value of the other network terminal in dimension $i$, and $\bar{B}$ the mean of that terminal's access habit data over all dimensions.
Specifically, taking the behavior data in table 1 as an example, assume table 1 holds one week of behavior data of the dangerous terminal A over the 10 dimensions "http", "UDP", "TCP", "social", "content", "game", "tool", "platform", "day" and "night", 8 of which relate to the IP address type and 2 to the access time period, so $n = 10$ in formula (2). $A_i$ is the access duration of the dangerous terminal for accesses to and from the above 8 IP address types and 2 access periods, $\bar{A}$ the average of its access durations over all destination and source IP address types, $B_i$ the access duration of any other terminal for the same 8 IP address types and 2 access periods, and $\bar{B}$ that terminal's average access duration over all destination and source IP address types. That is, in one week the dangerous terminal A accessed the HTTPS website for 12 min (recorded as $A_1$), the UDP website for 20 min (recorded as $A_2$), …, and websites at night for 50 min (recorded as $A_{10}$).
Similarly, the access durations $B_i$ of the network terminal B in the above 10 dimensions and its average access duration $\bar{B}$ are obtained. Substituting $A_i$, $B_i$, $\bar{A}$ and $\bar{B}$ into formula (2) gives the behavior similarity between the dangerous terminal A and the network terminal B; if it reaches the preset second threshold TH2, the network terminal B is judged to have a security risk and a security threat early warning is issued for it.
In order to improve the judgment accuracy, similarity calculation can be performed on the dangerous terminal and any network terminal based on the access time length, the access frequency and the flow behavior value, if the similarity of at least two behaviors can reach a preset second threshold value, the risk of the network terminal is judged, safety threat early warning is performed on the network terminal, and the adopted safety hazard early warning means can comprise popping up an early warning window, voice broadcasting and the like.
Because relevant workers may not be in the site and cannot take corresponding safety measures in time during safety threat early warning, preferably when a network terminal has safety risks, all destination IP addresses and source IP addresses in log information of the dangerous terminal are judged as dangerous addresses, a firewall is utilized to temporarily prevent the dangerous addresses and the network terminal with the safety risks from accessing each other, and the network terminal is guaranteed not to be attacked as maliciously as the dangerous terminal as far as possible until the workers repair the safety risks. For example, when the destination IP1, the destination IP2, the destination IP3, the source IP1, the source IP2, and the source IP3 are recorded in the log information of the dangerous terminal a, the network terminal B and the network terminals corresponding to the destination IP1, the destination IP2, the destination IP3, the source IP1, the source IP2, and the source IP3 are prevented from accessing each other by the firewall.
In practical application, a network terminal can be judged to be at risk as soon as either its vulnerability similarity or its behavior similarity with the dangerous terminal meets the preset threshold. If the early warning accuracy is to be improved as much as possible, the network terminal can instead be judged to be at risk only when both its vulnerability similarity and its behavior similarity with the dangerous terminal meet the preset thresholds at the same time.
The invention monitors the network traffic data of each network terminal based on the idea that an information security threat spreads more easily within an associated network: if a dangerous terminal is found, network terminals with a security risk may exist in the community where the dangerous terminal is located. The vulnerability similarity or/and behavior similarity between the dangerous terminal and each of the other network terminals is calculated from the vulnerability conditions and behavior data of all the network terminals in the community. If the vulnerability similarity or the behavior similarity is high, the network terminal and the dangerous terminal can be considered to share the same characteristics and to be prone to the same security risks; therefore, if the vulnerability similarity between the network terminal and the dangerous terminal reaches the preset first threshold TH1 or/and the behavior similarity reaches the preset second threshold TH2, the network terminal is judged to have a security risk and a security threat early warning is issued for it.
The method and the system can early warn whether the other network terminals have safety risks or not after the dangerous terminals are found, can reduce the loss caused by safety threats in the network, and have no limitation on the frequency of accessing the position source files by the user, thereby having good user experience.
Example two
As shown in fig. 5, a network terminal security threat early warning system includes a plurality of network traffic monitoring devices 300, a vulnerability scanning device 200, a network terminal management device 100, and a firewall 400, and the whole network terminal security threat early warning system belongs to an intranet. The network traffic monitoring device 300 is configured to obtain network traffic data of each network terminal and send the network traffic data to the network terminal management device 100, and the network traffic monitoring device 300 may be a hardware probe, a traffic mirror analyzer, or a traffic analyzer based on a simple network management protocol. The vulnerability scanning device 200 is used for scanning vulnerability data of the network terminal according to a preset vulnerability database and sending the vulnerability data to the network terminal management device 100. The network terminal management apparatus 100 can also control the operation of the firewall 400 and restrict access behavior.
The network terminal management device 100 can receive network traffic data sent by the network traffic monitoring device, and analyze the network traffic data according to a preset rule to determine whether the network terminal is a dangerous terminal; whether a network terminal with a security risk still exists in the network topology can be judged according to the condition of the dangerous terminal, and security threat early warning is carried out before the network terminal is attacked, so that loss caused by security threat in the network is reduced.
Specifically, referring to fig. 6, a network terminal management apparatus 100 includes a monitoring module 10, a community discovery module 20, a data acquisition module 30, and a security threat early warning module 40, where:
and the monitoring module 10 is used for monitoring network traffic data of each network terminal and finding dangerous terminals.
The monitoring module 10 is used for connecting with an external network traffic monitoring device, and is used for acquiring network traffic data sent by the external network traffic monitoring device, generating log information, and analyzing the network traffic data according to a preset rule to determine whether the network terminal is a dangerous terminal.
And a community discovery module 20, configured to divide the network terminals into different communities by using a community discovery algorithm.
Based on the idea that the information security threat is easier to spread in the associated network, each network terminal is divided into different communities by using a community discovery algorithm, and the risk of the security threat existing in other network terminals in the communities is higher. The community discovery algorithm mainly comprises a Venturi algorithm, or a label propagation algorithm, or a connected component algorithm, or a strongly connected component, or a balanced triangulation algorithm. The community discovery module 20 may classify each network terminal into different communities by using a community discovery algorithm after the monitoring module 10 discovers a dangerous terminal, and transmit the classification result of the communities to the data acquisition module 30. Or when the monitoring module 10 works normally, all the network terminals may be classified into different communities according to a preset time interval by using a community discovery algorithm, and the latest community classification result may be sent to the data acquisition module 30 only after the monitoring module 10 discovers a dangerous terminal.
And the data acquisition module 30 is configured to acquire vulnerability statuses or/and behavior data of the dangerous terminal and other network terminals in the same community.
Vulnerability scanning refers to detecting the security vulnerability of a specified computer system by means of scanning and the like based on a vulnerability database to find available vulnerabilities. The existing vulnerability scanning tool can be directly utilized to obtain the vulnerability conditions of the dangerous terminal and other network terminals in the same community.
The behavior data at least includes behavior dimensions and access habit data for different behavior dimensions, and can be directly obtained from log information in the monitoring module 10. The behavior dimension at least comprises all destination IP addresses and source IP addresses in a preset time period, and the access habit data at least comprises one of access duration, access frequency and flow behavior values. In practical applications, since the destination IP addresses to be accessed are generally many, it is preferable to classify the types of the destination IP addresses and count the access habit data according to the address types. For example, the destination IP address is divided into: protocol classes (e.g., http, UDP, TCP), application classes (e.g., social, content, game, tool, platform), etc. Of course, the access habit data of the http protocol, the UDP protocol, and the TCP protocol may be counted separately. In addition, the behavior data may also include access times, such as access times divided into 0-12 hours, 13-24 hours, or divided by weekday, holiday, etc.
And the security threat early warning module 40 is configured to calculate vulnerability similarity or/and behavior similarity between the dangerous terminal and each of the other network terminals in the same community, determine that a security risk exists in the network terminal if the vulnerability similarity between the network terminal and the dangerous terminal reaches a preset first threshold TH1 or/and the behavior similarity reaches a preset second threshold TH2, and perform security threat early warning on the network terminal. The safety hazard early warning means that can be adopted can include popping up an early warning window, voice broadcasting and the like.
Specifically, referring to fig. 3, the content of calculating the vulnerability similarity between the dangerous terminal and each of the other network terminals by the security threat early warning module 40 includes:
and S041, respectively generating a vulnerability set according to the vulnerability scanning result and the vulnerability condition of each network terminal.
For example, a dangerous terminal a is found, and a network terminal B and a network terminal C exist in the same community, wherein a vulnerability set U1 of the dangerous terminal is { Bug1, Bug2, Bug3, Bug4, Bug5, Bug6 };
the vulnerability set U2 of the network terminal B is { Bug1, Bug2, Bug6, Bug7, Bug8, Bug9 };
the vulnerability set U3 of the network terminal C is { Bug1, Bug2, Bug3, Bug4, Bug5, Bug7 }.
And S042, performing intersection processing and union processing on the dangerous terminal and the vulnerability set of a network terminal respectively to obtain the vulnerability intersection set and vulnerability union set of the dangerous terminal and the network terminal.
Intersection processing and union processing are carried out on the vulnerability set of the dangerous terminal A and the vulnerability set of the network terminal B, giving the vulnerability intersection set J1 = { Bug1, Bug2 } and the vulnerability union set J'1 = { Bug1, Bug2, Bug3, Bug4, Bug5, Bug6, Bug7, Bug8, Bug9 }.
Intersection processing and union processing are carried out on the vulnerability set of the dangerous terminal A and the vulnerability set of the network terminal C, giving the vulnerability intersection set J2 = { Bug1, Bug2, Bug3, Bug4, Bug5 } and the vulnerability union set J'2 = { Bug1, Bug2, Bug3, Bug4, Bug5, Bug6, Bug7, Bug8, Bug9 }.
And S043, dividing the vulnerability number in the vulnerability intersection set by the vulnerability number in the vulnerability union set to obtain the vulnerability similarity between the dangerous terminal and the network terminal.
The vulnerability similarity between the dangerous terminal A and the network terminal B is |J1| / |J'1| = 2/9 = 22.2%;
the vulnerability similarity between the dangerous terminal A and the network terminal C is |J2| / |J'2| = 5/9 = 55.6%.
If the preset first threshold TH1 is 50%, it is determined that the vulnerability similarity between the network terminal C and the dangerous terminal a is high, the risk that the network terminal C is attacked by the vulnerability is large, and a safety hazard early warning needs to be performed on the network terminal C.
In other embodiments, it may be found through a lot of experiments that the similarity between the network terminal and the dangerous terminal sometimes does not reach the preset first threshold TH1, but if the network terminal has a high-risk vulnerability, the network terminal generally has a great security risk, and therefore the similarity threshold needs to be combined with the vulnerability risk level to determine the risk of the network terminal. Specifically, when the security threat early warning module 40 obtains the vulnerability conditions of the dangerous terminal and the rest of network terminals in the same community, the security threat early warning module is further used for marking the risk level of each vulnerability condition according to a preset rule. If the obtained vulnerability similarity between the dangerous terminal and a certain network terminal is smaller than the difference value between a preset first threshold value TH1 and a preset adjustment value a, namely the vulnerability similarity is less than (TH1-a), for example, a is 5%, and the vulnerability existing in the network terminal is a pre-marked high-risk vulnerability, then the network terminal is also judged to have a security risk, and security threat early warning needs to be performed on the network terminal.
The content of the security threat early warning module 40 calculating the behavior similarity between the dangerous terminal and the other network terminals in the same community includes: calculating the similarity according to a preset rule from the behavior data of the dangerous terminal and any other network terminal, where the preset rule is formula (2), namely the covariance $\mathrm{cov}(A,B)$ of the behavior values of the dangerous terminal and the network terminal divided by the product $\sigma_A \sigma_B$ of the standard deviations of their behavior values:

$$\mathrm{sim}(A,B) = \frac{\mathrm{cov}(A,B)}{\sigma_A \sigma_B} = \frac{\sum_{i=1}^{n}(A_i-\bar{A})(B_i-\bar{B})}{\sqrt{\sum_{i=1}^{n}(A_i-\bar{A})^2}\,\sqrt{\sum_{i=1}^{n}(B_i-\bar{B})^2}} \quad (2)$$

Here A and B represent the dangerous terminal and any other network terminal respectively, n the number of behavior dimensions, $A_i$ the access habit data value of the dangerous terminal in behavior dimension i, $\bar{A}$ the mean of the dangerous terminal's access habit data over all dimensions, $B_i$ the access habit data value of the other network terminal in behavior dimension i, and $\bar{B}$ the mean of that terminal's access habit data over all dimensions.
Specifically, take the behavior data in Table 1 as an example and assume Table 1 is the behavior data of the dangerous terminal A over one week. It has 10 dimensions, "http", "UDP", "TCP", "social", "content", "game", "tool", "platform", "day" and "night", of which 8 relate to IP addresses and 2 to access time periods, so n in formula (2) is 10. $A_i$ is the access duration for which the dangerous terminal accesses, or is accessed from, each of the above 8 IP address classes and 2 access periods, $\bar{A}$ the average of the dangerous terminal's access durations over each destination and source IP address, $B_i$ the corresponding access duration of any other terminal for the 8 IP address classes and 2 access periods, and $\bar{B}$ the average of that terminal's access durations over each destination and source IP address. That is, the dangerous terminal A accesses http websites for 12 min (denoted A1), UDP websites for 20 min (denoted A2), …, and websites in the evening for 50 min (denoted A10);
similarly, the access duration $B_i$ of the network terminal B in each of the above 10 dimensions and its average access duration $\bar{B}$ can be obtained. Substituting $A_i$, $B_i$, $\bar{A}$ and $\bar{B}$ into formula (2) gives the behavior similarity between the dangerous terminal A and the network terminal B; if the behavior similarity reaches the preset second threshold TH2, the network terminal is judged to have a security risk and a security threat early warning is issued for it.
In some embodiments, the network terminal management apparatus 100 further includes a processing module 50, where the processing module 50 is configured to determine all destination IP addresses and source IP addresses in the log information of the dangerous terminal as dangerous addresses when the security threat early warning module 40 determines that the network terminal has a security risk, and temporarily prevent, by using a firewall, the dangerous addresses and the network terminal having the security risk from accessing each other, so as to ensure that the network terminal is not attacked as maliciously as the dangerous terminal.
For a specific work flow of the network terminal management device 100, reference may be made to embodiment one, and details are not described herein.
The method and the system can early warn whether the other network terminals have safety risks or not after the dangerous terminals are found, can reduce the loss caused by safety threats in the network, and have no limitation on the frequency of accessing the position source files by the user, thereby having good user experience.
In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification of the claims is intended to mean a "non-exclusive or".
Claims (8)
1. A network terminal security threat early warning method is characterized by comprising the following steps:
monitoring network flow data of each network terminal, and finding dangerous terminals;
classifying the network terminals into different communities by utilizing a community discovery algorithm;
acquiring vulnerability conditions or/and behavior data of the dangerous terminal and other network terminals in the same community;
marking risk levels of all vulnerability conditions according to preset rules, and classifying behavior data; respectively calculating vulnerability similarity and/or behavior similarity of various behavior data of the dangerous terminal and other network terminals in the same community;
if the obtained vulnerability similarity between the dangerous terminal and a network terminal is smaller than the difference between a preset first threshold and a preset adjustment value, and a vulnerability with a high risk level exists in the network terminal, judging that the network terminal has a security risk; or, if the similarities of at least two behaviors reach a preset second threshold, judging that the network terminal has a risk.
2. The network terminal security threat early warning method of claim 1, wherein the monitoring of the network traffic data of each network terminal and the discovery of the dangerous terminal specifically comprises:
the method comprises the steps of obtaining network flow data of each network terminal, and judging the network terminal containing malicious data to be a dangerous terminal when the network flow data contain preset malicious data.
3. The network terminal security threat early warning method of claim 1, wherein the dividing each network terminal into different communities by using a community discovery algorithm specifically comprises:
extracting preset attribute information from network traffic data, wherein the preset attribute information at least comprises a source IP address and a destination IP address;
obtaining the node degree of each network terminal according to preset attribute information, and calculating the number of times of pairwise access of the network terminals;
and if the modularity range value obtained according to the node degrees and the access times of every two network terminals meets the preset range, judging that the two network terminals belong to the same community.
4. The network terminal security threat early warning method of claim 1, wherein calculating vulnerability similarities of the dangerous terminal and the rest of the network terminals specifically comprises:
respectively generating a vulnerability set for the vulnerability condition of each network terminal according to the vulnerability scanning result;
respectively carrying out intersection processing and union processing on the dangerous terminal and a vulnerability set of a network terminal to obtain a vulnerability intersection set and a vulnerability union set of the dangerous terminal and the network terminal;
and dividing the vulnerability number in the vulnerability intersection set by the vulnerability number in the vulnerability union set to obtain the vulnerability similarity between the dangerous terminal and the network terminal.
5. The network terminal security threat early warning method of claim 1, wherein the behavior data at least includes behavior dimensions and access habit data for different behavior dimensions, the behavior dimensions at least include all destination IP addresses and source IP addresses within a preset time period, the access habit data at least includes one of access duration, access frequency and flow behavior values, and calculating the behavior similarity of the dangerous terminal and each of the other network terminals includes:
calculating the similarity according to a preset rule by using the behavior data of the dangerous terminal and any other network terminal, wherein the preset rule is as follows:
where A and B represent the dangerous terminal and any other network terminal respectively, n the number of behavior dimensions, $A_i$ the access habit data value of the dangerous terminal in behavior dimension i, $\bar{A}$ the mean of the dangerous terminal's access habit data over all dimensions, $B_i$ the access habit data value of the other network terminal in behavior dimension i, and $\bar{B}$ the mean of that terminal's access habit data over all dimensions.
6. The network terminal security threat early warning method of claim 1, wherein the network terminal security threat early warning method further comprises:
when a network terminal has a safety risk, all destination IP addresses and source IP addresses in dangerous terminal log information are judged as dangerous addresses, a firewall is used for preventing the dangerous addresses and the network terminal from accessing each other, and the log information is generated by network flow data of the network terminal.
7. A network terminal management device, characterized by comprising a monitoring module, a data acquisition module and a security threat early warning module, wherein:
the monitoring module is used for monitoring the network flow data of each network terminal and finding dangerous terminals;
the community discovery module is used for dividing each network terminal into different communities by utilizing a community discovery algorithm;
the data acquisition module is used for acquiring the vulnerability conditions or/and behavior data of the dangerous terminal and other network terminals in the same community, marking risk levels according to preset rules for each vulnerability condition and classifying the behavior data;
the security threat early warning module is used for respectively calculating the vulnerability similarity of the dangerous terminal and other network terminals in the same community and/or the behavior similarity of various behavior data; if the obtained vulnerability similarity between the dangerous terminal and a network terminal is smaller than the difference value between a preset first threshold value and a preset adjusting value, and a vulnerability with high risk level exists in the network terminal, judging that the network terminal has a safety risk; or, if the similarity of at least two behaviors can reach a preset second threshold, judging that the network terminal has a risk.
8. A network terminal security threat early warning system is characterized by comprising a network flow monitoring device, a vulnerability scanning device and the network terminal management device according to claim 7, wherein the network flow monitoring device is used for acquiring network flow data of each network terminal and sending the network flow data to the network terminal management device, and the vulnerability scanning device is used for scanning vulnerability data of the network terminals according to a preset vulnerability library and sending the vulnerability data to the network terminal management device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011411519.0A CN112653669B (en) | 2020-12-04 | 2020-12-04 | Network terminal security threat early warning method, system and network terminal management device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112653669A CN112653669A (en) | 2021-04-13 |
CN112653669B true CN112653669B (en) | 2022-08-12 |
Family
ID=75350248
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011411519.0A Active CN112653669B (en) | 2020-12-04 | 2020-12-04 | Network terminal security threat early warning method, system and network terminal management device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112653669B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113411302B (en) * | 2021-05-11 | 2023-04-18 | 银雁科技服务集团股份有限公司 | Network security early warning method and device for local area network equipment |
CN113987515B (en) * | 2021-11-02 | 2022-04-01 | 长春嘉诚信息技术股份有限公司 | Vulnerability threat discovery method and system based on intelligent matching |
CN116112930A (en) * | 2021-11-11 | 2023-05-12 | 华为技术有限公司 | Method for obtaining security grading result and communication device |
CN114598513B (en) * | 2022-02-24 | 2023-08-01 | 烽台科技(北京)有限公司 | Industrial control threat event response method and device, industrial control equipment and medium |
CN114598514A (en) * | 2022-02-24 | 2022-06-07 | 烽台科技(北京)有限公司 | Industrial control threat detection method and device |
CN116455672B (en) * | 2023-05-25 | 2023-12-01 | 南京天谷电气科技有限公司 | New energy station network security monitoring and early warning system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105868638A (en) * | 2016-03-23 | 2016-08-17 | 南京中科龙脉物联网技术有限公司 | Intelligent terminal vulnerability mining and malicious behavior detection method |
CN107438050A (en) * | 2016-05-26 | 2017-12-05 | 北京京东尚科信息技术有限公司 | Identify the method and system of the potential malicious user of website |
US9998484B1 (en) * | 2016-03-28 | 2018-06-12 | EMC IP Holding Company LLC | Classifying potentially malicious and benign software modules through similarity analysis |
US10116680B1 (en) * | 2016-06-21 | 2018-10-30 | Symantec Corporation | Systems and methods for evaluating infection risks based on profiled user behaviors |
CN111565390A (en) * | 2020-07-16 | 2020-08-21 | 深圳市云盾科技有限公司 | Internet of things equipment risk control method and system based on equipment portrait |
CN111767571A (en) * | 2020-06-25 | 2020-10-13 | 物鼎安全科技(武汉)有限公司 | Detection method for medical data leakage |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10033752B2 (en) * | 2014-11-03 | 2018-07-24 | Vectra Networks, Inc. | System for implementing threat detection using daily network traffic community outliers |
CN107590504A (en) * | 2017-07-31 | 2018-01-16 | 阿里巴巴集团控股有限公司 | Abnormal main body recognition methods and device, server |
CN111091385B (en) * | 2019-12-13 | 2024-02-27 | 南京三百云信息科技有限公司 | Weight-based object identification method and device and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: Network terminal security threat warning method, system and network terminal management device; Effective date of registration: 20230223; Granted publication date: 20220812; Pledgee: Bank of China Limited Wuhan provincial branch; Pledgor: Smart net Anyun (Wuhan) Information Technology Co.,Ltd.; Registration number: Y2023420000071 |