CN114679338A - Network risk assessment method based on network security situation awareness - Google Patents
- Publication number
- CN114679338A (application CN202210577874.8A)
- Authority
- CN
- China
- Prior art keywords
- network
- threat
- analysis
- data
- detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/142—Network analysis or design using statistical or mathematical methods
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Mathematical Optimization (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Pure & Applied Mathematics (AREA)
- Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- General Physics & Mathematics (AREA)
- Algebra (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network risk assessment method based on network security situation awareness. A data acquisition platform collects data from latent threat probes and EDR (endpoint detection and response) agents; a big data analysis platform combines signature detection with behavior detection, using user and entity behavior analytics (UEBA), threat modeling and machine learning, analyzes the collected data and receives threat intelligence; the big data analysis platform then performs a network risk assessment from the analysis results and the received threat intelligence and sends the result to an alarm and control center. The method effectively addresses the difficulty of analyzing security events, the impasse in handling security threats, the growing complexity of network attacks and the difficulty of detecting security problems.
Description
Technical Field
The invention relates to the technical field of networks, in particular to a network risk assessment method based on network security situation awareness.
Background
As network and information systems continue to develop and information-led policing becomes the norm, the volume of data exchanged between information and communication networks and external access units keeps growing, security threats such as network attacks, intrusions, viruses and trojans multiply, and the integrity and security of the information carried on these networks face ever greater challenges. Network risk assessment currently faces the following problems: 1) Security events are hard to analyze and security threat handling is at an impasse. As communication networks keep extending and expanding, the number of devices and service types grows, and the key security devices and service servers in the network generate a large number of security event logs. Security operations staff must work through the console interfaces and alarm windows of many separate products, facing a huge volume of fragmented security information, so their efficiency is very low and the real hazards are hard to find. 2) Network attacks are increasingly complex and security problems are hard to detect.
The development of cloud computing keeps moving IT assets onto virtualized infrastructure; services are created, deleted, queried and changed at a high rate, and the move of IT services to the Internet, the mobile Internet and the public cloud gives attackers more attack vectors, so the security boundary becomes blurred. Traditional defenses still stop at the network and application-system level and give no clear view of asset changes, service access relationships, internal lateral movement, abnormal access or illegal operations; once an attacker breaks through the boundary, they often use a legitimate user identity to penetrate other internal service systems and steal core data. There is therefore a need for a network risk assessment method based on network security situation awareness that solves the above problems.
Disclosure of Invention
The invention aims to provide a network risk assessment method based on network security situation awareness that solves the problems described above: security event analysis is difficult, security threat handling is at an impasse, network attacks are increasingly complex and security problems are hard to detect.
The invention provides a network risk assessment method based on network security situation awareness, comprising the following steps: a data acquisition platform collects data from latent threat probes and EDR (endpoint detection and response) agents; a big data analysis platform combines signature detection with behavior detection, using user and entity behavior analytics (UEBA), threat modeling and machine learning, analyzes the data and receives threat intelligence; the big data analysis platform performs a network risk assessment from the analysis results and the received threat intelligence and sends the result to an alarm and control center. The network risk assessment comprises: selecting indicators from the network performance indicators for the experiment; analyzing them with a Bayesian network, determining the dependency relationships among the indicators and drawing the Bayesian network topology; normalizing the analysis results and the received threat intelligence to obtain a time series of each indicator over a given period, then performing statistical analysis to compute the prior probability and the posterior probability of each indicator; and finally computing the network risk rate and looking up the network risk level at the current moment in a risk level table.
Further, in the step of collecting data from the latent threat probes and EDR, the data comprises the network devices, network services, URLs, IP addresses, port numbers, reassembled sessions, asset identification information, application parsing information, access history, protocol parsing information, attack records and system information in the network. Latent threat probes are deployed at the major aggregation nodes of the municipal network and on bypass (out-of-band) links of the core switches of district and county networks. The latent threat probe separates network-layer and application-layer processing in its software design: an application identification module at the bottom layer classifies the data received on all network interfaces, and a packet-capture driver hands the application-layer packets that need processing up to the application layer; if the application layer fails to process a packet, network-layer forwarding is unaffected. The probe is built on a 64-bit multi-core high-speed hardware platform on which a forwarding plane and a security plane run in parallel, so that several planes are processed concurrently; the compute instructions are designed with lock-free parallel processing so that multiple pipelines are processed simultaneously.
Further, in the step of collecting data from the latent threat probes and EDR, the probe uses a single-pass analysis architecture so that each packet is parsed once and matched once, which raises application-layer efficiency; it separates the network-layer and application-layer planes in its software architecture and lifts data to the application plane with a zero-copy technique, giving unified parsing and unified detection of threat signatures. Using application identification, the probe tags every packet passing through it with an application label via a private protocol at the kernel driver layer; when a packet is lifted to the content-detection plane, the device selects the threat signatures for that application and skips the signatures of unrelated applications (skip-scan). The probe reconstructs and records network communication behavior for forensic analysis by security staff; the reconstructed content comprises TCP session records, web access records, SQL access records, DNS resolution records, file transfer behavior and LDAP login behavior. The probe performs IP fragment reassembly, TCP stream reassembly and application-layer protocol identification and parsing; it holds numerous intrusion attack patterns and malicious-URL monitoring patterns, performs pattern matching and generates events, extracts URL and domain name records, and when a signature event fires records the original packets keyed by five-tuple or two-tuple. The probe uses a regex engine that speeds up regular expression matching.
Further, the big data analysis platform, combining signature and behavior detection with UEBA, threat modeling and machine learning, analyzes the data using context correlation analysis, abnormal protocol analysis, signature detection, illegal access analysis, abnormal behavior detection, access correlation analysis, intelligent linkage analysis, asset detection, security situation analysis, whole-network traffic analysis and attack detection; threat intelligence sources include Silorder threat intelligence, CNVD, CNCERT, VirusTotal, CNNVD, ANVA, Exploit-DB, MAPP and CVE.
Further, the big data analysis platform is also used for asset and service management, which comprises: dividing intranet devices into assets and services according to their function; actively identifying intranet assets and discovering the IP addresses of intranet device assets that have not yet been defined; identifying the IP address, operating system, open ports and transport protocols and applications of each intranet server asset through an asset configuration detail display module; and grouping assets into specific service groups by IP address or address range through the service and asset relationship display module.
Further, the big data analysis platform is used for intranet traffic display, which comprises: displaying the access relationships among users, service systems and the Internet through an access relationship display module, identifying the who, what, where and how of each access relationship; distinguishing users and service systems of different risk levels by color; and graphically displaying, per service asset, the normal access, illegal access, attack behavior and abnormal traffic of the intranet, each in a different color.
Further, the big data analysis platform has a built-in detection and identification knowledge base; the intrusion-prevention vulnerability signatures it covers each carry a Chinese-language description comprising the vulnerability description, vulnerability name, severity level, affected systems, corresponding CVE identifier, reference information and suggested remediation; the knowledge base also has an independent zombie (bot) host identification signature library and a malware identification signature library.
Further, the big data analysis platform collects and analyzes the logs and alarm information of the company's next-generation firewall and endpoint security system, analyzes and correlates them, and for the security risks discovered by its analysis invokes the blocking and killing responses of those protection systems against the security risks and attack code; for third-party security devices that support syslog, the platform provides collection, storage and query services for their logs.
Further, the big data analysis platform presents the security events and attacks of the whole network on a map and in other visualizations through a visualization platform, counting and displaying them by attack event, attack source, attack target, attack type and damage level. The visualization platform supports visualization of whole-network services, presenting the access relationships of all service objects and a graphical view of compromised services; it supports visualization of user-defined service asset management; it supports analysis of the traffic passing through the device and discovery of vulnerabilities in the protected objects; it connects to an external large monitoring screen and shows the assets and the services under attack from the external network on a real-time dynamic map; branch security monitoring shows the security state of branch or supervised organizations as a map topology and ranks their security trends; the security log view aggregates the security logs of all security devices and allows them to be queried and filtered by time, type, severity level, action, region, IP, user, signature/vulnerability ID, response status code, domain name/URL, device name and other conditions; risk details are displayed at user-group granularity together with their impact on service systems; the risky-user view highlights high-risk users and visualizes their risky operations, attack behavior, violations and affected services, classifying them as compromised, high-risk or suspicious users according to certainty; and the risky-service view highlights high-risk services, graphically visualizes effective attacks, tampering and backdoor attack paths against a service, and classifies services as compromised, high-risk or suspicious according to certainty.
Further, the big data analysis platform implements its detection capabilities and big data correlation analysis through an analysis engine comprising a data preprocessing module, a data fusion module, a model construction module, a model fusion module and an analysis result generation module. With MapReduce as the underlying computation framework and MLlib and TensorFlow as the main machine learning frameworks, it implements SVM, Bayesian network, random forest, LDA, DGA detection, Markov clustering, iForest and RNN machine learning algorithms, and supports UEBA, compromised host detection and big data correlation analysis security capabilities.
The invention has the following beneficial effects: it provides a network risk assessment method based on network security situation awareness in which a data acquisition platform collects data from latent threat probes and EDR (endpoint detection and response) agents; a big data analysis platform combines signature detection and behavior detection with UEBA, threat modeling and machine learning, analyzes the data and receives threat intelligence; and the big data analysis platform performs a network risk assessment from the analysis results and the received threat intelligence and sends the result to an alarm and control center. This effectively addresses the difficulty of analyzing security events, the impasse in handling security threats, the growing complexity of network attacks and the difficulty of detecting security problems.
Drawings
FIG. 1 is a flowchart of a network risk assessment method based on network security situation awareness according to the present invention;
FIG. 2 is a system architecture diagram of a security awareness platform according to a network risk assessment method based on network security situation awareness according to the present invention;
FIG. 3 is a data flow diagram of a security awareness platform of a network risk assessment method based on network security situation awareness according to the present invention;
FIG. 4 is a deployment logic topology diagram of the security awareness platform of the network risk assessment method based on network security situation awareness according to the present invention.
Detailed Description
Referring to FIG. 1 to FIG. 4, an embodiment of the present invention provides a network risk assessment method based on network security situation awareness, implemented on a security awareness platform; the method comprises:
S101: the data acquisition platform collects data from the latent threat probes and EDR.
In this embodiment, the data acquisition platform acts as the collection layer and collects data from latent threat probes, EDR and other security devices, so the data sources are more complete. The data comprises the network devices, network services, URLs, IP addresses, port numbers, reassembled sessions, asset identification information, application parsing information, access history, protocol parsing information, attack records and system information in the network; latent threat probes are deployed at the major aggregation nodes of the municipal network and on bypass (out-of-band) links of the core switches of district and county networks.
The latent threat probe separates network-layer and application-layer processing in its software design: an application identification module at the bottom layer classifies the data received on all network interfaces, and a packet-capture driver hands the application-layer packets that need processing up to the application layer; if the application layer fails to process a packet, network-layer forwarding is unaffected, which gives efficient and reliable packet processing. The probe is built on a 64-bit multi-core high-speed hardware platform on which a forwarding plane and a security plane run in parallel; the planes are processed concurrently and cooperate closely, greatly improving the security processing performance for network packets. The compute instructions are designed with lock-free parallel processing so that multiple pipelines are processed simultaneously; system throughput scales up accordingly, performance on a multi-core system is excellent, and the architecture is genuinely multi-core parallel.
The probe uses a single-pass analysis architecture so that each packet is parsed once and matched once, which raises application-layer efficiency; it separates the network-layer and application-layer planes in its software architecture and lifts data to the application plane with a zero-copy technique, giving unified parsing and unified detection of threat signatures while avoiding redundant packet encapsulation, so data processing is high-performance. Using application identification, the probe tags every packet passing through it with an application label via a private protocol at the kernel driver layer; when a packet is lifted to the content-detection plane, the device selects the threat signatures for that application and skips the signatures of unrelated applications (skip-scan), which cuts useless scanning and raises scanning efficiency. For example, once traffic is identified as HTTP, the vulnerability signatures for the Serv-U FTP server cannot apply to it, so their detection is skipped and the packet is forwarded sooner.
The probe reconstructs and records network communication behavior for forensic analysis by security staff; the reconstructed content comprises TCP session records, web access records, SQL access records, DNS resolution records, file transfer behavior and LDAP login behavior. It performs IP fragment reassembly, TCP stream reassembly and application-layer protocol identification and parsing; it holds numerous intrusion attack patterns and malicious-URL monitoring patterns, performs pattern matching and generates events, extracts URL and domain name records, and when a signature event fires records the original packets keyed by five-tuple or two-tuple. The probe's regex engine speeds up regular expression matching, greatly reduces CPU utilization and raises the probe's overall throughput, so customer service data is processed faster.
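The application-label and skip-scan behavior described for the probe (in the claim paragraph above and in this embodiment), as an added example that is not code from the patent: a small Python scanner labels each packet by application, evaluates only that application's signatures, and records the five-tuple and raw payload when a signature fires. The packet records, the application-identification heuristics and the signatures are all constructed for the example; a real probe tags packets in the kernel driver and carries far larger rule sets.

```python
import re
from typing import NamedTuple


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes


# Threat signatures grouped by the application they apply to (constructed for this example).
SIGNATURES = {
    "http": [
        ("http.path_traversal", re.compile(rb"(?:\.\./){2,}")),
        ("http.cmd_injection", re.compile(rb"[;|`]\s*(?:cat|id|wget)\b")),
    ],
    "ftp": [
        ("ftp.oversized_user", re.compile(rb"^USER [^\r\n]{200,}", re.M)),
    ],
    "dns": [
        ("dns.long_label", re.compile(rb"[A-Za-z0-9]{40,}")),
    ],
}


def identify_app(pkt: Packet) -> str:
    """Application label from the first payload bytes and the transport tuple.
    Stands in for the probe's kernel-level tagging; the heuristics are assumed."""
    head = pkt.payload[:8]
    if re.match(rb"(?:GET|POST|HEAD|PUT|DELETE) ", head):
        return "http"
    if head.startswith((b"USER ", b"PASS ", b"RETR ", b"220 ")):
        return "ftp"
    if pkt.proto == "udp" and pkt.dst_port == 53:
        return "dns"
    return "unknown"


def five_tuple(pkt: Packet):
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)


def scan(packets, skip_scan=True):
    """Return (events, signatures_evaluated). With skip_scan only the labelled
    application's signatures run against a packet; without it every signature does."""
    all_sigs = [sig for sigs in SIGNATURES.values() for sig in sigs]
    events, evaluated = [], 0
    for pkt in packets:
        app = identify_app(pkt)
        candidates = SIGNATURES.get(app, []) if skip_scan else all_sigs
        for name, rx in candidates:
            evaluated += 1
            if rx.search(pkt.payload):
                # Record the original packet keyed by its five-tuple when a signature fires.
                events.append({"signature": name, "app": app,
                               "five_tuple": five_tuple(pkt), "raw": pkt.payload})
    return events, evaluated


# Constructed packets: two HTTP requests, two FTP commands and one DNS query.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51234, "10.0.1.20", 80, "tcp",
           b"GET /../../../etc/passwd HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.5", 51235, "10.0.1.20", 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.7", 40001, "10.0.1.21", 21, "tcp", b"USER " + b"A" * 300 + b"\r\n"),
    Packet("10.0.0.7", 40001, "10.0.1.21", 21, "tcp", b"RETR ../../etc/shadow\r\n"),
    Packet("10.0.0.9", 53000, "10.0.1.2", 53, "udp", b"\x12\x34\x01\x00" + b"x" * 48 + b"\x00"),
]

if __name__ == "__main__":
    for mode in (True, False):
        events, evaluated = scan(SAMPLE_PACKETS, skip_scan=mode)
        print(f"skip_scan={mode}: {evaluated} signature checks, {len(events)} events")
        for e in events:
            print("  ", e["signature"], e["five_tuple"])
```

With skip-scan the five packets cost 7 signature checks and raise 3 events; without it they cost 20 checks and raise 5, the two extra ones coming from signatures written for another application (the 300-byte USER string tripping the DNS long-label rule, and the FTP RETR ../../ tripping the HTTP traversal rule). That second case is the caveat: the saving is only as sound as the label and the per-application rule coverage, so a mislabelled flow or an application with no rules of its own becomes a blind spot rather than a speed-up.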
S102: the big data analysis platform combines signature detection and behavior detection with UEBA, threat modeling and machine learning, analyzes the data and receives threat intelligence.
In this embodiment, the big data analysis platform analyzes the data using context correlation analysis, abnormal protocol analysis, signature detection, illegal access analysis, abnormal behavior detection, access correlation analysis, intelligent linkage analysis, asset detection, security situation analysis, whole-network traffic analysis and attack detection; threat intelligence sources include Silorder threat intelligence, CNVD, CNCERT, VirusTotal, CNNVD, ANVA, Exploit-DB, MAPP and CVE.
The big data analysis platform is used for asset and service management, which comprises: dividing intranet devices into assets and services according to their function; actively identifying intranet assets and discovering the IP addresses of intranet device assets that have not yet been defined; identifying the IP address, operating system, open ports and transport protocols and applications of each intranet server asset through an asset configuration detail display module; and grouping assets into specific service groups by IP address or address range through the service and asset relationship display module.
The big data analysis platform is used for intranet traffic display, which comprises: displaying the access relationships among users, service systems and the Internet through an access relationship display module, identifying the who, what, where and how of each access relationship; distinguishing users and service systems of different risk levels by color; and graphically displaying, per service asset, the normal access, illegal access, attack behavior and abnormal traffic of the intranet, each in a different color.
The big data analysis platform has a built-in detection and identification knowledge base covering more than 1100 application types with over 3000 application identification rules, and can identify hundreds of millions of URLs; the knowledge base covers more than 4000 intrusion-prevention vulnerability rules, each with a Chinese-language description comprising the vulnerability description, vulnerability name, severity level, affected systems, corresponding CVE identifier, reference information and suggested remediation; it also has an independent zombie (bot) host identification signature library and a malware identification signature library.
The big data analysis platform collects and analyzes the logs and alarm information of the company's next-generation firewall and endpoint security system, analyzes and correlates them, and for the security risks discovered by its analysis invokes the blocking, inspection and killing responses of those protection systems against the security risks and attack code; for third-party security devices that support syslog, the platform provides collection, storage and query services for their logs.
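The log collection and correlation described here (next-generation firewall and EDR events arriving over syslog, correlated and graded by certainty), as an added example that is not code from the patent: a Python parser for RFC 3164-style syslog lines followed by a correlation pass that, for each EDR alert, gathers the firewall events against the same host in the preceding ten minutes and grades the incident as compromised, high-risk or suspicious. The log lines, the key=value layout inside each message, the ten-minute window and the grading rule are assumptions of the example; real products each format their messages differently.

```python
import re
from datetime import datetime, timedelta

# Constructed RFC 3164-style lines. The key=value layout inside each message is assumed;
# one malformed line is included on purpose to show that the parser drops it.
SAMPLE_SYSLOG = """\
<134>Mar 12 09:14:02 ngfw01 ngfw: action=block src=203.0.113.9 dst=10.0.1.20 dport=445 sig=smb-exploit-attempt
<134>Mar 12 09:14:05 ngfw01 ngfw: action=allow src=203.0.113.9 dst=10.0.1.20 dport=443 sig=-
<131>Mar 12 09:14:40 edr01 edr: action=alert host=10.0.1.20 event=suspicious_process cmd="powershell.exe -w hidden -nop"
<134>Mar 12 10:30:11 ngfw01 ngfw: action=block src=198.51.100.4 dst=10.0.1.22 dport=22 sig=ssh-bruteforce
<134>Mar 12 11:00:00 ngfw01 ngfw: action=block src=198.51.100.7 dst=10.0.1.23 dport=8080 sig=struts-rce-attempt
<131>Mar 12 11:03:00 edr01 edr: action=alert host=10.0.1.23 event=webshell_dropped cmd="cmd.exe /c whoami"
this line is not syslog
<131>Mar 12 13:02:00 edr01 edr: action=alert host=10.0.1.22 event=credential_dump cmd="procdump.exe -ma lsass.exe"
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sender>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line, year=2022):
    """One syslog line -> dict, or None if it is not well-formed. RFC 3164 carries
    no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)   # PRI = facility * 8 + severity
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["msg"])}
    return {"time": ts, "sender": m["sender"], "source": m["tag"],
            "facility": facility, "severity": severity, **fields}


def parse_lines(text, year=2022):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def correlate(records, window=timedelta(minutes=10)):
    """For every EDR alert, gather the firewall events against the same host in the
    preceding window and grade the incident by certainty (the three classes named in
    the description; the grading rule itself is an assumption of this example)."""
    firewall = [r for r in records if r["source"] == "ngfw"]
    incidents = []
    for alert in (r for r in records if r["source"] == "edr" and r.get("action") == "alert"):
        host = alert["host"]
        related = [f for f in firewall
                   if f.get("dst") == host and alert["time"] - window <= f["time"] <= alert["time"]]
        hits = [f for f in related if f.get("sig", "-") != "-"]
        attackers = {h["src"] for h in hits}
        got_through = [f for f in related if f.get("action") == "allow" and f.get("src") in attackers]
        if hits and got_through:
            certainty = "compromised"   # perimeter hit, same source later allowed in, then host-side alert
        elif hits:
            certainty = "high-risk"     # perimeter hit against the host shortly before the host-side alert
        else:
            certainty = "suspicious"    # host-side alert with no supporting perimeter evidence
        incidents.append({"host": host, "time": alert["time"], "event": alert.get("event"),
                          "certainty": certainty, "firewall_events": related})
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse_lines(SAMPLE_SYSLOG)):
        print(inc["time"], inc["host"], inc["event"], inc["certainty"], len(inc["firewall_events"]))
```

On the sample, 10.0.1.20 grades as compromised (exploit signature from 203.0.113.9, the same source allowed through on 443 seconds later, then a hidden PowerShell on the host), 10.0.1.23 as high-risk (perimeter hit followed by a webshell alert, nothing allowed through) and 10.0.1.22 as suspicious (the brute-force hit lies hours outside the window). The window is the knob to tune: too short and slow intrusions are graded suspicious, too long and unrelated scans inflate certainty.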
The big data analysis platform presents the security events and attacks of the whole network on a map and in other visualizations through the visualization platform, counting and displaying them by attack event, attack source, attack target, attack type and damage level. The visualization platform supports visualization of whole-network services, presenting the access relationships of all service objects and a graphical view of compromised services; it supports visualization of user-defined service asset management; it supports analysis of the traffic passing through the device and discovery of vulnerabilities in the protected objects; it connects to an external large monitoring screen and shows the assets and the services under attack from the external network on a real-time dynamic map; branch security monitoring shows the security state of branch or supervised organizations as a map topology and ranks their security trends; the security log view aggregates the security logs of all security devices and allows them to be queried and filtered by time, type, severity level, action, region, IP, user, signature/vulnerability ID, response status code, domain name/URL, device name and other conditions; risk details are displayed at user-group granularity together with their impact on service systems; the risky-user view highlights high-risk users and visualizes their risky operations, attack behavior, violations and affected services, classifying them as compromised, high-risk or suspicious users according to certainty; and the risky-service view highlights high-risk services, graphically visualizes effective attacks, tampering and backdoor attack paths against a service, and classifies services as compromised, high-risk or suspicious according to certainty.
The big data analysis platform implements its various detection capabilities and big data correlation analysis through an analysis engine comprising a data preprocessing module, a data fusion module, a model construction module, a model fusion module and an analysis result generation module. With MapReduce as the underlying computation framework and MLlib and TensorFlow as the main machine learning frameworks, it implements SVM, Bayesian network, random forest, LDA, DGA detection, Markov clustering, iForest and RNN machine learning algorithms, and supports UEBA, compromised host detection and big data correlation analysis security capabilities.
S103: the big data analysis platform performs a network risk assessment from the analysis results and the received threat intelligence and sends the network risk assessment result to the alarm and control center.
In this embodiment, the network risk assessment performed by the big data analysis platform from the analysis results and the received threat intelligence comprises the following.
Identifying the risk factors. Indicators are selected from the network performance indicators for the experiment. During network operation, user misuse or network attacks may degrade network performance and create network risk, and that risk may result from the interaction of several risk factors. The invention selects three risk factors: traffic, CPU and memory.
And constructing a network topology structure. And analyzing through a Bayesian network, determining the dependency relationship among the indexes, and drawing a Bayesian network topology structure chart.
The network structure is constructed by means of an adjacency matrix LJ: when node i is the parent node of node j, the corresponding entry of LJ is 1; otherwise it is 0. The resulting matrix is then checked through its diagonal elements. If the diagonal elements of the adjacency matrix are not all 0, the network structure does not conform to a directed acyclic graph, and vice versa. During network operation, excess flow, CPU and memory usage can cause network risks, so a direct dependency exists between the network risk and the flow, the CPU and the memory. Excess flow can also cause the CPU and the memory to exceed their limits, so the CPU and the memory depend directly on the flow. Thus, the following adjacency matrix is obtained:
All diagonal elements of the adjacency matrix LJ are 0, so the structure is a directed acyclic graph and meets the requirement of the model. This yields a Bayesian network structure in which node "1" points to nodes "2", "3" and "4", and nodes "2" and "3" each point to node "4". Node "1" represents the flow, node "2" the CPU, node "3" the memory, and node "4" the network risk.
Calculating the probabilities of the risk factors. The analysis result of the data and the received threat intelligence are normalized to obtain a time series chart for each index over a certain period; statistical analysis then yields the prior probability and the posterior probability of each index. In the experiments, the network performance indexes were monitored over a period of time under video watching, web browsing, downloading and network attack conditions, giving time series of flow, CPU and memory, which were normalized. Taking the critical values at which the flow, the CPU and the memory exceed the standard as 0.7, 0.6 and 0.6 respectively, statistics over a large amount of data give the conditional probability table of each index. The prior probability distribution is obtained from the conditional probability table, and the conditional probabilities of flow, CPU and memory are then entered into the BNT toolbox to obtain the posterior probability of each index.
Evaluating the network risk. Finally, the network risk rate is calculated and the network risk level at the current moment is looked up in the risk level table. From the discussion of the main factors causing network risk, a reference coefficient is defined as the maximum allowable amount of change in the probability of a given risk factor, expressed as follows:
where the symbols denote, in turn, the risk factor, the event that a network risk occurs, the event that no network risk occurs, and the state of the risk factor, which takes one of two values.
Combining the above formula with the calculation results gives the magnitude and ordering of the reference coefficients of the three risk factors, which represent the flow, the CPU and the memory respectively; the larger a factor's coefficient, the higher the probability that it causes a network risk. The ranking therefore shows which risk factor is most likely to cause the network risk during the period. After the posterior probabilities of the flow, the CPU and the memory are obtained, the network risk ratio is given as follows:
where the three terms are the probabilities that the flow, the CPU and the memory respectively cause a risk. Substituting the above calculation results into the formula gives the value of the network risk ratio, and the network risk level at the current moment is read from the risk level table. Because network risk assessment involves many uncertain factors, the risk during network operation is assessed with the Bayesian network method, so that the big data analysis platform can effectively assess network risk from the analysis result of the data and the received threat intelligence.
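The Bayesian-network steps above, as an added example that is not part of the patent: the adjacency matrix LJ with its acyclicity check, thresholding of normalized indexes at 0.7/0.6/0.6, conditional probability tables estimated by counting, and exact posterior queries by enumeration in place of the BNT toolbox. The sample states, the Laplace smoothing and the ranking by conditional risk probability are assumptions, since the patent shows neither its data nor its reference-coefficient formula.

```python
"""Added example, not code from the patent: the four-node Bayesian network
described above (flow -> CPU, memory, risk; CPU, memory -> risk), with CPT
estimation from constructed monitoring samples and posterior queries by
enumeration. Thresholds 0.7 / 0.6 / 0.6 are the ones stated in the text;
the sample data, helper names and ranking criterion are assumptions."""
from itertools import product

# Node order follows the text: 1 = flow, 2 = CPU, 3 = memory, 4 = network risk
NAMES = ["flow", "cpu", "mem", "risk"]
RISK = 3
# Adjacency matrix LJ: LJ[i][j] = 1 when node i is the parent of node j
LJ = [[0, 1, 1, 1],
      [0, 0, 0, 1],
      [0, 0, 0, 1],
      [0, 0, 0, 0]]
# Critical values for "exceeding the standard" after normalisation (from the text)
THRESHOLDS = {"flow": 0.7, "cpu": 0.6, "mem": 0.6}

def is_dag(adj):
    """Diagonal check from the text, plus a Kahn topological sort: a longer
    cycle such as 1 -> 2 -> 1 leaves every diagonal element at 0."""
    n = len(adj)
    if any(adj[i][i] for i in range(n)):
        return False
    indeg = [sum(adj[i][j] for i in range(n)) for j in range(n)]
    ready = [j for j in range(n) if indeg[j] == 0]
    removed = 0
    while ready:
        i = ready.pop()
        removed += 1
        for j in range(n):
            if adj[i][j]:
                indeg[j] -= 1
                if indeg[j] == 0:
                    ready.append(j)
    return removed == n

def parents(adj, j):
    return [i for i in range(len(adj)) if adj[i][j]]

def normalize(series):
    """Min-max normalisation of one index's time series to [0, 1]."""
    lo, hi = min(series), max(series)
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v in series]

def binarize(samples):
    """Map raw (flow, cpu, mem, risk) rows to 0/1 states, 1 = exceeded."""
    cols = list(zip(*samples))
    norm = {name: normalize(cols[k]) for k, name in enumerate(NAMES[:RISK])}
    return [tuple(int(norm[n][t] > THRESHOLDS[n]) for n in NAMES[:RISK])
            + (int(cols[RISK][t]),) for t in range(len(samples))]

def learn_cpts(states, adj, alpha=1.0):
    """Conditional probability tables by counting, Laplace-smoothed so parent
    configurations never seen in the data still get a probability."""
    cpts = {}
    for j in range(len(adj)):
        ps, table = parents(adj, j), {}
        for cfg in product((0, 1), repeat=len(ps)):
            hits = [s for s in states if tuple(s[p] for p in ps) == cfg]
            table[cfg] = (sum(s[j] for s in hits) + alpha) / (len(hits) + 2 * alpha)
        cpts[j] = (ps, table)  # table[cfg] = P(node j = 1 | parents = cfg)
    return cpts

def joint(cpts, assignment):
    p = 1.0
    for j, (ps, table) in cpts.items():
        p1 = table[tuple(assignment[i] for i in ps)]
        p *= p1 if assignment[j] else 1.0 - p1
    return p

def posterior(cpts, query, evidence):
    """P(query = 1 | evidence) by summing the joint over the hidden nodes;
    exact and cheap for a four-node network (16 assignments)."""
    num = den = 0.0
    for full in product((0, 1), repeat=len(cpts)):
        if any(full[k] != v for k, v in evidence.items()):
            continue
        p = joint(cpts, full)
        den += p
        num += p if full[query] else 0.0
    return num / den

def rank_factors(cpts):
    """Order the indexes by P(risk = 1 | index exceeded); an assumed ranking
    criterion, since the patent's reference coefficient formula is not shown."""
    score = {NAMES[k]: posterior(cpts, RISK, {k: 1}) for k in range(RISK)}
    return sorted(score, key=score.get, reverse=True)

if __name__ == "__main__":
    # Constructed 0/1 states standing in for the thresholded monitoring series
    states = [(1, 1, 1, 1)] * 4 + [(0, 0, 0, 0)] * 4 + [(1, 0, 1, 1), (0, 1, 0, 0)]
    cpts = learn_cpts(states, LJ)
    print("DAG:", is_dag(LJ), " P(risk | flow exceeded) =",
          round(posterior(cpts, RISK, {0: 1}), 4), " ranking:", rank_factors(cpts))
```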
According to this embodiment, the network risk assessment method based on network security situation awareness provided by the invention collects data through a data acquisition platform based on a threat latency probe and an EDR; the big data analysis platform combines feature detection and behavior detection by adopting user and entity behavior analysis, threat modeling and machine learning technologies, analyzes the data and receives threat intelligence; and the big data analysis platform carries out network risk assessment according to the analysis result of the data and the received threat intelligence and sends the result to an alarm and control center. This effectively addresses the problems that existing network security event analysis is difficult, security threat handling is stuck, network attacks are increasingly complex, and security problems are hard to detect.
The embodiment of the present invention further provides a storage medium, and the storage medium stores a computer program, and when the computer program is executed by a processor, the computer program implements part or all of the steps of the network risk assessment method based on network security situation awareness provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a Read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.
Claims (10)
1. A network risk assessment method based on network security situation awareness is characterized by comprising the following steps:
the data acquisition platform collects data based on the threat latency probe and the EDR;
the big data analysis platform combines feature detection and behavior detection by adopting user and entity behavior analysis, threat modeling and machine learning technologies, analyzes the data and receives threat information;
the big data analysis platform carries out network risk assessment according to the analysis result of the data and the received threat information, and sends the network risk assessment result to an alarm and control center;
wherein the big data analysis platform carrying out the network risk assessment according to the analysis result of the data and the received threat intelligence comprises: selecting indexes from the network performance indexes to carry out experiments; analyzing through a Bayesian network, determining the dependency relationships among the indexes, and drawing a Bayesian network topology structure chart; normalizing the analysis result of the data and the received threat intelligence to obtain a time series chart of the corresponding index over a certain period, then carrying out statistical analysis and calculating the prior probability and the posterior probability of each index; and finally calculating the network risk rate and checking the network risk level at the current moment against the risk level table.
2. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step of collecting data based on the threat latency probe and the EDR, the data includes network devices, network services, URLs, IP addresses, port numbers, session reorganization, asset identification information, application parsing information, access history information, protocol parsing information, attack records, and system information in the network; deploying latent threat probes at important aggregation nodes of the city-level network and a district-county network core exchange bypass;
the threat latency probe separates the data processing of a network layer and an application layer through software design, identifies data received by all network cards on the basis of an application identification module at the bottom layer, and captures application data messages needing to be processed to the application layer through a capture packet driver; if the application layer fails to process data, the forwarding of the data of the network layer is not influenced;
the threat latency probe is constructed on a 64-bit multi-core concurrent high-speed hardware platform, a forwarding plane and a security plane are operated on the multi-core platform in parallel, multi-plane concurrent processing is carried out, a lock-free parallel processing technology is adopted in the design of a computing instruction, and simultaneous processing of multiple pipelines is achieved.
3. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step of collecting data based on a threat latency probe and an EDR, the threat latency probe adopts a single parsing architecture so that a message is parsed once and matched once, improving the efficiency of the application layer; the threat latency probe realizes plane separation of the network layer and the application layer through its software architecture design, and extracts data to the application plane through zero-copy technology to realize unified parsing and unified detection of threat features;
the threat latency probe marks all data packets passing through the probe with application labels through a private protocol on an inner core driving layer by using an application identification technology, when the data packets are extracted to a content detection plane for detection, the device finds corresponding application threat characteristics, and skips irrelevant application threat detection characteristics by using a skip scanning technology;
the threat latency probe is used for restoring and recording network communication behaviors so as to be used for security personnel to carry out forensics analysis, and the restoration content comprises the following steps: TCP session record, Web access record, SQL access record, DNS analysis record, file transmission behavior and LDAP login behavior;
the threat latency probe realizes IP fragment reassembly, TCP stream reassembly and application layer protocol identification and parsing, holds various intrusion attack patterns and malicious URL monitoring patterns, completes pattern matching and generates events, extracts URL records and domain name records, and records the original message based on the 5-tuple and 2-tuple when a feature event is triggered; the threat latency probe adopts a regular-expression engine to improve the matching speed of regular expressions.
4. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step of analyzing the data and receiving threat information, the big data analysis platform analyzes the data by using context correlation analysis, abnormal protocol analysis, feature detection, illegal access analysis, abnormal behavior detection, access correlation analysis, intelligent linkage analysis, asset detection, security situation analysis, whole network traffic analysis and attack detection by combining feature detection and behavior detection by using user and entity behavior analysis, threat modeling and machine learning technologies; sources of threat intelligence include Silorder threat intelligence, CNVD, CNCERT, Virus-Total, CNNVD, ANVA, Exploit DB, MAPP, CVE.
5. The network risk assessment method based on network security situation awareness according to claim 1, wherein a big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat intelligence in the step, the big data analysis platform is used for asset business management, and the asset business management comprises: according to the function division, the intranet equipment is divided into assets and services, the big data analysis platform actively identifies the intranet assets and actively discovers the IP addresses of the equipment assets of the intranet, which are not defined; identifying an IP address, an operating system, an open port and a transmission use protocol and application of the intranet server asset through an asset configuration detail display module; and combining the service and asset relationship display modules into a specific service group according to the asset IP address/address field.
6. The network risk assessment method based on network security situation awareness according to claim 1, wherein a big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat information in the step, the big data analysis platform is used for intranet flow display, and the intranet flow display comprises: displaying the access relation among the user, the service system and the Internet through an access relation display module, and identifying who, what, where and how of the access relation; distinguishing users and service systems with different danger levels through colors; and displaying the normal access, the illegal access, the attack behavior and the abnormal flow of the intranet aiming at different business assets in a graphical way, and distinguishing the normal access, the illegal access, the attack behavior and the abnormal flow by using different colors.
7. The network risk assessment method based on network security situation awareness according to claim 1, characterized in that a big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat information, a detection and identification knowledge base is built in the big data analysis platform, and intrusion protection vulnerability characteristics covered by the detection and identification knowledge base have Chinese introduction, including vulnerability description, vulnerability name, danger level, influence system, corresponding CVE number, reference information and suggested solution; the detection and recognition knowledge base is provided with an independent zombie host recognition feature base and a malicious software recognition feature base.
8. The network risk assessment method based on network security situation awareness according to claim 1, characterized in that a big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat information, collects and analyzes next-generation firewall, endpoint security system related logs and alarm information of a company, performs corresponding analysis and association, and calls security risks found by platform analysis and attack codes of blocking, searching and killing responses of the protection systems; for third-party security devices supporting syslog, the big data analysis platform supports collection, storage and query services of relevant logs.
9. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step in which the big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat intelligence, the big data analysis platform provides map-based and visual display of security events and attacks across the whole network through a visualization platform, with statistics displayed by attack event, attack source, attack target, attack type and damage level; the visualization platform supports visualization of all network services, presenting the access relationships between service objects across the network and a graphical view of compromised services; visualization of user-defined business asset management is supported; analysis of the traffic passing through the equipment is supported and vulnerabilities of the protected objects are discovered; the business view is connected to an external large monitoring screen, which displays assets and real-time dynamic maps of services attacked from the external network in a graphical large-screen layout; branch security monitoring shows the security state of branch organizations or supervised organizations in a map topology and ranks their security trends; security log display aggregates the security logs of all security equipment, and logs are queried and filtered by conditions such as time, type, severity level, action, region, IP, user, feature/vulnerability ID, reply status code, domain name/URL and equipment name; risk user visualization shows risk details at user-group granularity together with the impact on service systems, highlights high-risk users along with their risk operations, attack behaviour, violations and affected services, and classifies them by certainty into compromised users, high-risk users and suspicious users; and risk service visualization highlights high-risk services, graphically displays the effective attack, tampering and backdoor attack paths of a service, and classifies services by certainty into compromised services, high-risk services and suspicious services.
10. The network risk assessment method based on network security situation awareness as claimed in claim 1, wherein in the step in which the big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat intelligence, the big data analysis platform realizes its detection capabilities and big data correlation analysis capabilities through an analysis engine; the analysis engine comprises a data preprocessing module, a data fusion module, a model construction module, a model fusion module and an analysis result generation module, uses MapReduce as the underlying computation framework and MLlib and TensorFlow as the main machine learning frameworks to realize the SVM, Bayesian network, random forest, LDA, DGA, Markov clustering, iForest and RNN machine learning algorithms, and supports UEBA, trapped host detection, compromised host detection and big data correlation analysis security capabilities.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210577874.8A CN114679338A (en) | 2022-05-26 | 2022-05-26 | Network risk assessment method based on network security situation awareness |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210577874.8A CN114679338A (en) | 2022-05-26 | 2022-05-26 | Network risk assessment method based on network security situation awareness |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114679338A true CN114679338A (en) | 2022-06-28 |
Family
ID=82079959
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210577874.8A Pending CN114679338A (en) | 2022-05-26 | 2022-05-26 | Network risk assessment method based on network security situation awareness |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114679338A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning monitoring system, method and the deployment framework analyzed based on big data |
CN111191683A (en) * | 2019-12-13 | 2020-05-22 | 南京邮电大学 | Network security situation assessment method based on random forest and Bayesian network |
CN111541658A (en) * | 2020-04-14 | 2020-08-14 | 许艺明 | PCIE firewall |
CN114357677A (en) * | 2021-12-31 | 2022-04-15 | 国网安徽省电力有限公司经济技术研究院 | Method for evaluating out-of-limit risk of node voltage of charging and discharging distribution network of electric automobile |
- 2022-05-26 CN CN202210577874.8A patent/CN114679338A/en active Pending
Non-Patent Citations (5)
Title |
---|
李军: "Research on Network Risk Assessment Based on Bayesian Network", 《软件导刊》 * |
林健: "Research on Network Security Situation Assessment and Prediction Technology", 《电子技术与软件工程》 * |
汪华: "Application of a Security Situation Awareness Platform in Meteorological Bureau Information Security", 《网络安全和信息化》 * |
深信服: "Sangfor Next-Generation Firewall Technical White Paper", 《HTTPS://WWW.SANGFOR.COM.CN/DOCUMENT/》 * |
莫禹钧: "Construction of a Hospital Network Security Situation Awareness System", 《医学信息学杂志》 * |
Cited By (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115361185A (en) * | 2022-08-10 | 2022-11-18 | 重庆电子工程职业学院 | Network security discrimination and study system and method |
CN115118525A (en) * | 2022-08-23 | 2022-09-27 | 天津天元海科技开发有限公司 | Internet of things safety protection system and protection method thereof |
CN115118525B (en) * | 2022-08-23 | 2022-12-13 | 天津天元海科技开发有限公司 | Internet of things safety protection system and protection method thereof |
CN115150195B (en) * | 2022-09-01 | 2022-12-20 | 珠海市鸿瑞信息技术股份有限公司 | Real-time dynamic early warning system and method based on network security situation awareness system |
CN115150195A (en) * | 2022-09-01 | 2022-10-04 | 珠海市鸿瑞信息技术股份有限公司 | Real-time dynamic early warning system and method based on network security situation awareness system |
CN115189970A (en) * | 2022-09-13 | 2022-10-14 | 珠海市鸿瑞信息技术股份有限公司 | Network security analysis system and method of security situation awareness system |
CN115460023A (en) * | 2022-11-14 | 2022-12-09 | 国能大渡河大数据服务有限公司 | Method and system for integrally guaranteeing network security |
CN115834219B (en) * | 2022-11-29 | 2024-05-17 | 中国联合网络通信集团有限公司 | Network asset evaluation processing method, device, server and medium |
CN115834219A (en) * | 2022-11-29 | 2023-03-21 | 中国联合网络通信集团有限公司 | Network asset evaluation processing method, device, server and medium |
CN116074113A (en) * | 2023-03-06 | 2023-05-05 | 成都市以太节点科技有限公司 | Security protection method, device and storage medium based on business process constraint |
CN116074113B (en) * | 2023-03-06 | 2023-08-15 | 成都市以太节点科技有限公司 | Security protection method, device and storage medium based on business process constraint |
CN116488912A (en) * | 2023-04-27 | 2023-07-25 | 徐州医科大学 | Network traffic monitoring method and system based on mutation model finite state |
CN116527628A (en) * | 2023-07-03 | 2023-08-01 | 北京左江科技股份有限公司 | Network address conversion method and system based on security situation awareness |
CN116527628B (en) * | 2023-07-03 | 2023-09-29 | 北京左江科技股份有限公司 | Network address conversion method and system based on security situation awareness |
CN116599767A (en) * | 2023-07-12 | 2023-08-15 | 深圳市光网世纪科技有限公司 | Network threat monitoring system based on machine learning |
CN116599767B (en) * | 2023-07-12 | 2023-11-03 | 深圳市光网世纪科技有限公司 | Network threat monitoring system based on machine learning |
CN116915459B (en) * | 2023-07-13 | 2024-03-08 | 上海戎磐网络科技有限公司 | Network threat analysis method based on large language model |
CN116915459A (en) * | 2023-07-13 | 2023-10-20 | 上海戎磐网络科技有限公司 | Network threat analysis method based on large language model |
CN117081851A (en) * | 2023-10-10 | 2023-11-17 | 网思科技股份有限公司 | Display method, system and medium of network security situation awareness information |
CN117081851B (en) * | 2023-10-10 | 2024-03-19 | 网思科技股份有限公司 | Display method, system and medium of network security situation awareness information |
CN117194588A (en) * | 2023-11-07 | 2023-12-08 | 江苏龙虎网信息科技股份有限公司 | Business data integrated supervision system and method based on big data |
CN117194588B (en) * | 2023-11-07 | 2024-01-19 | 江苏龙虎网信息科技股份有限公司 | Business data integrated supervision system and method based on big data |
CN117527861A (en) * | 2024-01-05 | 2024-02-06 | 四川盛邦润达科技有限公司 | Equipment access method, internet of things gateway and Internet of things visualization platform |
CN117527861B (en) * | 2024-01-05 | 2024-03-22 | 四川盛邦润达科技有限公司 | Equipment access method, internet of things gateway and Internet of things visualization platform |
CN117857221A (en) * | 2024-03-07 | 2024-04-09 | 北京谷器数据科技有限公司 | Authority management method and system for remote service platform |
CN117857221B (en) * | 2024-03-07 | 2024-06-04 | 北京谷器数据科技有限公司 | Authority management method and system for remote service platform |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114679338A (en) | Network risk assessment method based on network security situation awareness | |
US10721243B2 (en) | Apparatus, system and method for identifying and mitigating malicious network threats | |
US20210273961A1 (en) | Apparatus and method for a cyber-threat defense system | |
Hoque et al. | An implementation of intrusion detection system using genetic algorithm | |
CN103685575B (en) | A kind of web portal security monitoring method based on cloud framework | |
Liao et al. | Network forensics based on fuzzy logic and expert system | |
CA3041871A1 (en) | System and method for monitoring security attack chains | |
US20190372934A1 (en) | Aggregating alerts of malicious events for computer security | |
Seufert et al. | Machine learning for automatic defence against distributed denial of service attacks | |
Kumar et al. | A robust intelligent zero-day cyber-attack detection technique | |
US20230012220A1 (en) | Method for determining likely malicious behavior based on abnormal behavior pattern comparison | |
CN111726342B (en) | Method and system for improving alarm output accuracy of honeypot system | |
GhasemiGol et al. | E‐correlator: an entropy‐based alert correlation system | |
Hammad et al. | Intrusion detection system using feature selection with clustering and classification machine learning algorithms on the unsw-nb15 dataset | |
Frye et al. | An ontology-based system to identify complex network attacks | |
Meng et al. | Adaptive non-critical alarm reduction using hash-based contextual signatures in intrusion detection | |
Alavizadeh et al. | A survey on threat situation awareness systems: framework, techniques, and insights | |
CN110213301B (en) | Method, server and system for transferring network attack plane | |
Dalmazo et al. | Triple-similarity mechanism for alarm management in the cloud | |
Kamatchi et al. | An efficient security framework to detect intrusions at virtual network layer of cloud computing | |
Sulaiman et al. | Big data analytic of intrusion detection system | |
Roponena et al. | Towards a Human-in-the-Loop Intelligent Intrusion Detection System. | |
Jain et al. | The role of decision tree technique for automating intrusion detection system | |
Kayacik et al. | Using self-organizing maps to build an attack map for forensic analysis | |
CN106993005A (en) | The method for early warning and system of a kind of webserver |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20220628 |