CN114679338A - Network risk assessment method based on network security situation awareness


Info

Publication number: CN114679338A
Authority: CN (China)
Prior art keywords: network, threat, analysis, data, detection
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN202210577874.8A
Other languages: Chinese (zh)
Inventors: 刘山林, 秦笑天, 王男, 左瑞山
Current assignee: Shandong Lintian Information Technology Co ltd (as listed; not legally verified)
Original assignee: Shandong Lintian Information Technology Co ltd
Events: application filed by Shandong Lintian Information Technology Co ltd; priority to CN202210577874.8A; publication of CN114679338A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network risk assessment method based on network security situation awareness. A data acquisition platform collects data from a threat latency probe and from endpoint detection and response (EDR); a big data analysis platform, using user and entity behaviour analysis (UEBA), threat modeling and machine learning, combines feature detection with behaviour detection, analyzes the data and receives threat intelligence; the big data analysis platform then performs a network risk assessment from the analysis results and the received threat intelligence and sends the result to an alarm and control center. The method addresses the problems that security event analysis is currently difficult, that security threat handling is stuck, and that network attacks are increasingly complex and security problems hard to detect.

Description

Network risk assessment method based on network security situation awareness
Technical Field
The invention relates to the technical field of networks, in particular to a network risk assessment method based on network security situation awareness.
Background
With the continuing deepening of network informatization, the trend toward information-led policing is increasingly evident. The volume of data exchanged between the information and communication network and external access units keeps growing, security threats of every kind (network attacks, intrusions, viruses, trojans and so on) multiply, and the integrity and security of information on the network face ever greater challenges. Network risk assessment currently faces two main difficulties. 1) Security events are hard to analyze, and security threat handling is stuck. As communication networks keep extending, the number of devices and service types grows and the key security devices and service servers generate large volumes of security event logs. Security operations staff confront this huge, mutually isolated body of security information through the console interfaces and alarm windows of many separate products; their efficiency is very low, and the real hazards are hard to find. 2) Network attacks are increasingly complex, and security problems are hard to detect.
The development of cloud computing keeps migrating IT assets to virtualization; services are frequently added, removed, queried and changed; the evolution of IT services toward the Internet, the mobile Internet and the public cloud gives attackers more attack vectors; and the security boundary becomes blurred. Traditional defenses still focus on the network and the application system and give no clear view of asset changes, service access relationships, internal lateral movement, abnormal access or illegal operations. Once an attacker breaches the boundary, he usually uses a legitimate user identity to pivot into other internal service systems and steal core data. There is therefore a need for a network risk assessment method based on network security situation awareness that addresses these problems.
Disclosure of Invention
The invention aims to provide a network risk assessment method based on network security situation awareness that solves the problems that security event analysis is currently difficult, that security threat handling is stuck, and that network attacks are increasingly complex and security problems hard to detect.
The invention provides a network risk assessment method based on network security situation awareness, characterized by the following steps: a data acquisition platform collects data from a threat latency probe and from endpoint detection and response (EDR); a big data analysis platform, using user and entity behaviour analysis (UEBA), threat modeling and machine learning, combines feature detection with behaviour detection, analyzes the data and receives threat intelligence; the big data analysis platform performs a network risk assessment from the analysis results and the received threat intelligence and sends the result to an alarm and control center. The network risk assessment performed by the big data analysis platform comprises: selecting indicators from the network performance indicators for the experiment; analyzing them with a Bayesian network to determine the dependencies among the indicators and drawing the Bayesian network topology; normalizing the analysis results and the received threat intelligence to obtain a time series of each indicator over a given period, performing statistical analysis, and calculating the prior and posterior probability of each indicator; and finally calculating the network risk rate and looking up the network risk level at the current moment in the risk level table.
Further, in the step of collecting data based on the threat latency probe and the EDR, the data comprises network devices, network services, URLs, IP addresses, port numbers, reassembled sessions, asset identification information, application parsing information, access history, protocol parsing information, attack records and system information in the network. Threat latency probes are deployed at important aggregation nodes of the city-level network and on bypass (mirror) links of the district/county network core switches. The probe separates network-layer from application-layer processing in software: an application identification module at the bottom layer classifies the data received on every network card, and a packet-capture driver hands only the application data that needs inspection up to the application layer, so a failure in application-layer processing does not affect network-layer forwarding. The probe is built on a 64-bit multi-core high-speed hardware platform on which a forwarding plane and a security plane run in parallel with multi-plane concurrent processing; the computing instructions are designed with lock-free parallel processing so that multiple pipelines run simultaneously.
Further, in the step of collecting data by the data acquisition platform based on the threat latency probe and the EDR, the probe uses a single-pass analysis architecture (each message is parsed once and matched once) to improve application-layer efficiency; it separates the network and application planes through its software architecture and moves data to the application plane with zero-copy, so that threat features are parsed and detected in one unified pass. Using application identification, the probe tags every packet passing through it with an application label via a private protocol in the kernel driver layer; when a packet is lifted to the content detection plane, the device selects the threat features for that application and skips irrelevant ones (skip scanning). The probe also reconstructs and records network communication behaviour for later forensic analysis by security personnel, including TCP session records, Web access records, SQL access records, DNS resolution records, file transfer behaviour and LDAP login behaviour. It performs IP fragment reassembly, TCP stream reassembly and application-layer protocol identification and parsing; it holds many intrusion-attack patterns and malicious-URL monitoring patterns, performs pattern matching, generates events, extracts URL and domain-name records, and, when a feature event is triggered, records the original message keyed by its five-tuple and two-tuple. A regex engine speeds up regular-expression matching.
Further, in the step in which the big data analysis platform, using UEBA, threat modeling and machine learning, combines feature detection with behaviour detection, analyzes the data and receives threat intelligence, the platform analyzes the data using context correlation analysis, abnormal protocol analysis, feature detection, illegal access analysis, abnormal behaviour detection, access correlation analysis, intelligent linkage analysis, asset detection, security situation analysis, whole-network traffic analysis and attack detection. Sources of threat intelligence include Silorder threat intelligence, CNVD, CNCERT, VirusTotal, CNNVD, ANVA, Exploit DB, MAPP and CVE.
Further, in the same step, the platform is also used for asset and service management, which comprises: dividing intranet devices into assets and services according to their function; actively identifying intranet assets and discovering the IP addresses of intranet device assets that have not yet been defined; identifying the IP address, operating system, open ports and the transport protocols and applications of each intranet server asset through an asset configuration detail display module; and combining assets into a specific service group by IP address or address range through the service and asset relationship display module.
Further, in the same step, the platform is used for intranet traffic display, which comprises: showing the access relationships among users, service systems and the Internet through an access relationship display module and identifying the who, what, where and how of each access relationship; distinguishing users and service systems of different risk levels by colour; and graphically displaying normal access, illegal access, attack behaviour and abnormal traffic against the different business assets of the intranet, again distinguished by colour.
Further, in the same step, a detection and identification knowledge base is built into the platform. The intrusion prevention vulnerability features it covers carry a Chinese description comprising the vulnerability description, vulnerability name, risk level, affected systems, corresponding CVE number, reference information and suggested remediation; the knowledge base also has an independent botnet (zombie) host identification feature library and a malware identification feature library.
Further, in the same step, the platform collects and analyzes the logs and alarm information of the company's next-generation firewall and endpoint security system, performs the corresponding analysis and correlation, and invokes the blocking and quarantine/kill responses of those protection systems against the security risks and attack code that its analysis discovers; for third-party security devices that support syslog, the platform provides collection, storage and query of their logs.
Further, in the same step, the platform shows whole-network security events and attacks on a map and in visual form through a visualization platform, with statistics by attack event, attack source, attack target, attack type and damage level. The visualization platform supports visualization of whole-network services, presenting the access relationships of service objects across the network and a graphical display of compromised services; it supports visualization of user-defined business asset management; it analyzes the traffic passing through the device and discovers vulnerabilities of the protected objects; it connects to an external large monitoring screen to show assets and real-time dynamic maps of services attacked from the external network in a graphical wall display; branch security monitoring shows the security state of branch and supervised organizations as a map topology and ranks their security trends; the security log display aggregates the logs of all security devices and queries and filters them by conditions such as time, type, severity, action, region, IP, user, feature/vulnerability ID, response status code, domain name/URL and device name; risk details are shown at the granularity of user groups together with their impact on service systems; risk-user visualization shows high-risk users with their risky operations, attack behaviour, violations and affected services, and classifies them by certainty into compromised, high-risk and suspicious users; risk-service visualization shows high-risk services with a graphical view of effective attacks, tampering and backdoor attack paths, and classifies services by certainty into compromised, high-risk and suspicious services.
Further, in the same step, the big data analysis platform implements its detection capabilities and big data correlation analysis through an analysis engine comprising a data preprocessing module, a data fusion module, a model construction module, a model fusion module and an analysis result generation module. With MapReduce as the underlying computing framework and MLlib and TensorFlow as the main machine learning frameworks, the engine implements the SVM, Bayesian network, random forest, LDA, DGA, Markov clustering, iForest and RNN algorithms and supports UEBA, compromised-host detection and big data correlation analysis.
The beneficial effects of the invention are as follows. The network risk assessment method based on network security situation awareness collects data from a threat latency probe and from endpoint detection and response (EDR) through a data acquisition platform; a big data analysis platform, using UEBA, threat modeling and machine learning, combines feature detection with behaviour detection, analyzes the data and receives threat intelligence; the platform performs a network risk assessment from the analysis results and the received threat intelligence and sends the result to an alarm and control center. This effectively addresses the problems that security event analysis is currently difficult, that security threat handling is stuck, and that network attacks are increasingly complex and security problems hard to detect.
Drawings
FIG. 1 is a flowchart of a network risk assessment method based on network security situation awareness according to the present invention;
FIG. 2 is a system architecture diagram of a security awareness platform according to a network risk assessment method based on network security situation awareness according to the present invention;
FIG. 3 is a data flow diagram of a security awareness platform of a network risk assessment method based on network security situation awareness according to the present invention;
FIG. 4 is a deployment logic topology diagram of a security awareness platform of the network risk assessment method based on network security situation awareness provided by the present invention.
Detailed Description
Referring to FIGS. 1 to 4, an embodiment of the present invention provides a network risk assessment method based on network security situation awareness. The method is implemented on a security awareness platform and comprises the following steps.
Step S101: the data acquisition platform collects data based on the threat latency probe and the EDR.
In this embodiment the data acquisition platform serves as the collection layer and gathers data from the threat latency probe, the EDR and other security devices, so that the data sources are as complete as possible. The data comprises network devices, network services, URLs, IP addresses, port numbers, reassembled sessions, asset identification information, application parsing information, access history, protocol parsing information, attack records and system information in the network. Threat latency probes are deployed at important aggregation nodes of the city-level network and on bypass (mirror) links of the district/county network core switches.
The threat latency probe separates network-layer and application-layer processing in software: an application identification module at the bottom layer classifies the data received on every network card, and a packet-capture driver hands only the application data that needs inspection up to the application layer. A failure in application-layer processing therefore does not affect network-layer forwarding, and message processing is both efficient and reliable. The probe is built on a 64-bit multi-core high-speed hardware platform; a forwarding plane and a security plane run in parallel on the multi-core platform with multi-plane concurrent processing and close cooperation, which greatly improves security processing performance for network packets. Lock-free parallel processing in the design of the computing instructions lets multiple pipelines run simultaneously, so throughput scales with the number of cores and the architecture is genuinely multi-core parallel.
The probe uses a single-pass analysis architecture (each message is parsed once and matched once) to improve application-layer efficiency; it separates the network and application planes through its software architecture and moves data to the application plane with zero-copy, so that threat features are parsed and detected in one unified pass, redundant packet encapsulation is avoided and data processing is fast. Using application identification, the probe tags every packet passing through it with an application label via a private protocol in the kernel driver layer; when a packet is lifted to the content detection plane, the device selects the threat features for that application and skips irrelevant ones (skip scanning), which cuts useless scanning and raises scanning efficiency. For example, once traffic is identified as HTTP, the vulnerability signatures for the Serv-U FTP server pose no threat to the system, so their detection is skipped for that traffic and forwarding efficiency improves.
The probe reconstructs and records network communication behaviour for later forensic analysis by security personnel, including TCP session records, Web access records, SQL access records, DNS resolution records, file transfer behaviour and LDAP login behaviour. It performs IP fragment reassembly, TCP stream reassembly and application-layer protocol identification and parsing; it holds many intrusion-attack patterns and malicious-URL monitoring patterns, performs pattern matching, generates events, extracts URL and domain-name records, and, when a feature event is triggered, records the original message keyed by its five-tuple and two-tuple. The probe's regex engine speeds up regular-expression matching, greatly reduces CPU occupancy and effectively raises overall throughput, so customer service data is processed faster.
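The skip-scanning and event-recording behaviour described above, as an added example that is not code from the patent or its applicant: packets are first given an application label, only the signature family belonging to that label is evaluated, and a hit records the original message together with its five-tuple. The application heuristic, the rule ids and patterns, and the packets are all constructed for illustration and are not real vulnerability signatures.

```python
# Added example, not code from the patent: application-labelled signature
# dispatch ("skip scanning") with five-tuple recording on a hit. Application
# labels, rule ids, patterns and packets are all constructed for illustration.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # src_ip, src_port, dst_ip, dst_port, proto


@dataclass(frozen=True)
class Signature:
    sid: str            # hypothetical rule id
    app: str            # application family the rule belongs to
    pattern: re.Pattern
    description: str


@dataclass
class Event:
    sid: str
    description: str
    five_tuple: FiveTuple
    payload: bytes      # original message recorded when the feature event fires


@dataclass
class Probe:
    signatures: List[Signature]
    scans: int = 0      # number of regex evaluations actually performed
    _by_app: Dict[str, List[Signature]] = field(init=False, default_factory=dict)

    def __post_init__(self) -> None:
        # Index rules by application label once; dispatch then never touches
        # the rule families of other applications.
        for sig in self.signatures:
            self._by_app.setdefault(sig.app, []).append(sig)

    @staticmethod
    def identify_app(dst_port: int, payload: bytes) -> str:
        # Stand-in for the probe's DPI module: a port/prefix heuristic (assumption).
        head = payload[:5]
        if head.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")) or dst_port in (80, 8080):
            return "HTTP"
        if dst_port == 21 or head.startswith((b"USER ", b"PASS ", b"SITE ")):
            return "FTP"
        if dst_port == 53:
            return "DNS"
        return "OTHER"

    def inspect(self, ft: FiveTuple, payload: bytes) -> Optional[Event]:
        app = self.identify_app(ft[3], payload)
        for sig in self._by_app.get(app, []):   # only this application's rules run
            self.scans += 1
            if sig.pattern.search(payload):
                return Event(sig.sid, sig.description, ft, payload)
        return None


# Constructed rules; the patterns are illustrative, not real vulnerability signatures.
SIGNATURES = [
    Signature("HTTP-TRAVERSAL", "HTTP", re.compile(rb"\.\./\.\./"), "directory traversal in request path"),
    Signature("FTP-LONG-SITE", "FTP", re.compile(rb"SITE [^\r\n]{200,}"), "oversized FTP SITE argument"),
    Signature("DNS-LONG-LABEL", "DNS", re.compile(rb"[A-Za-z0-9-]{50,}"), "abnormally long DNS label"),
]

# Constructed packets: (five-tuple, payload).
PACKETS = [
    (("10.0.0.5", 51000, "10.0.1.10", 80, "tcp"), b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"),
    (("10.0.0.6", 51001, "10.0.1.20", 21, "tcp"), b"USER anonymous\r\n"),
    (("10.0.0.7", 51002, "10.0.1.10", 80, "tcp"), b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def run(packets=PACKETS) -> Tuple[List[Event], int, int]:
    """Inspect the packets; return (events, scans with skip scanning, scans without)."""
    probe = Probe(SIGNATURES)
    events = [ev for ft, payload in packets if (ev := probe.inspect(ft, payload)) is not None]
    naive_scans = len(packets) * len(SIGNATURES)   # every rule against every packet
    return events, probe.scans, naive_scans


if __name__ == "__main__":
    events, scans, naive = run()
    for ev in events:
        print(ev.sid, ev.five_tuple, ev.description)
    print(f"regex evaluations: {scans} with skip scanning vs {naive} without")
```

With three packets and three rules the dispatcher performs three regex evaluations instead of nine, and the single hit carries the five-tuple and raw payload that the forensic records described above need. The saving is only as good as the application label: a mislabelled flow skips exactly the rules that would have caught it, so in practice the labeller should fall back to full scanning when it is not confident.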
Step S102: the big data analysis platform, using user and entity behaviour analysis (UEBA), threat modeling and machine learning, combines feature detection with behaviour detection, analyzes the data and receives threat intelligence.
In this embodiment the big data analysis platform analyzes the data using context correlation analysis, abnormal protocol analysis, feature detection, illegal access analysis, abnormal behaviour detection, access correlation analysis, intelligent linkage analysis, asset detection, security situation analysis, whole-network traffic analysis and attack detection. Sources of threat intelligence include Silorder threat intelligence, CNVD, CNCERT, VirusTotal, CNNVD, ANVA, Exploit DB, MAPP and CVE.
The big data analysis platform is used for asset and service management, which comprises: dividing intranet devices into assets and services according to their function; actively identifying intranet assets and discovering the IP addresses of intranet device assets that have not yet been defined; identifying the IP address, operating system, open ports and the transport protocols and applications of each intranet server asset through an asset configuration detail display module; and combining assets into a specific service group by IP address or address range through the service and asset relationship display module.
The big data analysis platform is used for intranet traffic display, which comprises: showing the access relationships among users, service systems and the Internet through an access relationship display module and identifying the who, what, where and how of each access relationship; distinguishing users and service systems of different risk levels by colour; and graphically displaying normal access, illegal access, attack behaviour and abnormal traffic against the different business assets of the intranet, again distinguished by colour.
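The asset discovery and service-group assignment described in the asset and service management paragraph above, as an added example that is not code from the patent or its applicant: the server side of each intranet flow becomes an asset carrying the ports, protocols and application labels observed for it, assets are assigned to business groups by address range, and intranet addresses that answer but fall in no defined group are reported as undefined assets. The intranet ranges, group names and flow records are constructed; operating-system identification, which the patent also lists, is not covered here.

```python
# Added example, not code from the patent: passive asset inventory built from
# flow records and grouped into business service groups by IP address range.
# Intranet ranges, group names and flow records are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical intranet ranges and business groups (assumptions).
INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SERVICE_GROUPS = {
    "ERP": ipaddress.ip_network("10.0.1.0/24"),
    "Web-DMZ": ipaddress.ip_network("192.168.10.0/28"),
}

# Constructed flow records as the probe would emit them:
# (src_ip, src_port, dst_ip, dst_port, proto, app_label)
FLOWS = [
    ("10.0.5.11", 50000, "10.0.1.10", 3306, "tcp", "MySQL"),
    ("10.0.5.11", 50001, "10.0.1.10", 22, "tcp", "SSH"),
    ("10.0.5.12", 50002, "192.168.10.3", 443, "tcp", "HTTPS"),
    ("10.0.5.12", 50003, "10.0.9.77", 445, "tcp", "SMB"),
    ("10.0.5.13", 50004, "8.8.8.8", 53, "udp", "DNS"),
]


@dataclass
class Asset:
    ip: str
    open_ports: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, port) seen answering
    apps: Set[str] = field(default_factory=set)
    group: str = "UNDEFINED"


def is_intranet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET)


def assign_group(ip: str) -> str:
    """Map an asset to the business group whose address range contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in SERVICE_GROUPS.items():
        if addr in net:
            return name
    return "UNDEFINED"


def build_inventory(flows=FLOWS) -> Dict[str, Asset]:
    """The server side of each intranet flow becomes an asset with its observed ports and apps."""
    inventory: Dict[str, Asset] = {}
    for _src, _sport, dst, dport, proto, app in flows:
        if not is_intranet(dst):
            continue     # Internet destinations are not intranet assets
        asset = inventory.setdefault(dst, Asset(dst, group=assign_group(dst)))
        asset.open_ports.add((proto, dport))
        asset.apps.add(app)
    return inventory


def undefined_assets(inventory: Dict[str, Asset]) -> List[str]:
    """Intranet assets seen answering on the wire but covered by no defined service group."""
    return sorted(ip for ip, a in inventory.items() if a.group == "UNDEFINED")


def group_view(inventory: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Service-group view: group name -> sorted member IPs."""
    view: Dict[str, List[str]] = {}
    for ip, a in inventory.items():
        view.setdefault(a.group, []).append(ip)
    return {g: sorted(ips) for g, ips in view.items()}


if __name__ == "__main__":
    inv = build_inventory()
    for ip, a in sorted(inv.items()):
        print(ip, a.group, sorted(a.open_ports), sorted(a.apps))
    print("undefined assets:", undefined_assets(inv))
```

Only destination addresses are treated as assets because a server reveals itself by answering on a port, whereas a client's ephemeral source port says nothing about what it hosts. The undefined list is the actionable output: an intranet host serving SMB that belongs to no registered business group is exactly the unmanaged asset the platform is meant to surface.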
The big data analysis platform has a built-in detection and identification knowledge base covering more than 1100 application types with over 3000 application identification rules, and it can identify hundreds of millions of URLs. The knowledge base covers more than 4000 intrusion prevention vulnerability rule features, each with a Chinese description comprising the vulnerability description, vulnerability name, risk level, affected systems, corresponding CVE number, reference information and suggested remediation; it also has an independent botnet (zombie) host identification feature library and a malware identification feature library.
The big data analysis platform collects and analyzes the logs and alarm information of the company's next-generation firewall and endpoint security system, performs the corresponding analysis and correlation, and invokes the blocking and quarantine/kill responses of those protection systems against the security risks and attack code that its analysis discovers; for third-party security devices that support syslog, the platform provides collection, storage and query of their logs.
The big data analysis platform shows whole-network security events and attacks on a map and in visual form through the visualization platform, with statistics by attack event, attack source, attack target, attack type and damage level. The visualization platform supports visualization of whole-network services, presenting the access relationships of service objects across the network and a graphical display of compromised services; it supports visualization of user-defined business asset management; it analyzes the traffic passing through the device and discovers vulnerabilities of the protected objects; it connects to an external large monitoring screen to show assets and real-time dynamic maps of services attacked from the external network in a graphical wall display; branch security monitoring shows the security state of branch and supervised organizations as a map topology and ranks their security trends; the security log display aggregates the logs of all security devices and queries and filters them by conditions such as time, type, severity, action, region, IP, user, feature/vulnerability ID, response status code, domain name/URL and device name; risk details are shown at the granularity of user groups together with their impact on service systems; risk-user visualization shows high-risk users with their risky operations, attack behaviour, violations and affected services, and classifies them by certainty into compromised, high-risk and suspicious users; risk-service visualization shows high-risk services with a graphical view of effective attacks, tampering and backdoor attack paths, and classifies services by certainty into compromised, high-risk and suspicious services.
The big data analysis platform implements its detection capabilities and big data correlation analysis through an analysis engine comprising a data preprocessing module, a data fusion module, a model construction module, a model fusion module and an analysis result generation module. With MapReduce as the underlying computing framework and MLlib and TensorFlow as the main machine learning frameworks, the engine implements the SVM, Bayesian network, random forest, LDA, DGA, Markov clustering, iForest and RNN algorithms and supports UEBA, compromised-host detection and big data correlation analysis.
Step S103: the big data analysis platform carries out network risk assessment according to the analysis result of the data and the received threat intelligence, and sends the network risk assessment result to an alarm and control center.
In this embodiment, the network risk assessment performed by the big data analysis platform according to the analysis result of the data and the received threat intelligence includes the following steps.
Identifying risk factors. Indexes are selected from the network performance indexes for the experiments. During network operation, network performance may degrade because of user misuse or network attack, producing a network risk, and a network risk may be caused by the interaction of several risk factors. The invention selects three risk factors: traffic, CPU and memory.
Constructing the network topology. The dependency relationships among the indexes are determined by Bayesian network analysis, and a Bayesian network topology chart is drawn.
The network structure is constructed by means of an adjacency matrix $LJ$: when node $i$ is the parent node of node $j$, $LJ_{ij} = 1$; otherwise $LJ_{ij} = 0$. The final matrix is then checked through its diagonal elements: if the diagonal elements of the adjacency matrix are not all 0, the network structure does not conform to a directed acyclic graph, and vice versa. During network operation, traffic, CPU and memory exceeding their thresholds can cause network risks, so a direct dependency exists between the network risk and traffic, CPU and memory. Excessive traffic can also cause the CPU and memory to exceed their thresholds, so CPU and memory depend directly on traffic. Thus the following adjacency matrix is obtained:

$$LJ = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 \end{pmatrix}$$

All diagonal elements of the adjacency matrix $LJ$ are 0, so the structure is a directed acyclic graph and meets the requirement of the model. A Bayesian network structure is thus obtained in which node "1" points to nodes "2", "3" and "4", and nodes "2" and "3" each point to node "4". Node "1" represents traffic, node "2" the CPU, node "3" the memory, and node "4" the network risk.
Calculating the probability of the risk factors. The analysis result of the data and the received threat intelligence are normalized to obtain a time series chart of the corresponding index over a certain time period; statistical analysis is then performed to calculate the prior probability and the posterior probability of each index. In the experiments, the network performance indexes were monitored over a period of time under the conditions of video watching, web browsing, downloading and network attack; time series charts of traffic, CPU and memory were obtained and normalized. Assuming that the critical values above which traffic, CPU and memory are considered to exceed their thresholds are 0.7, 0.6 and 0.6 respectively, statistics are collected from a large amount of data to obtain a conditional probability table for each index. The prior probability distribution is obtained from the conditional probability table, and the conditional probabilities of traffic, CPU and memory are then input through the BNT toolbox to obtain the posterior probability of each index.
Evaluating network risks. Finally, the network risk rate is calculated, and the network risk level at the current moment is looked up in the risk level table. From the discussion of the main factors causing network risk, a reference coefficient is given as the maximum allowable amount of probability change of a given risk factor. [Reference coefficient formula: given as an image in the original and not recoverable here.] In the formula, one symbol denotes the risk factor, one state denotes that a network risk occurs and another that no network risk occurs, and the state of the risk factor takes one of two values. Combining the formula with the results calculated above gives the size and ordering of the reference coefficients of the three risk factors, which respectively represent traffic, CPU and memory; the larger the coefficient, the higher the probability that the factor causes a network risk, so the ranking shows which risk factor is most likely to cause network risk during the period. After the posterior probabilities of traffic, CPU and memory are obtained, a network risk ratio is given as a function of the probabilities of risk occurring for traffic, CPU and memory. [Network risk ratio formula: given as an image in the original and not recoverable here.] Substituting the above calculation results into the formula yields the value of the network risk ratio, and the network risk level at the current moment is looked up in the risk level table. Because many uncertain factors exist in network risk assessment, the risk during network operation is assessed using the Bayesian network method, so that the big data analysis platform can effectively assess network risk according to the analysis result of the data and the received threat intelligence.
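Added example, not the patent's code or the BNT toolbox it mentions: a Python model of the Bayesian network described above (nodes 1 to 4, adjacency matrix LJ, critical values 0.7/0.6/0.6), with a constructed traffic series and a constructed conditional probability table standing in for the patent's measured data. It goes one step beyond the text by checking acyclicity fully rather than through the diagonal alone, since a zero diagonal only excludes self-loops.

```python
# Added example (not the patent's code): Bayesian-network risk model as described above.
# Node 1 = traffic, node 2 = CPU, node 3 = memory, node 4 = network risk, with the edges
# traffic -> CPU, traffic -> memory and traffic/CPU/memory -> risk. Only the critical values
# 0.7/0.6/0.6 come from the text; the sample series and CPT below are constructed.
from itertools import product

NODES = ["traffic", "cpu", "memory", "risk"]          # nodes 1..4 in the text
EDGES = [("traffic", "cpu"), ("traffic", "memory"), ("traffic", "risk"),
         ("cpu", "risk"), ("memory", "risk")]
THRESHOLDS = {"traffic": 0.7, "cpu": 0.6, "memory": 0.6}   # critical values from the text


def adjacency_matrix(nodes, edges):
    """LJ[i][j] = 1 when node i is a parent of node j, else 0."""
    idx = {name: i for i, name in enumerate(nodes)}
    lj = [[0] * len(nodes) for _ in nodes]
    for parent, child in edges:
        lj[idx[parent]][idx[child]] = 1
    return lj


def is_dag(lj):
    """Full acyclicity check (Kahn's algorithm). A zero diagonal, the check the text
    relies on, only rules out self-loops: the 2-cycle 1 -> 2 -> 1 also has a zero diagonal."""
    n = len(lj)
    indegree = [sum(lj[i][j] for i in range(n)) for j in range(n)]
    ready = [j for j in range(n) if indegree[j] == 0]
    removed = 0
    while ready:
        i = ready.pop()
        removed += 1
        for j in range(n):
            if lj[i][j]:
                indegree[j] -= 1
                if indegree[j] == 0:
                    ready.append(j)
    return removed == n


def normalize(series):
    """Min-max normalize a raw time series onto [0, 1]."""
    lo, hi = min(series), max(series)
    if hi == lo:
        return [0.0 for _ in series]
    return [(x - lo) / (hi - lo) for x in series]


def exceedance_prior(raw_series, threshold):
    """Prior P(index over its critical value): fraction of normalized samples above it."""
    states = [1 if x > threshold else 0 for x in normalize(raw_series)]
    return sum(states) / len(states)


def joint(cpt, t, c, m, r):
    """Joint probability factorised along the DAG: P(t) P(c|t) P(m|t) P(r|t,c,m)."""
    p_t = cpt["traffic"] if t else 1 - cpt["traffic"]
    p_c = cpt["cpu"][t] if c else 1 - cpt["cpu"][t]
    p_m = cpt["memory"][t] if m else 1 - cpt["memory"][t]
    p_r = cpt["risk"][(t, c, m)] if r else 1 - cpt["risk"][(t, c, m)]
    return p_t * p_c * p_m * p_r


def posterior_risk(cpt, evidence):
    """P(risk = 1 | evidence) by exact enumeration over the binary nodes;
    evidence maps factor name -> observed state (1 = over threshold, 0 = not)."""
    num = den = 0.0
    for t, c, m in product((0, 1), repeat=3):
        state = {"traffic": t, "cpu": c, "memory": m}
        if any(state[k] != v for k, v in evidence.items()):
            continue
        p1 = joint(cpt, t, c, m, 1)
        num += p1
        den += p1 + joint(cpt, t, c, m, 0)
    return num / den


def rank_factors(cpt):
    """Risk factors ordered by P(risk | factor over threshold), highest first."""
    return sorted(THRESHOLDS, key=lambda f: posterior_risk(cpt, {f: 1}), reverse=True)


# Constructed sample series (not measurements from the text): 3 of 8 normalized samples > 0.7.
TRAFFIC_MBPS = [10, 20, 30, 80, 90, 100, 40, 70]

# Constructed CPT: P(traffic=1), P(cpu=1|traffic), P(memory=1|traffic), P(risk=1|t,c,m).
CPT = {
    "traffic": exceedance_prior(TRAFFIC_MBPS, THRESHOLDS["traffic"]),   # 0.375
    "cpu": {0: 0.2, 1: 0.8},
    "memory": {0: 0.1, 1: 0.7},
    "risk": {(0, 0, 0): 0.02, (0, 0, 1): 0.30, (0, 1, 0): 0.30, (0, 1, 1): 0.60,
             (1, 0, 0): 0.40, (1, 0, 1): 0.70, (1, 1, 0): 0.70, (1, 1, 1): 0.95},
}

if __name__ == "__main__":
    lj = adjacency_matrix(NODES, EDGES)
    print("LJ =", lj, "DAG:", is_dag(lj))
    print("P(risk) =", round(posterior_risk(CPT, {}), 4))           # 0.3735
    print("P(risk | traffic over) =", round(posterior_risk(CPT, {"traffic": 1}), 4))  # 0.822
    print("ranking:", rank_factors(CPT))                               # traffic, memory, cpu
```

With the constructed CPT the ranking step puts traffic first, matching the dependency structure the text derives (traffic drives CPU and memory); with real measurements the CPT would be estimated from the thresholded time series instead of hard-coded.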
According to this embodiment, the network risk assessment method based on network security situation awareness provided by the invention collects data through a data acquisition platform based on a threat latency probe and EDR; the big data analysis platform combines feature detection and behavior detection using user and entity behavior analysis, threat modeling and machine learning technologies, analyzes the data and receives threat intelligence; and the big data analysis platform carries out network risk assessment according to the analysis result of the data and the received threat intelligence, and sends the network risk assessment result to an alarm and control center. This effectively addresses the problems that existing network security event analysis is difficult, security threat handling is troublesome, network attacks are increasingly complex, and security problems are hard to detect.
The embodiment of the present invention further provides a storage medium, and the storage medium stores a computer program, and when the computer program is executed by a processor, the computer program implements part or all of the steps of the network risk assessment method based on network security situation awareness provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a Read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (10)

1. A network risk assessment method based on network security situation awareness is characterized by comprising the following steps:
the data acquisition platform collects data based on the threat latency probe and the EDR;
the big data analysis platform combines feature detection and behavior detection by adopting user and entity behavior analysis, threat modeling and machine learning technologies, analyzes the data and receives threat information;
the big data analysis platform carries out network risk assessment according to the analysis result of the data and the received threat information, and sends the network risk assessment result to an alarm and control center;
wherein the big data analysis platform carrying out network risk assessment according to the analysis result of the data and the received threat intelligence comprises: selecting indexes from the network performance indexes for experiments; analyzing through a Bayesian network, determining the dependency relationships among the indexes, and drawing a Bayesian network topology chart; normalizing the analysis result of the data and the received threat intelligence to obtain a time series chart of the corresponding index over a certain time period, then performing statistical analysis and calculating the prior probability and the posterior probability of each index; and finally calculating the network risk rate and looking up the network risk level at the current moment in the risk level table.
2. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step of collecting data based on the threat latency probe and the EDR, the data includes the network devices, network services, URLs, IP addresses, port numbers, session reassembly, asset identification information, application parsing information, access history information, protocol parsing information, attack records and system information in the network; latent threat probes are deployed at important aggregation nodes of the city-level network and at the bypass of the district/county network core switches;
the threat latency probe separates the data processing of the network layer and the application layer through its software design, identifies the data received by all network cards on the basis of an application identification module at the bottom layer, and captures the application data messages that need processing up to the application layer through a packet capture driver; if the application layer fails to process data, forwarding of network layer data is not affected;
the threat latency probe is built on a 64-bit multi-core concurrent high-speed hardware platform, a forwarding plane and a security plane run in parallel on the multi-core platform for multi-plane concurrent processing, a lock-free parallel processing technique is adopted in the design of the computing instructions, and simultaneous processing of multiple pipelines is achieved.
3. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step of collecting data based on the threat latency probe and the EDR, the threat latency probe adopts a single-parsing architecture to realize one parse and one match per message, so as to improve application layer efficiency; the threat latency probe realizes plane separation of the network layer and the application layer through its software architecture design, and extracts data to the application plane through a zero-copy technique to realize unified parsing and unified detection of threat features;
the threat latency probe marks all data packets passing through the probe with application labels through a private protocol in the kernel driver layer using application identification technology; when the data packets are extracted to the content detection plane for detection, the device finds the corresponding application threat features and skips irrelevant application threat detection features using a skip-scanning technique;
the threat latency probe restores and records network communication behaviors for security personnel to perform forensic analysis, and the restored content comprises: TCP session records, Web access records, SQL access records, DNS resolution records, file transfer behavior and LDAP login behavior;
the threat latency probe realizes IP fragment reassembly, TCP stream reassembly and application layer protocol identification and parsing, has various intrusion attack patterns or malicious URL monitoring patterns, completes pattern matching and generates events, extracts URL records and domain name records, and records the original message based on the five-tuple and two-tuple when a feature event is triggered; the threat latency probe adopts a regular-expression engine to improve the matching speed of regular expressions.
4. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step of analyzing the data and receiving threat intelligence, the big data analysis platform analyzes the data using context correlation analysis, abnormal protocol analysis, feature detection, illegal access analysis, abnormal behavior detection, access correlation analysis, intelligent linkage analysis, asset detection, security situation analysis, whole-network traffic analysis and attack detection, combining feature detection and behavior detection with user and entity behavior analysis, threat modeling and machine learning technologies; sources of threat intelligence include Silorder threat intelligence, CNVD, CNCERT, VirusTotal, CNNVD, ANVA, Exploit DB, MAPP and CVE.
5. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step in which the big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat intelligence, the big data analysis platform is used for asset and business management, which comprises: dividing the intranet devices into assets and services according to function, the big data analysis platform actively identifying the intranet assets and actively discovering the IP addresses of intranet device assets that have not yet been defined; identifying the IP address, operating system, open ports, transport protocol and applications of the intranet server assets through an asset configuration detail display module; and combining assets into specific business groups according to asset IP address/address range through the business and asset relationship display module.
6. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step in which the big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat intelligence, the big data analysis platform is used for intranet traffic display, which comprises: displaying the access relations among users, service systems and the Internet through an access relation display module, identifying the who, what, where and how of each access relation; distinguishing users and service systems of different danger levels by color; and graphically displaying the normal access, illegal access, attack behavior and abnormal traffic of the intranet for different business assets, distinguishing them by different colors.
7. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step in which the big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat intelligence, a detection and identification knowledge base is built into the big data analysis platform, and the intrusion prevention vulnerability features covered by the knowledge base have Chinese descriptions, including vulnerability description, vulnerability name, danger level, affected systems, corresponding CVE number, reference information and suggested solution; the detection and identification knowledge base has an independent zombie host identification feature base and a malware identification feature base.
8. The network risk assessment method based on network security situation awareness according to claim 1, wherein in the step in which the big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat intelligence, the big data analysis platform collects and analyzes the related logs and alarm information of the company's next-generation firewall and endpoint security system, performs corresponding analysis and correlation, and invokes the blocking and search-and-kill responses of the protection systems for the security risks and attack code found by platform analysis; for third-party security devices supporting syslog, the big data analysis platform supports collection, storage and query of the related logs.
9. The network risk assessment method based on network security situation awareness, wherein in the step in which the big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat intelligence, the big data analysis platform performs map display and visual display of all network security events and attacks through a visualization platform, with statistics counted and displayed by attack event, attack source, attack target, attack type and damage level; the visualization platform supports visualization of all network services, presenting the access relations of all network service objects and a graphical display of compromised services; it supports visualization of user-defined business asset management; it supports analysis of the traffic passing through the device and discovers vulnerabilities in the protected objects; the business view connects to an external large monitoring screen and displays the assets and real-time dynamic maps of the business attacked from the external network on a graphical large screen; branch security monitoring shows the security state of branch institutions/supervised institutions as a map topology and ranks their security trends; the security log display supports summarization of the security logs of all security devices, and logs can be queried and filtered by conditions such as time, type, severity level, action, region, IP, user, feature/vulnerability ID, reply status code, domain name/URL and device name; risk details and their impact on the service system are displayed at the granularity of user groups, the risk-user view visually displays high-risk users together with their risky operations, attack behavior, violations and affected services, and classifies them into compromised users, high-risk users and suspicious users according to certainty; and the risk-service view visually displays high-risk services, graphically displays the effective attack, tampering and backdoor attack paths against a service, and classifies services into defective services, high-risk services and suspicious services according to certainty.
10. The network risk assessment method based on network security situation awareness as claimed in claim 1, wherein in the step in which the big data analysis platform adopts user and entity behavior analysis, threat modeling and machine learning technologies, combines feature detection and behavior detection, analyzes the data and receives threat intelligence, the big data analysis platform realizes its various detection capabilities and big data correlation analysis capabilities through an analysis engine; the analysis engine comprises a data preprocessing module, a data fusion module, a model construction module, a model fusion module and an analysis result generation module; the analysis engine uses MapReduce as the underlying computation framework and MLlib and TensorFlow as the main machine learning frameworks to realize SVM, Bayesian network, random forest, LDA, DGA, Markov clustering, iForest and RNN machine learning algorithms, and supports UEBA, compromised host detection and big data correlation analysis security capabilities.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210577874.8A CN114679338A (en) 2022-05-26 2022-05-26 Network risk assessment method based on network security situation awareness

Publications (1)

Publication Number Publication Date
CN114679338A true CN114679338A (en) 2022-06-28

Family

ID=82079959

Legal Events

Date Code Title Description
PB01 Publication (application publication date: 20220628)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication