CN115277249B - Network security situation perception method based on cooperation of multi-layer heterogeneous network - Google Patents


Info

Publication number
CN115277249B
Authority
CN
China
Prior art keywords
network
network security
security situation
heterogeneous network
threat detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211154561.8A
Other languages
Chinese (zh)
Other versions
CN115277249A (en)
Inventor
韩晓晖
刘伟华
左文波
刘广起
罗雪姣
徐正源
王志文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Computer Science Center National Super Computing Center in Jinan
Original Assignee
Shandong Computer Science Center National Super Computing Center in Jinan
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Computer Science Center National Super Computing Center in Jinan
Priority to CN202211154561.8A
Publication of CN115277249A
Application granted
Publication of CN115277249B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/04 Network management architectures or arrangements
    • H04L41/044 Network management architectures or arrangements comprising hierarchical management structures
    • H04L41/046 Network management architectures or arrangements comprising network management agents or mobile agents therefor
    • H04L41/12 Discovery or management of network topologies
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0852 Delays


Abstract

A network security situation perception method based on multi-layer heterogeneous network collaboration relates to the technical field of network security situation perception, and is characterized in that a network security situation perception task is decomposed and dispersed to devices of all levels of a heterogeneous network to be executed, namely the task with high requirements on light weight and real-time performance is executed at the edge and the end, a complex task is executed on the cloud, and a global situation perception result is finally generated through parameter transmission interaction and collaboration among the tasks. The method provided by the invention fully utilizes the computing resources of each level of equipment of the multilayer heterogeneous network, reduces the bandwidth occupation, improves the real-time performance and refines the analysis granularity.

Description

Network security situation perception method based on cooperation of multi-layer heterogeneous network
Technical Field
The invention relates to the technical field of network security situation awareness, in particular to a network security situation awareness method based on multi-layer heterogeneous network cooperation.
Background
With the development of novel network technologies such as 5G, the internet of things and the industrial internet, cyberspace is no longer a single system structure but is formed by various heterogeneous networks (such as the traditional internet, sensing networks and industrial control networks), with diverse access devices spanning the cloud, edge and end levels. Some types of network structures and devices are designed without considering security factors, carry significant hidden dangers, have gradually become the main targets of network attackers, and face a severe network security situation.
The characteristics of multi-heterogeneous network interconnection and multi-layer spanning of a novel network structure and the development trend of complicated, concealed and distributed network attack means bring new challenges to network security situation perception. The network security situation awareness mainly comprises tasks of detecting attacks and predicting non-attacks. Because the edge and end computing resources are limited, the existing analysis method mainly analyzes the security situation of the whole network environment by collecting the global network data to the cloud end and using a deep learning and big data mining method. The disadvantages of this approach are: (1) A large amount of flow and log behavior data need to be uploaded to the cloud, and therefore bandwidth resources are occupied; (2) The data can be analyzed after being collected, and at the moment, the edge and end networks can be damaged or controlled by an attacker, so that the real-time performance is poor; (3) During cloud analysis, slight abnormalities of single edge and end equipment are easily submerged in mass data, and the analysis granularity is coarse.
Disclosure of Invention
In order to overcome the defects of the technologies, the invention provides the network security situation sensing method of the cooperation of the multilayer heterogeneous network, which fully utilizes the computing resources of the devices at each level of the multilayer heterogeneous network, reduces the bandwidth occupation, improves the real-time performance and refines the analysis granularity.
The technical scheme adopted by the invention for overcoming the technical problems is as follows:
a network security situation perception method based on multi-layer heterogeneous network cooperation comprises the following steps:
(a) Deploying a network security situation awareness on-duty agent on each type of device in the whole domain of the multi-layer heterogeneous network, the on-duty agent collecting the device state parameters;
(b) Transmitting the state parameters of each device collected by the network security situation perception on-duty agent to the cloud situation perception master controller, and establishing, by the cloud situation perception master controller according to the network information in the state parameters, a structure graph of the global device topology of the multilayer heterogeneous network [formula 1], wherein [formula 2] is the set of devices in the whole domain of the multi-layer heterogeneous network, [formula 3], [formula 4] is the [formula 5]-th device, [formula 6], [formula 7] is the total number of devices in the whole domain of the multi-layer heterogeneous network, [formula 8] is the set of edges, [formula 9]; if a communication link exists between the [formula 5]-th device [formula 4] and the [formula 10]-th device [formula 11], then the [formula 5]-th device [formula 4] and the [formula 10]-th device [formula 11] constitute an edge [formula 12]; [formula 13] is the edge weight matrix, [formula 14], and [formula 15] is the communication delay value between the [formula 5]-th device [formula 4] and the [formula 10]-th device [formula 11];
(c) Dividing all devices in the whole domain of the multi-layer heterogeneous network into [formula 17] types according to whether the operating system run by the device and its hardware architecture are the same, forming a set of types [formula 18], [formula 19], where [formula 20] is the [formula 5]-th type, and constructing a threat detection model [formula 21] for all devices of type [formula 20];
(d) For each device [formula 22] in the whole domain of the multi-layer heterogeneous network, computing the computational cost required to perform security analysis using the corresponding threat detection model [formula 23];
(e) The cloud situation perception master controller schedules the network security situation perception on-duty agents to cooperatively sense the global security situation and performs global cooperative calculation of the device risk indexes, and each network security situation perception on-duty agent sends its risk index to the cloud situation perception master controller;
(f) The network security situation awareness on-duty agent regularly updates the state parameters of its device according to a preset update period and sends the updated state parameters to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the set of devices in the whole multi-layer heterogeneous network [formula 24].
Further, the device state parameters collected by the network security situation awareness on-duty agent in step (a) include: processor information, dynamic storage information, static storage information, file system information and network information;
the processor information includes: the processor peak capability value, the current processor load value and the processor load peak value;
the dynamic storage information includes: the dynamic memory capacity value, the current occupation amount of the dynamic memory and the peak occupation amount of the dynamic memory;
the static storage information includes: the capacity value of the static memory and the current occupation amount of the static memory;
the file system information includes: the number of files and the depth value of the file path;
the network information includes: the average hourly network traffic, the network traffic peak, and the delay values for the other devices in the multi-layered heterogeneous network that communicate with this device to reach it.
Further, after step (b) the cloud situation awareness master controller constructs a global device information base. The global device information base is a hash table of device information description objects: each unit in the hash table is a device information description object that describes the information of one device in the multilayer heterogeneous network. The device information description object holds a pointer from the current device in the hash table to a linked list of connected devices; the linked list has a plurality of nodes, one for every device that has a communication link with the current device in the hash table, and each node comprises two fields, the first recording the ID of the device and the second recording the communication delay from the current device in the hash table to the corresponding device in the linked list.
Further, the information of one device in the multi-layer heterogeneous network described by the device information description object includes: the hash value of the equipment ID, the equipment model, the level of the equipment, the equipment model information, the physical position where the equipment is placed, the equipment attribute information, the state parameters of the equipment, which are acquired by a network security situation perception on duty agent, and the risk index of the equipment.
Further, the threat detection model in step (c) is an anomaly detection algorithm based on density clustering or an anomaly detection model based on an autoencoder, and after the threat detection model is constructed, a knowledge distillation method is used to make the threat detection model lightweight.
Further, the step (d) comprises the steps of:
(d-1) The type of the [formula 5]-th device [formula 4] is [formula 20] and its corresponding threat detection model is [formula 23]; from the parameter scale [formula 25] of the threat detection model, the number of executions of the algorithm statements, and the data volume [formula 26] that the [formula 5]-th device [formula 4] detects using the threat detection model, the cost required for the [formula 5]-th device [formula 4] to perform threat detection is obtained, the cost comprising a processor load amount [formula 27] and a dynamic memory occupation amount [formula 28];
(d-2) Checking each device in the global device set [formula 24] of the multi-layer heterogeneous network: let [formula 29] be the processor peak capability value of the [formula 5]-th device [formula 4], [formula 30] the current processor load value of the [formula 5]-th device [formula 4], and [formula 31] the processor load peak value of the [formula 5]-th device [formula 32]; let [formula 33] be the dynamic memory size of the [formula 5]-th device [formula 4], [formula 34] the current dynamic memory occupation of the [formula 5]-th device [formula 4], and [formula 35] the dynamic memory occupation peak value of the [formula 5]-th device [formula 4];
(d-3) If [formula 36] and [formula 37], performing step (d-4); if [formula 38] or [formula 39], performing step (d-5);
(d-4) Performing the threat detection task locally on the current [formula 5]-th device [formula 4]; the network security situation awareness on-duty agent of the [formula 5]-th device [formula 4] updates the state parameters and sends them to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the information of the [formula 5]-th device [formula 4] in the global device set [formula 24] of the multilayer heterogeneous network, the [formula 5]-th device [formula 4] being updated to [formula 40] and the [formula 5]-th device [formula 4] being updated to [formula 41], [formula 42], [formula 43];
(d-5) Finding, in the global device set [formula 44] of the multi-layer heterogeneous network, all [formula 46] devices that have a communication link with the [formula 45]-th device [formula 4], forming a device set [formula 47]; adding the [formula 48] devices to a priority queue [formula 49] in ascending order of their communication delay to the [formula 5]-th device [formula 4], [formula 50], wherein [formula 51] is the [formula 10]-th device;
(d-6) Taking the head-of-queue device [formula 52] out of the priority queue [formula 49], [formula 53]; the processor peak capability value of the head-of-queue device [formula 52] is [formula 54], the processor load peak value of the head-of-queue device [formula 52] is [formula 55], the current processor load value of the head-of-queue device [formula 52] is [formula 56], the processor load of the head-of-queue device [formula 52] is [formula 57], the dynamic memory capacity of the head-of-queue device [formula 52] is [formula 58], the peak dynamic memory occupation of the head-of-queue device [formula 52] is [formula 59], the dynamic memory of the head-of-queue device [formula 52] is [formula 60], and the dynamic memory occupation of the head-of-queue device [formula 61] is [formula 62];
(d-7) If [formula 63] and [formula 64], performing step (d-8), the device [formula 52] being the threat detection task execution device of the [formula 5]-th device [formula 4]; if [formula 65] or [formula 66], taking the device [formula 67] out of the priority queue [formula 49] as the new head-of-queue device and returning to step (d-6);
(d-8) The network security situation awareness on-duty agent of the head-of-queue device [formula 52] updates the state parameters and sends them to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the information of the [formula 68]-th device [formula 69] in the global device set [formula 24] of the multilayer heterogeneous network, the [formula 68]-th device [formula 69] being updated to [formula 70] and the [formula 68]-th device [formula 69] being updated to [formula 71], [formula 72], [formula 73];
(d-9) Repeating steps (d-1) to (d-8) until all devices in the global device set [formula 24] of the multi-layered heterogeneous network have found their threat detection task execution device.
Further, after step (d-9), the method records the threat detection task execution device information of all devices in the global device set [formula 24] of the multi-layer heterogeneous network in a situation-aware task allocation table, wherein the first column of the situation-aware task allocation table records the ID of the device in the global device set [formula 24] of the multi-layer heterogeneous network, and the second column records the ID of the corresponding threat detection task execution device.
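To make the allocation procedure concrete, here is an added Python model (not code from the patent) of the global device information base from step (b) together with steps (d-1) to (d-9). The capacity tests that the page shows only as images are assumed to be "current processor load plus task load within the peak capability" and "current dynamic memory occupation plus task memory within the capacity"; device names, the per-type cost table and all numbers are constructed.

```python
"""Added example, not the patent's own code: a compact model of the global device
information base of step (b) and the adaptive task allocation of steps (d-1) to
(d-9). The capacity test (shown on the page only as images) is assumed to be
"current load plus task cost within the peak/size". All values are constructed."""
from dataclasses import dataclass, field
import heapq


@dataclass
class DeviceInfo:
    """One device information description object (step (b))."""
    dev_id: str
    layer: str          # "cloud", "edge" or "end"
    dev_type: str       # type from step (c); selects the detection model
    cpu_peak: float     # processor peak capability value
    cpu_load: float     # current processor load value
    mem_size: float     # dynamic memory capacity
    mem_used: float     # current dynamic memory occupation
    data_volume: float  # amount of data the detection model must process
    neighbours: list = field(default_factory=list)  # (neighbour id, delay)


# Assumed per-type model cost: (processor load, dynamic memory) per unit of data,
# standing in for the parameter scale and statement counts of step (d-1).
MODEL_COST = {"plc": (0.30, 0.10), "linux": (0.20, 0.05)}


def build_device_base(devices, links):
    """Hash table of descriptors; each entry carries the list of
    (neighbour id, communication delay) derived from the edge weights."""
    base = {d.dev_id: d for d in devices}
    for a, b, delay in links:  # links are symmetric
        base[a].neighbours.append((b, delay))
        base[b].neighbours.append((a, delay))
    return base


def task_cost(dev):
    """Step (d-1): cost of running the type's model over the device's data."""
    cpu_per_unit, mem_per_unit = MODEL_COST[dev.dev_type]
    return dev.data_volume * cpu_per_unit, dev.data_volume * mem_per_unit


def fits(host, cpu_cost, mem_cost):
    """Assumed form of the tests in steps (d-3) and (d-7)."""
    return (host.cpu_load + cpu_cost <= host.cpu_peak
            and host.mem_used + mem_cost <= host.mem_size)


def commit(host, cpu_cost, mem_cost):
    """Steps (d-4)/(d-8): the chosen host's state parameters are updated so
    that later placements see the load already committed to it."""
    host.cpu_load += cpu_cost
    host.mem_used += mem_cost


def allocate_tasks(base):
    """Steps (d-2) to (d-9): returns the situation-aware task allocation table
    as {device id: executing device id}; None marks a device with no fitting host."""
    table = {}
    for dev_id, dev in base.items():
        cpu_cost, mem_cost = task_cost(dev)
        if fits(dev, cpu_cost, mem_cost):  # (d-3) -> (d-4): run locally
            commit(dev, cpu_cost, mem_cost)
            table[dev_id] = dev_id
            continue
        # (d-5): linked devices enter a priority queue ordered by delay, ascending.
        queue = [(delay, nid) for nid, delay in dev.neighbours]
        heapq.heapify(queue)
        table[dev_id] = None
        while queue:  # (d-6)/(d-7): pop heads until one has the capacity
            _, nid = heapq.heappop(queue)
            host = base[nid]
            if fits(host, cpu_cost, mem_cost):
                commit(host, cpu_cost, mem_cost)  # (d-8)
                table[dev_id] = nid
                break
    return table


def sample_base():
    """Constructed three-layer topology: one cloud node, one edge gateway and
    two end devices; delays in milliseconds, other units arbitrary."""
    devices = [
        DeviceInfo("cloud-1", "cloud", "linux", 100, 10, 64, 8, 50),
        DeviceInfo("edge-1", "edge", "linux", 8, 2, 4, 1, 5),
        DeviceInfo("end-1", "end", "plc", 1, 0.5, 0.5, 0.2, 30),
        DeviceInfo("end-2", "end", "plc", 1, 0.2, 0.5, 0.1, 1),
    ]
    links = [("cloud-1", "edge-1", 30), ("edge-1", "end-1", 5),
             ("edge-1", "end-2", 5), ("cloud-1", "end-1", 40)]
    return build_device_base(devices, links)


if __name__ == "__main__":
    # end-1 cannot host its own task; its lowest-delay link (edge-1) lacks the
    # capacity too, so the queue falls through to cloud-1.
    for dev_id, host in allocate_tasks(sample_base()).items():
        print(dev_id, "->", host)
```

Because each placement commits load to the chosen host before the next device is examined, a gateway cannot be assigned more offloaded tasks than its own state parameters allow.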
Further, the step (e) comprises the steps of:
(e-1) The network security situation awareness on-duty agent of the [formula 5]-th device [formula 4] starts a threat detection task;
(e-2) Determining whether the threat detection task is executed locally on the [formula 5]-th device [formula 4]; if yes, the network security situation awareness on-duty agent of the [formula 5]-th device [formula 4] executes the threat detection task; if not, the threat detection task of the [formula 5]-th device [formula 4] is executed by the [formula 10]-th device [formula 74], and step (e-3) is performed;
(e-3) The network security situation awareness on-duty agent of the [formula 5]-th device [formula 4] communicates with the network security situation awareness on-duty agent of the [formula 10]-th device [formula 11], sends the data required for threat detection to the [formula 10]-th device [formula 11], and receives the detection result;
(e-4) Each device in the whole domain of the multi-layer heterogeneous network performs threat detection using the threat model and calculates its device risk index; the risk index of the [formula 45]-th device [formula 4] is [formula 75]; the devices in the device set [formula 76] perform threat detection using the threat model and calculate their device risk indices, and the risk index of the [formula 10]-th device [formula 11] in the device set [formula 76] is [formula 77];
(e-5) The network security situation awareness on-duty agent of the [formula 5]-th device [formula 4] establishes a network connection with the network security situation awareness on-duty agent of the [formula 10]-th device [formula 11] in the device set [formula 76]; the network security situation awareness on-duty agent of the [formula 5]-th device [formula 4] obtains the risk index [formula 77] of the [formula 10]-th device [formula 78] and stores it;
(e-6) Calculating, by the formula [formula 80], the risk index [formula 82] after the [formula 81]-th round of iteration, where, when [formula 81] equals 1, [formula 83], [formula 84]; in the formula, [formula 85] is a balancing factor, [formula 86] is a smoothing term that prevents a risk index of 0, [formula 87] is the device weight, [formula 88] is the set of devices having a communication link with the [formula 10]-th device [formula 11], and [formula 89] is the number of devices in the set [formula 88];
(e-7) Checking whether the risk indexes of the devices in the whole domain of the multilayer heterogeneous network were updated in this iteration; if not, stopping the iteration, and if so, performing step (e-8);
(e-8) Judging whether the number of iterations has reached a preset maximum value; if so, stopping the iteration, and if not, returning to step (e-6);
(e-9) Each network security situation perception on-duty agent sends its risk index to the cloud situation perception master controller, which records and stores it in the global device set [formula 24].
Further, the threat model in step (e-4) is an anomaly detection algorithm based on density clustering. The risk index [formula 91] of the [formula 5]-th device [formula 4] is calculated by the formula [formula 90], in which [formula 92] is the set of outliers in the data generated by the [formula 5]-th device [formula 4], which contains device logs and network traffic, [formula 93] is the [formula 10]-th outlier in the outlier set, [formula 94] is the high-density cluster nearest to the outlier [formula 93], and [formula 95] is the Euclidean distance function between outliers. The risk index [formula 97] of the [formula 10]-th device [formula 11] is calculated by the formula [formula 96], in which [formula 98] is the set of outliers in the data generated by the [formula 10]-th device [formula 11], which contains device logs and network traffic, [formula 99] is the [formula 5]-th outlier in the outlier set, and [formula 100] is the high-density cluster nearest to the outlier [formula 99].
Preferably, in step (e-6) the device weight [formula 87] of the cloud layer takes the value 1, the device weight [formula 87] of the edge layer takes the value 0.6, the device weight [formula 87] of the terminal devices takes the value 0.3, and the maximum value preset in step (e-8) is 200.
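As an added example (not the patent's own code) of the cooperative iteration in steps (e-4) to (e-9): the update formula of step (e-6) survives on the page only as an image, so the update rule below is an assumed stand-in built from the ingredients the text names (balancing factor, smoothing term, per-layer weights 1/0.6/0.3, each device's linked-device set, and the stop conditions of (e-7) and (e-8)); the topology and initial indices are constructed.

```python
"""Added example, not the patent's own code: the cooperative risk-index iteration
of steps (e-4) to (e-9). The page's update formula is an image not reproduced
here, so the rule below is an assumed stand-in assembled from the ingredients the
text names: a balancing factor, a smoothing term, per-layer device weights
(cloud 1, edge 0.6, end 0.3), each device's set of linked devices, and a loop
that stops when no index changes or after 200 rounds. Topology and initial
indices are constructed."""

LAYER_WEIGHT = {"cloud": 1.0, "edge": 0.6, "end": 0.3}  # preferred values, step (e-6)
MAX_ROUNDS = 200    # preset maximum of step (e-8)
BALANCE = 0.5       # balancing factor (assumed value)
SMOOTH = 1e-3       # smoothing term keeping an index away from exactly 0 (assumed)


def neighbour_risk(dev, risk, layer, adj):
    """Layer-weighted mean of the previous-round indices of the devices linked
    to `dev`; a device without links contributes nothing (no division by zero)."""
    links = adj.get(dev, ())
    if not links:
        return 0.0
    return sum(LAYER_WEIGHT[layer[j]] * risk[j] for j in links) / len(links)


def iterate_risk(initial, layer, adj, tol=1e-9):
    """Runs the (e-6) to (e-8) loop. `initial` holds each device's own detection
    result from step (e-4). Every agent updates in the same round from the
    values exchanged in step (e-5), i.e. a synchronous update.
    Returns the final indices and the number of rounds used."""
    risk = dict(initial)
    rounds = 0
    for rounds in range(1, MAX_ROUNDS + 1):
        new = {d: BALANCE * initial[d]
                  + (1 - BALANCE) * neighbour_risk(d, risk, layer, adj)
                  + SMOOTH
               for d in risk}
        changed = any(abs(new[d] - risk[d]) > tol for d in risk)  # step (e-7)
        risk = new
        if not changed:
            break
    return risk, rounds


def sample_network():
    """Constructed: cloud-1 linked to edge-1, which serves end-1 and end-2;
    end-3 has no link at all. end-2 reports a high local anomaly score."""
    initial = {"cloud-1": 0.05, "edge-1": 0.10, "end-1": 0.05,
               "end-2": 0.90, "end-3": 0.20}
    layer = {"cloud-1": "cloud", "edge-1": "edge",
             "end-1": "end", "end-2": "end", "end-3": "end"}
    adj = {"cloud-1": ["edge-1"], "edge-1": ["cloud-1", "end-1", "end-2"],
           "end-1": ["edge-1"], "end-2": ["edge-1"], "end-3": []}
    return initial, layer, adj


if __name__ == "__main__":
    final, used = iterate_risk(*sample_network())
    print(f"converged after {used} rounds")
    for dev, value in sorted(final.items(), key=lambda kv: -kv[1]):
        print(f"{dev:8s} {value:.4f}")
```

With a balancing factor below 1 the neighbour term is a contraction, so the loop stops on the (e-7) check long before the 200-round ceiling; an unlinked device keeps only its own scaled score plus the smoothing term.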
The invention has the beneficial effects that: the network security situation awareness tasks can be decomposed and dispersed to devices at all levels of the heterogeneous network to be executed, namely, the tasks with high requirements on light weight and real-time performance are executed at the sides and ends, the complex tasks are executed on the cloud, and the tasks are interacted and cooperated through transmission parameters to finally generate a global situation awareness result. The method provided by the invention fully utilizes the computing resources of each level of equipment of the multilayer heterogeneous network, reduces the bandwidth occupation, improves the real-time performance and refines the analysis granularity.
Drawings
FIG. 1 is a flow chart of a method of the present invention;
FIG. 2 is a diagram of a global device library data structure according to the present invention;
FIG. 3 is a situation aware task allocation table of the present invention;
FIG. 4 is a schematic diagram of an adaptive distribution process of threat detection tasks according to the present invention;
FIG. 5 is a schematic view of a calculation and update process of risk index of equipment according to the present invention;
FIG. 6 is a diagram of a multi-layer heterogeneous network security situation awareness system according to the present invention.
Detailed Description
The invention is further described with reference to fig. 1 to 6.
As shown in fig. 1 and fig. 6, a method for sensing network security situation of multi-layer heterogeneous network cooperation includes the following steps:
(a) The network security situation awareness on-duty agent is deployed on all types of devices in the whole domain of the multilayer heterogeneous network, and the on-duty agent collects the device state parameters.
(b) The state parameters of each device collected by the network security situation perception on-duty agent are transmitted to the cloud situation perception master controller, and the cloud situation perception master controller establishes, according to the network information in the state parameters, a structure graph of the global device topology of the multilayer heterogeneous network [formula 101], wherein [formula 2] is the set of devices in the whole domain of the multi-layer heterogeneous network, [formula 3], [formula 4] is the [formula 5]-th device, [formula 6], [formula 7] is the total number of devices in the whole domain of the multilayer heterogeneous network, [formula 8] is the set of edges, [formula 9]; if a communication link exists between the [formula 5]-th device [formula 4] and the [formula 10]-th device [formula 11], then the [formula 5]-th device [formula 4] and the [formula 10]-th device [formula 11] constitute an edge [formula 12]; [formula 13] is the edge weight matrix, [formula 14], and [formula 15] is the communication delay value between the [formula 5]-th device [formula 4] and the [formula 10]-th device [formula 11]. The cloud situation perception master controller further constructs a global device information base.
(c) All devices in the whole domain of the multi-layer heterogeneous network are divided into a number of device types according to whether they run the same operating system and share the same hardware architecture, forming a set of types; for each type, one threat detection model is constructed and shared by all devices of that type.
(d) For each device in the whole domain of the multi-layer heterogeneous network, the computational cost required to perform security analysis with the threat detection model corresponding to its type is calculated.
(e) The cloud situation perception master controller schedules network security situation perception on-duty agents to cooperatively sense global security situations, global cooperative calculation of equipment risk indexes is carried out, and each network security situation perception on-duty agent sends the risk indexes to the cloud situation perception master controller.
(f) The on-duty agents regularly update the device state parameters according to a preset update period and send the updated parameters to the cloud situation awareness master controller, which updates the set of devices in the whole multi-layer heterogeneous network.
Throughout the network security situation awareness task, only device state parameter information and the lightweight threat detection models are transmitted among the cloud, the edge devices and the end devices; a small amount of device operation data is transmitted, and only between a device and its best-connected linked device, when the current device cannot execute the threat detection task itself. Compared with prior-art approaches that upload large volumes of traffic and log behaviour data to the cloud, this greatly reduces bandwidth consumption. Second, most devices complete their threat detection tasks locally, and the detection tasks of the few devices with insufficient capacity are executed on a linked device that has the lowest communication delay and sufficient spare resources.
Specifically, the device state parameters collected by the network security situation awareness on-duty agent in step (a) include processor information, dynamic storage information, static storage information, file system information and network information.
The processor information includes the processor peak capability value, the processor current load value and the processor load peak value.
The dynamic storage information includes the dynamic memory capacity value, the current dynamic memory occupancy and the peak dynamic memory occupancy.
The static storage information includes the static memory capacity value and the current static memory occupancy.
The file system information includes the number of files and the file path depth value.
The network information includes the average hourly network traffic, the network traffic peak, and the communication delay values from the other devices in the multi-layer heterogeneous network that are linked to this device.
Specifically, as shown in FIG. 2, the cloud situation awareness master controller constructs a global device information base after step (b). The global device information base is a hash table of device information description objects; each unit in the hash table is one device information description object describing one device in the multi-layer heterogeneous network. The device information description object holds a pointer from the current device in the hash table to a linked-device list with several nodes; each node stores one device that has a communication link with the current device and consists of two fields, the first recording the ID of that device and the second recording the communication delay from the current device in the hash table to it.
Further preferably, the information of one device described by the device information description object includes: the hash value of the device ID, the device model, the level of the device, the device model information, the physical location where the device is placed, the device attribute information, the state parameters of the device collected by the network security situation awareness on-duty agent, and the risk index of the device.
Further preferably, the threat detection model in step (c) may be any existing machine learning model capable of detecting abnormal conditions, for example an anomaly detection algorithm based on density clustering or an anomaly detection model based on an autoencoder; after the threat detection model is built, it is compressed into a lightweight model by knowledge distillation.
Specifically, as shown in FIG. 4, step (d) includes the following steps:
(d-1) For the current device, whose type has a corresponding threat detection model, the cost required for the device to perform threat detection is estimated from the parameter scale of the threat detection model, the number of arithmetic statements it executes, and the volume of data the device feeds to the model; the cost comprises a processor load amount and a dynamic memory occupancy amount.
(d-2) For each device in the global device set of the multi-layer heterogeneous network, take from its state parameters the processor peak capability value, the processor current load value, the processor load peak value, the dynamic memory capacity, the current dynamic memory occupancy and the peak dynamic memory occupancy.
(d-3) If the device satisfies both the processor condition and the dynamic memory condition on these quantities (it has enough spare processor capability and enough spare dynamic memory to absorb the cost estimated in step (d-1)), perform step (d-4); if either condition fails, perform step (d-5).
(d-4) The current device performs the threat detection task locally. Its network security situation awareness on-duty agent updates the state parameters and sends them to the cloud situation awareness master controller, which updates the device's information in the global device set of the multi-layer heterogeneous network: the device's processor current load value is updated to reflect the processor load added by the task, and its dynamic memory occupancy is updated to reflect the dynamic memory occupancy added by the task.
(d-5) In the global device set of the multi-layer heterogeneous network, find all devices that have a communication link with the current device, forming a set of linked devices, and add these devices to a priority queue ordered by their communication delay to the current device, from smallest to largest.
(d-6) Dequeue the head-of-queue device from the priority queue and take, from its state parameters, its processor peak capability value, processor load peak value, processor current load value and processor capacity, together with its dynamic memory capacity, peak dynamic memory occupancy, current dynamic memory occupancy and the dynamic memory footprint of the task.
(d-7) If the head-of-queue device satisfies both the processor condition and the dynamic memory condition, perform step (d-8): the head-of-queue device becomes the threat detection task execution device of the current device. If either condition fails, take the next device from the priority queue as the new head-of-queue device and return to step (d-6).
(d-8) The network security situation awareness on-duty agent of the head-of-queue device updates its state parameters and sends them to the cloud situation awareness master controller, which updates that device's information in the global device set of the multi-layer heterogeneous network: its processor current load value is updated to reflect the processor load added by the task it has taken over, and its dynamic memory occupancy is updated to reflect the dynamic memory occupancy added by that task.
(d-9) Repeat steps (d-1) to (d-8) until every device in the global device set of the multi-layer heterogeneous network has found its threat detection task execution device.
Specifically, as shown in FIG. 3, after step (d-9) the method further records the threat detection task execution device of every device in the global device set in a situation-aware task allocation table: the first column of the table records the ID of each device in the global device set, and the second column records the ID of the corresponding threat detection task execution device. In the example table, the threat detection task execution device of "device 1" is itself, and the threat detection task execution device of "device 2" is "device 5".
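The allocation procedure of steps (d-1) to (d-9), built on the global device information base of FIG. 2 (a hash table of device records, each carrying its linked devices and the delay to each), as an added Python example that is not part of the patent. The cost formula, the exact capacity inequalities, the device records and the topology are assumptions made for the example: the page names the inputs of the cost estimate and the state parameters that are tested, but does not reproduce the expressions.

```python
"""Adaptive allocation of threat detection tasks, steps (d-1) to (d-9).

Added example, not code from the patent. The global device information base is
modelled as a dict (hash table) keyed by device ID; each record carries the
device's linked neighbours and the communication delay to each of them.
"""
from dataclasses import dataclass, field
import heapq


@dataclass
class DeviceRecord:
    """One device information description object (assumed field set)."""
    dev_id: str
    layer: str                 # 'cloud', 'edge' or 'end'
    dev_type: str              # device type: same OS + same hardware architecture
    cpu_peak: float            # processor peak capability value
    cpu_load: float            # processor current load value
    mem_capacity: float        # dynamic memory capacity
    mem_used: float            # current dynamic memory occupancy
    links: dict = field(default_factory=dict)  # neighbour ID -> communication delay


def estimate_cost(model_params, ops_per_sample, data_volume):
    """(d-1): processor load and dynamic memory needed to run the type's model.
    The patent names these inputs but not the formula; the linear scalings are assumed."""
    cpu_cost = ops_per_sample * data_volume / 1_000_000
    mem_cost = model_params / 250_000 + data_volume / 10_000
    return cpu_cost, mem_cost


def has_capacity(dev, cpu_cost, mem_cost):
    """(d-3)/(d-7) capacity test, assumed to be: load after the task stays within the
    processor peak capability and occupancy after the task within memory capacity."""
    return (dev.cpu_load + cpu_cost <= dev.cpu_peak
            and dev.mem_used + mem_cost <= dev.mem_capacity)


def allocate_tasks(base, costs):
    """Return the situation-aware task allocation table {device ID: executor ID}.

    base  : global device information base (dict of DeviceRecord), updated in place
            as load is committed in steps (d-4) and (d-8)
    costs : {device ID: (cpu_cost, mem_cost)} from estimate_cost
    """
    table = {}
    for dev_id, dev in base.items():
        cpu_cost, mem_cost = costs[dev_id]
        if has_capacity(dev, cpu_cost, mem_cost):          # (d-3) -> (d-4): run locally
            dev.cpu_load += cpu_cost
            dev.mem_used += mem_cost
            table[dev_id] = dev_id
            continue
        # (d-5): linked devices in a priority queue ordered by delay, smallest first
        queue = [(delay, nid) for nid, delay in dev.links.items()]
        heapq.heapify(queue)
        executor = None
        while queue:                                          # (d-6)/(d-7)
            _, nid = heapq.heappop(queue)
            cand = base[nid]
            if has_capacity(cand, cpu_cost, mem_cost):
                cand.cpu_load += cpu_cost                     # (d-8): commit on executor
                cand.mem_used += mem_cost
                executor = nid
                break
        # The patent does not say what happens when no linked device has spare
        # resources; this example records None so the gap is visible to the operator.
        table[dev_id] = executor
    return table


def build_sample_base():
    """Constructed five-device topology (not data from the patent)."""
    recs = [
        DeviceRecord("d1", "cloud", "x86-server", 100.0, 20.0, 64.0, 10.0, {"d2": 5, "d3": 8}),
        DeviceRecord("d2", "edge", "arm-gateway", 40.0, 10.0, 8.0, 2.0, {"d1": 5, "d4": 2, "d5": 3}),
        DeviceRecord("d3", "edge", "arm-gateway", 40.0, 35.0, 8.0, 7.5, {"d1": 8, "d5": 4}),
        DeviceRecord("d4", "end", "mcu-sensor", 4.0, 3.0, 0.5, 0.4, {"d2": 2}),
        DeviceRecord("d5", "end", "mcu-sensor", 4.0, 1.0, 0.5, 0.1, {"d2": 3, "d3": 4}),
    ]
    return {r.dev_id: r for r in recs}


# Assumed per-type (model parameters, ops per sample) and per-type data volume (constructed).
TYPE_MODEL = {"x86-server": (2_000_000, 500), "arm-gateway": (200_000, 200), "mcu-sensor": (20_000, 50)}
DATA_VOLUME = {"x86-server": 10_000, "arm-gateway": 2_000, "mcu-sensor": 500}


def run_example():
    base = build_sample_base()
    costs = {}
    for dev_id, dev in base.items():
        params, ops = TYPE_MODEL[dev.dev_type]
        costs[dev_id] = estimate_cost(params, ops, DATA_VOLUME[dev.dev_type])
    return allocate_tasks(base, costs)


if __name__ == "__main__":
    for dev, executor in run_example().items():
        print(f"{dev} -> {executor if executor else 'UNASSIGNED'}")
```

In the constructed topology, d3 (memory nearly full) and d4 (a small end device) fail their local checks; d3 skips its lowest-delay neighbour d5 because d5 cannot hold the edge model and lands on the cloud device d1, while d4 is served by the gateway d2. Because load is committed as each device is processed, the iteration order of the device base affects the result, which is why the cloud controller, not the agents, performs the allocation.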
Specifically, as shown in FIG. 5, step (e) includes the following steps:
(e-1) The network security situation awareness on-duty agent of the current device initiates a threat detection task.
(e-2) Determine whether the threat detection task is executed locally on the current device. If so, the on-duty agent of the current device executes the threat detection task; if not, the threat detection task of the current device is executed by its threat detection task execution device, and step (e-3) is performed.
(e-3) The on-duty agent of the current device communicates with the on-duty agent of the threat detection task execution device, sends it the data required for threat detection, and receives the detection result.
(e-4) Each device in the whole domain of the multi-layer heterogeneous network performs threat detection with the threat model and calculates its device risk index. The risk index may be calculated in different ways and may be predefined by the network security administrator according to the specific threat detection algorithm in use. The current device thus obtains its own risk index, and each device in its set of linked devices obtains its own risk index in the same way.
(e-5) The network security situation awareness on-duty agent of the current device establishes a network connection to the on-duty agent of each device in its set of linked devices, obtains each linked device's risk index, and stores it.
(e-6) Based on the principle that the higher the risk of a device's neighbouring devices, the higher the risk of the device itself, the risk index of the current device after each round of iteration is calculated from its own risk index and the stored risk indices of its linked devices; in round 1 the risk index is the locally calculated index from step (e-4). The calculation uses a balance factor, a smoothing term that prevents the risk index from becoming 0, a per-device weight, the set of devices that have a communication link with the device, and the number of devices in that set.
(e-7) Check whether the risk index of any device in the whole domain of the multi-layer heterogeneous network was updated in this iteration; if none was updated, stop iterating, otherwise perform step (e-8).
(e-8) Determine whether the number of iterations has reached the preset maximum; if so, stop iterating, otherwise return to step (e-6).
(e-9) Each network security situation awareness on-duty agent sends its risk index to the cloud situation awareness master controller, which records and stores the risk indices in the global device set.
Specifically, the threat model in step (e-4) is an anomaly detection algorithm based on density clustering. For the current device, the anomaly points in the data it generates (device logs and network traffic) are identified, and the device's risk index is the sum, over all anomaly points, of the Euclidean distance between each anomaly point and its nearest high-density cluster. The risk index of each linked device is calculated in the same way from the anomaly points in that device's own log and traffic data.
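The density-clustering risk index of step (e-4), as an added Python example that is not the patent's code. The page gives the definition in words only (sum over anomaly points of the Euclidean distance to the nearest high-density cluster), so the clustering algorithm (a minimal DBSCAN), the interpretation of "distance to a cluster" as the distance to the cluster's nearest member, the feature vectors and the parameters are all assumptions of the example.

```python
"""Device risk index from a density-clustering anomaly detector (step (e-4)).

Added example, not the patent's code. A minimal DBSCAN separates dense clusters
(normal behaviour) from noise points (anomalies); the risk index is the sum of
Euclidean distances from each anomaly to its nearest high-density cluster, where
'distance to a cluster' is taken as the distance to the cluster's nearest member
(an assumption; the page does not define it further).
"""
import math


def euclid(p, q):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def dbscan(points, eps, min_pts):
    """Return one label per point: a cluster number >= 0, or -1 for noise."""
    n = len(points)
    labels = [None] * n
    cluster = 0

    def region(i):
        return [j for j in range(n) if euclid(points[i], points[j]) <= eps]

    for i in range(n):
        if labels[i] is not None:
            continue
        seeds = region(i)
        if len(seeds) < min_pts:          # not a core point: provisionally noise
            labels[i] = -1
            continue
        labels[i] = cluster
        while seeds:
            j = seeds.pop()
            if labels[j] == -1:           # border point reached from a core point
                labels[j] = cluster
            if labels[j] is not None:
                continue
            labels[j] = cluster
            more = region(j)
            if len(more) >= min_pts:      # j is itself a core point: keep expanding
                seeds.extend(k for k in more if labels[k] in (None, -1))
        cluster += 1
    return labels


def risk_index(points, eps, min_pts):
    """Sum over anomalies of the distance to the nearest high-density cluster.

    Returns (risk index, list of anomaly points). Raises if no dense cluster
    exists at all, since the index is then undefined rather than zero.
    """
    labels = dbscan(points, eps, min_pts)
    clusters = {}
    for p, lab in zip(points, labels):
        if lab >= 0:
            clusters.setdefault(lab, []).append(p)
    anomalies = [p for p, lab in zip(points, labels) if lab == -1]
    if not clusters:
        raise ValueError("no high-density cluster found; risk index undefined")
    total = 0.0
    for a in anomalies:
        total += min(euclid(a, m) for members in clusters.values() for m in members)
    return total, anomalies


# Constructed feature vectors for one device (e.g. normalised packets/s, failed
# logins/min); not data from the patent.
SAMPLE_POINTS = [
    (0.0, 0.0), (0.1, 0.0), (0.0, 0.1), (0.1, 0.1),          # normal daytime cluster
    (10.0, 10.0), (10.1, 10.0), (10.0, 10.1), (10.1, 10.1),  # normal backup-window cluster
    (5.0, 0.0),                                              # anomaly: traffic spike, no logins
    (0.0, 4.0),                                              # anomaly: login burst, low traffic
]


def run_example():
    return risk_index(SAMPLE_POINTS, eps=0.5, min_pts=3)


if __name__ == "__main__":
    total, anomalies = run_example()
    print(f"anomalies={anomalies} risk_index={total:.3f}")
```

Two dense clusters are found and the two isolated points are flagged as anomalies; their distances to the nearest cluster member are 4.9 and 3.9, so the device's risk index is 8.8. A single far-away anomaly therefore dominates the index, which is the behaviour the patent's "distance to the nearest high-density cluster" definition implies.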
Preferably, device weights are set according to the cloud, edge or end layer in which a device resides, with devices at a higher layer receiving a higher weight than devices at a lower layer: in step (e-6) the device weight of a cloud-layer device is 1, that of an edge-layer device is 0.6 and that of an end device is 0.3, and the maximum number of iterations preset in step (e-8) is 200.
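The cooperative risk iteration of steps (e-5) to (e-8) with the layer weights and iteration cap given above, as an added Python example that is not the patent's code and that simulates the agents' rounds centrally. The page names the ingredients of the round formula (balance factor, smoothing term, per-layer device weights, the set of linked devices and its size) but does not reproduce the formula itself, so the update used here is an assumed form: each round, a device's index is its own locally calculated index plus the balance factor times the weighted mean of its linked devices' previous-round indices, plus the smoothing term. The topology, local indices, balance factor and tolerance are constructed for the example.

```python
"""Global cooperative calculation of device risk indices, steps (e-5) to (e-8).

Added example, not the patent's code. The round update below is an ASSUMED form
built from the terms the text names; the patent's own formula is not on the page.
"""

LAYER_WEIGHT = {"cloud": 1.0, "edge": 0.6, "end": 0.3}   # step (e-6) weights from the text
MAX_ROUNDS = 200                                          # step (e-8) preset maximum


def propagate_risk(local_risk, links, layer, balance=0.5, smoothing=1e-3, tol=1e-6,
                   max_rounds=MAX_ROUNDS):
    """Return (risk index per device, number of the round in which iteration stopped).

    local_risk : {device: risk index from step (e-4)}, used as the round-1 value
    links      : {device: [linked devices]}   (the set of devices with a link to it)
    layer      : {device: 'cloud' | 'edge' | 'end'}
    balance    : balance factor (assumed value)
    smoothing  : smoothing term that keeps an index from being exactly 0
    tol        : change below which an index counts as "not updated" in (e-7)
    """
    risk = dict(local_risk)
    for rnd in range(2, max_rounds + 1):
        new = {}
        for dev, own in local_risk.items():
            nbrs = links.get(dev, [])
            if nbrs:                      # (e-5): neighbours' stored previous-round indices
                weighted = sum(LAYER_WEIGHT[layer[j]] * risk[j] for j in nbrs) / len(nbrs)
            else:
                weighted = 0.0
            new[dev] = own + balance * weighted + smoothing      # assumed (e-6) form
        changed = any(abs(new[d] - risk[d]) > tol for d in risk)
        risk = new
        if not changed:                   # (e-7): no index updated, stop
            return risk, rnd
    return risk, max_rounds               # (e-8): maximum number of rounds reached


def build_sample_topology():
    """Constructed six-device topology; t1 is the only device whose local detector fired."""
    layer = {"c1": "cloud", "e1": "edge", "e2": "edge", "t1": "end", "t2": "end", "t3": "end"}
    links = {"c1": ["e1", "e2"], "e1": ["c1", "t1", "t2"], "e2": ["c1", "t3"],
             "t1": ["e1"], "t2": ["e1"], "t3": ["e2"]}
    local_risk = {d: 0.1 for d in layer}
    local_risk["t1"] = 5.0
    return local_risk, links, layer


def run_example():
    return propagate_risk(*build_sample_topology())


if __name__ == "__main__":
    risk, rounds = run_example()
    print(f"stopped after round {rounds}")
    for dev, r in sorted(risk.items(), key=lambda kv: -kv[1]):
        print(f"{dev}: {r:.4f}")
```

With a balance factor below 1 and weights at most 1, each round shrinks the change by at least half, so the (e-7) stopping test is met long before the 200-round cap of step (e-8). The ordering shows the propagation the text describes: the edge device e1 linked to the compromised end device t1 ends up riskier than its peer e2, and t2, which shares e1 with t1, ends up riskier than t3, although both started from the same local index.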
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A network security situation perception method based on multi-layer heterogeneous network cooperation, characterized by comprising the following steps:
(a) deploying a network security situation awareness on-duty agent on each type of device in the whole domain of the multi-layer heterogeneous network, the on-duty agent collecting device state parameters;
(b) transmitting the state parameters of each device collected by the on-duty agents to a cloud situation awareness master controller, the cloud situation awareness master controller establishing, from the network information in the state parameters, a graph of the global device topology of the multi-layer heterogeneous network, wherein the vertex set of the graph is the set of devices in the multi-layer heterogeneous network domain, whose members are the individual devices and whose size is the total number of devices in the whole domain; the edge set of the graph contains an edge between two devices whenever a communication link exists between them; and the edge weight matrix of the graph records, for each edge, the communication delay value between the two linked devices;
(c) dividing all devices in the whole domain of the multi-layer heterogeneous network into a number of types according to whether the operating system they run and their hardware architecture are the same, forming a set of types, and constructing one threat detection model for all devices of each type;
(d) for each device in the whole domain of the multi-layer heterogeneous network, calculating the computational cost required to perform security analysis using the threat detection model corresponding to its type;
(e) the cloud situation awareness master controller scheduling the on-duty agents to cooperatively sense the global security situation and to perform global cooperative calculation of the device risk indices, each on-duty agent sending its risk index to the cloud situation awareness master controller;
(f) the on-duty agents regularly updating the device state parameters according to a preset update period and sending them to the cloud situation awareness master controller, which updates the set of devices in the whole multi-layer heterogeneous network.
2. The network security situation perception method based on multi-layer heterogeneous network cooperation according to claim 1, characterized in that the device state parameters collected by the network security situation awareness on-duty agent in step (a) include processor information, dynamic storage information, static storage information, file system information and network information;
the processor information includes the processor peak capability value, the processor current load value and the processor load peak value;
the dynamic storage information includes the dynamic memory capacity value, the current dynamic memory occupancy and the peak dynamic memory occupancy;
the static storage information includes the static memory capacity value and the current static memory occupancy;
the file system information includes the number of files and the file path depth value;
the network information includes the average hourly network traffic, the network traffic peak, and the communication delay values from the other devices in the multi-layer heterogeneous network that are linked to this device.
3. The network security situation perception method based on multi-layer heterogeneous network cooperation according to claim 1, characterized in that the cloud situation awareness master controller constructs a global device information base after step (b), the global device information base being a hash table of device information description objects, each unit in the hash table being one device information description object describing one device in the multi-layer heterogeneous network; the device information description object holds a pointer from the current device in the hash table to a linked-device list with several nodes, each node storing one device that has a communication link with the current device and consisting of two fields, the first recording the ID of that device and the second recording the communication delay from the current device in the hash table to it.
4. The network security situation perception method based on multi-layer heterogeneous network cooperation according to claim 3, characterized in that the information of one device described by the device information description object comprises: the device ID hash value, the device model, the device level, the device model information, the physical location of the device, the device attribute information, the state parameters of the device collected by the network security situation awareness on-duty agent, and the risk index of the device.
5. The network security situation perception method based on multi-layer heterogeneous network cooperation according to claim 1, characterized in that the threat detection model in step (c) is an anomaly detection algorithm based on density clustering or an anomaly detection model based on an autoencoder, and after the threat detection model is constructed it is compressed into a lightweight model by knowledge distillation.
6. The method for sensing the network security situation of multi-layer heterogeneous network collaboration as claimed in claim 3, wherein the step (d) comprises the following steps:
(d-1) the first
Figure 815409DEST_PATH_IMAGE005
An apparatus
Figure 182936DEST_PATH_IMAGE004
Type of device
Figure 906785DEST_PATH_IMAGE020
The corresponding threat detection model is
Figure 352548DEST_PATH_IMAGE023
According to threat detection models
Figure 684434DEST_PATH_IMAGE023
Parameter scale, number of times of execution of algorithm sentence, and
Figure 55871DEST_PATH_IMAGE005
an apparatus
Figure 676470DEST_PATH_IMAGE004
Using threat detection model to detect data volume
Figure DEST_PATH_IMAGE025
To the first
Figure 860677DEST_PATH_IMAGE005
An apparatus
Figure 47070DEST_PATH_IMAGE004
A cost required to perform threat detection, the cost comprising an amount of load of a processor
Figure DEST_PATH_IMAGE026
And dynamic memory footprint
Figure DEST_PATH_IMAGE027
(d-2) checking a set of multi-layered heterogeneous network global devices
Figure 894416DEST_PATH_IMAGE024
In each equipment, order
Figure DEST_PATH_IMAGE028
Is as follows
Figure 468223DEST_PATH_IMAGE005
An apparatus
Figure 52526DEST_PATH_IMAGE004
Processor information peak capability value of
Figure DEST_PATH_IMAGE029
Is a first
Figure 762600DEST_PATH_IMAGE005
An apparatus
Figure 679650DEST_PATH_IMAGE004
Of the processor, instruction
Figure DEST_PATH_IMAGE030
Is as follows
Figure 773377DEST_PATH_IMAGE005
An apparatus
Figure DEST_PATH_IMAGE031
Of processor load peak value, of
Figure DEST_PATH_IMAGE032
Is a first
Figure 722223DEST_PATH_IMAGE005
An apparatus
Figure 880279DEST_PATH_IMAGE004
Size of dynamic memory of, order
Figure DEST_PATH_IMAGE033
Is a first
Figure 616897DEST_PATH_IMAGE005
An apparatus
Figure 181608DEST_PATH_IMAGE004
Dynamic memory of (2) currently occupied, order
Figure DEST_PATH_IMAGE034
Is as follows
Figure 29085DEST_PATH_IMAGE005
An apparatus
Figure 575735DEST_PATH_IMAGE004
Dynamic memory footprint peak of (1);
(d-3) if
Figure DEST_PATH_IMAGE035
And is
Figure DEST_PATH_IMAGE036
Performing step (d-4) if
Figure DEST_PATH_IMAGE037
Or
Figure DEST_PATH_IMAGE038
Performing step (d-5);
(d-4) at the present
Figure 736719DEST_PATH_IMAGE005
An apparatus
Figure 352508DEST_PATH_IMAGE004
Locally performing a threat detection task, the first
Figure 800413DEST_PATH_IMAGE005
An apparatus
Figure 418214DEST_PATH_IMAGE004
The network security situation awareness agent updates the state parameters and sends the state parameters to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the global device set of the multilayer heterogeneous network
Figure 827461DEST_PATH_IMAGE024
To middle
Figure 662037DEST_PATH_IMAGE005
An apparatus
Figure 713301DEST_PATH_IMAGE004
Information of (1) to
Figure 434876DEST_PATH_IMAGE005
An apparatus
Figure 255106DEST_PATH_IMAGE004
Is updated to
Figure DEST_PATH_IMAGE039
To make it first
Figure 344023DEST_PATH_IMAGE005
An apparatus
Figure 385928DEST_PATH_IMAGE004
Is updated to
Figure DEST_PATH_IMAGE040
Figure DEST_PATH_IMAGE041
Figure DEST_PATH_IMAGE042
(d-5) in a plurality of layersHeterogeneous network universal device set
Figure 552555DEST_PATH_IMAGE024
To find all and the
Figure 38025DEST_PATH_IMAGE005
An apparatus
Figure 83079DEST_PATH_IMAGE004
With communication link between
Figure DEST_PATH_IMAGE043
Individual devices forming a set of devices
Figure DEST_PATH_IMAGE044
Will be
Figure DEST_PATH_IMAGE045
The device presses and sends
Figure 315959DEST_PATH_IMAGE005
An apparatus
Figure 832301DEST_PATH_IMAGE004
The communication delay of the queue is added into the priority queue from small to large
Figure DEST_PATH_IMAGE046
Figure DEST_PATH_IMAGE047
Wherein
Figure DEST_PATH_IMAGE048
Is as follows
Figure 813639DEST_PATH_IMAGE010
An apparatus;
(d-6) take the head-of-queue device [formula] out of the priority queue [formula], [formula]; the head-of-queue device [formula] has a processor peak capability value of [formula], a processor load peak of [formula], a current processor load value of [formula], a processor capacity of [formula], a dynamic memory capacity value of [formula], a peak dynamic memory occupancy of [formula], a current occupancy of [formula], and a dynamic memory footprint of [formula];
(d-7) if [formula] and [formula], perform step (d-8), and the device [formula] is the threat detection task execution device of the [formula]-th device [formula]; if [formula] or [formula], take the device [formula] out of the priority queue [formula] as the new head-of-queue device and return to step (d-6);
(d-8) the network security situation awareness on-duty agent of the head-of-queue device [formula] updates its state parameters and sends the updated state parameters to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the information of the [formula]-th device [formula] in the multi-layer heterogeneous network global device set [formula], so that the [formula]-th device [formula] is updated to [formula] and the [formula]-th device [formula] is updated to [formula], [formula], [formula];
(d-9) repeat steps (d-1) to (d-8) until every device in the multi-layer heterogeneous network global device set [formula] has found its threat detection task execution device.
7. The network security situation awareness method based on multi-layer heterogeneous network cooperation as claimed in claim 6, further comprising, after step (d-9), recording the threat detection task execution device information of all devices in the multi-layer heterogeneous network global device set [formula] in a situation awareness task allocation table, wherein the first column of the situation awareness task allocation table records the ID of each device in the multi-layer heterogeneous network global device set [formula], and the second column records the ID of the corresponding threat detection task execution device.
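The allocation loop of steps (d-3) to (d-9) together with the task allocation table of claim 7, as an added Python example that is not the patent's own code. The feasibility conditions of (d-3) and (d-7) are formula images on the page, so the test used here (the task's peak processor and memory demand must fit into the host's remaining capacity) and the load update of (d-4)/(d-8) are assumptions, the parameters collected in (d-1)/(d-2) are supplied directly, and the device topology is constructed.

```python
import heapq
from dataclasses import dataclass, field


@dataclass
class Device:
    dev_id: str
    cpu_capacity: float   # processor capacity
    cpu_load: float       # current processor load
    mem_capacity: float   # dynamic memory capacity
    mem_used: float       # current dynamic memory occupancy
    task_cpu_peak: float  # processor load peak of its own threat detection task
    task_mem_peak: float  # peak dynamic memory footprint of that task
    links: dict = field(default_factory=dict)  # neighbour id -> communication delay


def has_headroom(host, cpu_peak, mem_peak):
    # Assumed feasibility test: the task's peak demand must fit into the
    # host's remaining processor and memory capacity (page conditions are images).
    return (host.cpu_load + cpu_peak <= host.cpu_capacity
            and host.mem_used + mem_peak <= host.mem_capacity)


def reserve(host, cpu_peak, mem_peak):
    # Assumed state update of (d-4)/(d-8): the accepted task raises the host's
    # reported load so that later devices see the reduced headroom.
    host.cpu_load += cpu_peak
    host.mem_used += mem_peak


def allocate(devices):
    """Situation awareness task allocation table: device id -> executor id
    (None when neither the device nor any linked neighbour has headroom)."""
    table = {}
    for dev in devices.values():
        # (d-3)/(d-4): run locally when the device itself has headroom
        if has_headroom(dev, dev.task_cpu_peak, dev.task_mem_peak):
            reserve(dev, dev.task_cpu_peak, dev.task_mem_peak)
            table[dev.dev_id] = dev.dev_id
            continue
        # (d-5): linked neighbours queued by ascending communication delay
        queue = [(delay, nid) for nid, delay in dev.links.items()]
        heapq.heapify(queue)
        table[dev.dev_id] = None
        # (d-6)/(d-7): pop heads of the queue until one can take the task
        while queue:
            _, nid = heapq.heappop(queue)
            host = devices[nid]
            if has_headroom(host, dev.task_cpu_peak, dev.task_mem_peak):
                reserve(host, dev.task_cpu_peak, dev.task_mem_peak)  # (d-8)
                table[dev.dev_id] = nid
                break
    return table


def build_sample():
    # Constructed three-layer topology: cloud c1, edge e1, terminals t1..t3.
    devs = [
        Device("c1", 100, 10, 64, 8, 20, 8),
        Device("e1", 40, 35, 16, 10, 4, 2),
        Device("t1", 8, 6, 4, 3, 5, 2, {"e1": 5, "c1": 20}),  # e1 nearer but full
        Device("t2", 8, 2, 4, 1, 3, 1, {"e1": 5, "c1": 20}),
        Device("t3", 4, 4, 2, 2, 2, 1, {"e1": 3}),            # no feasible executor
    ]
    return {d.dev_id: d for d in devs}
```

A `None` entry marks a device that the repetition in (d-9) would have to revisit once neighbour loads change; in the sample, t1 skips the nearer but saturated edge node and is served by the cloud node.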
8. The network security situation awareness method based on multi-layer heterogeneous network cooperation as claimed in claim 3, wherein step (e) comprises the following steps:
(e-1) the network security situation awareness on-duty agent of the [formula]-th device [formula] starts a threat detection task;
(e-2) determine whether the threat detection task is executed locally on the [formula]-th device [formula]; if yes, the network security situation awareness on-duty agent of the [formula]-th device [formula] executes the threat detection task; if not, the threat detection task of the [formula]-th device [formula] is executed by the [formula]-th device [formula], and step (e-3) is performed;
(e-3) the network security situation awareness on-duty agent of the [formula]-th device [formula] communicates with the network security situation awareness on-duty agent of the [formula]-th device [formula], sends the data required for threat detection to the [formula]-th device [formula], and receives the detection result;
(e-4) each device in the whole domain of the multi-layer heterogeneous network performs threat detection using a threat model and calculates a device risk index; the risk index of the [formula]-th device [formula] is [formula]; the devices in the device set [formula] perform threat detection using the threat model and calculate their device risk indexes; the risk index of the [formula]-th device [formula] in the device set [formula] is [formula];
(e-5) the network security situation awareness on-duty agent of the [formula]-th device [formula] establishes a network connection with the network security situation awareness on-duty agent of the [formula]-th device [formula] in the device set [formula]; the network security situation awareness on-duty agent of the [formula]-th device [formula] obtains the risk index [formula] of the [formula]-th device [formula] and stores it;
(e-6) calculate the risk index [formula] after [formula] rounds of iteration by the formula [formula]; when [formula] equals 1, [formula], [formula]; in the formula, [formula] is the device balance factor, [formula] is a smoothing term that prevents the risk index from being 0, [formula] is the device weight, [formula] is the set of devices that have a communication link with the [formula]-th device [formula], and [formula] is the number of devices in the set [formula];
(e-7) check whether the risk index of any device in the whole domain of the multi-layer heterogeneous network was updated in this iteration; if not, stop iterating; if so, perform step (e-8);
(e-8) judge whether the number of iterations has reached the preset maximum value; if so, stop iterating; if not, return to step (e-6);
(e-9) each network security situation awareness on-duty agent sends its risk index to the cloud situation awareness master controller, and the cloud situation awareness master controller records and stores it in the global device set [formula].
9. The network security situation awareness method based on multi-layer heterogeneous network cooperation as claimed in claim 8, wherein the threat model in step (e-4) is an anomaly detection algorithm based on density clustering; the risk index [formula] of the [formula]-th device [formula] is calculated by the formula [formula], where [formula] is the set of outliers in the data generated by the [formula]-th device [formula], which contains device logs and network traffic, [formula] is the [formula]-th outlier in the outlier set, [formula] is the high-density cluster nearest to the outlier [formula], and [formula] is the Euclidean distance between outlier points; the risk index [formula] of the [formula]-th device [formula] is calculated by the formula [formula], where [formula] is the set of outliers in the data generated by the [formula]-th device [formula], which contains device logs and network traffic, [formula] is the [formula]-th outlier in the outlier set, and [formula] is the high-density cluster nearest to the outlier [formula].
10. The network security situation awareness method based on multi-layer heterogeneous network cooperation as claimed in claim 8, wherein in step (e-6) the device weight [formula] of the cloud layer has the value 1, the device weight [formula] of the edge layer has the value 0.6, and the device weight [formula] of terminal devices has the value 0.3; the maximum value preset in step (e-8) is 200.
CN202211154561.8A 2022-09-22 2022-09-22 Network security situation perception method based on cooperation of multi-layer heterogeneous network Active CN115277249B (en)

Publications (2)

Publication Number Publication Date
CN115277249A CN115277249A (en) 2022-11-01
CN115277249B true CN115277249B (en) 2022-12-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant