CN115277249B - Network security situation perception method based on cooperation of multi-layer heterogeneous network - Google Patents
Abstract
A network security situation perception method based on multi-layer heterogeneous network collaboration relates to the technical field of network security situation perception, and is characterized in that a network security situation perception task is decomposed and dispersed to devices of all levels of a heterogeneous network to be executed, namely the task with high requirements on light weight and real-time performance is executed at the edge and the end, a complex task is executed on the cloud, and a global situation perception result is finally generated through parameter transmission interaction and collaboration among the tasks. The method provided by the invention fully utilizes the computing resources of each level of equipment of the multilayer heterogeneous network, reduces the bandwidth occupation, improves the real-time performance and refines the analysis granularity.
Description
Technical Field
The invention relates to the technical field of network security situation awareness, in particular to a network security situation awareness method based on multi-layer heterogeneous network cooperation.
Background
With the development of new network technologies such as 5G, the Internet of Things and the industrial Internet, cyberspace is no longer a single system structure; it is formed by various heterogeneous networks (such as the traditional Internet, sensor networks and industrial control networks), has diverse access devices, and spans the cloud, edge and end levels. Some types of network structures and devices were designed without considering security, carry significant hidden dangers, have gradually become the main targets of network attackers, and face a severe network security situation.
The interconnection of many heterogeneous networks and the multi-level span of the new network structure, together with the trend toward complex, covert and distributed attack methods, bring new challenges to network security situation awareness. Network security situation awareness mainly comprises the tasks of detecting attacks and predicting attacks that have not yet occurred. Because edge and end computing resources are limited, existing analysis methods mainly collect global network data to the cloud and analyse the security situation of the whole network environment with deep learning and big data mining. The disadvantages of this approach are: (1) a large amount of traffic and log behaviour data must be uploaded to the cloud, occupying bandwidth; (2) the data can only be analysed after it has been collected, by which time the edge and end networks may already have been damaged or controlled by an attacker, so real-time performance is poor; (3) during cloud analysis, slight anomalies on a single edge or end device are easily submerged in the mass of data, so the analysis granularity is coarse.
Disclosure of Invention
To overcome these shortcomings, the invention provides a network security situation awareness method based on multi-layer heterogeneous network cooperation, which fully utilises the computing resources of the devices at each level of the multi-layer heterogeneous network, reduces bandwidth occupation, improves real-time performance and refines the analysis granularity.
The technical scheme adopted by the invention for overcoming the technical problems is as follows:
a network security situation perception method based on multi-layer heterogeneous network cooperation comprises the following steps:
(a) Deploying a network security situation awareness on-duty agent on every type of device across the whole multi-layer heterogeneous network, the on-duty agent collecting device state parameters;
(b) Transmitting the state parameters of each device collected by the network security situation perception on-duty agent to the cloud situation perception master controller, and establishing a structural diagram of the topology of the global device of the multilayer heterogeneous network by the cloud situation perception master controller according to the network information in the state parametersWhereinIs a collection of devices in a multi-layer heterogeneous network domain,,is as followsThe number of the devices is increased, and the device,,for the total number of devices in the entire domain of the multi-layered heterogeneous network,is a set of edges that are to be considered,of 1 atAn apparatusAnd a firstAn apparatusThere is a communication link between them, thenAn apparatusAnd a firstAn apparatusConstituting edge,Is a matrix of weights for the edges and,,is as followsAn apparatusAnd a firstAn apparatusA communication delay value therebetween;
(c) Dividing all devices of the multi-layer heterogeneous network universe into multiple layers according to the condition whether device operation operating systems and hardware composition architectures are the same or notTypes, forming a set of types,,Is as followsType, for typeAll devices of (1) constructing a threat detection model;
(d) Each device for multi-layer heterogeneous network universeComputing using a corresponding threat detection modelThe computational cost required for performing security analysis;
(e) The cloud situation perception master controller schedules network security situation perception on-duty agents to cooperatively sense global security situations, performs global cooperative calculation of equipment risk indexes, and each network security situation perception on-duty agent sends the risk indexes to the cloud situation perception master controller;
(f) The network security situation awareness on-duty agent regularly updates the state parameters of the devices according to a preset updating period and sends the updated state parameters to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the set of the devices in the whole multi-layer heterogeneous network.
Further, the device state parameters collected by the network security situation awareness on-duty agent in step (a) include: processor information, dynamic storage information, static storage information, file system information and network information;
the processor information includes: a processor peak capability value, a processor current load value and a processor load peak value;
the dynamic storage information includes: the dynamic memory capacity value, the current occupancy of the dynamic memory and the peak occupancy of the dynamic memory;
the static storage information includes: the static memory capacity value and the current occupancy of the static memory;
the file system information includes: the number of files and the file path depth value;
the network information includes: the average hourly network traffic, the network traffic peak, and the communication delay values from the device to the other devices in the multi-layer heterogeneous network that communicate with it.
Further, after step (b) the cloud situation awareness master controller constructs a global device information base. The base is a hash table whose entries are device information description objects; each object describes one device of the multi-layer heterogeneous network and holds a pointer from that device to a linked list of connected devices. Each node of the linked list represents one device that has a communication link with the current device and comprises two fields: the first records the ID of that device, and the second records the communication delay from the current device to it.
Further, the information of one device in the multi-layer heterogeneous network described by the device information description object includes: the hash value of the equipment ID, the equipment model, the level of the equipment, the equipment model information, the physical position where the equipment is placed, the equipment attribute information, the state parameters of the equipment, which are acquired by a network security situation perception on duty agent, and the risk index of the equipment.
Further, the threat detection model in step (c) is an anomaly detection algorithm based on density clustering or an anomaly detection model based on an autoencoder; after the threat detection model is constructed, it is made lightweight by knowledge distillation.
Further, the step (d) comprises the steps of:
(d-1) the firstAn apparatusType of device (1)The corresponding threat detection model isFrom threat detection modelsParameter scale, number of times of execution of algorithm sentence, andan apparatusUsing threat detection model to detect data volumeTo the firstAn apparatusA cost required to perform threat detection, the cost comprising an amount of load of a processorAnd dynamic memory footprint;
(d-2) checking a set of multi-layered heterogeneous network global devicesIn each equipment, orderIs as followsAn apparatusProcessor information peak capability value ofIs as followsAn apparatusOf the processor, instructionIs as followsAn apparatusProcessor load peak value ofLet us orderIs a firstAn apparatusSize of dynamic memory of, orderIs as followsAn apparatusDynamic memory current occupancy ofIs a firstAn apparatusDynamic memory footprint peak of (1);
(d-4) at the present secondAn apparatusLocally performing a threat detection task, the firstAn apparatusThe network security situation awareness agent updates the state parameters and sends the state parameters to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the global device set of the multilayer heterogeneous networkTo middleAn apparatusInformation of (1) toAn apparatusIs updated toTo make it firstAn apparatusIs updated to,,;
(d-5) in a multi-tier heterogeneous network universe device setTo find all and theAn apparatusWith communication link between themIndividual devices forming a set of devicesWill beThe device presses and sendsAn apparatusThe communication delay of the queue is added into the priority queue from small to large,In whichIs as followsAn apparatus;
(d-6) slave priority queueGet out the first equipment of the team,Head of line equipmentThe processor information peak capability value ofHead of line equipmentHas a processor load peak ofHead of line equipmentIs a current load value of the processor ofHead of line equipmentIs loaded with a processor ofHead of line equipmentHas a dynamic memory capacity ofHead of line equipmentHas a peak dynamic memory occupancy ofHead of line equipmentDynamic memory ofHead of line equipmentHas a dynamic memory footprint of;
(d-7) ifAnd isPerforming step d-8), the apparatusIs as followsAn apparatusIf the threat detection task execution apparatus ofOrTime from priority queueMiddle taking-out equipmentAs the head of queue equipment, and returning to execute the step (d-6);
(d-8) head of line deviceThe network security situation awareness agent updates the state parameters and sends the state parameters to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the global device set of the multilayer heterogeneous networkTo middleAn apparatusInformation of (1) toAn apparatusIs updated toTo make it firstAn apparatusIs updated to,,;
(d-9) repeating the steps (d-1) to (d-8) until a multi-layered heterogeneous network global device setAll devices in the system find the threat detection task execution device.
Further, the method comprises the step of collecting the multi-layer heterogeneous network global device after the step (d-9)Recording threat detection task execution device information of all devices in the situation-aware task allocation table, wherein a first column of the situation-aware task allocation table records a multi-layer heterogeneous network global device setThe ID of the device in (1), and the ID of the threat detection task execution device corresponding to the second column record of the situation awareness task allocation table.
Further, the step (e) comprises the steps of:
(e-1) the firstAn apparatusThe network security situation awareness on-duty agent starts a threat detection task;
(e-2) determining whether the threat detection task is on the second placeAn apparatusIs executed locally, if yes, byAn apparatusThe network security situation awareness on-duty agent executes a threat detection task, if not, the network security situation awareness on-duty agent executes a threat detection taskAn apparatusThe threat detection task of (1) consists ofAn apparatusIf so, executing the step (e-3);
(e-3) the firstAn apparatusNetwork security situation aware gatekeeper agent and methodAn apparatusThe network security situation awareness agent communicates and sends data required by threat detection to the first agentAn apparatusReceiving a detection result;
(e-4) each device in the whole domain of the multi-layer heterogeneous network performs threat detection by using a threat model, calculates a device risk index, the firstAn apparatusHas a risk index ofSet of devicesThe devices utilize the threat model to execute threat detection, calculate device risk index and device setTo middleAn apparatusHas a risk index of;
(e-5) the firstAn apparatusNetwork security situation aware gatekeeper agent and device setTo middleAn apparatusThe network security situation-aware gatekeeper agent establishes network connection, the firstAn apparatusThe network security situation awareness on duty agent obtainsAn apparatusRisk index ofAnd storing;
(e-6) by the formula
Is calculated to obtain the firstRisk indices after round iterationsWhen is coming into contact withWhen the value is equal to 1, the reaction solution is,,in the formulaIn order to balance the factors of the device,to prevent a smoothing term with a risk index of 0,is the weight of the device or devices,is as followsAn apparatusA set of devices between which a communication link exists,is a setThe number of the devices;
(e-7) checking whether the risk indexes of the devices in the whole domain of the multilayer heterogeneous network are updated in the iteration, if not, stopping the iteration, and if so, executing the step (e-8);
(e-8) judging whether the iteration times reach a preset maximum value, if so, stopping iteration, and if not, returning to execute the step (e-6);
(e-9) each network security situation perception on duty agent sends the risk index to the cloud situation perception master controller, and the cloud situation perception master controller is integrated in the universe equipmentTo be recorded and stored.
Further, the threat model in the step (e-4) is an anomaly detection algorithm based on density clustering, and is expressed by a formulaIs calculated to obtainAn apparatusRisk index ofIn the formulaIs as followsAn apparatusA set of outliers in the generated data containing device logs and network traffic,is the first in the abnormal point setThe abnormal point is a point which is abnormal,as a distance anomaly pointThe recent high density of clustering has led to the development of clusters,is an Euclidean distance algorithm between abnormal points and is calculated by a formulaIs calculated to obtainAn apparatusRisk index ofIn the formulaIs as followsAn apparatusA set of outliers in the generated data containing device logs and network traffic,is the first in the abnormal point setThe abnormal point is a point which is abnormal,as a distance anomaly pointMore recently high density clustering.
Preferably, the device weight of the cloud layer in the step (e-6)Device weight of edge layer with value 1The value is 0.6, and the terminal equipmentWeight ofThe value is 0.3, and the maximum value preset in the step (e-8) is 200.
The beneficial effects of the invention are: the network security situation awareness task can be decomposed and distributed to devices at all levels of the heterogeneous network for execution, that is, tasks with high requirements on light weight and real-time performance are executed at the edge and the end, complex tasks are executed in the cloud, and the tasks interact and cooperate by passing parameters to finally produce a global situation awareness result. The method fully utilises the computing resources of the devices at each level of the multi-layer heterogeneous network, reduces bandwidth occupation, improves real-time performance and refines the analysis granularity.
Drawings
FIG. 1 is a flow chart of a method of the present invention;
FIG. 2 is a diagram of a global device library data structure according to the present invention;
FIG. 3 is a situation aware task allocation table of the present invention;
FIG. 4 is a schematic diagram of an adaptive distribution process of threat detection tasks according to the present invention;
FIG. 5 is a schematic view of a calculation and update process of risk index of equipment according to the present invention;
fig. 6 is a diagram of a multi-layer heterogeneous network security situation awareness system according to the present invention.
Detailed Description
The invention is further described with reference to fig. 1 to 6.
As shown in fig. 1 and fig. 6, a method for sensing network security situation of multi-layer heterogeneous network cooperation includes the following steps:
(a) The network security situation awareness on-duty agent is deployed on all types of devices across the whole multi-layer heterogeneous network, and the on-duty agent collects the device state parameters.
(b) Transmitting the state parameters of each device collected by the network security situation perception on-duty agent to the cloud situation perception master controller, and establishing a multilayer heterogeneous network by the cloud situation perception master controller according to the network information in the state parametersConstruction graph of network global device topologyWhereinIs a collection of devices in a multi-layer heterogeneous network domain,,is as followsThe number of the devices is one,,is the total number of devices in the whole domain of the multilayer heterogeneous network,is a set of edges that are to be considered,first, ofAn apparatusAnd a firstAn apparatusThere is a communication link between them, thenAn apparatusAnd a firstAn apparatusConstituting edge,Is a matrix of weights for the edges and,,is as followsAn apparatusAnd a firstAn apparatusThe value of the communication delay therebetween. And the cloud situation perception master controller further constructs a global device information base.
(c) Dividing all devices of the multi-layer heterogeneous network universe into multiple layers according to the condition whether device operation operating systems and hardware composition architectures are the same or notTypes, forming a set of types,,Is as followsType, for typeAll devices of (1) constructing a threat detection model.
(d) Each device for multi-layer heterogeneous network universeComputing using a corresponding threat detection modelThe computational cost required to perform the security analysis.
(e) The cloud situation perception master controller schedules network security situation perception on-duty agents to cooperatively sense global security situations, global cooperative calculation of equipment risk indexes is carried out, and each network security situation perception on-duty agent sends the risk indexes to the cloud situation perception master controller.
(f) The network security situation awareness on-duty agent regularly updates the state parameters of the devices according to a preset updating period and sends the updated state parameters to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the set of the devices in the whole multi-layer heterogeneous network.
Throughout the network security situation awareness task, only device state parameter information and a lightweight threat detection model are transmitted among the cloud, the edge devices and the end devices; a small amount of device operating data is transmitted, and only between devices with optimal communication, when the current device cannot execute the threat detection task itself. Compared with the prior-art approach in which large volumes of traffic and log behaviour data must be uploaded to the cloud, bandwidth occupation is greatly reduced. Moreover, most devices complete their threat detection tasks locally, and the detection tasks of the few devices with insufficient capacity are carried out on connected devices with optimal communication and sufficient spare resources.
Specifically, the device state parameters collected by the network security situation awareness on-duty agent in step (a) include: processor information, dynamic storage information, static storage information, file system information and network information.
The processor information includes: a processor peak capability value, a processor current load value and a processor load peak value.
The dynamic storage information includes: the dynamic memory capacity value, the current occupancy of the dynamic memory and the peak occupancy of the dynamic memory.
The static storage information includes: the static memory capacity value and the current occupancy of the static memory.
The file system information includes: the number of files and the file path depth value.
The network information includes: the average hourly network traffic, the network traffic peak, and the communication delay values from the device to the other devices in the multi-layer heterogeneous network that communicate with it.
Specifically, as shown in fig. 2, after step (b) the cloud situation awareness master controller further constructs a global device information base. The base is a hash table whose entries are device information description objects; each object describes one device of the multi-layer heterogeneous network and holds a pointer from that device to a linked list of connected devices. Each node of the linked list represents one device that has a communication link with the current device and comprises two fields: the first records the ID of that device, and the second records the communication delay from the current device to it.
Further preferably, the information of one device in the multi-layer heterogeneous network described by the device information description object includes: the hash value of the equipment ID, the equipment model, the level of the equipment, the equipment model information, the physical position where the equipment is placed, the equipment attribute information, the state parameters of the equipment, which are acquired by a network security situation perception on duty agent, and the risk index of the equipment.
Further preferably, the threat detection model in step (c) may be any existing machine learning model capable of distinguishing normal from abnormal conditions, for example an anomaly detection algorithm based on density clustering or an anomaly detection model based on an autoencoder; after the threat detection model is built, it is made lightweight by knowledge distillation.
Specifically, as shown in fig. 4, step (d) includes the following steps:
(d-1) the firstAn apparatusType of device (1)The corresponding threat detection model isFrom threat detection modelsRadix Ginseng (radix Ginseng)Number scale, number of times of execution of arithmetic statement, andan apparatusUsing threat detection model to detect data volumeTo the firstAn apparatusA cost required to perform threat detection, the cost comprising an amount of load of a processorAnd dynamic memory footprint。
(d-2) checking a set of multi-layered heterogeneous network global devicesIn each equipment, orderIs a firstAn apparatusProcessor information peak capability value ofIs a firstAn apparatusCurrent load value of the processor, orderIs as followsAn apparatusProcessor load peak ofIs a firstAn apparatusSize of dynamic memory ofIs a firstAn apparatusDynamic memory of (2) currently occupied, orderIs as followsAn apparatusDynamic memory footprint peak.
(d-4) at the present stageAn apparatusLocally performing a threat detection task, the firstAn apparatusThe network security situation awareness agent updates the state parameters and sends the state parameters to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the global device set of the multilayer heterogeneous networkTo middleAn apparatusInformation of (1) toAn apparatusIs updated toTo make it firstAn apparatusIs updated to,,。
(d-5) in a multi-layer heterogeneous network global device setTo find all and theAn apparatusWith communication link betweenIndividual devices forming a set of devicesWill beThe device presses and sendsAn apparatusThe communication delay of the queue is added into the priority queue from small to large,WhereinIs as followsAn apparatus.
(d-6) slave priority queueIn and out queue head equipment,Head of line equipmentThe processor information peak capability value ofHead of line equipmentHas a processor load peak ofHead of line equipmentHas a current processor load value ofHead of line equipmentHas a processor capacity ofHead of line equipmentHas a dynamic memory capacity ofHead of line equipmentHas a peak value of dynamic memory occupancyHead of line equipmentHas a current occupancy ofHead of line equipmentHas a dynamic memory footprint of。
(d-7) ifAnd isPerforming step d-8), the apparatusIs as followsAn apparatusIf the threat detection task execution apparatus ofOrTime from priority queueMiddle taking-out equipmentAnd (4) serving as a head-of-queue device, and returning to execute the step (d-6).
(d-8) head of line deviceThe network security situation awareness agent updates the state parameters and sends the state parameters to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the global device set of the multilayer heterogeneous networkTo middleAn apparatusInformation of (1) toIs provided withPrepare forIs updated toTo make it firstAn apparatusIs updated to,,。
(d-9) repeating the steps (d-1) to (d-8) until the multi-layer heterogeneous network global device setAll devices in the system find the threat detection task execution device.
Specifically, as shown in fig. 3, the method further includes the step of collecting the multi-layer heterogeneous network global device after the step (d-9)Recording threat detection task execution device information of all devices in the situation-aware task allocation table, wherein a first column of the situation-aware task allocation table records a multi-layer heterogeneous network global device setThe ID of the device in (1), and the ID of the threat detection task execution device corresponding to the second column record of the situation awareness task allocation table. For example, in the example table, the threat detection task execution device of "device 1" is itself, and the threat detection task execution device of "device 2" is "device 5".
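The following is an added worked example, not code from the patent, showing the pieces described in steps (b), (d-1) to (d-9) and the allocation table of fig. 3 together: the global device information base as a hash table of device description objects with a neighbour chain of (ID, delay) nodes, the per-type detection cost, the delay-ordered priority queue of neighbours, and the resulting situation-aware task allocation table. The device fields, the `MODEL_COST` constants, the capacity test in `has_capacity` (added load must stay within processor peak capability and dynamic memory capacity) and the sample network are all assumptions made for the example; the page does not give the exact cost formula or the exact conditions of step (d-7).

```python
import heapq
from dataclasses import dataclass, field


@dataclass
class DeviceInfo:
    """One device information description object (hypothetical layout of the hash-table entry)."""
    dev_id: str
    layer: str                      # "cloud", "edge" or "end"
    dev_type: str                   # OS/hardware class; selects the threat detection model
    cpu_peak: float                 # processor peak capability value
    cpu_load: float                 # processor current load value
    cpu_load_peak: float            # processor load peak value
    mem_size: float                 # dynamic memory capacity
    mem_used: float                 # dynamic memory current occupancy
    mem_used_peak: float            # dynamic memory occupancy peak
    neighbours: list = field(default_factory=list)   # chain nodes: (device ID, communication delay)


class GlobalDeviceBase:
    """Hash table of DeviceInfo objects keyed by device ID, each with its neighbour chain."""

    def __init__(self):
        self.table = {}

    def add(self, dev):
        self.table[dev.dev_id] = dev

    def link(self, a, b, delay):
        # undirected communication link; the delay is the edge weight of the topology graph
        self.table[a].neighbours.append((b, delay))
        self.table[b].neighbours.append((a, delay))


# Assumed per-type detection cost (processor load, dynamic memory) that the page derives
# from the model's parameter scale, statement execution count and data volume.
MODEL_COST = {"linux-x86": (20.0, 300.0), "rtos-arm": (5.0, 40.0)}


def has_capacity(dev, cpu_cost, mem_cost):
    # Assumed capacity test for step (d-7): the added load must stay within the
    # processor peak capability and the dynamic memory capacity.
    return (dev.cpu_load + cpu_cost <= dev.cpu_peak
            and dev.mem_used + mem_cost <= dev.mem_size)


def charge(dev, cpu_cost, mem_cost):
    # Steps (d-4)/(d-8): the executor's state parameters are updated (and would be
    # reported to the cloud situation awareness master controller).
    dev.cpu_load += cpu_cost
    dev.mem_used += mem_cost
    dev.cpu_load_peak = max(dev.cpu_load_peak, dev.cpu_load)
    dev.mem_used_peak = max(dev.mem_used_peak, dev.mem_used)


def assign_executor(base, dev_id):
    """Return the ID of the device that will run dev_id's threat detection task, or None."""
    dev = base.table[dev_id]
    cpu_cost, mem_cost = MODEL_COST[dev.dev_type]
    if has_capacity(dev, cpu_cost, mem_cost):          # (d-4): run locally
        charge(dev, cpu_cost, mem_cost)
        return dev_id
    # (d-5): linked devices enter a priority queue ordered by communication delay, smallest first
    queue = [(delay, nid) for nid, delay in dev.neighbours]
    heapq.heapify(queue)
    while queue:                                        # (d-6)/(d-7): pop heads until one fits
        _, nid = heapq.heappop(queue)
        cand = base.table[nid]
        if has_capacity(cand, cpu_cost, mem_cost):
            charge(cand, cpu_cost, mem_cost)            # (d-8)
            return nid
    return None                                         # no linked device has spare capacity


def build_allocation_table(base):
    """Step (d-9) and fig. 3: map every device ID to the ID of its executor."""
    return {dev_id: assign_executor(base, dev_id) for dev_id in base.table}


def sample_base():
    """Constructed sample network: two end devices that cannot run their own model."""
    base = GlobalDeviceBase()
    base.add(DeviceInfo("device 1", "edge", "linux-x86", 100, 30, 30, 1024, 200, 200))
    base.add(DeviceInfo("device 2", "end", "rtos-arm", 10, 8, 8, 64, 30, 30))
    base.add(DeviceInfo("device 3", "end", "rtos-arm", 10, 7, 7, 64, 20, 20))
    base.add(DeviceInfo("device 4", "cloud", "linux-x86", 100, 10, 10, 4096, 800, 800))
    base.add(DeviceInfo("device 5", "edge", "linux-x86", 100, 50, 50, 2048, 500, 500))
    base.link("device 2", "device 3", 2)   # nearest neighbour of device 2, but also overloaded
    base.link("device 2", "device 5", 5)
    base.link("device 3", "device 5", 8)
    base.link("device 1", "device 4", 20)
    base.link("device 4", "device 5", 25)
    return base


if __name__ == "__main__":
    for dev_id, executor in build_allocation_table(sample_base()).items():
        print(f"{dev_id:10s} -> {executor}")
```

With the constructed sample, device 1 runs its task itself while device 2 cannot; its nearest neighbour, device 3, is also overloaded and is skipped, so the task lands on device 5, matching the example allocation table above. Because the executor's load is charged before the next device is scheduled, a single well-resourced edge device cannot be over-committed by several neighbours in the same round.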
Specifically, as shown in fig. 5, step (e) includes the following steps:
(e-1) The network security situation awareness on-duty agent of the device initiates a threat detection task.
(e-2) Determine whether the threat detection task is executed locally on the device. If yes, the device's network security situation awareness on-duty agent executes the threat detection task; if not, the threat detection task of the device is executed by its threat detection task execution device, and step (e-3) is executed.
(e-3) The network security situation awareness on-duty agent of the device communicates with the on-duty agent of its threat detection task execution device, sends the data required for threat detection to that device, and receives the detection result.
(e-4) Each device in the whole multi-layer heterogeneous network domain performs threat detection using a threat model and calculates a device risk index; the risk index can be calculated in different ways and can be predefined by the network security administrator according to the specific threat detection algorithm in use. The risk index of the device is recorded; the devices in its device set likewise perform threat detection using the threat model and calculate their own device risk indices.
(e-5) The network security situation awareness on-duty agent of the device establishes a network connection with the on-duty agent of each device in the device set, obtains that device's risk index and stores it.
(e-6) Based on the principle that the higher the risk of neighbouring devices, the higher a device's own risk, the risk index after each round of iteration is calculated by the formula; when the round number equals 1, the index is the initial risk index. In the formula there is a balancing factor for the device, a smoothing term that prevents the risk index from being 0, the weight of the device, the set of devices having a communication link with the device, and the number of devices in that set.
(e-7) Check whether the risk index of any device in the whole multi-layer heterogeneous network domain was updated in this iteration; if none was updated, stop iterating, otherwise execute step (e-8).
(e-8) Judge whether the number of iterations has reached the preset maximum; if so, stop iterating, otherwise return to step (e-6).
(e-9) Each network security situation awareness on-duty agent sends its risk index to the cloud situation awareness master controller, which records and stores it in the global device set.
Specifically, the threat model in step (e-4) is an anomaly detection algorithm based on density clustering: the sum of the distances between all anomaly points and their nearest high-density cluster is calculated, and the risk index of the device is obtained by the formula, in which the set is the set of outliers in the data generated by the device (containing device logs and network traffic), each element is an outlier in that set, the cluster is the high-density cluster nearest to the outlier, and the distance is the Euclidean distance between the outlier and the cluster. The risk index of each device in the device set is obtained by the same formula, with the set of outliers, the outliers and the nearest high-density cluster defined in the same way for that device.
Preferably, according to the cloud, edge or terminal level at which a device is located, devices at a higher level have a higher weight than devices at a lower level: in step (e-6) the device weight of the cloud layer takes the value 1, the device weight of the edge layer takes the value 0.6, and the terminal device weight takes the value 0.3; the maximum value preset in step (e-8) is 200.
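The density-clustering risk index of step (e-4) and the neighbour-driven iteration of steps (e-6) to (e-8), as an added example that is not part of the patent text. The update rule is an assumed form consistent with the description (the original formula did not survive in the source): a balancing factor alpha blends a device's own measured index with the weighted mean of its linked devices' previous-round indices, plus a smoothing term eps; the layer weights 1 / 0.6 / 0.3 and the 200-round cap are the preferred values stated above, the sample topology and the "distance to closest cluster member" convention are constructed assumptions.

```python
import math

# Preferred device weights: higher layers weigh more (layer names are constructed).
LAYER_WEIGHT = {"cloud": 1.0, "edge": 0.6, "terminal": 0.3}


def cluster_risk_index(outliers, clusters):
    """Step (e-4) threat model: sum over every outlier in the device's data of the
    Euclidean distance to its nearest high-density cluster. Assumption: the
    distance to a cluster is the distance to the cluster's closest member point."""
    total = 0.0
    for p in outliers:
        total += min(math.dist(p, q) for cluster in clusters for q in cluster)
    return total


def propagate_risk(base_risk, layer, links, alpha=0.5, eps=1e-3, max_rounds=200, tol=1e-9):
    """Steps (e-6) to (e-8) under the assumed update rule
        r_i(k) = (1 - alpha) * r_i(0) + alpha * mean_j( w_j * r_j(k-1) ) + eps
    where alpha is the balancing factor, eps the smoothing term, w_j the layer
    weight of linked device j, and the mean runs over the devices linked to i.
    Returns the final risk indices and the number of rounds performed."""
    risk = dict(base_risk)                        # round 1 starts from the measured index
    rounds = 0
    for rounds in range(1, max_rounds + 1):
        new = {}
        for i, r0 in base_risk.items():
            nbrs = links.get(i, ())
            if nbrs:
                mean = sum(LAYER_WEIGHT[layer[j]] * risk[j] for j in nbrs) / len(nbrs)
            else:
                mean = 0.0                        # isolated device: only its own evidence
            new[i] = (1 - alpha) * r0 + alpha * mean + eps
        changed = any(abs(new[i] - risk[i]) > tol for i in new)   # (e-7): any index updated?
        risk = new
        if not changed:
            break                                 # no update in this round: stop
    return risk, rounds                           # (e-8): rounds never exceeds max_rounds


def demo():
    """Constructed topology: one cloud node, one edge node, two terminals behind it.
    Terminal t2 reports no anomalies itself but inherits risk from its neighbourhood."""
    layer = {"c": "cloud", "e": "edge", "t1": "terminal", "t2": "terminal"}
    links = {"c": ["e"], "e": ["c", "t1", "t2"], "t1": ["e"], "t2": ["e"]}
    base = {"c": 0.1, "e": 0.5, "t1": 0.9, "t2": 0.0}
    return propagate_risk(base, layer, links)


if __name__ == "__main__":
    risk, rounds = demo()
    print(f"converged after {rounds} rounds: {risk}")
```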
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A network security situation perception method based on multi-layer heterogeneous network cooperation is characterized by comprising the following steps:
(a) Deploying a network security situation awareness watching agent on each type of equipment of a multi-layer heterogeneous network universe, and collecting equipment state parameters by the network security situation awareness watching agent;
(b) Transmitting the state parameters of each device collected by the network security situation awareness on-duty agent to the cloud situation awareness master controller, and the cloud situation awareness master controller establishing, according to the network information in the state parameters, a structural graph of the global device topology of the multi-layer heterogeneous network, in which the vertex set is the set of devices in the multi-layer heterogeneous network domain, each element being one device and the total being the number of devices in the whole domain; the edge set is such that, if there is a communication link between two devices, those two devices constitute an edge; and the weight matrix of the edges holds, for each edge, the communication delay value between its two devices;
(c) Dividing all devices of the multi-layer heterogeneous network universe into a number of types according to whether the device operating system and hardware architecture are the same, forming a set of types, and constructing a threat detection model for all devices of each type;
(d) For each device of the multi-layer heterogeneous network universe, computing, using the corresponding threat detection model, the computational cost required for performing security analysis;
(e) The cloud situation perception master controller schedules network security situation perception on-duty agents to cooperatively sense global security situations, performs global cooperative calculation of equipment risk indexes, and each network security situation perception on-duty agent sends the risk indexes to the cloud situation perception master controller;
(f) The network security situation awareness on-duty agent regularly updates the device state parameters according to a preset update period and sends them to the cloud situation awareness master controller, and the cloud situation awareness master controller updates the set of devices in the whole multi-layer heterogeneous network.
2. The method for network security situation awareness in multi-layer heterogeneous network collaboration as claimed in claim 1, wherein the device state parameters collected by the network security situation awareness gatekeeper agent in step (a) include: processor information, dynamic storage information, static storage information, file system information, network information;
the processor information includes: the processor capability peak value, the current processor load value and the processor load peak value;
the dynamic storage information includes: the dynamic memory capacity value, the current occupation amount of the dynamic memory and the occupation amount peak value of the dynamic memory;
the statically stored information includes: the capacity size value of the static memory and the current occupied amount of the static memory;
the file system information includes: number of files, depth value of file path;
the network information includes: average hourly network traffic, network traffic peaks, delay values for other devices that have intercommunication to reach the device within the multi-layer heterogeneous network.
3. The method for sensing network security situation of multi-layer heterogeneous network cooperation according to claim 1, wherein: the cloud situation perception master controller constructs a global device information base after step (b), the global device information base being a hash table of device information description objects; each unit in the hash table is a device information description object describing one device in the multi-layer heterogeneous network, and each device information description object holds a pointer from the current device in the hash table to a linked-device list. The linked-device list has a number of nodes and stores all devices that have a communication link with the current device in the hash table; each node comprises two fields, the first recording the ID of the linked device and the second recording the communication delay from the current device in the hash table to that linked device.
4. The method for sensing network security situation of multi-layer heterogeneous network cooperation according to claim 3, wherein: the information of one device in the multi-layer heterogeneous network described by the device information description object comprises: the device ID hash value, the device model, the device level, the device model information, the physical location of the device, the device attribute information, the state parameters of the device collected by the network security situation awareness watch agent, and the risk index of the device.
5. The method for sensing the network security situation of multi-layer heterogeneous network collaboration as claimed in claim 1, wherein: the threat detection model in step (c) is an anomaly detection algorithm based on density clustering or an anomaly detection model based on an autoencoder, and after the threat detection model is constructed, a knowledge distillation method is used to make the threat detection model lightweight.
6. The method for sensing the network security situation of multi-layer heterogeneous network collaboration as claimed in claim 3, wherein the step (d) comprises the following steps:
(d-1) For a device of a given device type, the corresponding threat detection model is determined; according to the threat detection model's parameter scale, the number of executions of its algorithm statements and the amount of data the device feeds to the threat detection model, the cost required for the device to perform threat detection is obtained, the cost comprising a processor load amount and a dynamic memory footprint;
(d-2) For each device in the multi-layer heterogeneous network global device set, record the device's processor information peak capability value, its current processor load, its processor load peak, its dynamic memory size, its current dynamic memory occupancy and its dynamic memory footprint peak;
(d-4) Perform the threat detection task locally on the current device; the device's network security situation awareness on-duty agent updates its state parameters and sends them to the cloud situation awareness master controller, which updates that device's information in the multi-layer heterogeneous network global device set, with its processor load and dynamic memory occupancy updated accordingly;
(d-5) In the multi-layer heterogeneous network global device set, find all devices that have a communication link with the device, forming a device set, and add these devices to a priority queue in ascending order of their communication delay to the device;
(d-6) Take the head-of-queue device out of the priority queue, and record the head-of-queue device's processor information peak capability value, processor load peak, current processor load value, processor capacity, dynamic memory capacity, dynamic memory occupancy peak, current dynamic memory occupancy and dynamic memory footprint;
(d-7) If both conditions hold, perform step (d-8): the head-of-queue device becomes the threat detection task execution device of the device; if either condition fails, take the next device out of the priority queue as the new head-of-queue device and return to step (d-6);
(d-8) The network security situation awareness on-duty agent of the head-of-queue device updates its state parameters and sends them to the cloud situation awareness master controller, which updates that device's information in the multi-layer heterogeneous network global device set, with its processor load and dynamic memory occupancy updated accordingly;
7. The method for sensing the network security situation of multi-layer heterogeneous network collaboration as claimed in claim 6, wherein: further comprising, after step (d-9), recording the threat detection task execution device of every device in the multi-layer heterogeneous network global device set in a situation-aware task allocation table, wherein the first column of the situation-aware task allocation table records the ID of a device in the global device set and the second column records the ID of the corresponding threat detection task execution device.
8. The method for sensing the network security situation of multi-layer heterogeneous network collaboration as claimed in claim 3, wherein the step (e) comprises the following steps:
(e-1) The network security situation awareness on-duty agent of the device starts a threat detection task;
(e-2) Determine whether the threat detection task is executed locally on the device; if yes, the device's network security situation awareness on-duty agent executes the threat detection task; if not, the threat detection task of the device is executed by its threat detection task execution device, and step (e-3) is executed;
(e-3) The network security situation awareness on-duty agent of the device communicates with the on-duty agent of its threat detection task execution device, sends the data required for threat detection to that device, and receives the detection result;
(e-4) Each device in the entire domain of the multi-layer heterogeneous network performs threat detection using a threat model and calculates a device risk index; the risk index of the device is recorded, and the devices in its device set likewise perform threat detection using the threat model and calculate their own device risk indices;
(e-5) The network security situation awareness on-duty agent of the device establishes a network connection with the on-duty agent of each device in the device set, obtains that device's risk index and stores it;
(e-6) The risk index after each round of iteration is calculated by the formula; when the round number equals 1, the index is the initial risk index. In the formula there is a balancing factor for the device, a smoothing term that prevents the risk index from being 0, the weight of the device, the set of devices having a communication link with the device, and the number of devices in that set;
(e-7) checking whether the risk indexes of the devices in the whole domain of the multilayer heterogeneous network are updated in the iteration, if not, stopping the iteration, and if so, executing the step (e-8);
(e-8) judging whether the iteration times reach a preset maximum value, if so, stopping iteration, and if not, returning to execute the step (e-6);
9. The method for sensing network security situation of multi-layer heterogeneous network cooperation according to claim 8, wherein: the threat model in step (e-4) is an anomaly detection algorithm based on density clustering, and the risk index of the device is obtained by the formula, in which the set is the set of outliers in the data generated by the device (containing device logs and network traffic), each element is an outlier in that set, the cluster is the high-density cluster nearest to the outlier, and the distance is the Euclidean distance between the outlier and the cluster; the risk index of each device in the device set is obtained by the same formula, with the set of outliers, the outliers and the nearest high-density cluster defined in the same way for that device.
10. The method for sensing the network security situation of multi-layer heterogeneous network collaboration as claimed in claim 8, wherein: in step (e-6) the device weight of the cloud layer takes the value 1, the device weight of the edge layer takes the value 0.6 and the terminal device weight takes the value 0.3, and the maximum value preset in step (e-8) is 200.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211154561.8A CN115277249B (en) | 2022-09-22 | 2022-09-22 | Network security situation perception method based on cooperation of multi-layer heterogeneous network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115277249A CN115277249A (en) | 2022-11-01 |
CN115277249B true CN115277249B (en) | 2022-12-20 |
Family
ID=83756898
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211154561.8A Active CN115277249B (en) | 2022-09-22 | 2022-09-22 | Network security situation perception method based on cooperation of multi-layer heterogeneous network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115277249B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN115277249A (en) | 2022-11-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||