CN101425936A - Macro network security status assessment method based on exception measurement - Google Patents

Publication number: CN101425936A
Authority: CN (China)
Application number: CNA2007101765119A
Legal status: Granted; Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN101425936B (en)
Inventors: 赵东宾, 邓炜, 许金鹏, 周涛, 叶润国
Original assignee: BEIJING QIMING XINGCHEN INFORMATION TECHNOLOGY Co Ltd
Current assignee: BEIJING QIMING XINGCHEN INFORMATION TECHNOLOGY Co Ltd; Beijing Venus Information Technology Co Ltd
Prior art keywords: target variable, network, sample, data, principal component
Classification: Data Exchanges In Wide-Area Networks
Abstract

A macro network security state scoring method based on exception measurement comprises: defining the modeling parameters and the scoring standard; collecting sample data and extracting the index variables (called target variables in the description) that describe the network security state; extracting the regular factors that reflect the network's operating state, filtering out contingent factors, and building a model of the network's normal operating state from the index variables extracted from the sample data; collecting the data to be detected and computing the degree of abnormality between the detected data and the normal model; computing a normalized score for each index variable from its degree of abnormality, and giving a normalized score for the overall network state according to the importance of the index variables. The invention allows the modeling parameters and the scoring standard of every index variable to be adjusted, and describes the current state of the important index variables and the overall state of the network according to how much each index variable matters in a given network environment. The method is real-time, accurate, quantitative and configurable.

Description

Macro network security status assessment method based on exception measurement
Technical field
The present invention relates to the field of information security, and specifically to a method, based on exception measurement, for evaluating the security state of a macro network.
Background technology
With the development of the Internet, computer networks and network security face an unprecedentedly severe situation, and assessing the security state of computer networks is becoming more and more important. Current work on evaluating network security state concentrates mainly on risk assessment of critical network assets within a local scope; little research addresses evaluation of the overall security state of a macro network.
The techniques currently used in risk assessment, whether the network risk state assessment model based on the analytic hierarchy process (AHP) or the immunity-based network intrusion risk assessment method, all target a particular network environment and closely monitor the protected machines (some combine this with vulnerability scanning to produce a risk factor; some devote large amounts of resources to memorizing the normal state). These methods work well in a LAN environment, but once the number of hosts in the network reaches a certain magnitude they cannot be applied in practice because of limits on computing resources, storage resources and the like.
The US research organization CAIDA (Cooperative Association for Internet Data Analysis) has proposed a method for assessing the propagation of Internet worms on a macro network. The method simulates 16 million routable host addresses, continuously monitors, collects and counts the access requests arriving from the Internet, and uses the backscatter inference algorithm (Back-Scatter Algorithm) to infer how a worm propagates during an outbreak. The data collected by this method comes from simulated host addresses, not from real IP addresses on the backbone; its main purpose is to assess the impact of an Internet worm outbreak, and it is hard to use for assessing the day-to-day operating state of a macro network.
Summary of the invention
The object of the present invention is to overcome the shortcomings of the prior art and provide a method that inspects large volumes of data in a macro network in real time and assesses the overall security state of the network. Based on observation of the macro network system and on the regularity with which normal network data varies, the invention extracts target variables that reflect the network state well while reducing the dependence on storage resources. It detects whether the network is in a safe condition by exception measurement: during model building it extracts the principal components that reflect the network's operating state and screens out the contingent factors of operation, so that the overall security state of the macro network is described accurately.
The object of the invention is achieved through the following technical solution:
A macro network security status assessment method based on exception measurement, comprising the following steps:
A. Define the modeling parameters and the scoring standard;
B. According to the defined modeling parameters, collect sample data and extract the target variables used to describe the network security state;
C. From the target variables extracted from the sample data, extract the regular factors that reflect the network's operating state, filter out the contingent factors, and build the model of the network's normal operating state;
D. Collect the data to be detected and compute the degree of abnormality between the data to be detected and the normal model;
E. According to the defined scoring standard, compute a standardized score for each target variable from its degree of abnormality, and give a standardized score for the overall network state according to the importance of the target variables.
Preferably, step A comprises:
A1. User-defined modeling parameters: the number of samples, the fluctuation amplitude of the sample principal components and the sample contribution rate are all definable;
A2. User-defined scoring standard: the exception measurement scoring standard and the importance of each target variable are definable.
Preferably, step B comprises:
B1. Collect the raw data;
B2. Extract the target variables;
B3. Aggregate the data for each target variable periodically;
B4. Use the aggregated target variables as the modeling sample data.
Preferably, the target variables in step B2 include but are not limited to: TCP port traffic, UDP port traffic, packet length traffic, ICMP flag traffic, TCP flag traffic, the entropy distribution over the several identifiers of the four-tuple (source IP, destination IP, source port, destination port), and the security event frequency.
Preferably, a model is built separately for each target variable, using principal component analysis. Step C comprises:
C1. A series of data for a given target variable forms the sample matrix $X$;
C2. Compute the covariance matrix $M$ of the sample data and the sample mean vector $\mu$;
C3. Compute the eigenvalues and eigenvectors of $M$ and, according to the eigenvalues, extract $k$ principal components from the $m$-dimensional target variable, where $k \le m$;
C4. Compute the transformation matrix $UU^T$ that maps the sample data from the $k$ principal components back to the original $m$-dimensional sample space;
C5. Compute the residual mean $\mu_d$ and the residual standard deviation $\sigma_d$ of the sample data after mapping with the transformation matrix $U$ (the residual, as the term is used in this invention, is the Euclidean distance between a vector before mapping and the same vector after mapping onto the transformed space $U$); the computation is the same as in step D;
C6. The sample mean vector $\mu$, the residual mean $\mu_d$, the residual standard deviation $\sigma_d$ and the transformation matrix $UU^T$ together constitute the model of that target variable.
Optionally, in step C3 the principal components may be chosen by, but not limited to, the following methods: according to the fluctuation periodicity (that is, the regularity) of each principal component; or according to the contribution rate of each principal component (formula image A200710176511D00061, where $\lambda_i$ is an eigenvalue).
Preferably, step D comprises:
D1. Centre the vector to be detected, $t$, to obtain $\phi$: $\phi = t - \mu$
D2. Map $\phi$ onto the space $UU^T$: $\phi_f = UU^T\phi$
D3. Compute the residual $\xi$ of $\phi$: $\xi = \lVert \phi - \phi_f \rVert$
Preferably, step E comprises:
E1. Score target variable $i$: compare the residual $\xi$ with the sample residual mean $\mu_d$ to obtain the gap $q_i = \left| \frac{\xi - \mu_d}{\sigma_d} \right|$, and score it according to the user-defined scoring standard;
E2. Score the overall security state of the macro network: the final score is computed from the target variable scores according to the user-defined importance of each target variable; the weighted average method may be used, but the choice is not limited to it.
As the method steps above show, the invention has the following advantages:
1. The target variables chosen by the invention reflect the security state of the network well in a macro network environment, while the data volume does not become too large and stays within what the system can process.
2. The invention uses the principal component analysis algorithm in the modeling process. Generating the principal components removes the correlation between the components of the same vector; choosing principal components by judging their fluctuation periodicity removes the noise in the data. (The principal components of the sample matrix are divided into normal principal components and abnormal principal components, which represent the normal traffic and the abnormal traffic in the network respectively; the difference between the two shows mainly in their trend over time. A normal principal component changes fairly gently over time and is clearly periodic; an abnormal principal component changes with larger amplitude over time and is strongly bursty.)
3. The method is very flexibly customizable: the selected target variables, the scoring standard of each single target variable, the overall scoring standard and so on can be adjusted to suit different real networks or a change in focus.
Description of drawings
Fig. 1 is a flow chart of the security assessment method of the invention;
Fig. 2 illustrates the target variable dimension reduction method of the invention;
Fig. 3 illustrates the scoring method for a single target variable;
Fig. 4 is a flow chart of normal behaviour model building.
The invention is described in detail below with reference to the drawings and a specific implementation.
Embodiment
The security state assessment method proposed by the invention is mainly intended for macro network environments. The assessment flow is shown in Fig. 1.
To help those skilled in the art understand the invention better, it is described in further detail below with reference to the flow chart of Fig. 1. The method comprises the following steps:
Step 101: Initialize all user-defined parameters, specifically:
Configurable information used by the data modeling process:
Sample row count: the number of samples collected consecutively, starting from the first sample point;
Sample column count: the dimension of the sample vector data itself;
Normal data fluctuation range: the first basis for extracting normal principal components;
Contribution rate: the second basis for extracting normal principal components;
Configurable information used by the network security state scoring process:
Scoring thresholds: four can be defined; they are used to quantize the score of a single target variable;
Weight of each target variable: the basis of the overall network security state score;
Step 102: Raw data collection. Read the raw packets directly from the network interface card, perform protocol parsing and matching, and extract the required data.
Step 103: Generate each kind of target variable periodically (the kinds of target variable extracted in this embodiment are those listed in the method description above). To reduce the influence of bursty data and the number of processing passes, the data extracted in step 102 is accumulated over a time window before being passed to the subsequent processing.
Step 104: Target variable dimension reduction (producing the final variables). Every target variable listed in the invention contains many elements. To reduce resource consumption while concentrating on certain factors, each target variable is reduced in dimension; the processing is shown in Fig. 2.
Step 105: Check whether the model has been built. If it has, go to step 106; if it has not, go to step 110.
Step 106: Using the algorithms of step C and step D in the method description, compute the gap $q_i$ between the residual of each real-time vector and the sample residual mean.
Step 107: Quantize this gap to a score between 0 and 100 by the method shown in Fig. 3; the higher the score, the more dangerous the current network state. The thresholds X1-X4 are definable and are obtained in step 101; the defaults are X1: 1, X2: 3, X3: 5, X4: 10.
Step 108: Compute the overall network security state score with the weighted average algorithm; the weight of each target variable is definable and is obtained in step 101. The score computed in this step lies between 0 and 100; the higher the score, the more dangerous the current network state.
Step 109: Output the computed overall score, the score of each target variable and the current target variable contents to a file, a terminal or shared memory.
Step 110: Using the sample row count obtained in step 101, check whether sample collection is complete. If it is, go to step 112; if it is not, go to step 111.
Step 111: Store the sample data.
Step 112: Operate on the stored sample data and build the normal behaviour model by the steps of Fig. 4.
Fig. 2 illustrates the target variable dimension reduction process.
Step 201: Reduce the dimension of the TCP port traffic from 65536 to 16: each well-known port occupies one dimension of its own, 14 dimensions in total; the non-common ports 0-1024 occupy one dimension, and ports 1025-65535 occupy one dimension.
Step 202: Reduce the dimension of the UDP port traffic from 65536 to 16: each well-known port occupies one dimension of its own, 14 dimensions in total; the non-common ports 0-1024 occupy one dimension, and ports 1025-65535 occupy one dimension.
Step 203: Reduce the dimension of the packet length traffic to 6; the basis for the reduction is given in Fig. 2.
Step 204: Reduce the dimension of the TCP flag traffic from 64 to 7; the basis for the reduction is given in Fig. 2.
Step 205: Reduce the dimension of the ICMP type traffic from 18 to 5; the basis for the reduction is given in Fig. 2.
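The port dimension reduction of steps 201 and 202 and the four-tuple entropy target variable, as an added Python example that is not code from the patent. The flow records are constructed, the 14 ports in `WELL_KNOWN` are an assumption because the patent does not list its well-known ports, and counting traffic in bytes is also an assumption.

```python
import math
from collections import Counter

# Assumption: the patent reserves 14 dimensions for well-known ports but does
# not list them; this selection is illustrative only.
WELL_KNOWN = (20, 21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389)
LOW_OTHER, HIGH_OTHER = 14, 15    # dimensions for the remaining 0-1024 / 1025-65535
FIELDS = ("src", "dst", "sport", "dport")


def port_bucket(port):
    """Map one of 65536 ports to one of 16 dimensions (steps 201/202)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    if port in WELL_KNOWN:
        return WELL_KNOWN.index(port)
    return LOW_OTHER if port <= 1024 else HIGH_OTHER


def port_flow_vector(flows):
    """16-dimensional port traffic vector for one time window (bytes per bucket)."""
    vector = [0] * 16
    for flow in flows:
        vector[port_bucket(flow["dport"])] += flow["bytes"]
    return vector


def entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    n = sum(counts.values())
    return sum(c / n * math.log2(n / c) for c in counts.values())


def tuple_entropy_vector(flows):
    """Entropy of each four-tuple field over one time window."""
    return [entropy([flow[field] for flow in flows]) for field in FIELDS]


# Constructed window: four clients talking to two servers on common services.
NORMAL_WINDOW = [
    {"src": "198.51.100.1", "dst": "192.0.2.10", "sport": 40001, "dport": 80, "bytes": 1200},
    {"src": "198.51.100.2", "dst": "192.0.2.10", "sport": 40002, "dport": 443, "bytes": 900},
    {"src": "198.51.100.3", "dst": "192.0.2.11", "sport": 40003, "dport": 53, "bytes": 100},
    {"src": "198.51.100.4", "dst": "192.0.2.11", "sport": 40004, "dport": 8080, "bytes": 300},
]

# Constructed window: one source touching eight different high ports on one host.
SCAN_WINDOW = [
    {"src": "198.51.100.9", "dst": "192.0.2.10", "sport": 50000 + i,
     "dport": 2000 + i, "bytes": 60}
    for i in range(8)
]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("scan-like", SCAN_WINDOW)):
        print(name, port_flow_vector(window), tuple_entropy_vector(window))
```

In the scan-like window the source and destination entropy collapse to 0 while the port entropy rises, and all traffic lands in the last port dimension; these are the vectors the model of step C is trained on and tested against.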
Fig. 3 illustrates the scoring method for a single target variable.
The $q_i$ computed in step 106 is scored by the following rules:
$q_i \in [0, x_1]$: the score is linearized to the range 0-25;
$q_i \in [x_1, x_2]$: the score is linearized to the range 25-50;
$q_i \in [x_2, x_3]$: the score is linearized to the range 50-75;
$q_i \in [x_3, x_4]$: the score is linearized to the range 75-100;
$q_i \in [x_4, +\infty)$: the score is 100.
Fig. 4 illustrates the normal behaviour model building process:
Step 401: Compute the sample correlation matrix. Either the correlation matrix or the covariance matrix may be used (optional), depending on the nature of the sample data.
Step 402: Compute the eigenvalues and eigenvectors of the correlation matrix. While computing them, also compute the sample mean vector and the sample standard deviation vector and store them in the model.
Step 403: Choose the principal components. This embodiment chooses principal components by combining the contribution rate with the fluctuation amplitude. Sort the eigenvalues $\lambda_i$ and the corresponding eigenvectors $L_i$ in descending order.
Algorithm for choosing principal components by cumulative contribution rate:
1) Sum all the eigenvalues, that is, compute
(formula image A200710176511D00091)
2) Compute the contribution rate of each principal component in a loop; end the loop as soon as the cumulative contribution rate reaches the user-defined contribution rate (obtained in step 101).
3) The number of principal components chosen is num1;
Algorithm for choosing principal components by fluctuation amplitude:
1) Compute the first principal component of the n sampled data, n values in all. Compute the mean $\mu_1$ and the variance $\sigma_1$ of these n values, find the element of the first principal component that deviates most from the mean, and judge whether its deviation from the mean exceeds the defined threshold (obtained in step 101). If the maximum deviation of the first principal component exceeds the threshold, take the first principal component as the normal principal component and the other principal components as abnormal principal components, and take the principal component transformation matrix $U = [L_1]$; if the maximum deviation does not exceed the threshold, go to step 2;
2) Compute the next principal component $Z_i$ and the mean $\mu_i$ and variance $\sigma_i$ of $Z_i$, and judge whether the maximum deviation of the i-th principal component exceeds the threshold. If the maximum deviation of this principal component exceeds the threshold, take the principal component transformation matrix $U = [L_1, \ldots, L_{i-1}]$; if the maximum deviation does not exceed the threshold, repeat this process until the last principal component has been checked.
3) The number of principal components chosen is num2;
Take the smaller of num1 and num2 as the final number of principal components, num; the principal component transformation matrix is $U = [L_1, \ldots, L_{num}]$, and $UU^T$ is stored in the model.
Step 404: Compute the sample residual mean and the residual standard deviation by the method of step C in the method description, and store them in the model.
Step 405: Model building is complete.
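An added Python/NumPy example (not code from the patent) that carries one target variable through the model building of Fig. 4, the residual test of steps D1-D3, the gap $q_i$ and the Fig. 3 scoring with the default thresholds, then combines scores as in step 108. It chooses principal components by cumulative contribution rate only, takes the contribution rate as $\lambda_i / \sum \lambda$ (the usual PCA definition), and uses constructed 4-dimensional samples; all function and constant names are assumptions.

```python
import numpy as np

MIX = np.array([0.5, 0.3, 0.15, 0.05])   # constructed traffic share per dimension


def constructed_samples(n=240, seed=0):
    """Constructed training data: a 24-window periodic load split by MIX, plus noise."""
    rng = np.random.default_rng(seed)
    load = 100 + 30 * np.sin(2 * np.pi * np.arange(n) / 24)
    return np.outer(load, MIX) + rng.normal(0.0, 1.0, size=(n, len(MIX)))


def residual(t, mu, P):
    """Steps D1-D3 for one vector t."""
    phi = np.asarray(t, dtype=float) - mu          # D1: phi = t - mu
    phi_f = P @ phi                                # D2: phi_f = U U^T phi
    return float(np.linalg.norm(phi - phi_f))      # D3: xi = ||phi - phi_f||


def build_model(X, contribution=0.9):
    """Steps C1-C6, choosing k by cumulative contribution rate."""
    X = np.asarray(X, dtype=float)
    mu = X.mean(axis=0)                            # C2: sample mean vector
    M = np.cov(X, rowvar=False)                    # C2: covariance matrix
    lam, L = np.linalg.eigh(M)                     # C3: eigh returns ascending order
    lam, L = lam[::-1], L[:, ::-1]                 # sort descending
    cumulative = np.cumsum(lam) / lam.sum()        # assumed: lambda_i / sum(lambda)
    k = min(int(np.searchsorted(cumulative, contribution)) + 1, len(lam))
    U = L[:, :k]
    P = U @ U.T                                    # C4: transformation matrix U U^T
    xi = np.array([residual(x, mu, P) for x in X])  # C5: training residuals
    sigma_d = float(xi.std())
    if sigma_d == 0.0:
        raise ValueError("training residuals have zero spread; q_i is undefined")
    return {"mu": mu, "P": P, "k": k, "mu_d": float(xi.mean()), "sigma_d": sigma_d}


def deviation(t, model):
    """E1: q_i = |xi - mu_d| / sigma_d."""
    xi = residual(t, model["mu"], model["P"])
    return abs(xi - model["mu_d"]) / model["sigma_d"]


def score_variable(q, thresholds=(1, 3, 5, 10)):
    """Fig. 3: piecewise-linear score, 25 points per band of the four thresholds."""
    if q < 0 or len(thresholds) != 4:
        raise ValueError("q must be non-negative and four thresholds are expected")
    bounds = (0.0,) + tuple(thresholds)
    if q >= bounds[-1]:
        return 100.0
    for band in range(4):
        lo, hi = bounds[band], bounds[band + 1]
        if q < hi:
            return 25.0 * (band + (q - lo) / (hi - lo))


def score_network(scores, weights):
    """Step 108: weighted average of the per-variable scores."""
    total = sum(weights[name] for name in scores)
    return sum(scores[name] * weights[name] for name in scores) / total


# Constructed vectors to test against the model.
NORMAL_T = 110 * MIX + np.array([0.8, -0.8, 0.8, -0.8])   # usual mix, usual noise
SPIKE_T = 100 * MIX + np.array([0.0, 0.0, 0.0, 40.0])     # surge in one dimension

if __name__ == "__main__":
    model = build_model(constructed_samples())
    for name, t in (("normal", NORMAL_T), ("spike", SPIKE_T)):
        q = deviation(t, model)
        print(f"{name}: k={model['k']} q={q:.2f} score={score_variable(q):.1f}")
```

Because $q_i$ is an absolute value, a residual far below the training mean raises the score as well as one far above it.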
The technical solution and beneficial effects of the invention have been further described above. The invention can be implemented in many variant forms; any modification, parameter replacement, improvement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (9)

1. A macro network security status assessment method based on exception measurement, characterized in that it comprises the following steps:
A. Define the modeling parameters and the scoring standard;
B. According to the defined modeling parameters, collect sample data and extract the target variables used to describe the network security state;
C. From the target variables extracted from the sample data, extract the regular factors that reflect the network's operating state, filter out the contingent factors, and build the model of the network's normal operating state;
D. Collect the data to be detected and compute the degree of abnormality between the data to be detected and the normal model;
E. According to the defined scoring standard, compute a standardized score for each target variable from its degree of abnormality, and give a standardized score for the overall network state according to the importance of the target variables.
2. The macro network security status assessment method based on exception measurement according to claim 1, characterized in that step A comprises:
A1. User-defined modeling parameters: the number of samples, the fluctuation amplitude of the sample principal components and the sample contribution rate are all definable;
A2. User-defined scoring standard: the degree-of-abnormality scoring standard and the importance of each target variable are definable.
3. The macro network security status assessment method based on exception measurement according to claim 1, characterized in that the target variables in step B comprise: TCP port traffic, UDP port traffic, packet length traffic, ICMP flag traffic, TCP flag traffic, the entropy distribution over the several identifiers of the four-tuple (source IP, destination IP, source port, destination port), and the security event frequency.
4. The macro network security status assessment method based on exception measurement according to claim 1, characterized in that a model is built separately for each target variable, using principal component analysis; step C comprises:
C1. A series of data for a given target variable forms the sample matrix $X$;
C2. Compute the covariance matrix $M$ of the sample data and the sample mean vector $\mu$;
C3. Compute the eigenvalues and eigenvectors of $M$ and, according to the eigenvalues, extract $k$ principal components from the $m$-dimensional target variable, where $k \le m$;
C4. Compute the transformation matrix $UU^T$ that maps the sample data from the $k$ principal components back to the original $m$-dimensional sample space;
C5. Compute the residual mean $\mu_d$ and the residual standard deviation $\sigma_d$ of the sample data after mapping with the transformation matrix $U$ (the residual, as the term is used in this invention, is the Euclidean distance between a vector before mapping and the same vector after mapping onto the transformed space $U$); the computation is the same as in step D;
C6. The sample mean vector $\mu$, the residual mean $\mu_d$, the residual standard deviation $\sigma_d$ and the transformation matrix $UU^T$ together constitute the model of that target variable.
5. The macro network security status assessment method based on exception measurement according to claim 4, characterized in that in step C3 the principal components may be chosen by, but not limited to, the following methods: according to the fluctuation periodicity (that is, the regularity) of each principal component; or according to the contribution rate of each principal component (formula image A200710176511C00031, where $\lambda_i$ is an eigenvalue).
6. The macro network security status assessment method based on exception measurement according to claim 1, characterized in that step D comprises:
D1. Centre the vector to be detected, $t$, to obtain $\phi$: $\phi = t - \mu$;
D2. Map $\phi$ onto the space $UU^T$: $\phi_f = UU^T\phi$;
D3. Compute the residual $\xi$ of $\phi$: $\xi = \lVert \phi - \phi_f \rVert$.

Priority application: CN2007101765119A, priority date 2007-10-30, filing date 2007-10-30, Macro network security status assessment method based on exception measurement, Expired - Fee Related, CN101425936B (en)

Publications (2)

Publication Number Publication Date
CN101425936A 2009-05-06
CN101425936B 2011-08-31

Family ID: 40616285

Country status: CN (1), CN101425936B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110831

Termination date: 20161030