CN101425936B - Macro network security status assessment method based on exception measurement - Google Patents
Macro network security status assessment method based on exception measurement Download PDFInfo
- Publication number
- CN101425936B CN101425936B CN2007101765119A CN200710176511A CN101425936B CN 101425936 B CN101425936 B CN 101425936B CN 2007101765119 A CN2007101765119 A CN 2007101765119A CN 200710176511 A CN200710176511 A CN 200710176511A CN 101425936 B CN101425936 B CN 101425936B
- Authority
- CN
- China
- Prior art keywords
- network
- target variable
- sample
- index variable
- principal component
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The present invention relates to a macro network safety state grade method based on abnormal measurement comprising: defining modeling parameter and grade standard, collecting sample data, extracting index variable for describing network safety state; extracting regularity factor capable of reflecting network operation state, filtering contingency factor, establishing network normal operation state model according to index variable extracted from sample data; collecting index variable test data, computing intensity of abnormality of the index variable test data and normal model; computing the normalized grade of the index according to intensity of abnormality of the index variable , giving the normalize grade of network integral state according to significance of the index variable. The invention can regulate modeling parameter and grading standard of every index variable, describe present state of important index variable of present network and integral state of network according to different involvement of every index variable in different network environment; the invention has merits of real time, accuracy, quantification and configurability.
Description
Technical field
The present invention relates to information security field, be specifically related to a kind of method of the security state evaluation that is applied to macro network based on exception measurement.
Background technology
Along with the development of Internet, the information of computer network and network security are faced with unprecedented severe situation.Assessment to the safe condition of computer network becomes more and more important.Aspect the evaluation of network safe state, mainly concentrate in the risk assessment of network critical asset in the subrange little achievement in research that relates to macro network general safety state evaluation at present.
In the technology of in risk assessment at present, using; no matter be based on the network risks state estimation model of analytic hierarchy process (AHP); also be based on the network intruding danger estimating method of immunity; all be at the particular network environment; shielded machine is carried out key monitoring (some combines with vulnerability scanning and provides risk factor, and some distributes ample resources memory normal condition).These methods have good effect under LAN environment, but the main frame number reaches certain magnitude in network, owing to the restriction of computational resource, storage resources etc., can't specifically use.
The CAIDA of research organization of the U.S. (Cooperative Association for Internet Data Analysis, internet data is analyzed association) has proposed a kind of method of assessing Internet worm propagation situation on macro network.This method is mainly by 1,600 ten thousand routable host addresses of simulation, by continuously the access request from the Internet being monitored, collected and adds up, use the diffusing reasoning algorithm (Back-ScatterAlgorithm) in back to repair the positive and negative propagation condition of worm when outburst that push away.The data acquisition scope of this method is the host address that simulates, and real IP address on the non-backbone; Influence when its main purpose is the outburst of assessment Internet worm is difficult to use in the day-to-day operation state of assessing macro network.
Summary of the invention
The objective of the invention is to overcome the shortcoming of prior art, provide a kind of and in macro network, mass data is detected in real time, the method for assessment network general safety state.The present invention according to the regularity of proper network data variation, extracts target variable according to the observation of macro network system, can fine reflection network state, can lower dependence again to storage resources; Whether detect network condition safety based on exception measurement, in the modelling process, extract the main component that can reflect network operation state, the operating contingency factor of screen, thereby the overall safety state of accurate description macro network.
The objective of the invention is to be achieved through the following technical solutions:
A kind of macro network security status assessment method based on exception measurement said method comprising the steps of:
A, definition modeling parameters and standards of grading;
B, according to defined modeling parameters, gather sample data, extract the target variable that is used to describe network safe state;
The target variable that C, basis are extracted from sample data, extraction can reflect the regularity factor of network operation state, filters the contingency factor, sets up network normal operating condition model;
D, acquisition index variable detect data, and the parameter variable detects the intensity of anomaly between data and normal model;
E, according to defined standards of grading, the standardization scoring according to the intensity of anomaly of described target variable calculates this index provides the standardization scoring of network integrality according to the significance level of target variable.
Preferably, described steps A comprises:
A1, self-defined modeling parameters: number of samples definable, sample principal component fluctuating range definable, sample contribution rate definable;
A2, self-defined standards of grading: the significance level definable of exception measurement standards of grading definable, target variable.
Preferably, described step B comprises:
B1, collection initial data;
B2, extraction target variable;
B3, the data cycle of carrying out is gathered at target variable;
B4, the target variable after gathering are as the modeling sample data.
Preferably, target variable includes but not limited among the described step B2: four-tuple (source ip, purpose ip, source port, the destination interface) entropy on tcp port flow, udp port flow, length flow, icmp sign flow, tcp sign flow, a plurality of sign distributes and the security incident frequency.
Preferably, set up model respectively for each target variable, principal component analytical method is used in the foundation of model.Described step C comprises:
A series of data of C1, certain target variable constitute sample matrix X;
C2, the covariance matrix M that calculates sample data, sample average vector μ;
The characteristic value of C3, compute matrix M and characteristic vector are extracted k according to characteristic value and are tieed up main composition, k<=m herein from the target variable of m dimension;
C4, calculating are tieed up main composition with sample data from k, the transition matrix UU of original m dimension sample data that remaps back
T
C5, the residual error average μ of calculating sample data after mapping on the transition matrix U
dWith the residual error standard deviation sigma
d(wherein, vector is the Euclidean distance between the vector of before the mapping and mapping back on transformed space U, is referred to as residual error among the present invention), computational methods are identical with step D;
C6, sample average vector μ, residual error average μ
d, the residual error standard deviation sigma
dWith transition matrix UU
TThe common model that constitutes certain target variable.
Alternatively, described step C3 comprises: the method for choosing principal component can be used but be not limited to: property period of waves (promptly regular) according to each principal component is chosen; According to the contribution rate of principal component (
λ wherein
iBe characteristic value) choose.
Preferably, described step D comprises:
D1, vectorial t to be detected center is turned to φ: φ=t-μ
D2, with φ at space UU
TLast mapping: φ
f=UU
Tφ
The residual error ξ of D3, calculating φ: ξ=‖ φ-φ f ‖
Preferably, described step e comprises:
The scoring of E1, target variable i: compare residual error ξ and sample residual average μ
dBetween gap q
i:
Mark according to self-defining scoring module
E2, macro network general safety state scoring:, can select but be not limited to use weighted average method finally to mark according to self-defining target variable significance level scoring.
By above method step provided by the invention as can be seen, the present invention has following advantage:
1, the target variable chosen of the present invention is in the macro network environment, safe condition that can either fine embodiment network, data volume again can be too not huge, belong to system can process range in.
2, the present invention has used the principal component analysis algorithm in modeling process, in generating the principal component process, has removed the correlation between same component of a vector; Choose in the process in principal component and to have removed the noise in the data by the judgement of property period of waves (principal component of sample matrix is divided into normal principal component and unusual principal component, represented normal discharge and the abnormal flow in the network respectively, the difference of the two is mainly reflected on the variation tendency.Normal principal component is comparatively mild over time, presents obvious periodic; Amplitude is bigger over time for unusual principal component, presents stronger sudden).
3, this method has self-defined very flexibly system, can be according to the difference of real network or the variation of focus, and the target variable that adjustment is selected, the scoring module of single target variable, comprehensive grading standard etc.
Description of drawings
Fig. 1 is a safety evaluation method flow chart of the present invention;
Fig. 2 is target variable dimension reduction method explanation among the present invention;
Fig. 3 is that the single target variable methods of marking of the present invention is described;
Fig. 4 is a normal behaviour modelling flow chart of the present invention.
Describe the present invention in detail below in conjunction with accompanying drawing and specific implementation.
Embodiment
The secure state evaluating method that the present invention proposes is mainly used in the macro network environment.The idiographic flow of evaluation process as shown in Figure 1.
In order to make those skilled in the art person understand the present invention better, the present invention is described in further detail below in conjunction with flow chart shown in Figure 1.May further comprise the steps:
Step 101: all user-defined parameters of initialization specifically comprise:
The configurable information that the data modeling process is used:
Sample line number: begin to continue number of samples from gathering sample point;
Sample columns: the dimension of sample vector data itself;
Normal data fluctuation range: extract one of foundation of normal principal component;
Contribution rate: extract normal principal component foundation two;
The configurable information that the network safe state scoring process uses:
Scoring thresholding: can define 4, be used for single target variable score value and quantize;
Each target variable weights: network safe state TOP SCORES process foundation;
Step 102: raw data acquisition, directly read the initial data message from network interface card, carry out protocol analysis and matching operation, extract the data that need.
Step 103: generate all kinds of target variables (the target variable kind of extracting in the present embodiment illustrates referring to previous methods) according to the cycle, for influence and the minimizing number of processes that reduces bursty data, after the data that step 102 is extracted add up according to time window, offer follow-up flow processing.
Step 104: target variable dimension-reduction treatment (generation final variables), each target variable containing element of enumerating among the present invention is all many, pay close attention to some factor simultaneously in order to reduce resource consumption, each target variable is taked dimension-reduction treatment, concrete processing mode is referring to Fig. 2.
Step 105: whether judgment models is set up, if set up, forwards step 106 to; If do not set up as yet, forward step 110 to.
Step 106:, calculate the gap q between each real-time vectorial residual error and the sample residual average according to step C and step D-algorithm in the inventive method explanation
i
Step 107: according to Fig. 3 illustration method this gap is quantized between the 0-100 branch, this score value is high more, illustrates that current network state is dangerous more.Wherein the X1-X4 definable obtains in step 101, and the default default value is X1:1, X2:3, X3:5, X4:10.
Step 108: use weighted average and algorithm computation network safe state comprehensive scores, wherein the weights definable of each target variable obtains in step 101.The score value that this step calculates is between 0-100, and this score value is high more, illustrates that current network state is dangerous more.
Step 109: the comprehensive scores, each target variable score value and the current target variable content that calculate are outputed in file, terminal or the shared drive.
Step 110: according to the sample line number that step 101 is obtained, whether judgement sample has been gathered is finished, if finish, forwards step 112 to, does not finish if gather, and forwards step 111 to.
Step 111: storing sample data.
Step 112: the sample data of operation store, set up the normal behaviour model according to Fig. 4 step.
Fig. 2 illustrates target variable dimension-reduction treatment process.
Step 201: with the dimension-reduction treatment of Tcp port flow.65536 dimensions are reduced to 16 dimensions, and wherein: well known port occupies one dimension alone, totally 14 ties up, and non-common port 0-1024 occupies one dimension, and 1025-65535 occupies one dimension.
Step 202: with the dimension-reduction treatment of udp port flow.65536 dimensions are reduced to 16 dimensions, and wherein: well known port occupies one dimension alone, totally 14 ties up, and non-common port 0-1024 occupies one dimension, and 1025-65535 occupies one dimension.
Step 203: with the dimension-reduction treatment of message length flow.The message length flow is reduced to 6 dimensions, and the dimensionality reduction foundation is as Fig. 2.
Step 204: Tcp is identified the flow dimension-reduction treatment.64 dimensions are reduced to 7 dimensions, and the dimensionality reduction foundation is as Fig. 2.
Step 205: with the dimension-reduction treatment of Icmp type flow.18 dimensions are reduced to 5 dimensions, and the dimensionality reduction foundation is as Fig. 2.
Fig. 3 illustrates the methods of marking of single target variable.
The q that step 106 is calculated
iUse following rule to mark:
q
i∈ [0, x1], the score value linearisation is between the 0-25;
q
i∈ [x1, x2], the score value linearisation is between the 25-50;
q
i∈ [x2, x3], the score value linearisation is between the 50-75;
q
i∈ [x3, x4], the score value linearisation is between the 75-100;
q
i∈ [x4 ,+∞), score value is 100.
Fig. 4 illustrates normal behaviour modelling process:
Step 401: calculate sample correlation matrix.Can use correlation matrix or covariance matrix (optional) according to the difference of sample data character.
Step 402: the eigen vector that calculates correlation matrix.In computation of characteristic values and characteristic vector process, calculate sample average vector and sample standard deviation vector simultaneously, and be stored in the model.
Step 403: choose principal component.Present embodiment uses contribution rate to choose principal component with the fluctuating range mode of combining.With eigenvalue
iWith characteristic of correspondence vector L
iAccording to descending.
Use contribution rate of accumulative total to choose the principal component algorithm:
1) to all characteristic value summations, promptly calculates
2) contribution rate of each principal component of cycle calculations, contribution rate of accumulative total reach user definition contribution rate (step 101 is obtained), i.e. end loop.
3) choosing the principal component number is num1;
Use fluctuating range to choose the principal component algorithm:
1) first principal component of n sampled data of calculating, n altogether.Calculate the average μ of this n numerical value
1And variances sigma
1, find out the element that departs from the average maximum in the first principal component, judge whether its degree that departs from average has surpassed definition threshold value (step 101 is obtained).If the maximum deviation of first principal component has surpassed threshold value, getting first principal component is normal principal component, and other principal components are unusual principal component, get principal component transition matrix U=[L
1]; If maximum deviation does not surpass threshold value, change step 2 over to;
2) calculate next principal component Z
i, statistics Z
iAverage μ
iAnd variances sigma
i, judge whether the maximum deviation of i principal component has surpassed threshold value.If the maximum deviation of this principal component has surpassed threshold value, get the master
The composition transition matrix is U=[L
1, L, L
I-1]; If maximum deviation does not surpass threshold value, then repeat this process until having verified last principal component.
3) choosing the principal component number is num2;
Select num1, minimum value is final principal component number n um among the num2, and the principal component transition matrix is U=[L
1, L, L
Num], with UU
TBe stored in the model.
Step 404: calculate sample residual average and residual error standard deviation according to the described method of step C in the method explanation, be stored in the model.
Step 405: modelling finishes.
More than technical scheme of the present invention and beneficial effect have been done to further describe.The present invention can have the various deformation scheme to realize that within the spirit and principles in the present invention all, any modification of being done, parameter replacement, improvement etc. all should be included within protection scope of the present invention.
Claims (6)
1. the macro network security status assessment method based on exception measurement is characterized in that, may further comprise the steps:
A, definition modeling parameters and standards of grading;
B, according to defined modeling parameters, gather sample data, extract the target variable that is used to describe network safe state;
The target variable that C, basis are extracted from sample data, extraction can reflect the regularity factor of network operation state, filters the contingency factor, sets up network normal operating condition model;
D, acquisition index variable detect data, and the parameter variable detects the intensity of anomaly between data and normal model;
E, according to defined standards of grading, the standardization scoring according to the intensity of anomaly of described target variable calculates this index provides the standardization scoring of network integrality according to the significance level of target variable.
2. the macro network security status assessment method based on exception measurement according to claim 1 is characterized in that, described steps A comprises:
A1, self-defined modeling parameters: number of samples definable, sample principal component fluctuating range definable, sample contribution rate definable;
A2, self-defined standards of grading: the significance level definable of intensity of anomaly standards of grading definable, target variable.
3. the macro network security status assessment method based on exception measurement according to claim 1, it is characterized in that, target variable comprises among the described step B: the four-tuple on tcp port flow, udp port flow, length flow, icmp sign flow, tcp sign flow, a plurality of sign, be source ip, purpose ip, source port, destination interface, entropy distributes and the security incident frequency.
4. the macro network security status assessment method based on exception measurement according to claim 1 is characterized in that setting up model respectively for each target variable, and principal component analytical method is used in the foundation of model; Described step C comprises:
A series of data of C1, certain target variable constitute sample matrix X;
C2, the covariance matrix M that calculates sample data, sample average vector μ;
Characteristic value and the characteristic vector of C3, calculating covariance matrix M are extracted k according to characteristic value and are tieed up main composition, k<=m herein from the target variable of m dimension;
C4, calculating are tieed up main composition with sample data from k, the transition matrix UU of original m dimension sample data that remaps back
T
C5, the residual error average μ of calculating sample data after mapping on the transition matrix U
dWith the residual error standard deviation sigma
d
C6, sample average vector μ, residual error average μ
d, the residual error standard deviation sigma
dWith transition matrix UU
TThe common model that constitutes certain target variable.
5. the macro network security status assessment method based on exception measurement according to claim 4, it is characterized in that described step C3 comprises: the method for choosing principal component is: property period of waves according to each principal component is chosen; Contribution rate according to principal component is chosen.
6. the macro network security status assessment method based on exception measurement according to claim 1 is characterized in that, described step D comprises:
D1, vectorial t to be detected center is turned to φ: φ=t-μ;
D2, with φ at space UU
TLast mapping: φ
f=UU
Tφ;
The residual error ξ of D3, calculating φ: ξ=|| φ-φ f||.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007101765119A CN101425936B (en) | 2007-10-30 | 2007-10-30 | Macro network security status assessment method based on exception measurement |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007101765119A CN101425936B (en) | 2007-10-30 | 2007-10-30 | Macro network security status assessment method based on exception measurement |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101425936A CN101425936A (en) | 2009-05-06 |
| CN101425936B true CN101425936B (en) | 2011-08-31 |
Family
ID=40616285
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2007101765119A Expired - Fee Related CN101425936B (en) | 2007-10-30 | 2007-10-30 | Macro network security status assessment method based on exception measurement |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101425936B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103607319A (en) * | 2013-11-14 | 2014-02-26 | 福建伊时代信息科技股份有限公司 | Method and system for network risk treatment |
| GB201504612D0 (en) | 2015-03-18 | 2015-05-06 | Inquisitive Systems Ltd | Forensic analysis |
| CN106100896B (en) * | 2016-07-13 | 2018-11-23 | 焦点科技股份有限公司 | A kind of flow method for early warning based on website user's access path |
| GB201708671D0 (en) | 2017-05-31 | 2017-07-12 | Inquisitive Systems Ltd | Forensic analysis |
| CN108062603A (en) * | 2017-12-29 | 2018-05-22 | 国网福建省电力有限公司 | Based on distribution power automation terminal life period of an equipment life-span prediction method and system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1492336A (en) * | 2003-09-04 | 2004-04-28 | 上海格尔软件股份有限公司 | Information system auditing method based on data storehouse |
| EP1254537B1 (en) * | 2000-02-08 | 2005-12-14 | Harris Corporation | System and method for assessing the security vulnerability of a network using fuzzy logic rules |
| CN101026502A (en) * | 2007-04-09 | 2007-08-29 | 北京天勤信通科技有限公司 | Broad band network comprehensive performance management flatform |
-
2007
- 2007-10-30 CN CN2007101765119A patent/CN101425936B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1254537B1 (en) * | 2000-02-08 | 2005-12-14 | Harris Corporation | System and method for assessing the security vulnerability of a network using fuzzy logic rules |
| CN1492336A (en) * | 2003-09-04 | 2004-04-28 | 上海格尔软件股份有限公司 | Information system auditing method based on data storehouse |
| CN101026502A (en) * | 2007-04-09 | 2007-08-29 | 北京天勤信通科技有限公司 | Broad band network comprehensive performance management flatform |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101425936A (en) | 2009-05-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102340485B (en) | Network security situation awareness system and method based on information correlation | |
| Quah et al. | Application of neural networks for software quality prediction using object-oriented metrics | |
| CN101425936B (en) | Macro network security status assessment method based on exception measurement | |
| CN105139585A (en) | Intelligent early warning and prediction method for soil slope danger | |
| Feng et al. | Data mining for abnormal power consumption pattern detection based on local matrix reconstruction | |
| CN116366374B (en) | Security assessment method, system and medium for power grid network management based on big data | |
| CN113434859A (en) | Intrusion detection method, device, equipment and storage medium | |
| CN116112292A (en) | Abnormal behavior detection method, system and medium based on network flow big data | |
| CN116094837A (en) | Network terminal application acquisition analysis method, system and medium based on network big data | |
| CN111191720B (en) | Service scene identification method and device and electronic equipment | |
| Phillips et al. | Boosting the hodrick-prescott filter | |
| CN112463848A (en) | Method, system, device and storage medium for detecting abnormal user behavior | |
| CN110619691B (en) | Prediction method and device for slab surface cracks | |
| CN105516206A (en) | Network intrusion detection method and system based on partial least squares | |
| CN117371337B (en) | Water conservancy model construction method and system based on digital twin | |
| Amini et al. | Network-based intrusion detection using unsupervised adaptive resonance theory (ART) | |
| CN107800575A (en) | The appraisal procedure of electric power industrial control system information security | |
| CN105787369A (en) | Android software security analysis method based on slice measurement | |
| CN112651433B (en) | Abnormal behavior analysis method for privileged account | |
| Wang et al. | Innovative risk early warning model based on internet of things under big data technology | |
| CN116541698A (en) | XGBoost-based network anomaly intrusion detection method and system | |
| CN116660761B (en) | Lithium ion battery detection method and system | |
| Hassan et al. | Quantifying heteroskedasticity using slope of local variances index | |
| Schürz et al. | Reply to STOTEN 802 (2022) 149713: The fallacy in the use of the “best-fit” solution in hydrologic modeling | |
| CN117077140A (en) | Energy threat detection method and system for information energy system and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20110831 Termination date: 20161030 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |