CN102801739A - Network risk determining and evidence obtaining method based on cloud computing environment - Google Patents

Network risk determining and evidence obtaining method based on cloud computing environment

Info

Publication number
CN102801739A
Authority
CN
China
Prior art keywords
risk
network
value
server
evaluation
Prior art date
Application number
CN2012103151216A
Other languages
Chinese (zh)
Inventor
杨进
刘唐
刘孙俊
刘才铭
王红军
杨鸿�
Original Assignee
乐山师范学院
Priority date
Filing date
Publication date
Application filed by 乐山师范学院
Priority to CN2012103151216A
Publication of CN102801739A

Abstract

The invention discloses a network risk determination and evidence-obtaining (forensics) method based on a cloud computing environment. The method comprises the following steps: first, performing grid intrusion risk evaluation in the cloud computing environment; then establishing a layered quantitative risk evaluation system for the cloud computing environment; and finally obtaining evidence in real time and performing policy control. Detectors scattered through the network environment monitor the network, so that the overall comprehensive risk value of the current network, and the risk value of any host in the network under one kind of attack or several kinds of attack, are evaluated quantitatively in real time and evidence is obtained in real time; the defence policy of the entire system is then changed proactively according to the risk index. The method evaluates and predicts risk for the network security state in the cloud computing environment, and performs effective network risk evaluation and evidence collection for attack behaviour suffered by the monitored network, thereby achieving the goal of network security.

Description

Network risk determination and forensics method based on a cloud computing environment

Technical field

[0001] The present invention belongs to the technical field of network risk, and in particular relates to a network risk forensics and determination method based on a cloud computing environment.

Background

[0002] Cloud computing technology is developing toward large scale, high performance and distribution; it brings major innovation to information technology and has become a focus of great attention for industry, academia and even government. The national "Twelfth Five-Year" plan lists cloud computing as a strategic emerging industry for key development. The development of cloud computing will change the entire information industry chain of CPUs, storage, servers, terminals and application software, and will profoundly affect information applications from production to daily life. As the importance of network security in the cloud computing environment gradually rises, security has become an important factor restricting the development of cloud computing. Unfortunately, existing network security models are mainly based on anomaly detection, log analysis, rule matching and similar methods, and they mainly discover attack behaviour after it has occurred; nor are they suited to the cloud computing environment, one of whose characteristics is the elimination of the network boundary. Traditional intrusion detection methods based on misuse detection and anomaly detection algorithms are not applicable in a cloud computing environment, as they lack distribution and scalability.

Summary of the invention

[0003] In order to solve the existing problems, the present invention provides a network risk forensics and determination method based on a cloud computing environment, which offers a way to effectively analyse the attack behaviour that the monitored network in a cloud computing environment is suffering and to calculate and evaluate the network risk level. A layered, quantitative measurement index system is established in the cloud computing environment so that the network situation is grasped as a whole and globally; using the relevant theory of fuzzy computation for analysis, combining asset evaluation with the network situation evaluation system, and applying safety systems engineering theory, the inherent or potential risks in the network under the cloud computing environment are analysed qualitatively and quantitatively, yielding the probability that danger occurs in the whole network and the severity of its consequences.

[0004] Another object of the embodiments of the present invention is to provide a network risk forensics and determination method based on a cloud computing environment, characterized in that the method comprises:

[0005] first, performing grid intrusion risk evaluation in the cloud computing environment;

[0006] establishing a layered quantitative risk-degree evaluation system in the cloud computing environment;

[0007] performing real-time forensics and policy control.

[0008] Further, the network risk evaluation method is as follows:

[0009] first, detectors are distributed to each node of the network, that is, onto the security servers, which monitor the network and begin collecting network data;

[0010] the data center server collects risk information from the monitoring points under its jurisdiction;

[0011] the second-level data center server statistically analyses the collected information and, combining it with the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under it;

[0012] the top-level data center server statistically analyses the overall risk evaluated by the second-level data center servers and the risk of the top-level security servers, and calculates the risk value of the whole system by combining the important risk-related information;

[0013] the top-level data center server collects security server information and overall risk information from the second-level data center servers, collects risk information from the top-level security servers, and obtains important risk-related information locally.

[0014] Further, in the risk statistics module all data center servers are regarded as playing the same role: a data center server collects risk information from the monitoring points under its jurisdiction; if a monitoring point under it is a lower-level data center server, that server's overall risk is collected, and if the monitoring point is a security server, that server's own risk is collected; a security server obtains its own risk records through real-time monitoring; a second-level data center server contacts the top-level data center server to obtain important risk-related information; and a second-level data center server collects locally all the risk information of the monitored security servers directly under it.

[0015] Further, the layered quantitative risk-degree evaluation method in the cloud computing environment comprises:

[0016] calculating the risk degree of a single host facing a single attack at time t; the risk value at time t of the i-th anomaly to a host on the j-th LCSA is given by the corresponding formula (reproduced in the detailed description below), where u represents the degree of danger of that class of attack;

[0017] calculating the comprehensive risk degree r_j(t) of a single host facing several kinds of attack at time t: let the parameter u_i (0 ≤ u_i ≤ 1) represent the danger of the i-th (1 ≤ i ≤ m) class of attack; then the risk value r_j(t) on the j-th host is

Figure CN102801739AD00061

The larger the value, the more dangerous the system;

[0018] establishing the attack danger index system: attacks are divided by their behavioural characteristics into four major classes and a number of subclasses, the purpose of the classification being to better determine the degree of harm of each class of attack; the harm vector D_i of the i-th kind of attack is then established, namely

Figure CN102801739AD00062

The harm vectors of these m kinds of attack are arranged together to form the harm matrix D:

Figure CN102801739AD00063
Figure CN102801739AD00064

[0020] calculating the attack danger: according to the respective attributes of each host, such as the different services it provides, its user objects, its different system software and application software and so on, the relative importance values of the six classes of indicators of the j-th (1 ≤ j ≤ N) host, namely network bandwidth, services, system software, application software, data and information, are established and denoted E_j = {E_j1, E_j2, E_j3, E_j4, E_j5, E_j6}; the values of E_j for the j-th (1 ≤ j ≤ N) host are composite scores obtained from expert scoring and questionnaires; in this way the danger degree u of the i-th attack to the j-th (1 ≤ j ≤ N) host is obtained as u_i = D_i · E_j, where D_i denotes the i-th component of the matrix D; once u_i has been calculated, r_j(t) can be found;

[0021] calculating the network risk value: risk values are first calculated from the lowest level of the tree and then recursively upward; the importance value of the j-th host is defined as Importance_j, and the risk value of an LCSA is the weighted sum Q(t) of the risk values r_j(t) of all hosts on that LCSA:

Q(t) = Σ_j (r_j(t) × Importance_j)

where r_j(t) is the risk value of the j-th host (Host_j) and Importance_j is the importance value of the j-th host; Q(t) is then normalised, which gives the risk value of the LCSA;

[0022] these indicators are quantified, and a host importance evaluation index system is established at several levels;

[0023] a multi-level grey relational model is adopted: suppose that n kinds of factors affecting the Importance index have been identified in the network and that each has m attributes; the evaluation index system is determined according to the evaluation purpose, and the index data are made dimensionless to form the data sequences in the following matrix:

[0024]

Figure CN102801739AD00071

[0025] where

Figure CN102801739AD00072

with i = 0, 1, …, n and k = 1, 2, …, m. For each evaluated object, the absolute difference |X0(k) − Xi(k)| between its index sequence and the corresponding element of the reference sequence is calculated one by one, and the following are determined:

Figure CN102801739AD00073
Figure CN102801739AD00074

Then the correlation coefficient between each compared sequence and the corresponding element of the reference sequence is calculated:

[0026]

Figure CN102801739AD00075

[0027] where ρ is the resolution coefficient, taking a value in (0,1); the smaller ρ is, the larger the differences between the correlation coefficients and the stronger the discriminating power. Here we take ρ = 0.5;

[0028] for each evaluated object, the mean of the correlation coefficients between its m indices and the corresponding elements of the reference sequence is calculated to reflect the relationship between that object and the reference sequence; since the indices play different roles in the comprehensive evaluation in this system, a weighted average of the correlation coefficients is taken, namely:

[0029]

Figure CN102801739AD00076

[0030] Finally, the evaluation result is obtained from the relational order of the observed objects, where w_k is the weight of each index;

[0031] calculating the overall evaluation target: overall evaluation target = Σ (score of each index × its corresponding weight); the overall evaluation target is the importance value of each host, that is, the magnitude of the Importance value. In this way the Importance value is obtained as:

Figure CN102801739AD00077

[0032] evaluating the risk degree of the whole network: the SREC (System Risk Evaluation Center) collects local security information from each LCSA (for example the antibody concentration on the hosts, the risk values, etc.); denoting the importance of the m-th LCSA, LCSA_m, as LCSA_Weight_m, and supposing the network has N LCSAs in total,

Figure CN102801739AD00078

is normalised, and the risk value R(t) of the whole network is:

[0033]

Figure CN102801739AD00079

[0034] R(t) is the network risk value finally calculated by the SREC in the risk evaluation; the higher its score, the higher the network risk level and the more the system is in a risk state; conversely, the lower the score, the safer the network.

[0035] Further, the method further comprises:

[0036] in step S1031, the WEB server monitors for forensics or policy requests; if the client fails to obtain the request, it tries again in every cycle until it times out;

[0037] in step S1032, the WEB server obtains the forensics or policy request submitted by the user and stores the requests that are allowed to execute in the database; if storage in the WEB server database fails, step S1037 is executed; if the client fails to obtain the request, it tries again in every cycle until it times out; if it succeeds, step S1033 is executed;

[0038] in step S1033, the SOCKET client initiates a TCP connection request to the destination server; if the connection fails, step S1037 is run and the program ends; if the connection succeeds, step S1034 is executed;

[0039] in step S1034, the client reports the detected forensics or policy request to the server, and the server runs the requested instruction itself; on failure, step S1037 is run, the server-side program ends and the session is disconnected; on success, the execution result is fed back to the client and step S1035 is executed;

[0040] the client receives the result from the server; on failure, step S1037 is run and the program exits; on success, the result is stored in the database and step S1036 is executed;

[0041] in step S1036, the WEB server listens for the execution result of the forensics or policy request and presents it to the user through the browser interface.

[0042] Further, the method further comprises:

[0043] the time series X(t) is a linear function of its previous values and of the previous random error terms, which can be expressed as:

[0044] X(t) = Φ1 X(t−1) + Φ2 X(t−2) + … + Φp X(t−p) + u(t) − Θ1 u(t−1) − Θ2 u(t−2) − … − Θq u(t−q)   (1)

[0045] Then the time series X(t) is an autoregressive moving average series, and equation (1) is an autoregressive moving average model of order (p, q), denoted ARMA(p, q). Here Φ_i (i = 1, 2, 3, …, p) are the autoregressive parameters, Θ_j (j = 1, 2, 3, …, q) are the moving average parameters, and u(t) is the residual; when equation (1) correctly reveals the structure and regularity of the series, {u(t)} is white noise, and equation (1) becomes an ARMA(p, q) model with an autoregressive part of order p and a moving average part of order q. Introducing the lag operator B, equation (1) can be abbreviated as:

[0046] Φ(B) X(t) = Θ(B) u(t)

[0047] The stationarity condition of the ARMA(p, q) process is that the roots of the lag polynomial Φ(B) all lie outside the unit circle, and the invertibility condition is that the roots of Φ(B) all lie outside the unit circle;

[0048] the predicted value of the monitored network risk time series {R(t)} is the sum of the predicted value of the nonlinearly fitted series {Y(t)} and the predicted value of the residual series {X(t)}.
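The residual forecast of paragraphs [0043] to [0048] carried out in code: the innovation recursion of equation (1), a one-step-ahead forecast of X(t), the stationarity test of [0047], and the final sum R̂ = Ŷ + X̂. This is an added example, not code from the patent; it assumes the ARMA parameters Φ and Θ and the nonlinear-fit forecast Ŷ have already been estimated elsewhere, and the stationarity test uses the equivalent condition on the reciprocal polynomial (roots inside the unit circle).

```python
"""ARMA(p, q) forecast of the residual series X(t) from equation (1).

Added example, not the patent's own code. Assumptions not fixed by the text:
the parameters Phi (AR) and Theta (MA) are already estimated, the nonlinear
fit Y(t) has already produced its forecast, and the recursion starts from
X(t) = u(t) = 0 before the first sample. All series below are constructed.
"""
import math
from typing import List, Sequence


def arma_innovations(x: Sequence[float], phi: Sequence[float],
                     theta: Sequence[float]) -> List[float]:
    """Recover u(t) by rearranging equation (1):
    u(t) = X(t) - sum_i Phi_i X(t-i) + sum_j Theta_j u(t-j)."""
    u: List[float] = []
    for t in range(len(x)):
        ar = sum(phi[i - 1] * x[t - i] for i in range(1, len(phi) + 1) if t - i >= 0)
        ma = sum(theta[j - 1] * u[t - j] for j in range(1, len(theta) + 1) if t - j >= 0)
        u.append(x[t] - ar + ma)
    return u


def arma_forecast(x: Sequence[float], phi: Sequence[float],
                  theta: Sequence[float]) -> float:
    """One-step-ahead forecast X^(T+1) = sum_i Phi_i X(T+1-i) - sum_j Theta_j u(T+1-j),
    with E[u(T+1)] = 0 for the future innovation that has not been observed."""
    u = arma_innovations(x, phi, theta)
    n = len(x)
    ar = sum(phi[i - 1] * x[n - i] for i in range(1, len(phi) + 1) if n - i >= 0)
    ma = sum(theta[j - 1] * u[n - j] for j in range(1, len(theta) + 1) if n - j >= 0)
    return ar - ma


def poly_roots(coeffs: Sequence[float], iters: int = 200) -> List[complex]:
    """All roots of a polynomial given in descending-degree form (Durand-Kerner iteration)."""
    a = [c / coeffs[0] for c in coeffs]                  # make the polynomial monic
    n = len(a) - 1
    roots = [complex(0.4, 0.9) ** k for k in range(n)]   # distinct, non-real start points

    def p(z: complex) -> complex:
        acc = 0j
        for c in a:                                      # Horner evaluation
            acc = acc * z + c
        return acc

    for _ in range(iters):
        roots = [r - p(r) / math.prod(r - s for k, s in enumerate(roots) if k != i)
                 for i, r in enumerate(roots)]
    return roots


def is_stationary(phi: Sequence[float]) -> bool:
    """Paragraph [0047]: the roots of Phi(B) = 1 - Phi_1 B - ... - Phi_p B^p lie outside the
    unit circle, which is equivalent to the roots of z^p - Phi_1 z^(p-1) - ... - Phi_p
    lying strictly inside it (z = 1/B)."""
    if not phi:
        return True
    return all(abs(r) < 1.0 for r in poly_roots([1.0] + [-c for c in phi]))


def predict_network_risk(y_forecast: float, x: Sequence[float],
                         phi: Sequence[float], theta: Sequence[float]) -> float:
    """Paragraph [0048]: forecast of R(t) = forecast of Y(t) + forecast of residual X(t)."""
    return y_forecast + arma_forecast(x, phi, theta)


if __name__ == "__main__":
    # constructed ARMA(1,1) residual series and parameters
    residuals = [1.0, 0.0, 2.0]
    phi_hat, theta_hat = [0.5], [0.3]
    print("stationary:", is_stationary(phi_hat))
    print("next residual:", arma_forecast(residuals, phi_hat, theta_hat))
    print("R forecast:", predict_network_risk(0.5, residuals, phi_hat, theta_hat))
```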

[0049] The network risk evaluation and forensics method based on a cloud computing environment provided by the present invention first performs grid intrusion risk evaluation in the cloud computing environment, then establishes a layered quantitative risk-degree evaluation system in the cloud computing environment, and finally performs real-time forensics and policy control. The network is monitored by detectors dispersed through the network environment, so that the overall comprehensive risk value of the current network, and the risk value of any host in the network facing one kind of attack or several kinds of attack, are evaluated quantitatively in real time and evidence is obtained in real time; the defence policy of the whole system is then changed proactively according to the risk-degree index. This scheme evaluates and predicts the risk of the network security situation in the cloud computing environment, and performs effective network risk evaluation and forensics for the attack behaviour suffered by the monitored network, thereby achieving the purpose of network security.

Brief description of the drawings

[0050] Fig. 1 shows a flowchart of the network risk determination and forensics method based on a cloud computing environment provided by an embodiment of the present invention;

[0051] Fig. 2 shows a flowchart of the network risk evaluation method provided by an embodiment of the present invention;

[0052] Fig. 3 shows a flowchart of the method for establishing the layered quantitative risk-degree evaluation system in a cloud computing environment provided by an embodiment of the present invention;

[0053] Fig. 4 shows a flowchart of the real-time forensics and policy control method provided by an embodiment of the present invention.

Detailed description of embodiments

[0054] In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and are not intended to limit it.

[0055] Fig. 1 shows the network risk determination and forensics method based on a cloud computing environment provided by an embodiment of the present invention; the method comprises:

[0056] in step S101, first performing grid intrusion risk evaluation in the cloud computing environment;

[0057] in step S102, establishing a layered quantitative risk-degree evaluation system in the cloud computing environment;

[0058] in step S103, performing real-time forensics and policy control.

[0059] Fig. 2 shows the network risk evaluation method provided by an embodiment of the present invention; the method comprises:

[0060] In step S1011, detectors are first distributed to each node of the network (that is, onto the security servers), which monitor the network and begin collecting network data.

[0061] In step S1012, the data center server collects risk information from the monitoring points under its jurisdiction. In the risk statistics module, all data center servers (including the top-level data center server and the second-level data center servers) are regarded as playing the same role: a data center server collects risk information from the monitoring points under its jurisdiction; if a monitoring point under it is a lower-level data center server, that server's overall risk is collected, and if the monitoring point is a security server, that server's own risk is collected; a security server obtains its own risk records through real-time monitoring; a second-level data center server contacts the top-level data center server to obtain important risk-related information (such as host weights, attack-type weights, etc.); and a second-level data center server collects locally all the risk information of the monitored security servers directly under it.

[0062] In step S1013, the second-level data center server statistically analyses the collected information and, combining it with the relevant information obtained from the top-level data center server, calculates the overall risk value of the network directly under it.

[0063] In step S1014, the top-level data center server statistically analyses the overall risk evaluated by the second-level data center servers and the risk of the top-level security servers, and calculates the risk value of the whole system by combining the important risk-related information.

[0064] The top-level data center server collects security server information and overall risk information from the second-level data center servers, collects risk information from the top-level security servers, and obtains important risk-related information (such as host weights, attack-type weights, etc.) locally.

[0065] Fig. 3 shows the method for establishing the layered quantitative risk-degree evaluation in a cloud computing environment provided by an embodiment of the present invention; the method comprises:

[0066] In step S1021, the risk degree A, j(t) of a single host facing a single attack at time t is calculated. The risk value at time t of the i-th anomaly to the host on the j-th LCSA is:

Figure CN102801739AD00091

[0067] where u represents the degree of danger of that class of attack.

[0068] In step S1022, the comprehensive risk degree r_j(t) of a single host facing several kinds of attack at time t is calculated. Let the parameter u_i (0 ≤ u_i ≤ 1) represent the danger of the i-th (1 ≤ i ≤ m) class of attack; then the risk value r_j(t) on the j-th host is

Figure CN102801739AD00092

The larger r_j(t) is, the more dangerous the system.

[0069] In step S1023, the attack danger index system is established.

[0070] Attacks are divided by their behavioural characteristics into four major classes and a number of subclasses; the purpose of the classification is to better determine the degree of harm of each class of attack. The harm vector D_i of the i-th kind of attack is then established, namely D_i = {D_i1, D_i2, D_i3, D_i4, D_i5, D_i6} (1 ≤ i ≤ m). The harm vectors of these m kinds of attack are arranged together to form the harm matrix D:

Figure CN102801739AD00101

[0072] In step S1024, the attack danger is calculated.

[0073] According to the respective attributes of each host, such as the different services it provides, its user objects, its different system software and application software and so on, the relative importance values of the six classes of indicators of the j-th (1 ≤ j ≤ N) host, namely network bandwidth, services, system software, application software, data and information, are established and denoted E_j = {E_j1, E_j2, E_j3, E_j4, E_j5, E_j6}. The values of E_j for the j-th (1 ≤ j ≤ N) host are composite scores obtained from expert scoring and questionnaires. In this way the danger degree u of the i-th attack to the j-th (1 ≤ j ≤ N) host is obtained as u_i = D_i · E_j, where D_i denotes the i-th component of the matrix D. Once u_i has been calculated, r_j(t) can be found.

[0074] In step S1025, the network risk value is calculated.

[0075] The risk value of the whole network should fully reflect the risk degree of every host; but since the status of the hosts is not equal (they run different systems, serve different users, provide different services and have different economic, social and even political value), they differ in importance. Considering that each LCSA may in turn have child LCSAs below it, forming a tree structure, the risk values are first calculated from the lowest level of the tree and then recursively upward. The importance value of the j-th host is defined as Importance_j, so that the risk value of an LCSA is the weighted sum Q(t) of the risk values r_j(t) of all hosts on that LCSA:

Q(t) = Σ_{j=1} (r_j(t) × Importance_j)

The risk value of the j-th host (Host_j) is r_j(t), and Importance_j is the importance value of the j-th host; Q(t) is then normalised, which gives the risk value of the LCSA.

[0076] In step S1026, in order to obtain the importance value (the Importance value) of every host comprehensively, these indicators are quantified and a host importance evaluation index system is established at several levels.

[0077] A multi-level grey relational model is adopted. Suppose that n kinds of factors affecting the Importance index have been identified in the network, and that each has m attributes (that is, is measured by m indices). The evaluation index system is determined according to the evaluation purpose, and the index data are made dimensionless to form the data sequences in the following matrix:

Figure CN102801739AD00102

[0079] Here the dimensionless method we use is the mean-value method:

[0080] where, for each evaluated object, the absolute difference |X0(k) − Xi(k)| between its index sequence (the compared sequence) and the corresponding element of the reference sequence is calculated one by one, and the following are determined:

Figure CN102801739AD00103

Then the correlation coefficient between each compared sequence and the corresponding element of the reference sequence is calculated:

[0081]

Figure CN102801739AD00111

[0082] where ρ is the resolution coefficient, taking a value in (0,1); the smaller ρ is, the larger the differences between the correlation coefficients and the stronger the discriminating power. Here we take ρ = 0.5.

[0083] For each evaluated object (compared sequence), the mean of the correlation coefficients between its m indices and the corresponding elements of the reference sequence is calculated to reflect the relationship between that object and the reference sequence. Since the indices play different roles in the comprehensive evaluation in this system, a weighted average of the correlation coefficients is taken (where w_k is the weight of each index), namely:

[0084]

Figure CN102801739AD00112

[0085] Finally, the evaluation result is obtained from the relational order of the observed objects.

[0086] In step S1027, the overall evaluation target is calculated.

[0087] Overall evaluation target = Σ (score of each index × its corresponding weight). The overall evaluation target is the importance value of each host, that is, the magnitude of the Importance value. In this way the Importance value is obtained as:

Figure CN102801739AD00113
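The grey relational evaluation of steps S1026 and S1027 (and of the identical summary in paragraphs [0023] to [0031]) carried out in code over the six indicator classes named in step S1024. This is an added example, not the patent's code; the page shows the formulas only as figures, so the choice of reference sequence, the mean-value normalisation rule, Deng's form of the correlation coefficient and the use of the weighted grade as the Importance value are assumptions, and the host data are constructed.

```python
"""Grey relational evaluation of host Importance (steps S1026-S1027).

Added example, not the patent's own code. Assumptions where the page shows
only figures: the reference sequence X0 is an ideal host holding the best
value of every indicator; dimensionless values come from the mean-value
method (each indicator divided by its mean over all sequences); the
correlation coefficient is Deng's xi_i(k) = (d_min + rho*d_max) / (d_i(k) + rho*d_max);
the weighted relational grade is used directly as the Importance value.
Host data are constructed.
"""
from typing import Dict, List, Sequence

RHO = 0.5  # resolution coefficient, the value the patent text chooses

# six indicator classes of step S1024: bandwidth, services, system software,
# application software, data, information (constructed sample hosts)
HOSTS: Dict[str, List[float]] = {
    "db-primary": [1000, 12, 8, 6, 95, 90],
    "web-front":  [1000, 20, 5, 9, 40, 60],
    "build-box":  [100, 3, 4, 2, 10, 15],
}
WEIGHTS = [0.15, 0.2, 0.1, 0.1, 0.25, 0.2]  # w_k, constructed, sums to 1


def mean_normalise(rows: List[List[float]]) -> List[List[float]]:
    """Mean-value method: divide indicator k of every sequence by the mean of indicator k."""
    m = len(rows[0])
    means = [sum(r[k] for r in rows) / len(rows) for k in range(m)]
    return [[r[k] / means[k] if means[k] else 0.0 for k in range(m)] for r in rows]


def grey_relational_grades(reference: Sequence[float], compared: Sequence[Sequence[float]],
                           weights: Sequence[float], rho: float = RHO) -> List[float]:
    """Weighted grey relational grade of every compared sequence against the reference."""
    rows = mean_normalise([list(reference)] + [list(c) for c in compared])
    x0, xs = rows[0], rows[1:]
    # absolute differences |X0(k) - Xi(k)|, then their global minimum and maximum
    diffs = [[abs(x0[k] - xi[k]) for k in range(len(x0))] for xi in xs]
    d_min = min(min(row) for row in diffs)
    d_max = max(max(row) for row in diffs)
    if d_max == 0.0:                       # every sequence coincides with the reference
        return [1.0 for _ in xs]
    grades = []
    for row in diffs:
        xi_k = [(d_min + rho * d_max) / (d + rho * d_max) for d in row]
        grades.append(sum(w * c for w, c in zip(weights, xi_k)))  # sum_k w_k * xi_i(k)
    return grades


def host_importance(hosts: Dict[str, Sequence[float]],
                    weights: Sequence[float]) -> Dict[str, float]:
    """Importance_j for every host; larger indicator values are assumed to mean more important."""
    names = list(hosts)
    reference = [max(hosts[n][k] for n in names) for k in range(len(weights))]
    grades = grey_relational_grades(reference, [hosts[n] for n in names], weights)
    return dict(zip(names, grades))


def rank_hosts(importance: Dict[str, float]) -> List[str]:
    """Relational order of paragraph [0085]: most important host first."""
    return sorted(importance, key=importance.__getitem__, reverse=True)


if __name__ == "__main__":
    imp = host_importance(HOSTS, WEIGHTS)
    for name in rank_hosts(imp):
        print(f"{name:12s} Importance = {imp[name]:.3f}")
```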

[0088] 在步骤S1028中,评估整个网络风险度。 [0088] In step S1028, the risk assessment of the entire network.

[0089] The SREC (System Risk Evaluation Center) collects local security information from every LCSA (for example the antibody concentration on each host and its risk value). Let the importance of the m-th LCSA, LCSA_m, be LCSA-Weight_m, and let the network contain N LCSAs in total. The risk value computed on each LCSA is

Figure CN102801739AD00114

and after normalisation the risk value R(t) of the whole network is:

[0090]

Figure CN102801739AD00115

[0091] R(t) is the network risk value finally computed by the risk evaluation centre SREC. The higher the score, the higher the network risk level and the more the system is in a risk state; conversely, the lower the score, the safer the network.

[0092] Fig. 4 shows the real-time forensics and policy control method provided by an embodiment of the invention, which comprises:

[0093] In step S1031, the WEB server monitors for forensics or policy requests.

[0094] If the client fails to obtain a request, it retries every cycle until it times out.

[0095] In step S1032, the WEB server obtains the forensics or policy request submitted by the user and stores the requests that are permitted to execute in the database.

[0096] If storing to the WEB server database fails, step S1037 is executed; the client retries every cycle until it times out. If the request is obtained successfully, step S1033 is executed.

[0097] In step S1033, the SOCKET client initiates a TCP connection request to the target server.

[0098] If the connection fails, step S1037 is executed and the program ends; if the connection succeeds, step S1034 is executed.

[0099] In step S1034, the client reports the detected forensics or policy request to the server, and the server executes the requested instruction on itself. On failure, step S1037 is executed, the server program ends and the session is disconnected; on success, the execution result is returned to the client and step S1035 is executed.

[0100] In step S1035, the client receives the result from the server.

[0101] On failure, step S1037 is executed and the program exits; on success, the result is stored in the database and step S1036 is executed.

[0102] In step S1036, the WEB server listens for the execution result of the forensics or policy request and displays it to the user through the browser interface.

[0103] First, grid intrusion risk evaluation is carried out in the cloud computing environment. Detectors are distributed to every node of the network (that is, onto the security servers) to monitor the network and begin collecting network data. Each data centre server collects risk information from the monitoring points under its control. A second-level data centre server statistically analyses the collected information, combines it with the relevant information obtained from the top-level data centre server, and computes the overall risk value of the network directly under it. The top-level data centre server statistically analyses the overall risk evaluated by the second-level data centre servers and the risk of the top-level security servers, and combines the important risk-related information to compute the risk value of the whole system.

[0104] Second, a hierarchical quantitative risk evaluation system for the cloud computing environment is established.

[0105] Compute the risk r_j(t) that a single attack poses to a single host at time t; it is given by a tanh function whose argument involves u, the danger level of that class of attack (the full expression appears only as an equation image in claim 3). Compute the combined risk of multiple attacks faced by a single host at time t:

Figure CN102801739AD00121

Establish the attack danger index system and compute the attack danger. Each LCSA may itself have child LCSAs, forming a tree; the risk value is first computed at the lowest level of the tree and then recursively upward to obtain the risk value of the whole network. To obtain the importance value (Importance value) of each host comprehensively, the indices are quantified and a multi-level host importance evaluation index system is established. Compute the overall evaluation target, overall evaluation target = Σ (score of each index × corresponding weight); the overall evaluation target is the importance value of each host, that is, the Importance value, obtained as the weighted sum over the indices. Evaluate the risk level of the whole network: the SREC (System Risk Evaluation Center) collects local security information (for example the antibody concentration on each host and its risk value) from every LCSA; let the importance of the m-th LCSA, LCSA_m, be LCSA-Weight_m, and let the network contain N LCSAs in total; the risk value computed on an LCSA is Σ (risk of host j × Importance_j), and after normalisation the risk value R(t) of the whole network is:

[0106]

Figure CN102801739AD00122

[0107] R(t) is the network risk value finally computed by the risk evaluation centre SREC. The higher the score, the higher the network risk level and the more the system is in a risk state; conversely, the lower the score, the safer the network.
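The hierarchical risk computation described in [0089] to [0091] and again in [0105] to [0107] (single-attack host risk, multi-attack host risk, the Importance-weighted LCSA tree evaluated bottom-up, and the SREC's network value R(t)), as an added worked example in Python; this is not code from the patent. The patent gives the single-attack risk as a tanh whose full argument, the multi-attack combination rule and the normalisation appear only as equation images, so the block assumes r_ij(t) = tanh(u_i · c_ij(t)) with c_ij(t) the detector's anomaly (antibody) concentration for attack class i on host j, the noisy-OR combination h_j(t) = 1 − Π_i (1 − r_ij(t)), and "normalised" meaning the Importance-weighted sum divided by the sum of the weights; u_i = D_i · E_j follows claim 3. Attack classes, hosts, vectors, Importance values and readings are constructed sample data.

```python
"""Hierarchical risk: single-attack host risk -> multi-attack host risk ->
LCSA tree (recursive, Importance-weighted) -> SREC network risk R(t).

Added example; not code from the patent. Assumptions: r_ij(t) = tanh(u_i * c_ij(t))
with c_ij(t) the detector's anomaly (antibody) concentration for attack class i
on host j; h_j(t) = 1 - prod_i (1 - r_ij(t)); 'normalised' = Importance-weighted
sum divided by the sum of weights. All names and numbers are constructed.
"""
import math

# Harm vectors D_i over the six index classes (bandwidth, service, system
# software, application software, data, information), entries in [0, 1].
D = {
    "flood": [0.9, 0.8, 0.1, 0.2, 0.1, 0.1],
    "sqli":  [0.1, 0.6, 0.2, 0.8, 0.9, 0.9],
}
# Relative-importance vectors E_j per host, scaled to sum to 1 so that
# u_i = D_i . E_j stays within 0 <= u_i <= 1 as claim 3 requires.
E = {
    "web-01": [0.25, 0.20, 0.15, 0.15, 0.10, 0.15],
    "db-01":  [0.05, 0.15, 0.10, 0.15, 0.30, 0.25],
    "dev-07": [0.30, 0.20, 0.20, 0.10, 0.10, 0.10],
}


def attack_danger(attack, host):
    """u_i = D_i . E_j"""
    return sum(d * e for d, e in zip(D[attack], E[host]))


def single_attack_risk(u, concentration):
    """r_ij(t) = tanh(u_i * c_ij(t))  (the argument form is an assumption)."""
    return math.tanh(u * concentration)


def host_risk(host, readings):
    """h_j(t) for host j given {attack: concentration} readings at time t."""
    survive = 1.0
    for attack, c in readings.items():
        survive *= 1.0 - single_attack_risk(attack_danger(attack, host), c)
    return 1.0 - survive


def weighted_normalised(pairs):
    """(sum risk_k * weight_k) / sum weight_k; 0 when there is nothing to weigh."""
    total = sum(w for _, w in pairs)
    return sum(r * w for r, w in pairs) / total if total else 0.0


def lcsa_risk(node):
    """Bottom-up: hosts weighted by Importance_j, child LCSAs by LCSA-Weight."""
    pairs = [(host_risk(h, obs), node["importance"][h])
             for h, obs in node["hosts"].items()]
    pairs += [(lcsa_risk(child), child["weight"])
              for child in node.get("children", [])]
    return weighted_normalised(pairs)


def network_risk(top_lcsas):
    """R(t) computed by the SREC over the N top-level LCSAs."""
    return weighted_normalised([(lcsa_risk(n), n["weight"]) for n in top_lcsas])


# Constructed tree: two top-level LCSAs, the second with a child LCSA whose
# only host has no detector readings at this instant.
TREE = [
    {"weight": 0.6, "hosts": {"web-01": {"flood": 2.0}},
     "importance": {"web-01": 0.70}},
    {"weight": 0.4, "hosts": {"db-01": {"sqli": 1.5, "flood": 0.2}},
     "importance": {"db-01": 0.94},
     "children": [{"weight": 0.5, "hosts": {"dev-07": {}},
                   "importance": {"dev-07": 0.35}}]},
]


def evaluate(tree=TREE):
    """Per-LCSA risks and the network value R(t) for the sample tree."""
    return [lcsa_risk(n) for n in tree], network_risk(tree)
```

Because every level is a weighted average of values in [0, 1), R(t) stays in that range and a high-Importance host under heavy attack dominates its LCSA, which is the ordering [0091] relies on.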

[0108] Finally, real-time forensics and policy control are carried out.

[0109] If the WEB server's monitoring for a forensics or policy request fails, it retries every cycle until it times out; if the WEB server obtains a forensics or policy request submitted by the user, the requests permitted to execute are stored in the database. The SOCKET client then initiates a TCP connection request to the target server; if the connection fails, the program ends; if it succeeds, the client reports the detected forensics or policy request to the server, and the server executes the request on itself. If the server fails to execute the request, the server program ends and the session is disconnected; on success, the execution result is returned to the client, which receives it. If the client fails to receive the server's result, the program exits; if it succeeds, the result is stored in the database, and the WEB server listens for the execution result of the forensics or policy request and displays it to the user through the browser interface.
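The request exchange of steps S1032 to S1036 ([0095] to [0102] and [0109]) as an added worked example in Python; this is not code from the patent. The page does not fix a wire format, so the block assumes newline-delimited JSON over TCP, and it turns the "requests permitted to execute" of S1032 into an explicit allowlist on the server so that the "execute the instruction on itself" step of S1034 cannot run anything else. The handler bodies return constructed sample evidence instead of touching the host, and the whole exchange runs on 127.0.0.1.

```python
"""Forensics / policy request exchange of steps S1032 to S1036: the client
stores the permitted request, connects to the target server over TCP with
retry until timeout, the server runs the instruction on itself and reports
the result, and the client stores the result for the WEB layer to display.

Added example; not code from the patent. Assumptions: newline-delimited
JSON messages; the server runs only actions on an allowlist (the 'requests
permitted to execute' of S1032); handler bodies return constructed sample
evidence instead of touching the host. Everything runs on 127.0.0.1.
"""
import json
import socket
import threading
import time


def _collect_connections(args):
    # Constructed sample evidence; a real handler would query the OS.
    return [{"laddr": "10.0.0.5:443", "raddr": "198.51.100.7:51234",
             "state": "ESTABLISHED"}]


def _close_port(args):
    port = int(args["port"])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return {"closed": port}          # a real handler would add a firewall rule


# Allowlist: the only instructions the server will execute on itself.
HANDLERS = {"collect_connections": _collect_connections, "close_port": _close_port}


def handle_request(req):
    """Server side of S1034: execute a permitted instruction, report the result."""
    handler = HANDLERS.get(req.get("action"))
    if handler is None:
        return {"id": req.get("id"), "status": "rejected", "error": "action not permitted"}
    try:
        return {"id": req.get("id"), "status": "ok", "result": handler(req.get("args", {}))}
    except Exception as exc:         # failure path: report, then the session is dropped
        return {"id": req.get("id"), "status": "failed", "error": str(exc)}


def _serve(listener):
    """One request per connection; stops when the listener is closed."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        with conn, conn.makefile("rw", encoding="utf-8") as f:
            line = f.readline()
            if line:
                f.write(json.dumps(handle_request(json.loads(line))) + "\n")
                f.flush()


def start_server():
    """Bind an ephemeral localhost port, serve in a daemon thread, return (port, listener)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    threading.Thread(target=_serve, args=(listener,), daemon=True).start()
    return listener.getsockname()[1], listener


def submit_request(req, port, period=0.05, timeout=1.0):
    """Client side of S1033 to S1035: connect, retrying every period until timeout."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
                with s.makefile("rw", encoding="utf-8") as f:
                    f.write(json.dumps(req) + "\n")
                    f.flush()
                    line = f.readline()
            if not line:
                return {"id": req["id"], "status": "failed", "error": "no reply"}
            return json.loads(line)
        except OSError:
            if time.monotonic() >= deadline:
                return {"id": req["id"], "status": "failed", "error": "connect timeout"}
            time.sleep(period)


RESULTS_DB = {}     # stands in for the WEB server database read by S1036


def run_request(req, port):
    """Submit one request, store the reply keyed by request id, return it."""
    reply = submit_request(req, port)
    RESULTS_DB[req["id"]] = reply
    return reply


def free_port():
    """A localhost port with no listener (used to show the timeout path)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Every outcome the flow distinguishes (success, handler failure, rejected action, unreachable server) comes back as a status that the WEB layer can display, and the retry loop is the "try every cycle until timeout" behaviour of [0094] and [0096].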

[0110] Quantitative network risk prediction model in the cloud computing environment

[0111] Based on the theory of time series analysis, the invention proposes a new algorithm for network risk prediction: a non-stationary time series is decomposed into a deterministic term (representing a trend or periodic regularity) and a random term. The deterministic term can be represented by a deterministic function of time (since intrusion behaviour is closely related to the cycle of human activity); the random term represents the stationary random component and is fitted with an ARMA model. The two predictions are superimposed to improve prediction accuracy.

[0112] Over the medium and long term, network intrusion behaviour is subject to the combined influence of complex factors such as social development, personal habits and updates to equipment and technology, so the network risk shows an evident trend together with randomness (that is, it is non-stationary). Since network intrusions mostly fluctuate with a certain period, for example monthly average intrusions fluctuate with a 12-month period and daily average intrusions with a 24-hour period, they are seasonal. This project studies a network risk prediction method based on non-stationary time series. Since the time series X(t) is a linear function of its own past values and of the present and past random error terms, it can be expressed as:

[0113] $X(t) = \phi_1 X(t-1) + \phi_2 X(t-2) + \cdots + \phi_p X(t-p) + u(t) - \theta_1 u(t-1) - \theta_2 u(t-2) - \cdots - \theta_q u(t-q)$ (1)

[0114] Then the time series X(t) is an autoregressive moving average series, and equation (1) is an autoregressive moving average model of order (p, q), denoted ARMA(p, q). Here $\phi_i$ (i = 1, 2, 3, …, p) are the autoregressive parameters, $\theta_j$ (j = 1, 2, 3, …, q) are the moving average parameters, and u(t) is the residual; when equation (1) correctly captures the structure and regularity of the series, {u(t)} is white noise. Equation (1) is thus an ARMA(p, q) model with an autoregressive part of order p and a moving average part of order q. Introducing the lag operator B, with $\Phi(B) = 1 - \phi_1 B - \cdots - \phi_p B^p$ and $\Theta(B) = 1 - \theta_1 B - \cdots - \theta_q B^q$, equation (1) can be written briefly as:

[0115] $\Phi(B) X(t) = \Theta(B) u(t)$

[0116] The stationarity condition of an ARMA(p, q) process is that the roots of the autoregressive lag polynomial $\Phi(B)$ all lie outside the unit circle; the invertibility condition is that the roots of the moving average polynomial $\Theta(B)$ all lie outside the unit circle.

[0117] The predicted value of the monitored network risk time series {R(t)} is the sum of the predicted value of the nonlinear fitted series {Y(t)} and the predicted value of the residual series {X(t)}: $\hat{R}(t) = \hat{Y}(t) + \hat{X}(t)$.
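The prediction model of [0111] to [0117], carried through as an added worked example in Python; this is not code from the patent. The page gives the ARMA(p, q) recursion, the two root conditions and the decomposition R̂(t) = Ŷ(t) + X̂(t) but not how Y(t) is fitted or how the parameters are estimated, so the block assumes that the deterministic term Y(t) is the mean of R at the same phase of the cycle (the 24-hour cycle of [0112]), that the ARMA parameters φ and θ are supplied by the caller, and that pre-sample values and innovations are zero. The root conditions are checked with the Schur-Cohn step-down recursion rather than by computing roots, so the block needs no numerical library. The risk series is constructed sample data.

```python
"""Network-risk prediction as deterministic (periodic) term + ARMA residual,
R_hat(t) = Y_hat(t) + X_hat(t).

Added example; not code from the patent. Assumptions: Y(t) is the mean of R at
the same phase of the cycle; ARMA(p, q) parameters phi, theta are given
(fitting is out of scope); pre-sample values and innovations are zero.
"""


def all_roots_outside_unit_circle(c):
    """Schur-Cohn step-down test for 1 + c[0] z + ... + c[n-1] z^n: all roots lie
    outside the unit circle iff every reflection coefficient satisfies |k| < 1."""
    a = [1.0] + list(c)
    for n in range(len(a) - 1, 0, -1):
        k = a[n]
        if abs(k) >= 1.0:
            return False
        a = [(a[i] - k * a[n - i]) / (1.0 - k * k) for i in range(n)]
    return True


def is_stationary(phi):
    """Phi(B) = 1 - phi_1 B - ... - phi_p B^p has all roots outside the unit circle."""
    return all_roots_outside_unit_circle([-p for p in phi])


def is_invertible(theta):
    """Theta(B) = 1 - theta_1 B - ... - theta_q B^q has all roots outside the unit circle."""
    return all_roots_outside_unit_circle([-t for t in theta])


def arma_innovations(x, phi, theta):
    """u(t) = x(t) - sum_i phi_i x(t-i) + sum_j theta_j u(t-j): equation (1) solved for u."""
    u = []
    for t in range(len(x)):
        ar = sum(phi[i] * x[t - 1 - i] for i in range(len(phi)) if t - 1 - i >= 0)
        ma = sum(theta[j] * u[t - 1 - j] for j in range(len(theta)) if t - 1 - j >= 0)
        u.append(x[t] - ar + ma)
    return u


def arma_forecast(x, phi, theta, horizon):
    """Forecast x(T+1..T+h) from equation (1) with future innovations set to 0."""
    xs, us = list(x), arma_innovations(x, phi, theta)
    out = []
    for _ in range(horizon):
        t = len(xs)
        ar = sum(phi[i] * xs[t - 1 - i] for i in range(len(phi)) if t - 1 - i >= 0)
        ma = sum(theta[j] * us[t - 1 - j] for j in range(len(theta)) if t - 1 - j >= 0)
        pred = ar - ma
        out.append(pred)
        xs.append(pred)
        us.append(0.0)
    return out


def seasonal_means(r, period):
    """Deterministic term Y: mean of r at each phase of the cycle."""
    if len(r) < period:
        raise ValueError("need at least one full cycle")
    return [sum(r[i::period]) / len(r[i::period]) for i in range(period)]


def predict_risk(r, period, phi, theta, horizon):
    """R_hat(t) = Y_hat(t) + X_hat(t): periodic mean plus ARMA forecast of the residual."""
    if not (is_stationary(phi) and is_invertible(theta)):
        raise ValueError("ARMA parameters violate stationarity or invertibility")
    y = seasonal_means(r, period)
    x = [r[t] - y[t % period] for t in range(len(r))]      # residual series X(t)
    xhat = arma_forecast(x, phi, theta, horizon)
    return [y[(len(r) + h) % period] + xhat[h] for h in range(horizon)]


# Constructed hourly risk values over two days with a 24-hour cycle and a
# small AR(1) residual; in practice r comes from the SREC's R(t).
SAMPLE_RISK = [0.20 + 0.10 * (h % 24 >= 9 and h % 24 < 18) for h in range(48)]
```

The step-down test reproduces the familiar low-order conditions (|φ1| < 1 for AR(1); φ1 + φ2 < 1, φ2 − φ1 < 1, |φ2| < 1 for AR(2)) and rejects parameter sets for which the forecast recursion would diverge, which is the check [0116] asks for before the model is used.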

[0118] The network risk evaluation and forensics method based on a cloud computing environment of this invention first carries out grid intrusion risk evaluation in the cloud computing environment, then establishes a hierarchical quantitative risk evaluation system for the cloud computing environment, and finally carries out real-time forensics, policy control and risk prediction. Detectors distributed across the network environment monitor the network and quantitatively evaluate in real time the overall comprehensive risk value of the current network and the risk value of any host in the network facing one or several attacks, together with real-time forensics, so that a real-time risk value is obtained. Based on the platform's predicted risk value, the defence policy can be adjusted proactively in advance to keep the risk within an acceptable range: where necessary, dangerous ports are closed urgently, preventive measures are added, network connections are restricted, network traffic is adjusted, high-risk services are restricted or stopped, and in extreme cases host servers or network interconnection devices are shut down urgently, so that the defence policy of the whole system is changed proactively according to the risk index. This scheme evaluates and predicts the network security situation in the cloud computing environment and performs effective network risk evaluation and forensics on the attacks suffered by the monitored network, thereby achieving the goal of network security.

[0119] The above are merely preferred embodiments of the invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (5)

1. A network risk forensics and determination method based on a cloud computing environment, characterised in that the method comprises: first carrying out network intrusion risk determination in the cloud computing environment; establishing a hierarchical quantitative risk evaluation system for the cloud computing environment; and carrying out real-time forensics and policy control.
2. The network risk determination method based on a cloud computing environment according to claim 1, characterised in that, in the risk statistics module, all data centre servers are regarded as having the same role; a data centre server collects risk information from the monitoring points under its control: if a monitoring point under its control is a lower-level data centre server, its overall risk is collected, and if it is a security server, the security server's own risk is collected; each security server monitors in real time to obtain its own risk record; a second-level data centre server contacts the top-level data centre server to obtain important risk-related information; and the second-level data centre server collects locally all risk information of the monitored security servers directly under it. The specific process is as follows: first, detectors are distributed to every node of the network, that is, onto the security servers, to monitor the network and begin collecting network data; each data centre server collects risk information from the monitoring points under its control; the second-level data centre server statistically analyses the collected information, combines it with the relevant information obtained from the top-level data centre server, and computes the overall risk value of the network directly under it; the top-level data centre server statistically analyses the overall risk evaluated by the second-level data centre servers and the risk of the top-level security servers, and combines the important risk-related information to compute the risk value of the whole system; the top-level data centre server collects security server information and overall risk information from the second-level data centre servers, collects risk information from the top-level security servers, and obtains important risk-related information locally.
3. The network risk evaluation method based on a cloud computing environment according to claim 2, characterised in that the hierarchical quantitative risk evaluation method in the cloud computing environment comprises: computing the risk r(t) that a single attack poses to a single host at time t; the risk value at time t of the i-th anomaly to the host on the j-th LCSA is
Figure CN102801739AC00021
where u denotes the danger level of that class of attack; computing the combined risk h(t) of multiple attacks faced by a single host at time t: let the parameter u_i (0 ≤ u_i ≤ 1) represent the danger of the i-th (1 ≤ i ≤ m) class of attack; then the risk value h_j(t) on the j-th host is
Figure CN102801739AC00022
and the larger this value, the more dangerous the system; establishing the attack danger index system: attacks are divided into four major classes and several subclasses according to their behavioural characteristics, the purpose of the classification being to better determine the degree of harm of each class of attack, and then the harm vector D_i of the i-th attack is established, D_i = {D_i^1, D_i^2, D_i^3, D_i^4, D_i^5, D_i^6} (1 ≤ i ≤ m). The harm vectors of these m attacks are arranged together to form the harm matrix D:
Figure CN102801739AC00023
computing the attack danger: according to the attributes of each host, namely the services it provides, its user objects, its system software, its application software and so on, the relative importance values of six classes of indices for the j-th (1 ≤ j ≤ N) host, namely network bandwidth, service, system software, application software, data and information, are established and recorded as the vector E_j; the values for the j-th (1 ≤ j ≤ N) host are a combined score from expert rating and questionnaire survey; thus the danger level u of the i-th attack to the
Figure CN102801739AC00031
j-th host is u_i = D_i · E_j, where D_i denotes the i-th component (row) of the matrix D; once u_i is known, r_j(t) can be obtained; computing the network risk value: the risk values are first computed at the lowest level of the tree and then recursively upward; defining the importance value of the j-th host as Importance_j, the risk value of an LCSA is the weighted sum Q(t) of the risk values r_j(t) of all hosts on that LCSA, Q(t) = Σ (risk of host j × Importance_j), where r_j(t) is the risk value of the j-th host (Host_j) and Importance_j is its importance value; Q(t) is then normalised to obtain the risk value of the LCSA; these indices are quantified and a multi-level host importance evaluation index system is established; a multi-level grey relational model is used: assuming that n kinds of indices influencing Importance have been identified in the network, each with m attributes, the evaluation index system is determined according to the purpose of the evaluation, and the dimensionless index data sequences form the following matrix:
Figure CN102801739AC00032
in which

Figure CN102801739AC00033

where i = 0, 1, …, n and k = 1, 2, …, m; the absolute difference |x_0(k) − x_i(k)| between each evaluated object's index sequence and the corresponding element of the reference sequence is computed one by one, and the following are determined:

Figure CN102801739AC00034

and

Figure CN102801739AC00035
the relational coefficient between each comparison sequence and the corresponding element of the reference sequence is then computed:
Figure CN102801739AC00036
where ρ is the resolution coefficient, taking a value in (0, 1); the smaller ρ, the larger the differences between the relational coefficients and the stronger the discriminating power; here ρ = 0.5; for each evaluated object the mean of the relational coefficients between its m indices and the corresponding elements of the reference sequence is computed to reflect its relation to the reference sequence; since the indices play different roles in the overall evaluation, a weighted average of the relational coefficients is used, namely:
Figure CN102801739AC00037
the evaluation result is finally obtained from the relational ordering of the observed objects, where W_k is the weight of index k; computing the overall evaluation target: overall evaluation target = Σ (score of each index × corresponding weight), which is the importance value of each host, that is, the Importance value, obtained as:
Figure CN102801739AC00038
evaluating the risk level of the whole network: the SREC (System Risk Evaluation Center) collects local security information (for example the antibody concentration on each host and its risk value) from every LCSA; let the importance of the m-th LCSA, LCSA_m, be LCSA-Weight_m, and let the network contain N LCSAs in total; the risk value computed on each LCSA is
Figure CN102801739AC00041
and is normalised; the risk value R(t) of the whole network is:
Figure CN102801739AC00042
R(t) is the network risk value finally computed by the risk evaluation centre SREC; the higher the score, the higher the network risk level and the more the system is in a risk state; conversely, the lower the score, the safer the network.
4. The network risk forensics method based on a cloud computing environment according to claim 1, characterised in that the method further comprises: in step S1031, the WEB server monitors for forensics or policy requests; if the client fails to obtain a request, it retries every cycle until it times out; in step S1032, the WEB server obtains the forensics or policy request submitted by the user and stores the requests permitted to execute in the database; if storing to the WEB server database fails, step S1037 is executed; if the client fails to obtain the request, it retries every cycle until it times out; on success, step S1033 is executed; in step S1033, the SOCKET client initiates a TCP connection request to the target server; if the connection fails, step S1037 is executed and the program ends; if the connection succeeds, step S1034 is executed; in step S1034, the client reports the detected forensics or policy request to the server and the server executes the requested instruction on itself; on failure, step S1037 is executed, the server program ends and the session is disconnected; on success, the execution result is returned to the client and step S1035 is executed; the client receives the server's result; on failure, step S1037 is executed and the program exits; on success, the result is stored in the database and step S1036 is executed; in step S1036, the WEB server listens for the execution result of the forensics or policy request and displays it to the user through the browser interface.
5. The network risk forensics method based on a cloud computing environment according to claim 1, characterised in that the method further comprises: the time series X(t) is a linear function of its own past values and of the present and past random error terms and can be expressed as: $X(t) = \phi_1 X(t-1) + \phi_2 X(t-2) + \cdots + \phi_p X(t-p) + u(t) - \theta_1 u(t-1) - \theta_2 u(t-2) - \cdots - \theta_q u(t-q)$ (1); then the time series X(t) is an autoregressive moving average series, and equation (1) is an autoregressive moving average model of order (p, q), denoted ARMA(p, q); where $\phi_i$ (i = 1, 2, 3, …, p) are the autoregressive parameters, $\theta_j$ (j = 1, 2, 3, …, q) are the moving average parameters and u(t) is the residual; when equation (1) correctly captures the structure and regularity of the series, {u(t)} is white noise; equation (1) is thus an ARMA(p, q) model with an autoregressive part of order p and a moving average part of order q; introducing the lag operator B, equation (1) can be written briefly as $\Phi(B) X(t) = \Theta(B) u(t)$; the stationarity condition of the ARMA(p, q) process is that the roots of the autoregressive lag polynomial $\Phi(B)$ all lie outside the unit circle, and the invertibility condition is that the roots of the moving average polynomial $\Theta(B)$ all lie outside the unit circle; the predicted value of the monitored network risk time series {R(t)} is the sum of the predicted value of the nonlinear fitted series {Y(t)} and the predicted value of the residual series {X(t)}: $\hat{R}(t) = \hat{Y}(t) + \hat{X}(t)$.
CN2012103151216A 2012-08-25 2012-08-25 Network risk determining and evidence obtaining method based on cloud computing environment CN102801739A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012103151216A CN102801739A (en) 2012-08-25 2012-08-25 Network risk determining and evidence obtaining method based on cloud computing environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2012103151216A CN102801739A (en) 2012-08-25 2012-08-25 Network risk determining and evidence obtaining method based on cloud computing environment

Publications (1)

Publication Number Publication Date
CN102801739A true CN102801739A (en) 2012-11-28

Family

ID=47200701

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012103151216A CN102801739A (en) 2012-08-25 2012-08-25 Network risk determining and evidence obtaining method based on cloud computing environment

Country Status (1)

Country Link
CN (1) CN102801739A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567853A (en) * 2004-03-29 2005-01-19 四川大学 Network safety risk detection system and method
US20060282893A1 (en) * 2005-06-10 2006-12-14 D-Link Corporation Network information security zone joint defense system
CN101005510A (en) * 2007-01-19 2007-07-25 南京大学 Network real time risk evaluating method for comprehensive loop hole
US20120124666A1 (en) * 2009-07-23 2012-05-17 Ahnlab, Inc. Method for detecting and preventing a ddos attack using cloud computing, and server
CN102263410A (en) * 2010-05-31 2011-11-30 河南军信开源科技发展有限公司 A security risk assessment model, assessment methods and evaluation parameters to determine the method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Liu Nian et al.: "Research on key technologies of immune-based network security situation awareness" (基于免疫的网络安全态势感知关键技术研究), Journal of Sichuan University (Engineering Science Edition) *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103106277A (en) * 2013-02-18 2013-05-15 浪潮(北京)电子信息产业有限公司 Evidence obtaining method based on cloud computing
CN103619012A (en) * 2013-12-02 2014-03-05 中国联合网络通信集团有限公司 Method and system for security assessment of mobile internet
CN103619012B (en) * 2013-12-02 2017-04-12 中国联合网络通信集团有限公司 Method and system for security assessment of mobile internet
CN103701810A (en) * 2013-12-26 2014-04-02 蓝盾信息安全技术股份有限公司 Automatic marking system of network attack and defense experiment
CN104125217A (en) * 2014-06-30 2014-10-29 复旦大学 Cloud data center real-time risk assessment method based on mainframe log analysis
CN107077398A (en) * 2014-10-23 2017-08-18 高通股份有限公司 System and method for carrying out dynamic bandwidth throttling based on the danger signal monitored by one or more elements using shared resource
CN104680028A (en) * 2015-03-13 2015-06-03 河南群智信息技术有限公司 Medical system case information optimal storage method on basis of cloud platform
CN104680028B (en) * 2015-03-13 2017-07-21 河南群智信息技术有限公司 Medical system case information optimization storage method based on cloud platform
CN107292174A (en) * 2016-03-31 2017-10-24 中国电子科技集团公司电子科学研究院 A kind of cloud computing system security assessment method and device
CN106209831A (en) * 2016-07-08 2016-12-07 瑞达信息安全产业股份有限公司 A kind of network security index calculation method

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
