CN104601604A

CN104601604A - Network security situation analyzing method

Info

Publication number: CN104601604A
Application number: CN201510090101.7A
Authority: CN
Inventors: 陈连栋; 辛锐; 赵炜; 黄镜宇; 崔志坤; 王静; 宋峥峥; 孔明; 李井泉; 白涛; 付强; 刘成龙; 张磊; 王震; 周文芳
Original assignee: State Grid Corp of China SGCC; Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Current assignee: State Grid Corp of China SGCC; Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Priority date: 2014-06-12
Filing date: 2015-02-27
Publication date: 2015-05-06
Anticipated expiration: 2035-02-27
Also published as: CN104601604B

Abstract

The invention provides a network security situation analysis method. It involves the field of network security; it solves the problems of low accuracy and processing efficiency of the existing network security situation analysis methods. A. Collect the log information of each device in the network through the SYSLOG protocol and the Flow protocol, and extract the IP address information from it, and stratify the obtained IP addresses based on geographic information or business information to obtain multiple levels; B. Calculate the IP addresses of each level separately Address entropy value; C. Continuously calculate the value of global address entropy, calculate the reference point of address entropy value with a time period of 5 minutes, establish a long-term entropy value baseline with the collection of address entropy value reference point data for a long time in history, and use the latest time A collection of address entropy reference point data to establish a short-period entropy baseline; D. Convert the overall deviation between the measured value of the global address entropy and the long-period entropy baseline and short-period entropy baseline into a security situation indicator Data; E. When the security situation index exceeds the preset threshold, it is determined that the security situation is abnormal, and the abnormality is located by comparing the address entropy values of each level. Accurate and efficient security situation analysis is realized.

Description

Network Security Situation Analysis Method

技术领域technical field

本发明涉及网络安全领域，尤其涉及一种网络安全态势分析方法。The invention relates to the field of network security, in particular to a network security situation analysis method.

背景技术Background technique

随着电力信息网络环境规模的日益扩大，网络中各种设备的数量急剧增加，来自外部和内部的各种安全和攻击也在急剧增加，威胁着网络信息安全。为了不断应对新的安全挑战，电力信息网络先后部署了防病毒系统、防火墙、入侵检测系统、漏洞扫描系统、UTM等等。在这种复杂的安全体系下，网络具有资源分布共享化、用户分散化和管理分布化等特性，为实现多元化、智能信息服务提供了基础。然而，这种复杂的网络显示中安全问题已经成为制约其发展的一大障碍。安全态势评估技术能够从全面、宏观反映出网络动态安全状况，并对安全状况的发展趋势进行预测和预警，因此，针对电力信息网络的安全态势分析模型及关键技术已经成为目前网络安全领域的研究热点。With the increasing scale of the power information network environment, the number of various devices in the network has increased sharply, and various security and attacks from outside and inside have also increased sharply, threatening the network information security. In order to continuously respond to new security challenges, the power information network has deployed anti-virus systems, firewalls, intrusion detection systems, vulnerability scanning systems, UTM, and so on. Under this complex security system, the network has the characteristics of resource distribution and sharing, user decentralization and management distribution, which provides a basis for realizing diversified and intelligent information services. However, the security problem in this complex network display has become a major obstacle restricting its development. The security situation assessment technology can comprehensively and macroscopically reflect the dynamic security situation of the network, and predict and warn the development trend of the security situation. Therefore, the security situation analysis model and key technologies for the power information network have become the research field of network security hot spot.

目前，对电力信息网络进行安全态势分析已经开展了一些有价值理论和应用研究，例如：研究基于模糊理论的网络安全事件编群方法；建立基于模糊时间序列模型；研究支持向量机回归的网络安全态势预测方法等等。应用实践中，常见的安全态势分析方法包括：(1)态势可视化展示，该方法的主要是利用人对直观图像的敏锐性，以可视化视图的方式将网络互联状态呈现出来，从而使安全分析员对当前的网络状态有直观的了解，并通过经验去判断网络是否受到攻击威胁，但这种方法的缺点是对安全分析人员经验水平要求高，难以精确量化分析。(2)全面采集各类安全设备的安全日志，对计算机网络进行安全态势分析，通过数据挖掘的方案评估计算机网络的安全性，但这种方法的缺点是信息来源单一，只有安全日志信息，且性能低下，因为对异构安全事件的采集和处理效率较低。(3)利用安全日志信息和设备漏洞信息的结合，采用风险计算算法，得到直观的安全态势图，但此种选取的态势评估指标还不够全面，量化算法结果也不够准确，并且针对大型电力信息网络，安全日志信息和设备漏洞信息的采集难以全面，导致最终的计算结果失真。At present, some valuable theoretical and applied research has been carried out on the security situation analysis of power information network, such as: research on network security event grouping method based on fuzzy theory; establishment of fuzzy time series model; research on support vector machine regression network security Situation forecasting methods, etc. In practice, common security situation analysis methods include: (1) Situation visualization display, which mainly utilizes people’s sensitivity to intuitive images to present the network interconnection status in a visual view, so that security analysts Have an intuitive understanding of the current network status, and use experience to judge whether the network is threatened by attacks, but the disadvantage of this method is that it requires high experience levels for security analysts, and it is difficult to accurately quantify and analyze. (2) Comprehensively collect the security logs of various security devices, analyze the security situation of the computer network, and evaluate the security of the computer network through the data mining scheme, but the disadvantage of this method is that the information source is single, only the security log information, and Poor performance due to inefficient collection and processing of heterogeneous security events. (3) Using the combination of security log information and equipment vulnerability information, using a risk calculation algorithm to obtain an intuitive security situation map, but the situation evaluation indicators selected in this way are not comprehensive enough, and the results of the quantitative algorithm are not accurate enough, and for large-scale power information The collection of network, security log information, and device vulnerability information is difficult to be comprehensive, resulting in distortion of the final calculation results.

发明内容Contents of the invention

本发明提供了一种网络安全态势分析方法，解决了现有网络安全态势分析方式准确程度和处理效率低下的问题。The invention provides a network security situation analysis method, which solves the problems of low accuracy and processing efficiency of the existing network security situation analysis methods.

一种安全态势分析方法，包括：A security situation analysis method comprising:

A、通过SYSLOG协议和Flow协议采集网络中各设备日志信息，并从中提取IP地址信息，基于地理信息或业务信息对得到的IP地址进行分层，得到多个层级；A. Collect the log information of each device in the network through the SYSLOG protocol and the Flow protocol, and extract the IP address information from it, and stratify the obtained IP addresses based on geographic information or business information to obtain multiple levels;

B、分别计算各层级的地址熵值；B. Calculate the address entropy value of each level separately;

C、持续计算全局地址熵的值，以5分钟为时间周期计算地址熵值基准点，以历史较长时间地址熵值基准点数据的集合建立长周期熵值基线，以最近时间的地址熵值基准点数据的集合建立短周期熵值基线；C. Continuously calculate the value of the global address entropy, calculate the reference point of the address entropy value with a time period of 5 minutes, establish a long-term entropy value baseline based on the collection of historical address entropy value reference point data for a long time, and use the latest address entropy value The collection of benchmark data establishes a short-period entropy baseline;

D、将所述全局地址熵的实测值与所述长周期熵值基线和短周期熵值基线的综合偏差度转换为安全态势指标数据；D. Converting the comprehensive deviation between the measured value of the global address entropy and the long-period entropy baseline and the short-period entropy baseline into security situation index data;

E、当安全态势指标超过预置的阈值时，判定安全态势发生异常，通过各层级地址熵值的对比定位异常。E. When the security situation index exceeds the preset threshold, it is determined that the security situation is abnormal, and the abnormality is located by comparing the address entropy values of each level.

优选的，通过SYSLOG协议和Flow协议采集网络中各设备日志信息，并从中提取IP地址信息包括：Preferably, collecting the log information of each device in the network through the SYSLOG protocol and the Flow protocol, and extracting the IP address information therefrom includes:

分布式采集点从以下任一信息或任意多个信息中提取IP地址：Distributed collection points extract IP addresses from any or more of the following information:

网络安全设备日志，应用系统日志，路由交换设备flow信息，Network security device logs, application system logs, routing and switching device flow information,

所述IP地址包括源IP地址和目的IP地址。The IP address includes a source IP address and a destination IP address.

优选的，通过SYSLOG协议和Flow协议采集网络中各设备日志信息，并从中提取IP地址信息还包括：Preferably, collecting the log information of each device in the network through the SYSLOG protocol and the Flow protocol, and extracting the IP address information therefrom also includes:

获取所述IP地址的地理标记；obtain a geotag for said IP address;

将所述IP地址映射为整形数据结构，将所述整形数据结构和该IP地址的地理标记存储于多层嵌套HashMap数据结构中；Mapping the IP address into a plastic data structure, storing the geographical mark of the plastic data structure and the IP address in a multi-layer nested HashMap data structure;

将所述IP地址的整形数据结构加入IP映射缓存表，该IP映射缓存表存储了IP地址的整形数据结构和该IP地址被采集到的次数。The shaping data structure of the IP address is added to the IP mapping cache table, and the IP mapping cache table stores the shaping data structure of the IP address and the number of times the IP address is collected.

优选的，该方法还包括：Preferably, the method also includes:

根据预置的更新周期，周期性的对上一周期中所述IP映射缓存表中的IP地址依据各IP地址的流量进行排序；According to the preset update cycle, periodically sort the IP addresses in the IP mapping cache table in the previous cycle according to the traffic of each IP address;

对排序后排名较靠前的IP地址对应的被采集到的次数进行更新。The number of times of collection corresponding to the higher-ranked IP addresses after sorting is updated.

优选的，分别计算各层级的地址熵值包括：Preferably, calculating the address entropy values of each level respectively includes:

根据以下表达式计算基础层的源地址熵：The source address entropy of the base layer is calculated according to the following expression:

$H h ((SRC SRC)) = = \frac{((- - {Σ Σ}_{i i = = 11}^{N N} ((\frac{{n no}_{ipi ipi}}{s the s})) {log log}_{22} ((\frac{{n no}_{ipi ipi}}{s the s}))))}{{log log}_{22} s the s},,$

根据以下表达式计算基础层的目的地址熵：Calculate the destination address entropy of the base layer according to the following expression:

$H h ((DEST DEST)) = = \frac{((- - {Σ Σ}_{i i = = 11}^{N N} ((\frac{{n no}_{ipi ipi}}{s the s})) {log log}_{22} ((\frac{{n no}_{ipi ipi}}{s the s}))))}{{log log}_{22} s the s},,$

其中，表示观测时间段内的IP地址的总出现次数；in, Indicates the total number of occurrences of IP addresses during the observation period;

根据以下表达式计算中间层的熵：The entropy of the intermediate layer is calculated according to the following expression:

H(MIDDLE)＝a*H(SRC)+b*H(DEST)，H(MIDDLE)=a*H(SRC)+b*H(DEST),

其中，a、b的取值区间为[0，1]，且a+b＝1；Wherein, the value range of a and b is [0, 1], and a+b=1;

根据以下表达式计算全局层的熵：The entropy of the global layer is calculated according to the following expression:

优选的，以历史较长时间地址熵值基准点数据的集合建立长周期熵值基线包括：Preferably, establishing a long-period entropy baseline with a collection of historically long-term address entropy benchmark data includes:

以较长周期为循环时长，计算每经第一时间间隔后的全局熵值，形成一组有多个点的熵值数组；Taking a longer cycle as the cycle length, calculate the global entropy value after each first time interval, and form a group of entropy value arrays with multiple points;

对本较长周期的熵值与上一较长周期的基线熵值进行加权平均以获得新的基线熵值，多个所述基线熵值形成动态的长周期熵值基线。A weighted average is performed on the entropy value of this longer period and the baseline entropy value of the last longer period to obtain a new baseline entropy value, and a plurality of the baseline entropy values form a dynamic long-period entropy baseline.

优选的，所述较长周期为一天或一天以上的时间周期。Preferably, the longer period is a time period of one day or more.

优选的，以最近时间的地址熵值基准点数据的集合建立短周期熵值基线包括：Preferably, establishing a short-period entropy baseline with a collection of recent address entropy benchmark data includes:

按照较短周期周期性的计算全局熵值；Calculate the global entropy value periodically according to a shorter cycle;

以最近的多个周期的全局熵值形成熵值数据，所述熵值数据构成的曲线即为短周期熵值基线。The entropy data is formed by the global entropy values of the most recent multiple periods, and the curve formed by the entropy data is the short-period entropy baseline.

优选的，将所述地址熵值转换为安全态势指标数据包括：Preferably, converting the address entropy value into security situation indicator data includes:

从所述长周期熵值基线中提取当前时刻对应的熵值，即为当前时刻的长周期熵预测值；Extracting the entropy value corresponding to the current moment from the long-period entropy value baseline, which is the long-period entropy prediction value at the current moment;

根据以下表达式获得短周期基线对应的熵预测值：The entropy prediction value corresponding to the short-period baseline is obtained according to the following expression:

H_t+1＝H_t+a(y_t-H_t)，H _t+1 =H _t +a(y _t -H _t ),

设当前短周期基线中的熵值序列为：Let the entropy sequence in the current short-period baseline be:

y₁,y₂,y₃,y₄….y_t为当前短周期基线中的熵值序列，a是加权系统(0<a<1)，Ht是第t期的预测熵值；y ₁ , y ₂ , y ₃ , y ₄ ….y _t is the entropy value sequence in the current short-period baseline, a is the weighting system (0<a<1), Ht is the predicted entropy value in the t-th period;

根据以下表达式计算熵值偏差率μT：Calculate the entropy value deviation rate μT according to the following expression:

${μ μ}_{T T} = = \frac{11}{22} * * ((| | H h - - {H h}_{l l} | | / / {H h}_{l l} + + | | {H h - - H h}_{s the s} | | / / {H h}_{s the s})),,$

其中，H为实测全局熵值，H_l为基于长周期熵值基线获取的预测熵值，H_s是基于短周期熵值基线获取的预测熵值；Wherein, H is the measured global entropy value, H ₁ is the predicted entropy value obtained based on the long-period entropy value baseline, and H _s is the predicted entropy value obtained based on the short-period entropy value baseline;

根据以下表达式转换得到安全态势指标(SSI)：The Security Situation Indicator (SSI) is converted according to the following expression:

优选的，当SSI出现异常时，通过对各层级地址熵值进行排序，确定地址熵值最大的网络分层为网络安全态势异常所在位置。Preferably, when an abnormality occurs in the SSI, by sorting the address entropy values of each layer, the network layer with the largest address entropy value is determined as the location of the abnormal network security situation.

本发明提供了一种安全态势分析方法，A、通过SYSLOG协议和Flow协议采集网络中各设备日志信息，并从中提取IP地址信息，基于地理信息或业务信息对得到的IP地址进行分层，得到多个层级；B、分别计算各层级的地址熵值；C、持续计算全局地址熵的值，以5分钟为时间周期计算地址熵值基准点，以历史较长时间地址熵值基准点数据的集合建立长周期熵值基线，以最近时间的地址熵值基准点数据的集合建立短周期熵值基线；D、将所述全局地址熵的实测值与所述长周期熵值基线和短周期熵值基线的综合偏差度转换为安全态势指标数据；E、当安全态势指标超过预置的阈值时，判定安全态势发生异常，通过各层级地址熵值的对比定位异常。实现了准确高效的安全态势分析，解决了现有网络安全态势分析方式准确程度和处理效率低下的问题。The present invention provides a security situation analysis method. A. Collect the log information of each device in the network through the SYSLOG protocol and the Flow protocol, and extract IP address information therefrom, and layer the obtained IP addresses based on geographical information or business information to obtain Multiple levels; B. Calculate the address entropy value of each level separately; C. Continuously calculate the value of the global address entropy, calculate the reference point of the address entropy value with a time period of 5 minutes, and use the address entropy value reference point data for a long time in history Set up a long-period entropy baseline, and establish a short-period entropy baseline with a collection of address entropy reference point data at the latest time; D. Combine the measured value of the global address entropy with the long-period entropy baseline and short-period The comprehensive deviation degree of the value baseline is converted into security situation indicator data; E. When the security situation indicator exceeds the preset threshold, it is determined that the security situation is abnormal, and the abnormality is located by comparing the address entropy values of each level. Accurate and efficient security situation analysis is realized, and the problems of low accuracy and processing efficiency of the existing network security situation analysis methods are solved.

附图说明Description of drawings

图1为IP映射缓存表的建立与更新原理示意图。FIG. 1 is a schematic diagram of the principle of establishing and updating an IP mapping cache table.

具体实施方式Detailed ways

常见的安全态势分析方法包括：(1)态势可视化展示，该方法的主要是利用人对直观图像的敏锐性，以可视化视图的方式将网络互联状态呈现出来，从而使安全分析员对当前的网络状态有直观的了解，并通过经验去判断网络是否受到攻击威胁，但这种方法的缺点是对安全分析人员经验水平要求高，难以精确量化分析。(2)全面采集各类安全设备的安全日志，对计算机网络进行安全态势分析，通过数据挖掘的方案评估计算机网络的安全性，但这种方法的缺点是信息来源单一，只有安全日志信息，且性能低下，因为对异构安全事件的采集和处理效率较低。(3)利用安全日志信息和设备漏洞信息的结合，采用风险计算算法，得到直观的安全态势图，但此种选取的态势评估指标还不够全面，量化算法结果也不够准确，并且针对大型电力信息网络，安全日志信息和设备漏洞信息的采集难以全面，导致最终的计算结果失真。Common security situation analysis methods include: (1) Situation visualization display, which mainly uses people’s sensitivity to intuitive images to present the network interconnection status in a visual view, so that security analysts can understand the current network There is an intuitive understanding of the state, and through experience to judge whether the network is threatened by an attack, but the disadvantage of this method is that it requires a high level of experience for security analysts, and it is difficult to accurately quantify and analyze. (2) Comprehensively collect the security logs of various security devices, analyze the security situation of the computer network, and evaluate the security of the computer network through the data mining scheme, but the disadvantage of this method is that the information source is single, only the security log information, and Poor performance due to inefficient collection and processing of heterogeneous security events. (3) Using the combination of security log information and equipment vulnerability information, using a risk calculation algorithm to obtain an intuitive security situation map, but the situation evaluation indicators selected in this way are not comprehensive enough, and the results of the quantitative algorithm are not accurate enough, and for large-scale power information The collection of network, security log information, and device vulnerability information is difficult to be comprehensive, resulting in distortion of the final calculation results.

为了解决上述问题，本发明的实施例提供了一种网络安全态势分析方法。下文中将结合附图对本发明的实施例进行详细说明。需要说明的是，在不冲突的情况下，本申请中的实施例及实施例中的特征可以相互任意组合。In order to solve the above problems, an embodiment of the present invention provides a network security situation analysis method. Embodiments of the present invention will be described in detail below in conjunction with the accompanying drawings. It should be noted that, in the case of no conflict, the embodiments in the present application and the features in the embodiments can be combined arbitrarily with each other.

首先结合附图，对本发明的实施例一进行说明。First, Embodiment 1 of the present invention will be described with reference to the accompanying drawings.

本发明实施例提供了一种基于大规模地址熵模型计算、针对电力信息网络的网络安全态势分析方法，对电力信息网络进行全面、深入、指标化、层次化的安全态势分析。首先由各分布式采集点采集IP地址，再由中心态势分析系统对各分布式采集点采集得到的IP地址进行存储，并以地址熵模型的方式对安全态势进行分析。具体包括以下步骤：The embodiment of the present invention provides a network security situation analysis method for the electric power information network based on large-scale address entropy model calculation, and conducts a comprehensive, in-depth, indexed and hierarchical security situation analysis on the electric power information network. Firstly, IP addresses are collected by each distributed collection point, and then the central situation analysis system stores the IP addresses collected by each distributed collection point, and analyzes the security situation in the form of address entropy model. Specifically include the following steps:

A、IP信息的获取与分层：通过SYSLOG协议和Flow协议采集网络中各设备日志信息，并从中提取IP地址信息，对接收得到的IP地址进行分层，得到多个层级。A. Acquisition and stratification of IP information: Collect log information of each device in the network through the SYSLOG protocol and Flow protocol, and extract IP address information from it, and stratify the received IP addresses to obtain multiple levels.

C、构建全局熵值基线：持续计算全局熵值，以5分钟为单位获得全局熵值基准点，以历史较长时间熵值基准点数据的集合建立长周期熵值基线，以最近时间熵值基准点数据的集合建立短周期熵值基线；C. Construct the global entropy baseline: continuously calculate the global entropy value, obtain the global entropy benchmark point in units of 5 minutes, establish a long-term entropy baseline based on the collection of entropy benchmark data for a long time in history, and use the recent time entropy value The collection of benchmark data establishes a short-period entropy baseline;

D、计算安全态势指标值：将所述地址熵实测值与所述长周期熵值基线和短周期熵值基线的综合偏差度转换为安全态势指标数据。D. Calculating the security situation index value: converting the comprehensive deviation degree between the measured address entropy value and the long-period entropy baseline and short-period entropy baseline into security situation index data.

E、安全态势异常判定：当安全态势指标发生异常时，通过各层级地址熵值的对比定位异常。E. Judgment of security situation abnormality: When the security situation indicator is abnormal, the abnormality is located by comparing the address entropy values of each level.

优选地，步骤A中IP信息的获取，通过SYSLOG协议和Flow协议采集网络中各设备日志信息，并从中提取IP地址信息。Preferably, in the acquisition of IP information in step A, the log information of each device in the network is collected through the SYSLOG protocol and the Flow protocol, and the IP address information is extracted therefrom.

IP数据采集的数据源包括网络安全设备日志、应用系统日志、路由交换设备flow数据。IP信息提取方法如下：Data sources for IP data collection include network security device logs, application system logs, and routing and switching device flow data. The IP information extraction method is as follows:

电力信息网络中的IP地址数据格式化字段提取结构如下：The IP address data format field extraction structure in the power information network is as follows:

</block></block>

其中block字段定义如下：The block field is defined as follows:

index：对应信息提取的字段索引，对应日志或flow信息的Match中的正则表达式的组数，从1开始；index: The field index corresponding to the information extraction, the group number of the regular expression in the Match corresponding to the log or flow information, starting from 1;

name：对应字段名称；name: the corresponding field name;

type：对应字段类型，包括源地址、目的地址和时间三种类型；type: corresponds to the field type, including source address, destination address and time;

default：对于此字段直接赋值；default: direct assignment to this field;

如果直接采用提取的结果，就不需要配置field，如果需要根据提取的结果作二次提取，需要配置field。If you directly use the extracted result, you don’t need to configure the field. If you need to perform secondary extraction based on the extracted result, you need to configure the field.

field为IP解析规则，原始的信息如syslog日志包含的IP信息可以直接识别为IP数据，则不需要配置field；原始信息如netflow包含的IP信息是字节码，则需要配置field进行解析。The field is the IP parsing rule. The original information such as the IP information contained in the syslog log can be directly identified as IP data, so there is no need to configure the field; the original information such as the IP information contained in the netflow is bytecode, and the field needs to be configured for analysis.

field定义如下：field is defined as follows:

match：从已经提取的字段中进行提取该字段的正则表达式；match: extract the regular expression of the field from the extracted field;

value：字段赋值，根据Match匹配的结果赋值，如果为空，直接采用提取的结果。value: field assignment, assign according to the Match matching result, if it is empty, directly use the extracted result.

优选地，步骤A中IP地址信息的分层，基于地理层级对IP地址信息进行分层，并基于分层进行地址熵值计算，既可以达到分布式运行的目的，同时又可以在安全态势发送异常时可以对异常根源进行基于网络分层的定位，辅助安全管理人员分析问题。Preferably, in the layering of IP address information in step A, the IP address information is layered based on the geographical level, and the address entropy value is calculated based on the layering, which can not only achieve the purpose of distributed operation, but also can be sent in a safe situation. In case of anomalies, the source of the anomalies can be located based on network layers to assist security managers in analyzing problems.

本发明实施例构建分层的网络IP模型，基于IP所在的地理位置将网络分为基础层、中间层和全局层三个层次，并可以根据需要确定划分粒度，其中中间层可以根据实际情况分析继续分为多个层次。例如，对于南方电网这样的网络，其IP层级划分如表1所示。The embodiment of the present invention builds a layered network IP model, divides the network into three levels based on the geographical location of the IP, the basic layer, the middle layer and the global layer, and can determine the division granularity according to the needs, and the middle layer can be analyzed according to the actual situation Continue to divide into multiple levels. For example, for a network such as the China Southern Power Grid, its IP hierarchy division is shown in Table 1.

表1Table 1

全局层global layer 南方电网所有IPAll IPs of China Southern Power Grid 中间层middle layer 包括广东、广西、云南、贵州、海南各省IPIncluding Guangdong, Guangxi, Yunnan, Guizhou, and Hainan provinces IP 基础层base layer 各省地市级IPProvincial and municipal IP

该层级的划分依据IP地理信息或业务信息。The division of this level is based on IP geographic information or service information.

优选地，步骤A中IP地址信息的分层数据的实时构建与更新，由于电力信息网络规模庞大、设备复杂，电力信息网络中的IP数据是一种不可控的活动数据组成的高吞吐量数据流。针对IP数据的处理，传统的日志文件系统分析方法无法满足要求，为此，本发明实施例中采用了电力信息网络中的IP地址分区映射算法，以有效的提高IP相关运算效率和减少缓存空间，使得针对大规模IP地址的复杂计算成为可能。Preferably, the real-time construction and update of the layered data of IP address information in step A, due to the large scale of the power information network and complex equipment, the IP data in the power information network is a high-throughput data composed of uncontrollable activity data flow. For the processing of IP data, the traditional log file system analysis method cannot meet the requirements. Therefore, the embodiment of the present invention adopts the IP address partition mapping algorithm in the power information network to effectively improve the efficiency of IP-related operations and reduce the cache space , making complex calculations for large-scale IP addresses possible.

系统维护IP地址映射缓存表，当采集到IP地址数据时，根据电力信息网络规范提供的IP地理信息知识库，获得各个IP地址的地理标记并使用IP地址分区映射算法进行映射缓存。IP地址分区映射算法将String数据结构的IP地址数据映射为易于存储和计算的整形数据结构；IP地址的地理标记将IP地址在电力信息网络中所处的地理位置信息进行了标记。IP地址的整形数据结构存储于IP映射缓存表中。本发明实施例采用多层嵌套HashMap数据结构实现IP映射缓存表，该IP映射缓存表数据结构逐层分别为：The system maintains the IP address mapping cache table. When the IP address data is collected, according to the IP geographic information knowledge base provided by the power information network specification, the geographical mark of each IP address is obtained and the IP address partition mapping algorithm is used for mapping and caching. The IP address partition mapping algorithm maps the IP address data of the String data structure into an integer data structure that is easy to store and calculate; the geographical mark of the IP address marks the geographical location information of the IP address in the power information network. The shaping data structure of the IP address is stored in the IP mapping cache table. The embodiment of the present invention adopts the multi-layer nested HashMap data structure to realize the IP mapping cache table, and the data structure of the IP mapping cache table is respectively layer by layer:

HashMap<Integer，HashMap<String，Integer>>＝new HashMap<Integer，HashMap<String，Integer>>。HashMap<Integer, HashMap<String, Integer>> = new HashMap<Integer, HashMap<String, Integer>>.

其中第一层HashMap的key为Integer，内容对应地理标记，value为HashMap，内容对应该地理区域的IP地址数据映射表。The key of the first layer of HashMap is Integer, the content corresponds to the geographical mark, the value is HashMap, and the content corresponds to the IP address data mapping table of the geographical area.

第二层HashMap的key为String，内容对应IP地址，value是Integer，内容对应该IP的整形标记。The key of the second layer HashMap is String, the content corresponds to the IP address, the value is Integer, and the content corresponds to the shaping mark of the IP.

除记录IP地址的整形数据结构外，该IP映射缓存表还保存有IP地址对应的被采集次数。In addition to recording the shaping data structure of the IP address, the IP mapping cache table also saves the number of times the IP address is corresponding to being collected.

IP映射缓存表的建立与更新原理如图1所示。IP映射缓存表的建立是由采集引擎驱动，每接收到一条分布式采集点IP数据信息，中心态势分析系统都会将其中的IP地址加入IP映射缓存表，IP映射，直到映射缓存表规模达到100万(即其中存储的IP数量，为一可配置的值)，映射缓存表之外的IP统一识别为ELSE，这样既控制了IP复杂度，又保证IP信息总量不会有损耗。本发明中IP映射缓存表的建立时间基本可以忽略。The principle of establishing and updating the IP mapping cache table is shown in FIG. 1 . The establishment of the IP mapping cache table is driven by the acquisition engine. Every time a piece of IP data information of a distributed collection point is received, the central situation analysis system will add the IP address into the IP mapping cache table, and IP mapping until the scale of the mapping cache table reaches 100 Ten thousand (that is, the number of IPs stored in it, which is a configurable value), and the IPs outside the mapping cache table are uniformly identified as ELSE, which not only controls the IP complexity, but also ensures that the total amount of IP information will not be lost. The establishment time of the IP mapping cache table in the present invention can basically be ignored.

为了控制IP地址映射缓存表的规模和效率。当映射缓存表规模达到100万(即其中存储的IP数量，为一可配置的值)，映射缓存表之外的IP统一识别为ELSE，这样既控制了IP复杂度，又保证IP信息总量不会有损耗。本发明中IP映射缓存表的建立时间基本可以忽略。In order to control the scale and efficiency of the IP address mapping cache table. When the size of the mapping cache table reaches 1 million (that is, the number of IPs stored in it is a configurable value), the IPs outside the mapping cache table are uniformly identified as ELSE, which not only controls the IP complexity, but also ensures the total amount of IP information There will be no loss. The establishment time of the IP mapping cache table in the present invention can basically be ignored.

IP地址映射缓存表采用动态更新机制，根据上个周期的IP排序对IP对照表进行更新。基于效率的考虑，每周期不会对IP对照表进行全部更新，获取流量排序TOP 100的IP，如果IP对照表不包含这100个IP，则强制加入IP对照表。该方案保证IP对照表的更新时间在10ms以内。The IP address mapping cache table adopts a dynamic update mechanism to update the IP comparison table according to the IP sorting of the previous cycle. Based on efficiency considerations, the IP comparison table will not be fully updated every cycle to obtain the top 100 IPs in traffic ranking. If the IP comparison table does not include these 100 IPs, it will be forced to join the IP comparison table. This solution ensures that the update time of the IP comparison table is within 10ms.

优选地，步骤B分别计算各层级的地址熵值，在获得海量IP数据信息后，本发明以分层网络IP模型为基础上实施采用层级化地址熵算法。Preferably, step B calculates the address entropy values of each level respectively. After obtaining massive IP data information, the present invention adopts a hierarchical address entropy algorithm based on a layered network IP model.

IP地址作为电力信息网络的基础元素，如何量化分析地址的分布变化是进行安全态势分析的根基。地址熵模型利用信息熵来衡量地址分布的分散或集中程度。IP address is the basic element of power information network, how to quantify and analyze the distribution of addresses is the foundation of security situation analysis. The address entropy model uses information entropy to measure the degree of dispersion or concentration of address distribution.

信息熵(后续简称熵)是信息论之父C.E.Shannon在1948年提出的概念，他借鉴了热力学中的熵，把信息中排除了冗余后的平均信息量成为信息熵。信息熵是信息论中用来衡量信息量有序化程度的一个重要工具。信息熵的值与信息源有序化程度成反比：有序程度越高，信息熵值越低；有序程度越低，信息熵值越高。Information entropy (subsequently referred to as entropy) is a concept proposed by C.E. Shannon, the father of information theory, in 1948. He borrowed from the entropy in thermodynamics and made the average amount of information after excluding redundancy from information into information entropy. Information entropy is an important tool used in information theory to measure the degree of ordering of information. The value of information entropy is inversely proportional to the degree of ordering of information sources: the higher the degree of order, the lower the value of information entropy; the lower the degree of order, the higher the value of information entropy.

将信息熵的理论运用至信息网络分析中，本发明实施例设计了地址熵的计算模型。Applying the theory of information entropy to information network analysis, the embodiment of the present invention designs a calculation model of address entropy.

设IP统计集N_ip＝{N_ip1,，N_ip2,，N_ip3,，…，N_ipn}，N_ipn表示某一时间段内IP地址n出现的次数，定义底数为2，为了展示方便，此处可限制熵值的取值范围在0到1之间，所以需要对原熵值除以logN。因此，根据熵的定义公式可得：Set IP statistical set N _ip ={N _ip1 ,, N _ip2 ,, N _ip3 ,, ..., N _ipn }, N _ipn represents the number of occurrences of IP address n within a certain period of time, and the defined base is 2. For the convenience of display, Here, the value range of the entropy value can be limited between 0 and 1, so the original entropy value needs to be divided by logN. Therefore, according to the definition formula of entropy:

H(IP)＝H(N_ip)＝H(IP)=H(N _ip )=

其中，表示观测时间段内的IP地址的总出现次数。根据定义可知，熵值越小，IP地址分布越集中，熵值越大，IP地址分布越离散。in, Indicates the total number of occurrences of IP addresses during the observation period. According to the definition, the smaller the entropy value, the more concentrated the IP address distribution, and the larger the entropy value, the more discrete the IP address distribution.

根据IP分层结构，我们进行地址墒值计算。Based on the IP hierarchy, we perform address entropy calculations.

其中，基础层的计算公式为：Among them, the calculation formula of the base layer is:

源地址熵： $H (SRC) = \frac{(- Σ_{i = 1}^{N} (\frac{n_{ipi}}{s}) \log_{2} (\frac{n_{ipi}}{s}))}{\log_{2} s},$ Source address entropy: $h (SRC) = \frac{(- Σ_{i = 1}^{N} (\frac{{no}_{ipi}}{the s}) \log_{2} (\frac{{no}_{ipi}}{the s}))}{\log_{2} the s},$

目的地址熵： $H (DEST) = \frac{(- Σ_{i = 1}^{N} (\frac{n_{ipi}}{s}) \log_{2} (\frac{n_{ipi}}{s}))}{\log_{2} s} .$ Destination address entropy: $h (DEST) = \frac{(- Σ_{i = 1}^{N} (\frac{{no}_{ipi}}{the s}) \log_{2} (\frac{{no}_{ipi}}{the s}))}{\log_{2} the s} .$

其中，表示观测时间段内的IP地址的总出现次数。in, Indicates the total number of occurrences of IP addresses during the observation period.

中间层的计算公式为：The calculation formula of the middle layer is:

H(MIDDLE)＝a*H(SRC)+b*H(DEST)H(MIDDLE)＝a*H(SRC)+b*H(DEST)

其中，a、b的取值区间为[0，1]，且a+b＝1。a、b的取值根据网络具体实践进行设置。Wherein, the value range of a and b is [0, 1], and a+b=1. The values of a and b are set according to the specific practice of the network.

全局层，即全局地址熵值的计算公式为：The global layer, that is, the formula for calculating the global address entropy value is:

采用层级化的地址熵算法，可以快速获取网络全局IP活跃态势，也可逐层分析局部IP活跃态势“。IP地址网络的基本组成，IP活跃态势可以宏观反映网络活动情况，通过熵值表达IP活跃态势(H)，The hierarchical address entropy algorithm can quickly obtain the global IP active situation of the network, and can also analyze the local IP active situation layer by layer. The basic composition of the IP address network, the IP active situation can reflect the network activities macroscopically, and the IP can be expressed through the entropy value active state (H),

H值的变化是时序稳态的，SSI的计算是获取连续时间的多个H值，然后预测下一时刻的H值，通过预测值与实际值的偏差来获得SSI，从而表达网络安全态势。The change of H value is time-series steady-state. The calculation of SSI is to obtain multiple H values in continuous time, and then predict the H value at the next moment. The SSI is obtained by the deviation between the predicted value and the actual value, thereby expressing the network security situation.

优选地，步骤C持续计算全局地址熵值，周期性持续计算并记录全局地址熵值形成熵值基线，通过实测地址熵与基线预测熵值的偏差来观测和指标化分析全局地址熵值的波动情况。本发明实施例中采用建立长周期分析与短周期分析结合的方式构建熵值基线。Preferably, step C continuously calculates the global address entropy value, periodically and continuously calculates and records the global address entropy value to form an entropy baseline, and observes and indexes the fluctuation of the global address entropy value through the deviation between the measured address entropy and the baseline predicted entropy value Condition. In the embodiment of the present invention, the entropy baseline is constructed by combining long-period analysis and short-period analysis.

长周期基线分析是将较长周期分成多个时段并将每周期相同时段的全局地址熵计算其平均值，这些连续不同时段的全局地址熵的平均值便形成了基线；基线反映了网络正常行为下所呈现的全局地址熵值变化趋势，而一旦网络中有异常发生，将直接反映于全局地址熵值的变化上。Long-term baseline analysis is to divide a long period into multiple periods and calculate the average value of the global address entropy of the same period in each period. The average value of the global address entropy of these consecutive different periods forms the baseline; the baseline reflects the normal behavior of the network The change trend of the global address entropy value presented below, and once an abnormality occurs in the network, it will be directly reflected in the change of the global address entropy value.

短周期基线分析是当前时间向前推移若干个采样时点的实际测量值，是一组全局地址熵值组成的数据队列，代表了全网地址墒最近一段时间的趋势。通过预测算法可以计算下一周期的全局地址熵值，通过下一周期实测值与该预测值的比较情况，可以分析全局地址墒的短时间突变情况。The short-period baseline analysis is the actual measurement value of several sampling time points moving forward from the current time. It is a data queue composed of a set of global address entropy values, which represents the recent trend of the entire network address entropy. The global address entropy value of the next cycle can be calculated through the prediction algorithm, and the short-term sudden change of the global address entropy can be analyzed by comparing the measured value with the predicted value in the next cycle.

长周期熵值基线的建立方法为：以天为循环时长，计算每5分钟的全局熵值，形成一组有288个点的熵值数组，新的一天对应的时间点的熵值与原有的基线熵值进行加权平均以获得新的基线熵值，从而形成动态的长周期熵值基线。长周期熵值基线对应的预测值计算方法为：从长周期熵值基线中提取当前时刻对应的熵值，即为该时刻的长周期熵预测值。The method of establishing the long-term entropy baseline is as follows: take days as the cycle time, calculate the global entropy every 5 minutes, and form a set of entropy arrays with 288 points. The entropy value at the time point corresponding to the new day is the same as the original The weighted average of the baseline entropy values is obtained to obtain a new baseline entropy value, thus forming a dynamic long-period entropy baseline. The calculation method of the forecast value corresponding to the long-period entropy baseline is as follows: extract the entropy value corresponding to the current moment from the long-period entropy baseline, which is the long-period entropy forecast value at this moment.

短周期熵值基线的建立方法为：以分钟为周期计算全局熵值，实时更新，以最近10个周期的熵值形成一组有10个点的熵值数据，从而形成动态的短周期熵值基线。短周期熵值基线对应的预测值采用指数平滑法获得。The establishment method of the short-period entropy baseline is as follows: calculate the global entropy value every minute, update it in real time, and use the entropy values of the last 10 periods to form a set of entropy data with 10 points, thus forming a dynamic short-period entropy value baseline. The predicted value corresponding to the short-period entropy baseline is obtained by exponential smoothing method.

指数平滑法是在移动平均法基础上发展起来的一种时间序列分析预测法，它是通过计算指数平滑值，配合一定的时间序列预测模型对现象的未来进行预测。其原理是任一期的指数平滑值都是本期实际观察值与前一期指数平滑值的加权平均。The exponential smoothing method is a time series analysis and prediction method developed on the basis of the moving average method. It predicts the future of the phenomenon by calculating the exponential smoothing value and cooperating with a certain time series prediction model. The principle is that the exponential smoothing value of any period is the weighted average of the actual observed value in this period and the exponential smoothing value of the previous period.

短周期熵值基线对应的预测熵值计算公式为：The formula for calculating the predicted entropy value corresponding to the short-period entropy value baseline is:

设当前短周期基线中的熵值序列为Let the entropy value sequence in the current short-period baseline be

y₁,y₂,y₃,y₄….y_t,y ₁ ,y ₂ ,y ₃ ,y ₄ ….y _t ,

则预测熵值计算方法为：Then the calculation method of predicted entropy value is:

H_t+1＝H_t+a(y_t-H_t)。Ht ₊₁ = _Ht +a( _yt - _Ht ).

其中，a是加权系统(0<a<1),Ht是第t期的预测熵值。Among them, a is the weighting system (0<a<1), and Ht is the predicted entropy value of the tth period.

优选地，步骤D安全态势指标的计算，将所述全局地址熵实测值与所述长周期熵值基线和短周期熵值基线的综合偏差度转换为安全态势指标数据。Preferably, in the calculation of the security situation index in step D, the comprehensive deviation degree between the measured global address entropy value and the long-period entropy value baseline and the short-period entropy value baseline is converted into security situation index data.

本发明实施例中，计算安全态势指标(Secution Index，SSI)公式为：In the embodiment of the present invention, the formula for calculating the security situation index (Secution Index, SSI) is:

${μ μ}_{T T} = = \frac{11}{22} * * ((| | {H h - - H h}_{l l} | | / / {H h}_{l l} + + | | {H h - - H h}_{s the s} | | / / {H h}_{s the s})),,$

其中，H为实测全局熵值，H_l为基于长周期熵值基线获取的预测熵值，H_s是基于短周期熵值基线获取的预测熵值。Among them, H is the measured global entropy value, H _l is the predicted entropy value obtained based on the long-period entropy value baseline, and H _s is the predicted entropy value obtained based on the short-period entropy value baseline.

根据以下方法，计算安全态势指标SSI＝According to the following method, calculate the security situation index SSI =

优选地，步骤E安全态势的异常判定，当安全态势指标大于指定阈值时，可以判定网络态势发生异常。此时，通过各层级地址熵值的对比定位网络异常发生所在的分层。通过对各层级地址熵值进行排序，确定地址熵值最大的网络分层为网络安全态势异常所在位置。Preferably, in Step E, the abnormality determination of the security situation, when the security situation index is greater than a specified threshold, it can be determined that the network situation is abnormal. At this time, the layer where the network anomaly occurs is located by comparing the address entropy values of each layer. By sorting the address entropy values of each level, it is determined that the network layer with the largest address entropy value is the location where the network security situation is abnormal.

本发明实施例提供了一种安全态势分析方法，A、通过SYSLOG协议和Flow协议采集网络中各设备日志信息，并从中提取IP地址信息，基于地理信息或业务信息对得到的IP地址进行分层，得到多个层级；B、分别计算各层级的地址熵值；C、持续计算全局地址熵的值，以5分钟为时间周期计算地址熵值基准点，以历史较长时间地址熵值基准点数据的集合建立长周期熵值基线，以最近时间的地址熵值基准点数据的集合建立短周期熵值基线；D、将所述全局地址熵的实测值与所述长周期熵值基线和短周期熵值基线的综合偏差度转换为安全态势指标数据；E、当安全态势指标超过预置的阈值时，判定安全态势发生异常，通过各层级地址熵值的对比定位异常。实现了准确高效的安全态势分析，解决了现有网络安全态势分析方式准确程度和处理效率低下的问题。The embodiment of the present invention provides a security situation analysis method. A. Collect the log information of each device in the network through the SYSLOG protocol and the Flow protocol, and extract IP address information therefrom, and layer the obtained IP addresses based on geographic information or business information , to obtain multiple levels; B. Calculate the address entropy value of each level separately; C. Continuously calculate the value of the global address entropy, calculate the reference point of the address entropy value with a time period of 5 minutes, and use the reference point of the address entropy value for a long time in history The collection of data establishes a long-period entropy baseline, and the collection of address entropy reference point data at the latest time establishes a short-period entropy baseline; D, combining the measured value of the global address entropy with the long-period entropy baseline and short The comprehensive deviation degree of the cycle entropy baseline is converted into security situation indicator data; E. When the security situation indicator exceeds the preset threshold, it is determined that the security situation is abnormal, and the abnormality is located by comparing the address entropy values of each level. Accurate and efficient security situation analysis is realized, and the problems of low accuracy and processing efficiency of the existing network security situation analysis methods are solved.

本领域普通技术人员可以理解上述实施例的全部或部分步骤可以使用计算机程序流程来实现，所述计算机程序可以存储于一计算机可读存储介质中，所述计算机程序在相应的硬件平台上(如系统、设备、装置、器件等)执行，在执行时，包括方法实施例的步骤之一或其组合。Those of ordinary skill in the art can understand that all or part of the steps of the above-mentioned embodiments can be implemented using a computer program flow, the computer program can be stored in a computer-readable storage medium, and the computer program can be run on a corresponding hardware platform (such as system, device, device, device, etc.), and when executed, includes one or a combination of the steps of the method embodiment.

可选地，上述实施例的全部或部分步骤也可以使用集成电路来实现，这些步骤可以被分别制作成一个个集成电路模块，或者将它们中的多个模块或步骤制作成单个集成电路模块来实现。这样，本发明不限制于任何特定的硬件和软件结合。Optionally, all or part of the steps in the above embodiments can also be implemented using integrated circuits, and these steps can be fabricated into individual integrated circuit modules, or multiple modules or steps among them can be fabricated into a single integrated circuit module accomplish. As such, the present invention is not limited to any specific combination of hardware and software.

上述实施例中的各装置/功能模块/功能单元可以采用通用的计算装置来实现，它们可以集中在单个的计算装置上，也可以分布在多个计算装置所组成的网络上。The devices/functional modules/functional units in the above embodiments can be realized by general-purpose computing devices, and they can be concentrated on a single computing device, or distributed on a network composed of multiple computing devices.

上述实施例中的各装置/功能模块/功能单元以软件功能模块的形式实现并作为独立的产品销售或使用时，可以存储在一个计算机可读取存储介质中。上述提到的计算机可读取存储介质可以是只读存储器，磁盘或光盘等。When each device/functional module/functional unit in the above-mentioned embodiments is realized in the form of a software function module and sold or used as an independent product, it can be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk or an optical disk, and the like.

任何熟悉本技术领域的技术人员在本发明揭露的技术范围内，可轻易想到变化或替换，都应涵盖在本发明的保护范围之内。因此，本发明的保护范围应以权利要求所述的保护范围为准。Any person familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the present invention, and all should be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention should be based on the protection scope described in the claims.

Claims

1. A network security situation analysis method, characterized in that the specific steps include:

A. Collect the log information of each device in the network through the SYSLOG protocol and the Flow protocol, and extract the IP address information from it, and stratify the obtained IP addresses based on geographic information or business information to obtain multiple levels;

B. Calculate the address entropy value of each level separately;

C. Continuously calculate the value of the global address entropy, calculate the reference point of the address entropy value with a time period of 5 minutes, establish a long-term entropy value baseline based on the collection of historical address entropy value reference point data for a long time, and use the latest address entropy value The collection of benchmark data establishes a short-period entropy baseline;

D. Converting the comprehensive deviation between the measured value of the global address entropy and the long-period entropy baseline and the short-period entropy baseline into security situation indicator data;

E. When the security situation index exceeds the preset threshold, it is determined that the security situation is abnormal, and the abnormality is located by comparing the address entropy values of each level.

2. the network security situation analysis method according to claim 1, is characterized in that, collects each device log information in the network by SYSLOG agreement and Flow agreement, and therefrom extracts IP address information and comprises:

Distributed collection points extract IP addresses from any or more of the following information:

Network security device logs, application system logs, routing and switching device flow information,

The IP address includes a source IP address and a destination IP address.

3. the network security situation analysis method according to claim 1, is characterized in that, collects each device log information in the network by SYSLOG agreement and Flow agreement, and therefrom extracts IP address information and also comprises:

obtain a geotag for said IP address;

Mapping the IP address into a plastic data structure, storing the geographical mark of the plastic data structure and the IP address in a multi-layer nested HashMap data structure;

The shaping data structure of the IP address is added to the IP mapping cache table, and the IP mapping cache table stores the shaping data structure of the IP address and the number of times the IP address is collected.

4. The network security situation analysis method according to claim 3, characterized in that the method further comprises:

According to the preset update cycle, periodically sort the IP addresses in the IP mapping cache table in the previous cycle according to the traffic of each IP address;

The number of times of collection corresponding to the higher-ranked IP addresses after sorting is updated.

5. The network security situation analysis method according to claim 1, wherein calculating the address entropy values of each level respectively comprises:

The source address entropy of the base layer is calculated according to the following expression:

H h ((SRC SRC)) = = \frac{(({- - Σ Σ}_{i i = = 11}^{N N} ((\frac{{n no}_{ipi ipi}}{s the s})) {log log}_{22} ((\frac{{n no}_{ipi ipi}}{s the s}))))}{{log log}_{22} S S},,

Calculate the destination address entropy of the base layer according to the following expression:

H h ((DEST DEST)) = = \frac{(({- - Σ Σ}_{i i = = 11}^{N N} ((\frac{{n no}_{ipi ipi}}{s the s})) {log log}_{22} ((\frac{{n no}_{ipi ipi}}{s the s}))))}{{log log}_{22} S S},,

in, Indicates the total number of occurrences of IP addresses during the observation period;

The entropy of the intermediate layer is calculated according to the following expression:

H(MIDDLE)=a*H(SRC)+b*H(DEST),

Wherein, the value range of a and b is [0, 1], and a+b=1;

The entropy of the global layer is calculated according to the following expression:

6. The network security situation analysis method according to claim 1, characterized in that, establishing a long-period entropy baseline with a collection of address entropy benchmark data for a long time in history comprises:

Taking a longer cycle as the cycle length, calculate the global entropy value after each first time interval, and form a group of entropy value arrays with multiple points;

A weighted average is performed on the entropy value of this longer period and the baseline entropy value of the last longer period to obtain a new baseline entropy value, and a plurality of the baseline entropy values form a dynamic long-period entropy baseline.

7. The network security situation analysis method according to claim 6, wherein the longer period is a time period of one day or more.

8. The network security situation analysis method according to claim 1, characterized in that, establishing a short-period entropy baseline with the collection of address entropy benchmark data of the latest time comprises:

Calculate the global entropy value periodically according to a shorter cycle;

The entropy data is formed by the global entropy values of the most recent multiple periods, and the curve formed by the entropy data is the short-period entropy baseline.

9. The network security situation analysis method according to claim 1, wherein converting the address entropy value into security situation index data comprises:

Extracting the entropy value corresponding to the current moment from the long-period entropy value baseline, which is the long-period entropy prediction value at the current moment;

The entropy prediction value corresponding to the short-period baseline is obtained according to the following expression:

H _t+1 =H _t +a(y _t -H _t ),

Let the entropy value sequence in the current short-period baseline be:

y ₁ , y ₂ , y ₃ , y ₄ .... y _t is the entropy value sequence in the current short-period baseline, a is the weighting system (0<a<1), and Ht is the predicted entropy value in the t-th period;

Calculate the entropy value deviation rate μ _T according to the following expression:

{μ μ}_{T T} = = \frac{11}{22} * * ((| | H h - - {H h}_{l l} | | / / {H h}_{l l} + + | | H h - - {H h}_{s the s} | | / / {H h}_{s the s})),,

Wherein, H is the measured global entropy value, H ₁ is the predicted entropy value obtained based on the long-period entropy value baseline, and H _s is the predicted entropy value obtained based on the short-period entropy value baseline;

The Security Situation Indicator (SSI) is converted according to the following expression:

10. The network security situation analysis method according to claim 1, wherein when an abnormality occurs in the SSI, the network layer with the largest address entropy value is determined to be the network security situation abnormality by sorting the address entropy values of each level Location.