CN104601604A - Network security situation analyzing method - Google Patents


Info

Publication number
CN104601604A
Authority
CN
China
Prior art keywords
entropy
address
period
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510090101.7A
Other languages
Chinese (zh)
Other versions
CN104601604B (en)
Inventor
陈连栋
辛锐
赵炜
黄镜宇
崔志坤
王静
宋峥峥
孔明
李井泉
白涛
付强
刘成龙
张磊
王震
周文芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Priority to CN201510090101.7A
Publication of CN104601604A
Application granted
Publication of CN104601604B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network security situation analyzing method, relates to the field of network security, and solves the problems that the existing network security situation analyzing methods are low in accuracy and processing efficiency. The method includes the steps of A, acquiring log information of devices in a network through the SYSLOG protocol and a Flow protocol, extracting IP (Internet Protocol) address information from the log information, and layering the IP address information on the basis of geographical information or business information to obtain multiple layers; B, calculating an address entropy of each layer; C, continuously calculating the value of a global address entropy, calculating an address entropy reference point in a 5-minute cycle, establishing a long-cycle entropy baseline from a set of historical long-term address entropy reference point data, and establishing a short-cycle entropy baseline from a set of the latest address entropy reference point data; D, converting the measured value of the global address entropy and its integrated deviation from the long-cycle and short-cycle entropy baselines into security situation index data; E, if the security situation index exceeds a preset threshold, determining that a security situation anomaly occurs, and locating the anomaly through comparison of the address entropies of the layers. The method has the advantage that the security situation is analyzed accurately and efficiently.

Description

Network security situation analysis method
Technical Field
The invention relates to the field of network security, in particular to a network security situation analysis method.
Background
With the increasing scale of the power information network environment, the number of devices of all kinds in the network has increased sharply, and security threats and attacks from the outside and the inside have also increased sharply, threatening network information security. In order to respond continuously to new security challenges, anti-virus systems, firewalls, intrusion detection systems, vulnerability scanning systems, UTM devices and the like are deployed in the power information network. Under such a complex security system, the network has the characteristics of distributed resource sharing, decentralized users, distributed management and the like, and provides a foundation for diversified and intelligent information services. However, security issues in such complex networks have been a significant obstacle to their development. Security situation assessment technology can reflect the dynamic security situation of the network from a comprehensive and macroscopic view, and can forecast and give early warning of the development trend of the security situation, so a security situation analysis model and key technology aimed at the power information network have become research hotspots in the field of network security.
Currently, some valuable theoretical and applied research has been carried out on security situation analysis of the power information network, such as: a network security event grouping method based on fuzzy theory; a fuzzy time series model; a network security situation prediction method based on support vector machine regression; and the like. In practical applications, the common security situation analysis methods include: (1) the situation visualization display method, which mainly uses people's sensitivity to visual images to present the network interconnection state in a visual view, so that a security analyst can intuitively know the current network state and judge from experience whether the network is under attack; (2) the method that comprehensively collects the security logs of various security devices, analyzes the security situation of the computer network and evaluates its security through a data mining scheme, but which has the defects of a single information source (security log information only) and low performance, because the collection and processing efficiency for heterogeneous security events is low; (3) the method that combines security log information with device vulnerability information and adopts a risk calculation algorithm to obtain a visual security situation map, but whose selected situation evaluation indices are not comprehensive enough and whose quantitative results are not accurate enough; moreover, for a large-scale power information network the collection of security log information and device vulnerability information is difficult to make comprehensive, so the final calculation result is distorted.
Disclosure of Invention
The invention provides a network security situation analysis method, which solves the problems of low accuracy and low processing efficiency of the existing network security situation analysis mode.
A security posture analysis method, comprising:
A. collecting log information of each device in the network through a SYSLOG protocol and a Flow protocol, extracting IP address information from the log information, and layering the obtained IP address based on geographic information or service information to obtain a plurality of layers;
B. respectively calculating the address entropy value of each level;
C. continuously calculating the value of global address entropy, calculating an address entropy reference point by taking 5 minutes as a time period, establishing a long-period entropy baseline by using a set of historical longer-period address entropy reference point data, and establishing a short-period entropy baseline by using a set of latest-period address entropy reference point data;
D. converting the measured value of the global address entropy and the comprehensive deviation degree of the long-period entropy value baseline and the short-period entropy value baseline into safety situation index data;
E. when the security situation index exceeds a preset threshold value, judging that the security situation is abnormal, and locating the anomaly through comparison of the address entropy values of all levels.
Preferably, the collecting log information of each device in the network by the SYSLOG protocol and the Flow protocol, and extracting the IP address information from the log information includes:
the distributed acquisition point extracts the IP address from any one or more of the following information:
network security device logs, application system logs, routing switch device flow information,
the IP address includes a source IP address and a destination IP address.
Preferably, the collecting log information of each device in the network by the SYSLOG protocol and the Flow protocol, and extracting the IP address information therefrom further includes:
acquiring a geographical mark of the IP address;
mapping the IP address into an integer data structure, and storing the integer data structure and the geographical mark of the IP address in a multi-layer nested HashMap data structure;
and adding the integer data structure of the IP address into an IP mapping cache table, wherein the IP mapping cache table stores the integer data structure of the IP address and the collected times of the IP address.
Preferably, the method further comprises:
according to a preset updating period, periodically sorting the IP addresses in the IP mapping cache table of the last period according to the flow of each IP address;
and updating the collected times corresponding to the IP addresses ranked higher after sorting.
Preferably, the calculating the address entropy values of the respective levels includes:
the source address entropy of the base layer is calculated according to the following expression:
$$H(SRC) = \frac{-\sum_{i=1}^{N} \left(\frac{n_{ip_i}}{s}\right) \log_2 \left(\frac{n_{ip_i}}{s}\right)}{\log_2 s},$$
the destination address entropy of the base layer is calculated according to the following expression:
$$H(DEST) = \frac{-\sum_{i=1}^{N} \left(\frac{n_{ip_i}}{s}\right) \log_2 \left(\frac{n_{ip_i}}{s}\right)}{\log_2 s},$$
wherein $s$ represents the total number of occurrences of the IP addresses within the observation period;
the entropy of the intermediate layer is calculated according to the following expression:
$$H(MIDDLE) = a \cdot H(SRC) + b \cdot H(DEST),$$
wherein the values of $a$ and $b$ lie in the interval $[0, 1]$, and $a + b = 1$;
the entropy of the global layer is calculated according to the following expression:
Preferably, establishing the long-period entropy baseline with the set of historical longer-time address entropy reference point data comprises:
calculating the global entropy value after each first time interval, taking the longer period as the cycle duration, to form a group of entropy value arrays with a plurality of points;
performing a weighted average of the entropy values of the present longer period and the baseline entropy values of the previous longer period to obtain new baseline entropy values, a plurality of which form a dynamic long-period entropy value baseline.
Preferably, the longer period is a time period of one or more days.
Preferably, establishing the short-period entropy baseline with the set of most recent address entropy reference point data comprises:
calculating the global entropy value according to a shorter period;
and forming entropy data from the global entropy values of a plurality of recent periods, wherein the curve formed by the entropy data is the short-period entropy baseline.
Preferably, converting the address entropy value into the security situation index data includes:
extracting the entropy value corresponding to the current moment from the long-period entropy value baseline, namely the long-period predicted entropy value for the current moment;
obtaining the predicted entropy value corresponding to the short-period baseline according to the following expression:
$$H_{t+1} = H_t + a(y_t - H_t),$$
wherein $y_1, y_2, y_3, y_4, \ldots, y_t$ is the sequence of entropy values in the current short-period baseline, $a$ is the weighting coefficient ($0 < a < 1$), and $H_t$ is the predicted entropy value of the $t$-th stage;
calculating the entropy deviation ratio $\mu_T$ according to the following expression:
$$\mu_T = \frac{1}{2} \left( \frac{|H - H_l|}{H_l} + \frac{|H - H_s|}{H_s} \right),$$
wherein $H$ is the measured global entropy value, $H_l$ is the predicted entropy value obtained from the long-period entropy baseline, and $H_s$ is the predicted entropy value obtained from the short-period entropy baseline;
converting according to the following expression to obtain a Safety Situation Index (SSI):
Preferably, when the SSI is abnormal, the address entropy values of the respective levels are sorted, and the network with the largest address entropy value is determined to be the location of the network security situation anomaly.
The invention provides a security situation analysis method, which comprises the steps that A, log information of each device in a network is collected through an SYSLOG protocol and a Flow protocol, IP address information is extracted from the log information, and the obtained IP addresses are layered on the basis of geographic information or service information to obtain a plurality of layers; B. respectively calculating the address entropy value of each level; C. continuously calculating the value of global address entropy, calculating an address entropy reference point by taking 5 minutes as a time period, establishing a long-period entropy baseline by using a set of historical longer-period address entropy reference point data, and establishing a short-period entropy baseline by using a set of latest-period address entropy reference point data; D. converting the measured value of the global address entropy and the comprehensive deviation degree of the long-period entropy value baseline and the short-period entropy value baseline into safety situation index data; E. and when the safety situation index exceeds a preset threshold value, judging that the safety situation is abnormal, and positioning the abnormality through the comparison of the address entropy values of all levels. The method and the device realize accurate and efficient security situation analysis and solve the problems of low accuracy and low processing efficiency of the existing network security situation analysis mode.
Drawings
Fig. 1 is a schematic diagram illustrating the establishment and updating principle of an IP mapping cache table.
Detailed Description
Common security posture analysis methods include: (1) the situation visualization display method, which mainly uses people's sensitivity to visual images to present the network interconnection state in a visual view, so that a security analyst can intuitively know the current network state and judge from experience whether the network is under attack; (2) the method that comprehensively collects the security logs of various security devices, analyzes the security situation of the computer network and evaluates its security through a data mining scheme, but which has the defects of a single information source (security log information only) and low performance, because the collection and processing efficiency for heterogeneous security events is low; (3) the method that combines security log information with device vulnerability information and adopts a risk calculation algorithm to obtain a visual security situation map, but whose selected situation evaluation indices are not comprehensive enough and whose quantitative results are not accurate enough; moreover, for a large-scale power information network the collection of security log information and device vulnerability information is difficult to make comprehensive, so the final calculation result is distorted.
In order to solve the above problem, an embodiment of the present invention provides a network security situation analysis method. Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
First, a first embodiment of the present invention will be described with reference to the drawings.
The embodiment of the invention provides a network security situation analysis method for the electric power information network based on large-scale address entropy model calculation, which analyzes the security situation of the electric power information network comprehensively, in depth, as an index and by hierarchy. The method first collects IP addresses at all distributed collection points, then stores the IP addresses collected by all distributed collection points in a central situation analysis system, and analyzes the security situation by means of an address entropy model. The method specifically comprises the following steps:
A. Obtaining and layering IP information: collecting log information of each device in the network through the SYSLOG protocol and the Flow protocol, extracting IP address information from the log information, and layering the received IP addresses to obtain a plurality of layers.
B. Calculating the address entropy value of each level respectively.
C. Constructing the global entropy baseline: continuously calculating the global entropy value, obtaining a global entropy reference point every 5 minutes, establishing a long-period entropy baseline from a set of historical longer-time entropy reference point data, and establishing a short-period entropy baseline from a set of the latest entropy reference point data.
D. Calculating the security situation index value: converting the comprehensive deviation degree between the measured address entropy value and the long-period and short-period entropy baselines into security situation index data.
E. Judging security situation anomalies: when the security situation index is abnormal, locating the anomaly through comparison of the address entropy values of all levels.
Preferably, the acquisition of IP information in step A acquires log information of each device in the network through the SYSLOG protocol and the Flow protocol, and extracts IP address information from the log information.
The data sources of IP data collection comprise network security device logs, application system logs and routing/switching device flow data. The IP information extraction method is as follows:
the IP address data formatting field extraction structure in the power information network is as follows:
< block index ═ 2 ═ name ═ src "type ═ source address ═ default >
<field match="^[0,1]"value="aa"/>
<field match="^[2-4]"value="bb"/>
</block>
The block attributes are defined as follows:
index: the index of the field extracted from the information, corresponding to the group number of the regular expression in the match of the log or flow information; group numbers start from 1;
name: the corresponding field name;
type: the corresponding field type, including source address, destination address and time;
default: a value assigned directly to this field;
if the extraction result is adopted directly, the field element does not need to be configured; if a secondary extraction is needed on the extraction result, the field element needs to be configured.
The field element is an IP parsing rule. Original information such as the IP information contained in a syslog message can be identified directly as IP data and needs no field element; original information such as the IP information contained in netflow is byte-coded, and a field element is configured to parse it.
The field attributes are defined as follows:
match: the regular expression that extracts the field from the extracted field;
value: the field assignment, i.e. the value assigned according to the match result; if the match result is empty, the extracted result is adopted directly.
Preferably, in step A the IP address information is layered on a geographic hierarchy and the address entropy is calculated per layer, so that distributed computation is possible; at the same time, when the security situation is abnormal, the source of the anomaly can be located from the network layering, which assists the security manager's analysis of the problem.
The embodiment of the invention constructs a layered network IP model that divides the network into three layers, a base layer, an intermediate layer and a global layer, based on the geographic position of the IP; the division granularity can be chosen as required, and the intermediate layer can be further divided into several layers according to analysis of the actual situation. For example, for a network such as the Southern power grid, the IP hierarchy partitioning is shown in Table 1.
TABLE 1
Global layer: all IP of the Southern power grid
Intermediate layer: IP of Guangdong, Guangxi, Yunnan, Guizhou and Hainan provinces
Base layer: province- and city-level IP
The hierarchy is divided according to IP geographical information or traffic information.
Preferably, the hierarchical data of the IP address information is constructed and updated in real time in step A. Because the power information network is large in scale and complex in equipment, the IP data in the power information network is a high-throughput data stream composed of uncontrollable active data. The traditional log file system analysis method cannot meet the requirements for processing this IP data, and therefore the embodiment of the invention adopts an IP address partition mapping algorithm for the power information network to improve the efficiency of IP-related operations and reduce cache space, so that complex calculation over large-scale IP address sets becomes possible.
When the IP address data is acquired, the system obtains the geographic mark of each IP address from the IP geographic information knowledge base provided by the power information network specification, and performs mapping and caching with the IP address partition mapping algorithm. The IP address partition mapping algorithm maps the IP address data from its String representation into an integer data structure that is easy to store and compute on; the geographic mark of the IP address records the geographic position of the IP address in the power information network. The integer data structure of the IP address is stored in an IP mapping cache table. The embodiment of the invention uses a multi-layer nested HashMap data structure to implement the IP mapping cache table, whose layers are as follows:
    HashMap<Integer, HashMap<String, Integer>> ipMappingCache = new HashMap<Integer, HashMap<String, Integer>>(); // variable name added here to complete the declaration
The key of the first-layer HashMap is an Integer whose content corresponds to the geographic mark, and its value is a HashMap corresponding to the IP address data mapping table of that geographic area.
The key of the second-layer HashMap is a String whose content corresponds to the IP address, and its value is an Integer corresponding to the integer mark of the IP.
Besides the integer data structure that records the IP address, the IP mapping cache table also stores the collected times corresponding to the IP address.
The principle of establishing and updating the IP mapping cache table is shown in Fig. 1. The establishment of the IP mapping cache table is driven by the acquisition engine: when the central situation analysis system receives a piece of IP data from a distributed acquisition point, it adds the IP address to the IP mapping cache table and performs the IP mapping until the mapping cache table reaches one million entries (the number of stored IPs is a configurable value); IPs outside the mapping cache table are uniformly identified as ELSE, which controls the complexity of the IP set while ensuring that the total amount of IP information is not lost. The establishment time of the IP mapping cache table can basically be ignored.
The IP address mapping cache table adopts a dynamic updating mechanism that updates the IP lookup table according to the IP ranking of the last period. For efficiency, the IP lookup table is not rebuilt completely every period: the TOP 100 IPs are obtained, and any of these 100 IPs not contained in the lookup table are added forcibly. This scheme keeps the update time of the IP lookup table within 10 ms.
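An added illustration, not the patent's own code: a Python sketch of the IP mapping cache table described above (region tag to address to integer id, a configurable capacity with ELSE for overflow, and the per-period TOP-N forced update). Capacity and TOP-N are shrunk to small values to exercise the overflow path; evicting the least-collected mapped address when a forced insert finds the table full is an assumption of this example, as are the region tags and addresses.

```python
from collections import Counter

ELSE = -1  # integer id returned for addresses the table does not hold (the page's "ELSE")


class IpMappingCache:
    """IP mapping cache table: region tag -> {ip string -> integer id}, mirroring the
    patent's nested HashMap<Integer, HashMap<String, Integer>>, plus the collected
    count of every address seen. Capacity and TOP-N are configurable."""

    def __init__(self, capacity=1_000_000, top_n=100):
        self.capacity = capacity
        self.top_n = top_n
        self.table = {}               # region -> {ip -> integer id}
        self.region_of = {}           # ip -> region tag it was collected under
        self.counts = Counter()       # ip -> collected times (kept for mapped and ELSE ips)
        self.period_flow = Counter()  # ip -> flows seen in the current update period
        self._next_id = 0
        self.size = 0

    def _insert(self, region, ip):
        self.table.setdefault(region, {})[ip] = self._next_id
        self._next_id += 1
        self.size += 1

    def observe(self, region, ip):
        """Acquisition-driven build: map one collected address to its integer id.
        New addresses are added until the table is full; beyond that they map to ELSE."""
        self.counts[ip] += 1
        self.period_flow[ip] += 1
        self.region_of[ip] = region
        ids = self.table.get(region, {})
        if ip in ids:
            return ids[ip]
        if self.size < self.capacity:
            self._insert(region, ip)
            return self.table[region][ip]
        return ELSE

    def _evict_least_collected(self, keep):
        """Free one slot by dropping the mapped address with the fewest collected times.
        This eviction rule is an assumption of the example; the page only says the
        TOP-N addresses are added forcibly. Returns False if nothing could be evicted."""
        victim = None
        for region, ids in self.table.items():
            for ip in ids:
                if ip in keep:
                    continue
                if victim is None or self.counts[ip] < self.counts[victim[1]]:
                    victim = (region, ip)
        if victim is None:
            return False
        del self.table[victim[0]][victim[1]]
        self.size -= 1
        return True

    def end_period(self):
        """Dynamic update at the end of a period: rank last period's addresses by flow,
        take the TOP-N, and force-insert any the table does not yet contain.
        Returns the addresses that were added."""
        top = [ip for ip, _ in self.period_flow.most_common(self.top_n)]
        added = []
        for ip in top:
            region = self.region_of[ip]
            if ip in self.table.get(region, {}):
                continue
            if self.size >= self.capacity and not self._evict_least_collected(keep=set(top)):
                continue
            self._insert(region, ip)
            added.append(ip)
        self.period_flow.clear()
        return added


def demo():
    """Drive a tiny table (capacity 3, TOP-2) through one period and its update."""
    cache = IpMappingCache(capacity=3, top_n=2)
    first = [cache.observe("A", "10.0.0.1"), cache.observe("A", "10.0.0.2"),
             cache.observe("B", "10.0.1.1")]
    overflow = [cache.observe("B", "10.0.1.9") for _ in range(6)]  # table full -> ELSE
    added = cache.end_period()  # 10.0.1.9 is the TOP-1 address and gets forced in
    after = (cache.observe("B", "10.0.1.9"), cache.observe("A", "10.0.0.2"))
    return {"first": first, "overflow": overflow, "added": added,
            "after": after, "size": cache.size}


if __name__ == "__main__":
    print(demo())
```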
Preferably, in step B the address entropy values of the respective levels are calculated: after obtaining the massive IP data information, the invention implements a hierarchical address entropy algorithm based on the hierarchical network IP model.
The IP address is used as a basic element of the power information network, and how to quantitatively analyze the distribution change of the address is the root of safety situation analysis. The address entropy model uses information entropy to measure the degree of dispersion or concentration of address distribution.
Information entropy (entropy for short) is a concept proposed in 1948 by C. E. Shannon, the father of information theory, by reference to entropy in thermodynamics: the average information content of a message after redundancy is excluded is its information entropy. Information entropy is an important tool used in information theory to measure the degree of order of an information source. The value of the information entropy is inversely related to the degree of order of the source: the higher the degree of order, the lower the information entropy; the lower the degree of order, the higher the information entropy.
The theory of the information entropy is applied to information network analysis, and the embodiment of the invention designs a calculation model of the address entropy.
Let the IP statistics set be $N_{ip} = \{N_{ip_1}, N_{ip_2}, N_{ip_3}, \ldots, N_{ip_n}\}$, where $N_{ip_n}$ represents the number of times IP address $n$ occurs in a certain time period; the logarithm base is defined as 2, and for convenience of display the range of the entropy value can be limited to between 0 and 1, so the original entropy value needs to be divided by $\log N$. Thus, from the definition of entropy:
H(IP)=H(Nip)=
wherein,representing the total number of occurrences of IP addresses within the observation period. According to the definition, the smaller the entropy value is, the more concentrated the IP address distribution is, and the larger the entropy value is, the more discrete the IP address distribution is.
The address entropy values are calculated according to the IP hierarchical structure.
Wherein, the calculation formula of the basic layer is as follows:
source address entropy: $H(SRC) = \dfrac{-\sum_{i=1}^{N} \left(\dfrac{n_{ip_i}}{s}\right) \log_2 \left(\dfrac{n_{ip_i}}{s}\right)}{\log_2 s},$
entropy of destination address: $H(DEST) = \dfrac{-\sum_{i=1}^{N} \left(\dfrac{n_{ip_i}}{s}\right) \log_2 \left(\dfrac{n_{ip_i}}{s}\right)}{\log_2 s}.$
wherein, representing the total number of occurrences of IP addresses within the observation period.
The calculation formula of the intermediate layer is as follows:
H(MIDDLE)=a*H(SRC)+b*H(DEST)
wherein the value intervals of a and b are [0, 1] and a + b = 1; the values of a and b are set according to the specific practice of the network.
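As an added illustration (this is not code from the patent), the following Python computes the base-layer entropies H(SRC) and H(DEST) and the intermediate-layer value H(MIDDLE) from a constructed set of source/destination address pairs, normalising by log2 of the total occurrence count exactly as the formulas above do. It also shows the per-level computation of step B, grouping flows by a geographic tag of the source address. The `level_of` tag, the sample addresses and the weights a = b = 0.5 are assumptions made for the example; the cache table keyed by the integer form of the address follows claim 3 but is likewise my own construction.

```python
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed sample: (source IP, destination IP) pairs as they would be extracted
# from SYSLOG / Flow records during one observation period. The addresses are
# invented for this example.
SAMPLE_FLOWS = [
    ("10.0.0.1", "192.168.1.10"), ("10.0.0.1", "192.168.1.10"),
    ("10.0.0.1", "192.168.1.10"), ("10.0.0.1", "192.168.1.10"),
    ("10.0.0.2", "192.168.1.10"), ("10.0.0.2", "192.168.1.10"),
    ("10.0.0.3", "192.168.1.10"), ("10.0.0.3", "192.168.1.10"),
    ("10.1.0.1", "192.168.1.10"), ("10.1.0.1", "192.168.1.10"),
    ("10.1.0.1", "192.168.1.10"), ("10.1.0.1", "192.168.1.10"),
    ("10.1.0.1", "192.168.1.11"), ("10.1.0.1", "192.168.1.11"),
    ("10.1.0.1", "192.168.1.11"), ("10.1.0.1", "192.168.1.11"),
]


def level_of(ip: str) -> str:
    """Assumed geographic tag for an address (the page's layering 'based on
    geographic information'); a real deployment would use a GeoIP lookup."""
    return "site-A" if ip.startswith("10.0.") else "site-B"


def count_addresses(addresses) -> Counter:
    """IP mapping cache table: integer form of the address -> times collected."""
    return Counter(int(ipaddress.ip_address(ip)) for ip in addresses)


def normalized_entropy(counts) -> float:
    """Base-2 entropy of the occurrence counts divided by log2(s), s being the total
    number of occurrences, as in the page's H(SRC)/H(DEST) formulas. At most s
    distinct addresses can occur, so the raw entropy is at most log2(s) and the
    result lies in [0, 1]. For s <= 1, log2(s) = 0, so that degenerate period is
    reported as 0.0 instead of dividing by zero."""
    counts = [n for n in counts if n > 0]
    s = sum(counts)
    if s <= 1:
        return 0.0
    raw = -sum((n / s) * math.log2(n / s) for n in counts)
    return raw / math.log2(s)


def layer_entropies(flows, a=0.5, b=0.5) -> dict:
    """Base layer H(SRC), H(DEST) and intermediate layer a*H(SRC) + b*H(DEST)."""
    if not (0.0 <= a <= 1.0 and 0.0 <= b <= 1.0 and abs(a + b - 1.0) < 1e-12):
        raise ValueError("a and b must lie in [0, 1] and sum to 1")
    h_src = normalized_entropy(count_addresses(src for src, _ in flows).values())
    h_dst = normalized_entropy(count_addresses(dst for _, dst in flows).values())
    return {"SRC": h_src, "DEST": h_dst, "MIDDLE": a * h_src + b * h_dst}


def per_level_entropies(flows, a=0.5, b=0.5) -> dict:
    """Entropies of every level (here: each geographic site of the source address)
    plus the whole-network values under the key 'global'."""
    groups = defaultdict(list)
    for src, dst in flows:
        groups[level_of(src)].append((src, dst))
    result = {level: layer_entropies(group, a, b) for level, group in groups.items()}
    result["global"] = layer_entropies(flows, a, b)
    return result


if __name__ == "__main__":
    for level, h in per_level_entropies(SAMPLE_FLOWS).items():
        print(level, {k: round(v, 4) for k, v in h.items()})
```

With the constructed sample, site-A has three sources with counts 4, 2, 2 over 8 flows, so H(SRC) = 1.5 / log2(8) = 0.5, while all its flows go to one destination and H(DEST) = 0; site-B has a single source (H(SRC) = 0) talking to two destinations equally (H(DEST) = 1/3). The global values sit in between, which is the layer-by-layer narrowing the text describes.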
The global layer, i.e. the calculation formula of the global address entropy value, is:
By adopting the hierarchical address entropy algorithm, the global IP activity situation of the network can be acquired quickly, and the local IP activity situation can be analyzed layer by layer. IP addresses are the basic building blocks of the network, so the IP activity situation macroscopically reflects the activity condition of the network; the IP activity situation (H) is expressed by an entropy value,
and the change of the H value over time forms a steady-state time series. Calculating the SSI means obtaining a number of H values at consecutive times, predicting the H value at the next moment, and deriving the SSI from the deviation between the predicted value and the actual value, so as to express the network security situation.
Preferably, step C continuously calculates the global address entropy: the global address entropy is calculated and recorded periodically to form an entropy baseline, and the fluctuation of the global address entropy is observed and analyzed through the deviation between the measured address entropy and the entropy predicted from the baseline. In the embodiment of the invention, the entropy baseline is established by combining long-period analysis with short-period analysis.
Long-period baseline analysis divides a longer period into a number of cycles and calculates, for each time slot, the average of the global address entropy values observed in that slot across the cycles; the averages of the consecutive slots form the baseline. The baseline reflects the trend of the global address entropy under normal network behaviour, and once an abnormality occurs in the network the change is reflected directly in the global address entropy.
Short-period baseline analysis uses the measured values at a number of sampling points immediately preceding the current time: a data queue formed by a group of global address entropy values, representing the trend of the whole-network address entropy over the recent period. The global address entropy of the next period is calculated by a prediction algorithm, and short-term mutations of the global address entropy are analyzed by comparing the measured value of the next period with the predicted value.
The long-period entropy baseline is established as follows: taking one day as the cycle duration, the global entropy value is calculated every 5 minutes to form an array of 288 entropy values; the entropy value at each time point of the new day is weighted-averaged with the original baseline entropy value at that point to obtain the new baseline entropy value, which forms a dynamic long-period entropy baseline. The predicted value corresponding to the long-period entropy baseline is obtained by extracting from the baseline the entropy value corresponding to the current moment; this is the long-period entropy prediction for that moment.
The short-period entropy baseline is established as follows: the global entropy value is calculated with a period of one minute and updated in real time, and the entropy values of the last 10 periods form a group of 10 entropy data points, which form a dynamic short-period entropy baseline. The predicted value corresponding to the short-period entropy baseline is obtained by the exponential smoothing method.
The exponential smoothing method is a time-series forecasting method developed from the moving average method; it predicts the future of a phenomenon by calculating an exponential smoothing value and combining it with a time-series prediction model. Its principle is that the exponential smoothing value of any period is the weighted average of the actual observed value of that period and the exponential smoothing value of the previous period.
The prediction entropy value corresponding to the short-period entropy baseline is calculated as follows:
let the entropy value sequence in the current short-period baseline be
$y_1, y_2, y_3, y_4, \ldots, y_t,$
then the prediction entropy value is calculated as
$H_{t+1} = H_t + a\,(y_t - H_t),$
where $a$ is the weighting coefficient ($0 < a < 1$) and $H_t$ is the predicted entropy value for period $t$.
Preferably, in step D, the calculation of the safety situation index converts the measured global address entropy value and its combined degree of deviation from the long-period entropy baseline and the short-period entropy baseline into safety situation index data.
In the embodiment of the present invention, the Safety Situation Index (SSI) is calculated as follows:
the entropy deviation ratio $\mu_T$ is calculated according to the following expression:
$\mu_T = \dfrac{1}{2} \left( \dfrac{|H - H_l|}{H_l} + \dfrac{|H - H_s|}{H_s} \right),$
wherein $H$ is the measured global entropy value, $H_l$ is the prediction entropy obtained from the long-period entropy baseline, and $H_s$ is the prediction entropy obtained from the short-period entropy baseline.
The safety situation indicator SSI is calculated according to the following method
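As an added example that is not part of the patent text, the following Python builds the two baselines described above (a 288-slot long-period baseline updated by weighted averaging, and a 10-point short-period baseline predicted by exponential smoothing H_{t+1} = H_t + a(y_t - H_t)), computes the deviation ratio μ_T from a measured value, and ranks the levels by entropy as step E does. The conversion from μ_T to the SSI itself is not reproduced on this page, so the example stops at μ_T. The weight given to the new day in the long-period average, the seeding of the smoothing with the first observation, the coefficient a = 0.5, the handling of a zero baseline and all sample values are assumptions made for the example.

```python
import math
from collections import deque

# Page parameters: one day sampled every 5 minutes gives 288 long-period slots;
# the short-period baseline keeps the last 10 one-minute samples.
LONG_PERIOD_SLOTS = 288
SHORT_PERIOD_SLOTS = 10


class LongPeriodBaseline:
    """Per-slot baseline of the global address entropy over a day. The new day's
    value at each slot is weighted-averaged with the stored baseline value; the
    weight `new_weight` given to the new day is an assumption (the page gives none)."""

    def __init__(self, slots=LONG_PERIOD_SLOTS, new_weight=0.2):
        if not 0.0 < new_weight <= 1.0:
            raise ValueError("new_weight must lie in (0, 1]")
        self.slots = slots
        self.new_weight = new_weight
        self.baseline = [None] * slots  # None until the first day has been folded in

    def add_day(self, day_values):
        """Fold a full day's entropy array (one value per slot) into the baseline."""
        if len(day_values) != self.slots:
            raise ValueError(f"expected {self.slots} values, got {len(day_values)}")
        for i, y in enumerate(day_values):
            if self.baseline[i] is None:
                self.baseline[i] = y  # the first day seeds the baseline
            else:
                self.baseline[i] = (1 - self.new_weight) * self.baseline[i] + self.new_weight * y

    def predict(self, slot):
        """Long-period prediction H_l for a slot: the baseline value stored for it."""
        value = self.baseline[slot % self.slots]
        if value is None:
            raise ValueError("baseline not yet established")
        return value


class ShortPeriodBaseline:
    """Queue of the last `size` entropy values plus the exponential-smoothing
    prediction H_{t+1} = H_t + a (y_t - H_t). H_1 is seeded with the first
    observation, which is an assumption; the page does not say how it is chosen."""

    def __init__(self, size=SHORT_PERIOD_SLOTS, a=0.5):
        if not 0.0 < a < 1.0:
            raise ValueError("weighting coefficient a must satisfy 0 < a < 1")
        self.a = a
        self.window = deque(maxlen=size)
        self.prediction = None  # H_{t+1} after the most recent observation y_t

    def add(self, y):
        """Record the measured entropy y_t and update the prediction for period t+1."""
        self.window.append(y)
        if self.prediction is None:
            self.prediction = y
        else:
            self.prediction = self.prediction + self.a * (y - self.prediction)
        return self.prediction

    def predict(self):
        """Short-period prediction H_s for the next period."""
        if self.prediction is None:
            raise ValueError("no observations yet")
        return self.prediction


def deviation_ratio(h, h_long, h_short):
    """mu_T = 1/2 * (|H - H_l| / H_l + |H - H_s| / H_s). A zero baseline entropy
    (all traffic from one address) would divide by zero; it is reported here as
    infinity when H differs from it and 0 when H is also 0 (my choice, not the page's)."""
    def rel(pred):
        if pred == 0.0:
            return 0.0 if h == 0.0 else math.inf
        return abs(h - pred) / pred
    return 0.5 * (rel(h_long) + rel(h_short))


def locate_anomaly(level_entropies):
    """Step E: sort the levels by address entropy; the level with the largest value
    is reported as the location of the abnormality. Returns (level, ranking)."""
    ranked = sorted(level_entropies.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[0][0], ranked


if __name__ == "__main__":
    long_bl = LongPeriodBaseline(new_weight=0.5)
    long_bl.add_day([0.50] * LONG_PERIOD_SLOTS)   # constructed first day
    long_bl.add_day([0.70] * LONG_PERIOD_SLOTS)   # constructed second day
    short_bl = ShortPeriodBaseline(a=0.5)
    for y in (0.50, 0.52, 0.48, 0.50, 0.51):     # constructed one-minute samples
        short_bl.add(y)
    measured = 0.90                               # constructed current measurement
    mu = deviation_ratio(measured, long_bl.predict(0), short_bl.predict())
    print(f"H_l={long_bl.predict(0):.4f} H_s={short_bl.predict():.5f} mu_T={mu:.4f}")
    print(locate_anomaly({"site-A": 0.5, "site-B": 0.1, "global": 0.4375})[0])
```

Because μ_T is a relative deviation, it grows quickly when a baseline entropy is small; in practice the threshold applied in step E therefore has to be chosen against the entropy levels a given network actually exhibits, and a period whose baseline is exactly zero needs the explicit handling shown in `deviation_ratio`.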
Preferably, in step E, the abnormality of the security situation is determined: when the security situation index is greater than a specified threshold, the network situation may be judged abnormal. At that moment, the level at which the network abnormality occurs is located by comparing the address entropy values of the various levels: the address entropy values of all levels are sorted, and the level with the largest address entropy value is determined as the position of the network security situation abnormality.
The embodiment of the invention provides a security situation analysis method, which comprises the steps that A, log information of each device in a network is collected through a SYSLOG protocol and a Flow protocol, IP address information is extracted from the log information, and the obtained IP addresses are layered on the basis of geographic information or service information to obtain a plurality of layers; B. respectively calculating the address entropy value of each level; C. continuously calculating the value of global address entropy, calculating an address entropy reference point by taking 5 minutes as a time period, establishing a long-period entropy baseline by using a set of historical longer-period address entropy reference point data, and establishing a short-period entropy baseline by using a set of latest-period address entropy reference point data; D. converting the measured value of the global address entropy and the comprehensive deviation degree of the long-period entropy value baseline and the short-period entropy value baseline into safety situation index data; E. and when the safety situation index exceeds a preset threshold value, judging that the safety situation is abnormal, and positioning the abnormality through the comparison of the address entropy values of all levels. The method and the device realize accurate and efficient security situation analysis and solve the problems of low accuracy and low processing efficiency of the existing network security situation analysis mode.
It will be understood by those of ordinary skill in the art that all or part of the steps of the above embodiments may be implemented using a computer program flow, which may be stored in a computer readable storage medium and executed on a corresponding hardware platform (e.g., system, apparatus, device, etc.), and when executed, includes one or a combination of the steps of the method embodiments.
Alternatively, all or part of the steps of the above embodiments may be implemented by using an integrated circuit, and the steps may be respectively manufactured as an integrated circuit module, or a plurality of the blocks or steps may be manufactured as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The devices/functional modules/functional units in the above embodiments may be implemented by general-purpose computing devices, and they may be centralized on a single computing device or distributed on a network formed by a plurality of computing devices.
Each device/function module/function unit in the above embodiments may be implemented in the form of a software function module and may be stored in a computer-readable storage medium when being sold or used as a separate product. The computer readable storage medium mentioned above may be a read-only memory, a magnetic disk or an optical disk, etc.
Any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present disclosure, and all such changes or substitutions are included in the scope of the present disclosure. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A network security situation analysis method is characterized by comprising the following specific steps:
A. collecting log information of each device in the network through a SYSLOG protocol and a Flow protocol, extracting IP address information from the log information, and layering the obtained IP address based on geographic information or service information to obtain a plurality of layers;
B. respectively calculating the address entropy value of each level;
C. continuously calculating the value of global address entropy, calculating an address entropy reference point by taking 5 minutes as a time period, establishing a long-period entropy baseline by using a set of historical longer-period address entropy reference point data, and establishing a short-period entropy baseline by using a set of latest-period address entropy reference point data;
D. converting the measured value of the global address entropy and the comprehensive deviation degree of the long-period entropy value baseline and the short-period entropy value baseline into safety situation index data;
E. and when the safety situation index exceeds a preset threshold value, judging that the safety situation is abnormal, and positioning the abnormality through the comparison of the address entropy values of all levels.
2. The network security situation analysis method of claim 1, wherein collecting log information of each device in the network through a SYSLOG protocol and a Flow protocol, and extracting IP address information therefrom comprises:
the distributed acquisition point extracts the IP address from any one or more of the following information:
network security device logs, application system logs, routing switch device flow information,
the IP address includes a source IP address and a destination IP address.
3. The network security situation analysis method of claim 1, wherein collecting log information of each device in the network through a SYSLOG protocol and a Flow protocol, and extracting IP address information therefrom further comprises:
acquiring a geographical mark of the IP address;
mapping the IP address into an integer data structure, and storing the integer data structure and the geographical mark of the IP address into a multi-layer nested HashMap data structure;
and adding the integer data structure of the IP address into an IP mapping cache table, wherein the IP mapping cache table stores the integer data structure of the IP address and the number of times the IP address has been collected.
4. The network security posture analysis method of claim 3, further comprising:
according to a preset update period, periodically sorting the IP addresses in the IP mapping cache table of the last period by the traffic of each IP address;
and updating the collected counts corresponding to the IP addresses ranked highest after sorting.
5. The method according to claim 1, wherein the calculating the address entropy values of the respective levels comprises:
the source address entropy of the base layer is calculated according to the following expression:
$H(SRC) = \dfrac{-\sum_{i=1}^{N} \left(\dfrac{n_{ip_i}}{s}\right) \log_2 \left(\dfrac{n_{ip_i}}{s}\right)}{\log_2 s},$
the destination address entropy of the base layer is calculated according to the following expression:
$H(DEST) = \dfrac{-\sum_{i=1}^{N} \left(\dfrac{n_{ip_i}}{s}\right) \log_2 \left(\dfrac{n_{ip_i}}{s}\right)}{\log_2 s},$
wherein, representing a total number of occurrences of the IP address within the observation period;
the entropy of the intermediate layer is calculated according to the following expression:
H(MIDDLE)=a*H(SRC)+b*H(DEST),
wherein, the value interval of a and b is [0, 1], and a + b is 1;
the entropy of the global layer is calculated according to the following expression:
6. the network security posture analysis method of claim 1, wherein establishing a long-period entropy baseline with a set of historical longer-time address entropy baseline data comprises:
calculating the global entropy value after each first time interval by taking a longer period as a cycle duration to form a group of entropy value arrays with a plurality of points;
weighted averaging is performed on the entropy value of the present longer period and the baseline entropy value of the previous longer period to obtain a new baseline entropy value, a plurality of which form a dynamic long-period entropy value baseline.
7. The network security situation analysis method according to claim 6, wherein the longer period is a time period of one or more days.
8. The network security posture analysis method of claim 1, wherein establishing a short-cycle entropy baseline with a set of most recent time address entropy reference point data comprises:
calculating a global entropy value according to a shorter periodicity;
and forming entropy data by using the global entropy values of a plurality of recent periods, wherein a curve formed by the entropy data is a short period entropy baseline.
9. The network security posture analysis method of claim 1, wherein converting the address entropy value into security posture index data comprises:
extracting an entropy value corresponding to the current moment from the long-period entropy value baseline, namely a long-period entropy predicted value of the current moment;
obtaining the entropy predicted value corresponding to the short-period baseline according to the following expression:
$H_{t+1} = H_t + a\,(y_t - H_t),$
let the entropy value sequence in the current short-period baseline be:
$y_1, y_2, y_3, y_4, \ldots, y_t$ is the sequence of entropy values in the current short-period baseline, $a$ is the weighting coefficient ($0 < a < 1$), and $H_t$ is the predicted entropy value of the $t$-th stage;
calculating the entropy deviation rate $\mu_T$ according to the following expression:
$\mu_T = \dfrac{1}{2} \left( \dfrac{|H - H_l|}{H_l} + \dfrac{|H - H_s|}{H_s} \right),$
wherein $H$ is the measured global entropy value, $H_l$ is the prediction entropy obtained from the long-period entropy baseline, and $H_s$ is the prediction entropy obtained from the short-period entropy baseline;
converting according to the following expression to obtain a Safety Situation Index (SSI):
10. the method according to claim 1, wherein when SSI is abnormal, the network layer with the largest address entropy is determined as the location of the abnormal network security situation by sorting the address entropy values of the respective layers.
CN201510090101.7A 2014-06-12 2015-02-27 Network safety situation analysis method Active CN104601604B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510090101.7A CN104601604B (en) 2014-06-12 2015-02-27 Network safety situation analysis method

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN2014102622451 2014-06-12
CN201410262245 2014-06-12
CN201510090101.7A CN104601604B (en) 2014-06-12 2015-02-27 Network safety situation analysis method

Publications (2)

Publication Number Publication Date
CN104601604A true CN104601604A (en) 2015-05-06
CN104601604B CN104601604B (en) 2019-03-15

Family

ID=53127108

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510090101.7A Active CN104601604B (en) 2014-06-12 2015-02-27 Network safety situation analysis method

Country Status (1)

Country Link
CN (1) CN104601604B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant