CN105681298A - Data security abnormity monitoring method and system in public information platform - Google Patents
- Publication number: CN105681298A (application CN201610022174.7A)
- Authority: CN (China)
- Prior art keywords: data, security, analysis, layer, clustering
- Legal status: Pending (an assumption by Google Patents, not a legal conclusion)
Classifications
- H: ELECTRICITY
- H04: ELECTRIC COMMUNICATION TECHNIQUE
- H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: ... for detecting or protecting against malicious traffic
- H04L63/1408: ... by monitoring network traffic
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L63/1416: Event detection, e.g. attack signature detection
Abstract
The invention discloses a data security anomaly monitoring method and system for a public information platform. The system comprises a data layer responsible for data collection, an analysis layer that performs three-level data analysis, and a presentation layer for visual presentation and threat prediction. The data layer uses a multi-source data collection method. The presentation layer applies visualization techniques to present security threats visually, helping decision makers grasp the security threat trend and the dynamic state of the system at a glance, while operators can drill into concrete details through a multi-level drop-down form. In the method and system, a management center processes, analyzes and presents the collected data in a clustered mode; the system uses a B/S (browser/server) architecture, so different personnel can query, process and analyze the data through IE or another browser; the responsible managers can view graphical presentations, see the security state of the data at a glance, perceive how data security is developing, and respond promptly once an event occurs.
Description
Technical Field
The invention relates to the field of data security, in particular to a method and system for monitoring data security anomalies in a public information platform.
Background
Traditional technologies such as firewalls have existed for twenty to thirty years; although they have kept changing, their nature and architecture have not, and they will not be able to meet the security requirements of a big data environment. With the emergence of application modes such as cloud computing and big data, the security architecture will also change greatly: users all work from intelligent devices, all data are stored in the cloud, all information is kept centrally, and ensuring its safe use depends on big data analysis and machine learning modeling. Using the collection, processing and analysis of big data as the driver to help an enterprise automatically detect, in real time, the internal and external security threats to its data that are occurring or about to occur, to improve the efficiency of handling security events, and to protect the enterprise's information assets to the greatest extent, is therefore the future development trend.
An earlier patent, "Method and platform for managing and controlling data security in the information center of Guangdong Power Grid Co., Ltd." by Zhonghuan, Qianyang, Chenruizhong and others, proposes the following steps: (S1) divide the data according to data category and security level; (S2) according to the division result, assign the corresponding security protection tools (data encryption, identity authentication, access control, security auditing, tracking and evidence collection) and carry out security protection; (S3) collect and normalize the log information generated by the security protection tools to build a security view of the full data life cycle.
That patent and its solution have significant limitations: (1) the method targets a specific unit and a specific system for security control, i.e. an information system whose data change little and whose data attributes, categories and security levels are easy to define; (2) the main purpose of dividing data by category and security level is protection, and the security view is built mainly from security logs; (3) traditional means such as encryption are difficult to apply to data security protection on an open public platform.
Enterprises hope to find new development opportunities in the new normal by means of emerging technologies such as mobile, cloud computing and big data. Yet while they pursue rapid growth they are plagued by security problems, in particular by more covert attacks (APT attacks and the like) that are more threatening than viruses or trojans. Traditional firewalls, antivirus software and IDSs have difficulty discovering such threats, especially abnormal access to and theft of core resources by insiders. Today many in the industry recognize this problem and have begun to look for new solutions.
The arrival of the big data era has led many industries to discover the enormous intrinsic value of data: it can reveal new trends that traditional means cannot, such as a deep understanding of consumer behavior, advertising effectiveness and business trends, although benchmark cases in the enterprise IT market are still few. As the value of data rises, security incidents against data are rising rapidly too. In 2014 alone, many data attack and leakage incidents occurred worldwide, such as the breach affecting 76 million JPMorgan customers, the breach affecting 56 million Home Depot customers, and the leak of user information at a portable network; such attack events have made people recognize the importance of data security protection more clearly. Some enterprises have begun research in this area, for example the above-mentioned method and platform for managing and controlling data security in the information center of Guangdong Power Grid Co., Ltd. by Zhonghuan, Qianyang, Chenruizhong and others; but such inventions suit only specific environments and are hard to adapt to data security protection in a public information platform, mainly for the following reasons:
1. Precautionary measures such as encryption are not feasible for the data security of an open platform: they impose great system overhead, degrade the user experience, and key management for users is difficult in an open environment. Replacing traditional means such as encryption with monitoring is therefore an effective way to protect data security on the open big data platforms of the future;
2. Identifying data categories is difficult in public information platforms (such as smart city information processing platforms), so the classification-and-grading idea of the existing method is hard to implement there;
3. In a public information platform the data volume is very large and changes frequently, and the existing algorithms are hard to run in real time;
4. In the existing method, data classification and grading are mainly applied to fine-grained protection of data and rarely to identifying anomalous access to the data;
5. At present the main method of monitoring data security anomalies is to analyze anomalies from logs; correlation analysis across data access behavior, business operations, logs and so on is rarely performed, so complex attacks such as APT are hard to identify accurately.
Data are the core asset and key protected object of public information platforms such as smart city information processing platforms. The method adopts an abnormal behavior monitoring approach, building a data security abnormal behavior monitoring system to prevent data loss. The following technical problems need to be solved:
1) In an open public information platform the data volume is very large and constantly changing; quickly judging whether a user's access behavior is abnormal is very difficult;
2) In a big data environment the security attribute of some data is explicit while that of other data is implicit (for example, a single record is non-sensitive, but the aggregation of several records becomes sensitive); identifying implicitly sensitive data and preventing its leakage is also a hard problem in monitoring big data security anomalies;
3) Identifying and preventing APT attacks is a current problem of information security, and how to identify APT attacks against data with big data analysis is also a problem this patent seeks to solve.
Disclosure of Invention
The invention provides a method and system for monitoring data security anomalies in a public information platform, which analyzes the operation behavior on data level by level and mines abnormal behavior on the data progressively and in depth.
The technical scheme of the invention is as follows. A data security anomaly monitoring method and system in a public information platform comprises a data layer responsible for data acquisition, an analysis layer performing three-level data analysis, and a display layer performing visual display and threat prediction. Data acquisition in the data layer is a multi-source data acquisition method, specifically: (a) bypass-splitting the operation behavior on data and performing protocol analysis to obtain behavior data; (b) acquiring system logs, device logs, application logs, database logs and the like; (c) simultaneously collecting intranet security log information. The analysis layer analyzes the data at different granularities in a three-level analysis mode. The display layer mainly uses visualization technology to display security threats visually, helping decision makers grasp the security threat trend and the dynamic state of the system, while an operator can also learn specific details through a multi-level drop-down form.
Preferably, in the multi-source data acquisition method the device collecting logs is a log collection server, which mainly collects through the Syslog4j and JDBC interfaces and additionally performs log normalization, audit object management and log query tasks.
Preferably, the three-level data analysis comprises: (d) rapidly detecting whether an access behavior is abnormal with a rule-based streaming-data anomaly detection method; (e) performing correlation analysis on the operation data to prevent implicitly sensitive data from leaking; (f) deeply fusing historical and current data and mining whether attack patterns such as APT (advanced persistent threat) are present.
Preferably, step (d) adopts a fast clustering method based on streaming data, divided into three modules: fast calculation, data concept drift detection and clustering. The fast calculation module first filters the stream data, then extracts data features, and finally clusters the data quickly. The data concept drift detection module analyzes and detects concept drift in the data: by performing the relevant calculations on the intermediate data provided by the fast calculation layer it judges whether the data have drifted, and if so it triggers the clustering operation of the clustering layer and provides the corresponding data parameters. The clustering module is the core module that performs clustering in the framework and is a passively triggered module: only when triggered does it perform refined, formal clustering using the previous intermediate results and the related parameter information, returning a suitable clustering result afterwards.
Preferably, in step (e), deep fusion analysis is performed on the related data to mine whether implicit privacy leakage exists in the system; if an implicit sensitive leakage path exists, the sensitive data on that path are anonymized to prevent the leak. A local martingale difference method is used to discover the emergence of implicit sensitivity, and by defining a stopping time on the stochastic process the problems of identifying and controlling implicit sensitivity in large-scale data are solved within finite time; when implicit sensitive information is detected to be leaking from the system, it is anonymized so that it cannot leak again.
Preferably, the visual display specifically includes extracting, analyzing and computing statistics from data such as logs and operation behaviors, computing attributes of the data according to a given algorithm, displaying them, and adjusting the display model in various ways according to the user's parameter settings so that detailed information about the network data can be found; the visual display subsystem is divided into four modules: a data extraction and statistics module, a node coordinate calculation module, a graph display module and a parameter adjustment module.
Preferably, the data statistics module performs preliminary statistical analysis on the raw data and stores it in a hash table whose key is a character string composed of the source IP, the operating subject, the evidence chain and the operation time; these four items together form a new element inserted into the hash table, and each element is a node of the later graphical representation, representing an operation relationship between evidence chains. The value corresponding to the key represents the total amount of data in the connection's communication activity.
Preferably, the node coordinate calculation module uses the IP address, the behavior subject and the evidence chain as the factors of the coordinate calculation.
Preferably, the threat prediction analysis mainly uses a situation prediction algorithm based on time series analysis; time series analysis is the theory and method of building a mathematical model by curve fitting and parameter estimation from the time series data obtained by observing the system. The method exploits the respective strengths of the first-order grey prediction model GM(1,1), the ARMA model and the Holt-Winters model to predict threats separately, then compares and fuses the three predicted values.
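As an added example, not the patent's code, of the prediction-and-fusion step: GM(1,1) and additive Holt-Winters forecasts of a constructed daily alert count, weighted by their inverse error on a holdout tail. ARMA is omitted because fitting it needs a statistics library, and the inverse-error weighting is an assumption, since the patent does not state its fusion rule.

```python
import math

def gm11_forecast(x0, steps):
    """Grey GM(1,1): fit the whitening equation dx1/dt + a*x1 = b on the
    accumulated series x1 by least squares, then forecast `steps` values of x0.
    Needs a positive, non-constant series (a == 0 would divide by zero)."""
    n = len(x0)
    x1 = [sum(x0[:i + 1]) for i in range(n)]
    z = [0.5 * (x1[i] + x1[i - 1]) for i in range(1, n)]  # background values
    y, m = x0[1:], n - 1
    szz, sz, sy = sum(v * v for v in z), sum(z), sum(y)
    szy = sum(v * w for v, w in zip(z, y))
    det = szz * m - sz * sz  # det(B^T B) with B = [[-z_k, 1]], Y = [x0_k]
    a = (-m * szy + sz * sy) / det
    b = (-sz * szy + szz * sy) / det
    x1_hat = lambda k: (x0[0] - b / a) * math.exp(-a * (k - 1)) + b / a  # k is 1-based
    return [x1_hat(n + h) - x1_hat(n + h - 1) for h in range(1, steps + 1)]

def holt_winters_forecast(x, season, steps, alpha=0.5, beta=0.3, gamma=0.4):
    """Additive Holt-Winters (level, trend, seasonal); the first two seasons
    initialise level, trend and the seasonal indices. Needs len(x) >= 2*season."""
    m = season
    level = sum(x[:m]) / m
    trend = (sum(x[m:2 * m]) / m - level) / m
    seasonal = [v - level for v in x[:m]]
    for t in range(m, len(x)):
        s_old = seasonal[t - m]
        new_level = alpha * (x[t] - s_old) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal.append(gamma * (x[t] - new_level) + (1 - gamma) * s_old)
        level = new_level
    n = len(x)
    return [level + h * trend + seasonal[n - m + (h - 1) % m] for h in range(1, steps + 1)]

def fuse_forecasts(x, season, steps, holdout=2):
    """Compare the models on a holdout tail, weight each by inverse holdout MAE
    (assumed fusion rule), then forecast from the full series."""
    train, tail = x[:-holdout], x[-holdout:]
    models = {"GM(1,1)": lambda s, h: gm11_forecast(s, h),
              "Holt-Winters": lambda s, h: holt_winters_forecast(s, season, h)}
    weights = {}
    for name, fn in models.items():
        mae = sum(abs(p - t) for p, t in zip(fn(train, holdout), tail)) / holdout
        weights[name] = 1.0 / (mae + 1e-9)
    total = sum(weights.values())
    weights = {name: w / total for name, w in weights.items()}
    single = {name: fn(x, steps) for name, fn in models.items()}
    fused = [sum(weights[name] * single[name][i] for name in single) for i in range(steps)]
    return fused, single, weights

# Constructed sample: three weeks of daily anomaly-alert counts with a weekly
# pattern (quiet weekends) and a mild upward trend.
SAMPLE_ALERTS = [12, 15, 14, 18, 20, 9, 8,
                 14, 17, 16, 20, 22, 10, 9,
                 16, 19, 18, 23, 25, 12, 11]

def demo(steps=7):
    """Fused one-week forecast plus the single-model forecasts and their weights."""
    return fuse_forecasts(SAMPLE_ALERTS, 7, steps)
```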
Compared with the prior art, the invention has the following advantages. A three-level analysis mode is adopted to analyze the operation behavior on data level by level and mine abnormal behavior progressively and in depth, namely: (a) rapidly discovering and blocking dangerous behavior; (b) continuously tracking and deeply analyzing suspicious behavior; (c) mining whether APT attack behavior exists in the historical multi-source data. A streaming clustering method is adopted, meeting the real-time clustering requirement of data in an open big data environment. σ-algebra and martingale theory are used to solve the problem of discovering implicit privacy relationships.
"Intelligence" and "visualization" are the highlights of data security anomaly monitoring, and are also what the information security authorities of public platforms such as smart cities care about most. Unlike the simple information summaries of traditional security information management systems, the system can present an overall, real-time security and compliance situation to the top decision-making level of an enterprise. Through data visualization a decision maker can easily grasp key trends and dynamics, and a specific operator can also learn specific details through a multi-level drop-down form.
In actual use, data are acquired through Syslog, bypass monitoring, trigger forwarding and the like installed on the database, and stored on a data acquisition server, which provides data collection, data normalization, audit object management, data query and similar services: on the one hand, the collected raw data are stored in a database, the normalized data are sent to the sub-management control center through ActiveMQ, and a query service over the raw data is provided; on the other hand, ActiveMQ is also used to receive management commands from the audit management center (status collection and query, service start and stop, configuration of audit objects, etc.), and to secure remote authorized access to the service, certificate-based encryption and authentication are adopted.
The management center processes, analyzes and displays the acquired data in a clustered mode. The system uses a B/S architecture: different personnel can query, process and analyze the data through IE or other browsers, and the responsible managers can also view graphical displays, see the security state of the data at a glance, perceive the development of data security, and dispose of a security event promptly when it occurs.
Drawings
FIG. 1 is a data security anomaly monitoring system architecture in a public information platform of the present invention;
FIG. 2 is a block diagram of the data acquisition of the present invention;
FIG. 3 is a diagram of a fast clustering framework for data streams according to the present invention;
FIG. 4 is a flow chart of the system operation of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Embodiment: referring to FIGS. 1, 2, 3 and 4,
the data security anomaly monitoring system framework in the public information platform is built on the idea of "three-level analysis and detection", analyzing in different ways, according to the scenario, whether abnormal behavior exists in the system. The framework is shown in FIG. 1:
the system is divided into a data layer, an analysis layer and a display layer. The basic data mainly come from: (1) bypass-splitting the operation behavior on data and performing protocol analysis to obtain behavior data; (2) acquiring system logs, device logs, application logs, database logs and the like; (3) simultaneously acquiring intranet security log information. The analysis layer analyzes the data at different granularities in a three-level analysis mode. The display layer mainly uses visualization technology to display security threats visually, helping decision makers grasp the security threat trend and the dynamic state of the system, while an operator can also learn specific details through a multi-level drop-down form. The key technologies of each layer are described below.
1) Multi-source data acquisition method
As shown in FIG. 2, the log collection server mainly performs log collection (through the Syslog4j and JDBC interfaces), log normalization, audit object management and log query tasks: on the one hand, the collected raw logs are stored in a database, the normalized logs are sent to the sub-management control center through ActiveMQ, and a query service over the raw logs is provided; on the other hand, ActiveMQ is also used to receive management commands from the audit management center (status collection and query, service start and stop, configuration of audit objects, etc.), and to secure remote authorized access to the service, certificate-based encryption and authentication are adopted.
For management and service access operations on the database, a DDL trigger actively monitors the execution of DDL statements: when DDL is executed on the database the trigger fires, the information is stored in a table, the HostName of the operating user and the modifying T-SQL are sent to the log collection server, and after the T-SQL statements are parsed they are sent on to the sub-management control center through ActiveMQ.
2) Three-level data analysis
(1) First, a rule-based streaming-data anomaly detection method is used to rapidly detect whether an access behavior is abnormal.
Because of the spread of cloud computing, the Internet of Things and mobile terminals, the data in a public information platform are massive and change dynamically. When defining the access rules of users/processes to data, specific data therefore cannot be defined precisely; access rules can only be defined on the security level of a data class, and accurately and rapidly aggregating data into a data class is the key to analyzing whether a behavior is abnormal. The method is based on fast clustering of streaming data and comprises three modules: fast calculation, data concept drift detection and clustering. The data concept drift detection module detects whether the data have drifted; when drift occurs, the clustering module clusters the rapidly calculated data, otherwise the data classes are left unchanged. When a user accesses data, the user behavior anomaly detection module is triggered and analyzes, according to the access control rules, whether the user is authorized to access that data class. The fast clustering framework for streaming data is shown in FIG. 3.
Fast calculation module: this module processes the data stream quickly and simply, producing intermediate results for the subsequent processing of the other modules. The fast-processing scheme is: first filter the stream data, then extract data features, and finally cluster the data quickly. Filtering reduces the amount of data in the stream: since in a public information platform most data are public data of the lowest security level, they can be classified directly without taking part in the clustering operation. Feature extraction works on the extracted features rather than the raw data, reducing the storage needed per record and thus the pressure on space, and improving the clustering effect. Finally the data are classified into different categories according to their security features.
Data concept drift detection module: this module analyzes and detects concept drift in the data. The relevant calculations are performed on the intermediate data provided by the fast calculation layer to judge whether the data have drifted, and if so the clustering operation of the clustering layer is triggered and the corresponding data parameters are supplied. Concept drift means that the new data set has shifted from the original data set in some characteristics, so that the earlier and later data sets exhibit different meanings or characteristics. The method focuses mainly on the evolution of cluster information between the earlier and later clusterings: the drift of the data concept is evaluated from the angle of cluster evolution, and if the number of clusters that appear or disappear exceeds a specific threshold, or the new data set is too dispersed, the data concept is considered to have drifted significantly. To describe drift better, its degree is divided into six levels {L | L = 0, 1, ..., 5}; a higher level indicates a greater degree of concept drift, and vice versa.
Clustering module: the core module that performs clustering in the framework, and a passively triggered module. Only when necessary (i.e. when triggered) does it perform refined, formal clustering using the previous intermediate results and the related parameter information, returning a suitable clustering result afterwards.
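As an added illustration (not code from the patent) of the three modules above and of step (d) in the summary: a fast-calculation pass that filters public records, extracts features and assigns each record to its nearest class centroid; a drift detector that scores vanished clusters, unexplained points and dispersion on the 0..5 scale; a passively triggered re-clustering; and the rule-based access check of a subject's clearance against the class level. The feature scaling, the level rule and the drift-scoring thresholds are assumptions, and the records are constructed.

```python
import math

PUBLIC_LEVEL = 0  # lowest security level: filtered out, never clustered

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def level_of(centroid):
    # assumed rule: mean of the [0,1] features, bucketed into levels 1..3
    return min(3, 1 + int(sum(centroid) / len(centroid) * 3))

def extract(raw):
    """Filtering plus feature extraction: None for public data (no sensitive fields),
    else constructed features: capped counts of PII/financial fields scaled to [0,1]."""
    if raw["pii_fields"] == 0 and raw["finance_fields"] == 0:
        return None
    return (min(raw["pii_fields"], 10) / 10, min(raw["finance_fields"], 10) / 10)

class FastCalc:
    """Fast calculation module: nearest-centroid assignment over feature vectors;
    keeps only features and per-window intermediates, never the raw records."""
    def __init__(self, centroids, far=0.35):
        self.centroids, self.far, self.buffer = list(centroids), far, []
        self.reset_window()
    def reset_window(self):
        self.counts, self.dists, self.far_points = {}, [], 0
    def nearest(self, feats):
        return min(((i, distance(feats, c)) for i, c in enumerate(self.centroids)),
                   key=lambda t: t[1])
    def process(self, raw):
        feats = extract(raw)
        if feats is None:
            return  # public data is classified directly, no clustering
        self.buffer.append(feats)
        idx, d = self.nearest(feats)
        self.counts[idx] = self.counts.get(idx, 0) + 1
        self.dists.append(d)
        self.far_points += int(d > self.far)  # no existing class explains the point well
    def classify(self, raw):
        feats = extract(raw)
        if feats is None:
            return PUBLIC_LEVEL
        return level_of(self.centroids[self.nearest(feats)[0]])

class DriftDetector:
    """Rates concept drift 0..5 from vanished clusters, unexplained points and
    dispersion (assumed scoring; the patent gives only the scale and the criteria)."""
    def __init__(self, fast, trigger_level=3):
        self.fast, self.trigger_level = fast, trigger_level
    def drift_level(self):
        f, n = self.fast, len(self.fast.dists)
        if n == 0:
            return 0
        vanished = sum(1 for i in range(len(f.centroids)) if f.counts.get(i, 0) == 0)
        new_ratio, dispersion = f.far_points / n, sum(f.dists) / n
        level = min(2, vanished)
        level += 2 if new_ratio > 0.3 else 1 if new_ratio > 0.1 else 0
        level += 1 if dispersion > 0.25 else 0
        return min(5, level)
    def triggered(self):
        return self.drift_level() >= self.trigger_level

def recluster(fast, rounds=10):
    """Clustering module, passive: called only when triggered. Seeds k-means with the
    previous centroids plus the farthest unexplained point so a new class can appear."""
    cents = list(fast.centroids)
    if fast.far_points:
        cents.append(max(fast.buffer, key=lambda p: min(distance(p, c) for c in cents)))
    for _ in range(rounds):
        groups = [[] for _ in cents]
        for p in fast.buffer:
            groups[min(range(len(cents)), key=lambda i: distance(p, cents[i]))].append(p)
        cents = [tuple(sum(v) / len(g) for v in zip(*g)) if g else cents[i]
                 for i, g in enumerate(groups)]
    return cents

def run_stream(windows, centroids):
    """Per window: fast calculation, drift check, re-clustering if triggered, then the
    rule-based access check clearance >= class level. Returns decisions, drift, centroids."""
    fast = FastCalc(centroids)
    detector, decisions, drift = DriftDetector(fast), [], []
    for window in windows:
        fast.reset_window()
        for r in window:
            fast.process(r)
        drift.append(detector.drift_level())
        if detector.triggered():
            fast.centroids = recluster(fast)
        for r in window:
            lvl = fast.classify(r)
            decisions.append((r["user"], lvl, r["clearance"] >= lvl))
    return decisions, drift, fast.centroids

def rec(user, clearance, pii, fin):
    return {"user": user, "clearance": clearance, "pii_fields": pii, "finance_fields": fin}

# Constructed stream: window 1 matches the two known classes (plus public records);
# window 2 brings a new kind of data (many PII fields, no finance fields).
SAMPLE_WINDOWS = [
    [rec("alice", 1, 1, 1)] * 5 + [rec("bob", 3, 9, 9)] * 5 + [rec("carol", 1, 0, 0)] * 3,
    [rec("alice", 1, 9, 1)] * 10,
]
INITIAL_CENTROIDS = [(0.1, 0.1), (0.9, 0.9)]  # levels 1 and 3 under level_of
```

In the second window the new data would be filed under the level-1 class by nearest-centroid assignment alone; the drift score of 4 triggers re-clustering, a third class of level 2 appears, and alice's clearance-1 access is then refused.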
In a big data environment the density-based clustering algorithm OPTICS is adopted. Its idea is to group points into one class when the density of points in a region exceeds a certain threshold, which gives density-based clustering a strong ability to find outlier noise points. An ordinary clustering algorithm yields one specific partition under fixed parameters; OPTICS instead produces an ordering that contains all possible partitions for a whole interval of the neighborhood-radius parameter ε, and for every point in the ordering it records two attributes under that parameter interval, the core distance and the reachability distance. From this ordering the partition of the data points for any radius ε' ≤ ε can easily be derived. OPTICS has two very important features: it resists interference from outlier noise (it can find the outlier noise points) and it is insensitive to the initial parameters.
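As an added example (not the patent's code), a compact OPTICS in Python: it builds the cluster ordering with core and reachability distances for a radius ε, then extracts the partition for any ε' ≤ ε from that one ordering, labelling the isolated point as noise. The points and parameters are constructed.

```python
import math

UNDEFINED = math.inf  # reachability / core distance not defined within eps

def optics(points, eps, min_pts):
    """Cluster-ordering of `points` (tuples) with neighborhood radius eps.
    min_pts counts the point itself, so the core distance of p is the distance
    to its (min_pts - 1)-th nearest other point within eps, else UNDEFINED.
    Returns (order, reachability, core_distance), the latter two indexed by point."""
    n = len(points)
    reach, core, done, order = [UNDEFINED] * n, [UNDEFINED] * n, [False] * n, []

    def neighbors(i):
        return [j for j in range(n) if j != i and math.dist(points[i], points[j]) <= eps]

    def core_distance(i, nbrs):
        ds = sorted(math.dist(points[i], points[j]) for j in nbrs)
        return ds[min_pts - 2] if len(ds) >= min_pts - 1 else UNDEFINED

    def update(i, nbrs, seeds):
        # reachability of a neighbor from i is max(core(i), dist(i, o)); keep the smallest
        for o in nbrs:
            if not done[o]:
                new = max(core[i], math.dist(points[i], points[o]))
                if new < reach[o]:
                    reach[o] = seeds[o] = new

    for p in range(n):
        if done[p]:
            continue
        nbrs = neighbors(p)
        done[p], core[p] = True, core_distance(p, nbrs)
        order.append(p)
        if core[p] == UNDEFINED:
            continue  # not a core point; it may still be reached from another one
        seeds = {}
        update(p, nbrs, seeds)
        while seeds:
            q = min(seeds, key=seeds.get)  # next point by smallest reachability
            del seeds[q]
            nbrs_q = neighbors(q)
            done[q], core[q] = True, core_distance(q, nbrs_q)
            order.append(q)
            if core[q] != UNDEFINED:
                update(q, nbrs_q, seeds)
    return order, reach, core

def extract_clusters(order, reach, core, eps2):
    """DBSCAN-style extraction from one ordering for any eps2 <= eps:
    one label per point, -1 meaning outlier noise."""
    labels, cluster = [-1] * len(order), -1
    for p in order:
        if reach[p] > eps2:          # not reachable from the current cluster
            if core[p] <= eps2:      # but dense enough to start a new one
                cluster += 1
                labels[p] = cluster
        else:
            labels[p] = cluster
    return labels

# Constructed sample: two tight groups and one isolated outlier.
SAMPLE_POINTS = [(0, 0), (0, 1), (1, 0), (1, 1), (5, 5),
                 (10, 10), (10, 11), (11, 10), (11, 11)]

def demo(eps=2.0, min_pts=3):
    order, reach, core = optics(SAMPLE_POINTS, eps, min_pts)
    # the same ordering answers several radii without re-running the clustering
    return {eps2: extract_clusters(order, reach, core, eps2) for eps2 in (1.5, 0.5)}
```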
(2) Second, correlation analysis of the operation data to prevent leakage of hidden sensitive data.
In further background analysis, the related data are subjected to deep fusion analysis to mine whether hidden privacy leakage occurs in the system; if a hidden sensitive leakage path exists, the sensitive data in that path are anonymized to prevent hidden sensitive leakage. The method adopts the local martingale difference method to discover the occurrence of hidden sensitivity and, by defining a stochastic process with a finite stopping time, solves the problems of hidden-sensitivity discrimination and control optimization for large-scale data within limited time. When hidden sensitive information leakage is detected in the system, the hidden sensitive information is anonymized to prevent it from being leaked again.
Taking personal information as an example, let $(\Omega, \mathcal{A}, P)$ denote a probability space, where $\Omega$ is the sample space, $\mathcal{A}$ is the σ-field on $\Omega$ and $P$ is the probability measure on $\mathcal{A}$. In this problem $\Omega$ represents the population, $\mathcal{A}$ the subsets of the population and $P$ the measure on those subsets.
A discrete filtration is defined as an increasing family of σ-fields on $\Omega$, $F = \{F_n\}_{n \in \mathbb{Z}_+}$ with $F_n \subseteq F_{n+1} \subseteq \mathcal{A}$. In this problem anonymization is applied to the public information, and a natural discrete filtration is formed as the anonymization strength is reduced.
A stochastic process $X$ is called F-adapted if $X_n$ is $F_n$-measurable for all $n \in \mathbb{Z}_+$, i.e. $X_n$ depends only on the information available at step $n$. In this problem, secrecy and information volume under the different anonymization methods both constitute F-adapted stochastic processes.
A random time $N \in \mathbb{Z}_+ \cup \{\infty\}$ is called an F-stopping time if $\{N \le n\} \in F_n$ for all $n \in \mathbb{Z}_+$, i.e. if the process $1(N \le n)$ is F-adapted.
The specific method comprises the following steps:
First, design an anonymization process $A_n$ with decreasing strength, forming the discrete filtration F.
For the fully anonymous approach, which constitutes the first term $F_1$ of the discrete filtration F, the σ-field contains only the two trivial elements, the empty set and the whole set, with measures 0 and 1, so any random variable measurable with respect to it is trivial (constant). As the public information is opened up, the degree of anonymization decreases, the σ-field grows continually, the measure is refined continually, the corresponding information amount increases gradually and secrecy weakens gradually, forming the discrete filtration on the public information.
In particular, the discrete filtration grows faster when public information from different domains and departments is cross-referenced. For example, a piece of public information with 20 attributes has a σ-field cardinality (loosely, the number of elements of the collection) of …, where … is the cardinality of the value range of the i-th attribute. When 5 items of public information about the same object class from different fields are fused, the cardinality of the σ-field for that object class rises to the 5th power of the previous expression, the information amount increases 5-fold, and secrecy falls sharply.
Second, construct a stochastic process X that measures secrecy, and prove that it is F-adapted.
Starting from the high secrecy of the "closed" state, i.e. zero information content, anonymity can be reduced gradually and openness raised according to different "open strategies". For these open strategies, a stochastic process is given to measure the reasonable degree of secrecy, as follows:
(a) The secrecy of an isolated, partially opened item of public information is the measure of the set of records having the same (released) attributes. When this measure is too small, the subject of the information is already exposed, even though some of its information remains undisclosed.
(b) The secrecy of partially opened public information that will be fused with other information is the expectation of the measure of the sets of records having the same attributes after fusion. When this expectation is too small, the information has a high probability of being exposed through fusion, i.e. "implicit" leakage, even though no "explicit" leakage has occurred.
Since (a) is deterministic, the key to the problem is the second, random process. Its F-adaptedness must be demonstrated (to ensure it is measurable), and the theoretical derivation and algorithm for the expectation of this measure then follow.
Third, optimize the privacy-protection stopping-time strategy with the local martingale method.
The martingale property is a focus of analysis for a stochastic process, particularly under a discrete filtration, and is also the bridge to a stopping-time strategy. Earlier work in this project has demonstrated a partial supermartingale property in information service selection. Here, the martingale properties of secrecy and of information volume under the discrete filtration induced by the above open policy are studied further.
Based on the martingale property (or partial martingale property), and in particular the supermartingale property of the information volume, the local martingale method derived in the previous work can minimize the random time N (the stopping time), thereby maximizing the information volume under privacy-preserving conditions. The local martingale difference method achieves an optimal or near-optimal solution.
Fourth, for the singular case, give the optimal strategy by a fractal fitting method.
The stochastic-process method mainly suits public information with a conventional distribution, such as a probability measure following a normal distribution, data generation following a Poisson distribution, or request response time following an exponential distribution. For the singular case (aggregation, self-similarity and scale independence), the expectation computed by the stochastic-process method may deviate greatly from the actual situation.
The fractal method is adopted for this case and comprises the following steps:
(a) perform pattern recognition on the aggregation, self-similarity and scale independence of the public information, to determine whether a fractal approach is applicable;
(b) for the scale-independent interval, calculate the main fractal parameters, such as the fractal dimension;
(c) solve for the fitting parameters conforming to the fractal distribution characteristics from the system of equations formed by the overall distribution and the fractal dimension;
(d) construct a distribution model from the fitting parameters, and calculate the corresponding expected values used to measure an open strategy and to compute the optimal stopping time.
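Steps one to three above (the filtration produced by decreasing anonymization, the two secrecy measures, and a stopping rule on them), as an added Python example that is not the patent's own method: release levels that reveal one more quasi-identifier at a time, the isolated secrecy (smallest equivalence class of the released attributes), the fused secrecy (expected class size after joining with a second public release) and a greedy stopping rule at threshold k. The martingale optimization and the fractal step four are not reproduced; the population, attributes and release schedule are constructed.

```python
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed population. Each person appears in two public releases:
# release A exposes quasi-identifiers (age, zip), release B exposes gender.
PEOPLE: List[Dict] = [
    {"id": 1, "age": 23, "zip": "10001", "gender": "F"},
    {"id": 2, "age": 27, "zip": "10002", "gender": "M"},
    {"id": 3, "age": 31, "zip": "10003", "gender": "F"},
    {"id": 4, "age": 35, "zip": "10101", "gender": "M"},
    {"id": 5, "age": 38, "zip": "10102", "gender": "F"},
    {"id": 6, "age": 42, "zip": "20001", "gender": "M"},
    {"id": 7, "age": 45, "zip": "20002", "gender": "F"},
    {"id": 8, "age": 49, "zip": "20003", "gender": "M"},
]

MAX_LEVEL = 5  # assumed number of anonymization levels A_0 .. A_5


def release_key(p: Dict, level: int) -> Tuple:
    """Attributes of A visible at anonymization level `level`.

    Level 0 suppresses everything (the trivial sigma-field F_1 of the text);
    each later level releases one more detail, so the partition refines and
    the sigma-fields grow: this is the discrete filtration.
    """
    key: List = []
    if level >= 1:
        key.append(p["zip"][:2])
    if level >= 2:
        key.append(p["age"] // 10)
    if level >= 3:
        key.append(p["zip"][:3])
    if level >= 4:
        key.append(p["zip"])
    if level >= 5:
        key.append(p["age"])
    return tuple(key)


def class_sizes(people: List[Dict], keyfn: Callable[[Dict], Tuple]) -> List[int]:
    """Size of the equivalence class (records sharing the same key) of each record."""
    counts = Counter(keyfn(p) for p in people)
    return [counts[keyfn(p)] for p in people]


def isolated_secrecy(people: List[Dict], level: int) -> int:
    """Measure (a): smallest class of records with identical released attributes."""
    return min(class_sizes(people, lambda p: release_key(p, level)))


def fused_secrecy(people: List[Dict], level: int) -> float:
    """Measure (b): expected class size once release A is joined with release B."""
    sizes = class_sizes(people, lambda p: release_key(p, level) + (p["gender"],))
    return sum(sizes) / len(sizes)


def secrecy_process(people: List[Dict]) -> List[Tuple[int, float]]:
    """X_n for n = 0..MAX_LEVEL: (isolated, fused) secrecy at each level."""
    return [(isolated_secrecy(people, n), fused_secrecy(people, n))
            for n in range(MAX_LEVEL + 1)]


def stopping_level(people: List[Dict], k: int) -> Optional[int]:
    """Largest openness level at which both secrecy measures stay >= k.

    Classes only shrink as n grows, so whether to stop at level n is decided
    from the measures up to n alone; that is what makes N a stopping time.
    Returns None if even full anonymization fails the threshold.
    """
    best = None
    for n, (iso, fused) in enumerate(secrecy_process(people)):
        if iso < k or fused < k:
            break
        best = n
    return best


if __name__ == "__main__":
    for n, x in enumerate(secrecy_process(PEOPLE)):
        print(f"level {n}: isolated={x[0]} fused={x[1]:.2f}")
    print("stop at level", stopping_level(PEOPLE, k=2))
```

The example shows the "implicit leakage" effect of the text: at level 1 the isolated measure still equals 3, but the expected class size after fusion with release B has already dropped to 2.25, and one level later the fused measure falls below k = 2 while the isolated measure does not.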
(3) Finally, deep fusion of the historical data with the current data, mining deeply whether attack patterns such as APT (advanced persistent threat) are present.
The patent detects abnormal behaviour patterns and hidden threats by machine learning and algorithmic analysis of large volumes of historical log information and behaviour data, determining whether an external APT attack or an internal leak by personnel is present. By filtering and analyzing large, complex data sets, the latest changes in security threats are covered. Meanwhile, the system creates multi-layer dashboards and reports, so that the decision layer, the management layer and front-line operation and maintenance staff can each monitor the latest security situation from their own perspective and continuously learn and improve.
3) Visual display
Network security information visualization differs from the traditional way of analyzing log data; visualization has brought a revolution in research methods. Visualization of network security information not only handles massive data volumes effectively, but also displays attacks and anomalies clearly through graphics, and can even give early warning of potential threats in the network. With the spread of networks in recent years, attack forms have become diverse and hard to detect; an APT attack, for example, is long-term and highly concealed. Visualization is essential when analyzing complex data, and is a means of discovering relationships between data and whether an APT attack exists.
According to the method, data such as logs and operation behaviors are extracted, analyzed and counted, the attribute of the graphic element is calculated according to a certain algorithm principle, then the graphic element is displayed, and various adjustments can be performed on the effect of a display model by combining with parameter adjustment of a user so as to discover detailed information of network data.
The visual display subsystem is divided into four modules which are respectively: the system comprises a data extraction and statistics module, a node coordinate calculation module, a graph display module and a parameter adjustment module.
Data extraction and statistics module
The data statistics module performs a preliminary statistical analysis of the original data and stores it in a hash table. The key in the hash table is a character string composed of four items: the source IP, the operating subject, the evidence chain and the operation time. These four items form a new element that is inserted into the hash table; each element is a node in the later graphical representation and expresses the operation relation between evidence chains. The value corresponding to the key is the total amount of data in the connection's communication activity.
Node coordinate calculation module
Since the final purpose is to draw a graph representing how the evidence chain of an APT attack changes, calculating the node coordinates is the most important preparatory work and the basic condition and algorithm for ensuring the effectiveness and efficiency of the visualization model display. The patent uses the IP address, the behaviour body and the evidence chain as the factors for the IP address calculation.
Graph display module
After node calculation is complete, all node coordinates and other related information needed for drawing are held in the program, and the drawing work is handed to the graph display module. The graph display module takes no part in calculating any node, so the two tasks are completely independent, which eases the logical division and later modification and updating.
Parameter adjustment module
From the perspective of the core structure of the visualization model, parameter adjustment lies outside the algorithm and display. Many parameters are encountered while the model runs; they are fixed but adjustable, and a change of parameters causes the displayed result to be redrawn and, of course, the screening conditions to change.
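The statistics and parameter-adjustment modules described above, as an added Python example that is not the patent's code: it parses constructed audit lines into the composite key (source IP, subject, evidence chain, operation time bucketed to the hour), accumulates the data volume per key in a hash table, derives the edges linking consecutive evidence-chain steps of the same actor, and applies a screening threshold that a user parameter change would re-trigger. The log format and the hourly bucketing are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed audit-line format (constructed for this example)
LOG_RE = re.compile(
    r"(?P<time>\S+) src=(?P<src>\S+) subject=(?P<subject>\S+) "
    r"chain=(?P<chain>\S+) bytes=(?P<bytes>\d+)"
)

SAMPLE_LOGS = [
    "2016-01-13T10:00:01 src=10.0.0.5 subject=alice chain=login bytes=120",
    "2016-01-13T10:05:40 src=10.0.0.5 subject=alice chain=login bytes=80",
    "2016-01-13T11:02:10 src=10.0.0.5 subject=alice chain=export bytes=52000",
    "2016-01-13T11:30:00 src=10.0.0.9 subject=bob chain=login bytes=100",
    "this line is malformed and must be skipped",
]


def node_key(src: str, subject: str, chain: str, time: str) -> str:
    """Composite hash-table key: source IP | subject | evidence chain | hour."""
    return "|".join((src, subject, chain, time[:13]))


def build_node_table(lines: List[str]) -> Dict[str, int]:
    """Data extraction and statistics: total bytes per node key."""
    table: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable audit line: ignored, not counted
        table[node_key(m["src"], m["subject"], m["chain"], m["time"])] += int(m["bytes"])
    return dict(table)


def chain_edges(table: Dict[str, int]) -> List[Tuple[str, str]]:
    """Operation relation between evidence chains: consecutive steps of the
    same (source IP, subject) in time order become directed edges."""
    by_actor: Dict[Tuple[str, str], List[Tuple[str, str]]] = defaultdict(list)
    for key in table:
        src, subject, _chain, hour = key.split("|")
        by_actor[(src, subject)].append((hour, key))
    edges: List[Tuple[str, str]] = []
    for steps in by_actor.values():
        steps.sort()
        edges += [(a[1], b[1]) for a, b in zip(steps, steps[1:])]
    return edges


def filter_table(table: Dict[str, int], min_bytes: int) -> Dict[str, int]:
    """Screening condition driven by the parameter adjustment module."""
    return {k: v for k, v in table.items() if v >= min_bytes}


if __name__ == "__main__":
    t = build_node_table(SAMPLE_LOGS)
    print(t)
    print(chain_edges(t))
    print(filter_table(t, min_bytes=1000))
```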
4) Threat prediction analysis
The method mainly uses a situation prediction algorithm based on time series analysis, where time series analysis is the theory and method of establishing a mathematical model through curve fitting and parameter estimation from time-series data obtained by observing the system. The method exploits the respective advantages of the first-order grey prediction model GM(1,1), the ARMA model and the Holt-Winters model to predict threats separately, then compares and fuses the predicted values of the three methods.
The first-order grey prediction model is simple, easy to implement and fast; no parameter setting or other manual intervention is needed in the prediction process, and the prediction smoothly reflects the development trend of the original sequence, but its drawback is that the prediction cannot reflect factors such as randomness and periodicity. The ARMA model reflects the autocorrelation of the time series, and its prediction reflects the randomness, periodicity and similar factors of the series; its disadvantages are that more manual operations are needed in the prediction process and, since the number of available samples is always limited, the deviation between the prediction and the actual value grows the farther ahead the predicted time point lies. The Holt-Winters model takes into account the trend, randomness, period and season of the time series; its prediction has a small mean square error and performs well in short-term seasonal prediction, but the deviation between the prediction and the actual value grows as the prediction horizon lengthens.
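Two of the three forecasters above and the fusion step, as an added Python example that is not the patent's implementation: a GM(1,1) one-step forecast (accumulated sequence, background values, least-squares fit of the development coefficient a and grey input b, inverse accumulation), an additive Holt-Winters one-step forecast, and a fusion that weights each model by the inverse of its backtest mean absolute error. ARMA is omitted for brevity; the inverse-error weighting, the smoothing constants and the sample series are assumptions, not values given in the patent.

```python
import math
from typing import Callable, List, Sequence


def gm11_forecast(x: Sequence[float]) -> float:
    """One-step-ahead forecast from the first-order grey model GM(1,1)."""
    n = len(x)
    if n < 4:
        raise ValueError("GM(1,1) needs at least 4 observations")
    x1 = [sum(x[:k + 1]) for k in range(n)]             # accumulated generating sequence
    z = [(x1[k] + x1[k - 1]) / 2 for k in range(1, n)]  # background (mean) values
    y = list(x[1:])
    # least-squares fit of y = -a*z + b: slope is -a, intercept is b
    m = len(z)
    sz, sy = sum(z), sum(y)
    szz = sum(v * v for v in z)
    szy = sum(v * w for v, w in zip(z, y))
    slope = (m * szy - sz * sy) / (m * szz - sz * sz)
    b = (sy - slope * sz) / m
    a = -slope
    if abs(a) < 1e-12:
        return b  # degenerate flat series: zero development coefficient, constant increment
    c = x[0] - b / a
    x1_next = c * math.exp(-a * n) + b / a          # time-response function at k = n
    x1_last = c * math.exp(-a * (n - 1)) + b / a
    return x1_next - x1_last                        # inverse accumulation


def holt_winters_additive(x: Sequence[float], m: int,
                          alpha: float = 0.3, beta: float = 0.1, gamma: float = 0.2) -> float:
    """One-step-ahead additive Holt-Winters forecast with season length m."""
    if len(x) < 2 * m:
        raise ValueError("need at least two full seasons")
    level = sum(x[:m]) / m
    trend = (sum(x[m:2 * m]) - sum(x[:m])) / (m * m)   # mean per-step change between seasons 1 and 2
    season = [x[i] - level for i in range(m)]
    for t in range(m, len(x)):
        s = season[t % m]
        new_level = alpha * (x[t] - s) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        season[t % m] = gamma * (x[t] - new_level) + (1 - gamma) * s
        level = new_level
    return level + trend + season[len(x) % m]


Forecaster = Callable[[Sequence[float]], float]


def backtest_mae(forecaster: Forecaster, x: Sequence[float], min_len: int) -> float:
    """Mean absolute one-step error over the rolling cut points min_len..len(x)-1."""
    errs = [abs(forecaster(x[:t]) - x[t]) for t in range(min_len, len(x))]
    return sum(errs) / len(errs)


def fused_forecast(x: Sequence[float], forecasters: List[Forecaster], min_len: int) -> float:
    """Fuse one-step forecasts, weighting each model by its inverse backtest MAE."""
    weights = [1.0 / (backtest_mae(f, x, min_len) + 1e-9) for f in forecasters]
    preds = [f(x) for f in forecasters]
    return sum(w * p for w, p in zip(weights, preds)) / sum(weights)


# Constructed daily alert counts with an assumed period of 4
ALERTS = [12, 15, 20, 14, 13, 16, 22, 15, 14, 18, 24, 16]

if __name__ == "__main__":
    hw4: Forecaster = lambda s: holt_winters_additive(s, 4)
    print("GM(1,1):", gm11_forecast(ALERTS))
    print("Holt-Winters:", hw4(ALERTS))
    print("fused:", fused_forecast(ALERTS, [gm11_forecast, hw4], min_len=8))
```

On a flat series both models agree and the fusion returns the constant; on a purely periodic series the grey model, which cannot express periodicity, is down-weighted against Holt-Winters, which is the behaviour the comparison in the text motivates.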
A three-stage analysis mode is adopted to analyze the data operation behaviour stage by stage and to mine abnormal behaviour deeply and progressively, namely: (a) rapidly discovering and blocking dangerous behaviour; (b) continuously tracking and deeply analyzing suspicious behaviour; (c) mining historical multi-source data for APT attack behaviour. A streaming clustering method meets the real-time clustering requirement of data in an open big-data environment, and σ-algebra and martingale theory are used to solve the problem of discovering implicit privacy relationships.
The workflow is shown in FIG. 4. "Intelligence" and "visualization" are the highlights of data security anomaly monitoring, and are also what the information security authorities of public platforms such as smart cities care about most. Unlike the simple information summaries of traditional security information management systems, the system presents an overall, real-time security and compliance situation to the highest decision-making level of an enterprise. Through data visualization a decision maker can readily grasp key trends and dynamics, and a specific executor can learn the details through multi-layer drop-down forms.
In actual use, data are acquired through Syslog, bypass monitoring, trigger forwarding and the like installed on the database and stored on a data acquisition server, which provides data collection, data standardization, audit object management, data query and similar services: on one hand, the collected raw data are stored in a database, the standardized data are sent to the sub management control centre through ActiveMQ, and a query service for the raw data is provided; on the other hand, ActiveMQ is used to receive management from the audit management centre (including status collection and query, service start and stop, configuration of audit objects and so on), and certificate-based encryption and authentication are adopted to secure remote authorized access to the service.
The management centre processes, analyzes and displays the acquired data in a cluster. The system adopts a B/S (browser/server) architecture: different personnel can query, process and analyze data through IE or other browsers, relevant managers can view graphical displays, intuitively understand the security condition of the data and perceive the development of data security, and when a security event occurs it is handled in time.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (9)
1. A data security abnormity monitoring method and system in a public information platform are characterized in that: the system comprises a data layer responsible for data acquisition, an analysis layer for performing three-level data analysis and a display layer for performing visual display and threat prediction;
the data acquisition of the data layer is a multi-source data acquisition method, which specifically comprises: a. bypass mirroring of the operation behaviour on the data and protocol analysis to obtain behaviour data; b. acquisition of system logs, device logs, application logs, database logs and the like; c. simultaneous collection of intranet security log information;
the analysis layer analyzes the data with different granularities by adopting a three-level analysis mode;
the display layer is mainly used for visually displaying the security threat by using a visualization technology, a decision maker is helped to visually know the security threat trend and the dynamic state of the system, and an executive person can also know specific details through a multi-layer pull-down form.
2. The method and system for monitoring data security anomaly in a public information platform according to claim 1, wherein: in the multi-source data acquisition method, the equipment for collecting the logs is a log acquisition server which mainly uses Syslog4j and JDBC interfaces for collection, and the log acquisition server also performs log standardized processing, audit object management and log query tasks.
3. The method and system for monitoring data security anomaly in a public information platform according to claim 1, wherein: the three-level data analysis comprises: d. rapidly detecting whether access behaviour is abnormal by a rule-based stream data anomaly detection method; e. performing correlation analysis on the operation data to prevent hidden sensitive data from being leaked; f. performing deep fusion on the historical data and the current data, and deeply mining whether attack modes such as APT (advanced persistent threat) are present.
4. The method and system for monitoring data security anomaly in a public information platform according to claim 3, wherein: in the step d, a fast clustering method based on streaming data is adopted and is divided into three modules of fast calculation, data concept drift detection and clustering; the fast calculation module firstly filters data flow data, then extracts data characteristics, and finally fast clusters the data; the data concept drift detection module is responsible for analyzing and detecting concept drift of data, and judges whether the data has concept drift or not by performing related calculation on intermediate data provided by the rapid calculation layer, so as to trigger clustering operation of the clustering layer and provide corresponding data parameters; the clustering module is a core module for processing clustering in the framework and is a passive triggering type clustering module. And only when the trigger is triggered, performing refined formal clustering calculation by using the previous intermediate result and related parameter information, and returning a proper clustering result after clustering is performed.
5. The method and system for monitoring data security anomaly in a public information platform according to claim 3, wherein: in step e, deep fusion analysis is performed on the related data to mine whether the system has hidden privacy disclosure, and if a hidden sensitive disclosure path exists, the sensitive data in that path are anonymized to prevent hidden sensitive disclosure; the local martingale difference method is adopted to discover the occurrence of hidden sensitivity and, by defining a stochastic process with a finite stopping time, the problems of hidden-sensitivity discrimination and control optimization for large-scale data are solved within limited time; when hidden sensitive information leakage is detected in the system, the hidden sensitive information is anonymized to prevent it from being leaked again.
6. The method and system for monitoring data security anomaly in a public information platform according to claim 1, wherein: the visual display specifically includes that data such as logs, operation behaviors and the like are extracted, analyzed and counted, attribute calculation of graphic elements is carried out on the data according to a certain algorithm principle, then the data are displayed, and various adjustments can be carried out on the effect of a display model by combining with parameter adjustment of a user so as to find detailed information of network data; the visual display subsystem is divided into four modules which are respectively: the system comprises a data extraction and statistics module, a node coordinate calculation module, a graph display module and a parameter adjustment module.
7. The method and system for monitoring data security anomalies in a public information platform according to claim 6, wherein: the data statistics module aims at performing preliminary statistical analysis on original data, a hash table is used for storing the original data, a keyword Key in the hash table is in a character string form, the character string consists of a source IP, an operation main body, an evidence chain and operation time, the four items are used as a newly-built element to be inserted into the hash table, and each element is a node in the future graphical representation and represents the operation relation between the evidence chains; the value corresponding to Key represents the total amount of data in the connection communication activity.
8. The method and system for monitoring data security anomalies in a public information platform according to claim 6, wherein: the node coordinate calculation module adopts the IP address, the behavior body and the evidence chain as the factors for IP address calculation.
9. The method and system for monitoring data security anomaly in a public information platform according to any one of claims 1 to 8, wherein: the threat prediction analysis mainly uses a situation prediction algorithm based on time series analysis, where time series analysis is the theory and method of establishing a mathematical model through curve fitting and parameter estimation from time-series data obtained by observing the system. The method exploits the respective advantages of the first-order grey prediction model GM(1,1), the ARMA model and the Holt-Winters model to predict threats separately, then compares and fuses the predicted values of the three methods.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610022174.7A CN105681298A (en) | 2016-01-13 | 2016-01-13 | Data security abnormity monitoring method and system in public information platform |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105681298A true CN105681298A (en) | 2016-06-15 |
Family
ID=56300497
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610022174.7A Pending CN105681298A (en) | 2016-01-13 | 2016-01-13 | Data security abnormity monitoring method and system in public information platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105681298A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007131069A3 (en) * | 2006-05-02 | 2008-10-16 | Inividi Technologies Corp | Fuzzy logic based viewer identification |
CN103353883A (en) * | 2013-06-19 | 2013-10-16 | 华南师范大学 | Big data stream type cluster processing system and method for on-demand clustering |
CN104268254A (en) * | 2014-10-09 | 2015-01-07 | 浪潮电子信息产业股份有限公司 | Security situation analysis and statistics method |
CN104753946A (en) * | 2015-04-01 | 2015-07-01 | 浪潮电子信息产业股份有限公司 | Security analysis framework based on network traffic metadata |
2016-01-13: CN CN201610022174.7A filed, published as CN105681298A, status Pending
Non-Patent Citations (1)
Title |
---|
张全友: "《基于时间序列数据挖掘在电力物资系统中的应用研究》", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106209826A (en) * | 2016-07-08 | 2016-12-07 | 瑞达信息安全产业股份有限公司 | A kind of safety case investigation method of Network Security Device monitoring |
CN106254317A (en) * | 2016-07-21 | 2016-12-21 | 柳州龙辉科技有限公司 | A kind of data security exception monitoring system |
CN107645480A (en) * | 2016-07-22 | 2018-01-30 | 阿里巴巴集团控股有限公司 | Data monitoring method and system, device |
CN107733834A (en) * | 2016-08-10 | 2018-02-23 | 中国移动通信集团甘肃有限公司 | A kind of leakage prevention method and device |
CN108076006A (en) * | 2016-11-09 | 2018-05-25 | 华为技术有限公司 | A kind of lookup is by the method and log management server of attack host |
CN108074022A (en) * | 2016-11-10 | 2018-05-25 | 中国电力科学研究院 | A kind of hardware resource analysis and appraisal procedure based on concentration O&M |
CN106778904B (en) * | 2017-01-10 | 2019-10-18 | 上海鲲云信息科技有限公司 | A kind of data exception detection method, system and the server with the system |
CN106778904A (en) * | 2017-01-10 | 2017-05-31 | 上海鲲云信息科技有限公司 | A kind of data exception detection method, system and the server with the system |
CN106845272A (en) * | 2017-01-19 | 2017-06-13 | 浙江中都信息技术有限公司 | The leakage-preventing method and system of threat monitoring and data based on terminal agent |
CN108665297B (en) * | 2017-03-31 | 2021-01-26 | 北京京东尚科信息技术有限公司 | Method and device for detecting abnormal access behavior, electronic equipment and storage medium |
CN108665297A (en) * | 2017-03-31 | 2018-10-16 | 北京京东尚科信息技术有限公司 | Detection method, device, electronic equipment and the storage medium of abnormal access behavior |
CN107426159A (en) * | 2017-05-03 | 2017-12-01 | 成都国腾实业集团有限公司 | APT based on big data analysis monitors defence method |
CN110022288A (en) * | 2018-01-10 | 2019-07-16 | 贵州电网有限责任公司遵义供电局 | A kind of APT threat recognition methods |
CN110138770A (en) * | 2019-05-13 | 2019-08-16 | 四川长虹电器股份有限公司 | One kind threatening information generation and shared system and method based on Internet of Things |
CN110138770B (en) * | 2019-05-13 | 2021-08-06 | 四川长虹电器股份有限公司 | Threat information generation and sharing system and method based on Internet of things |
CN110275942A (en) * | 2019-06-26 | 2019-09-24 | 上海交通大学 | A kind of electronics authority security incident convergence analysis method |
US11169506B2 (en) | 2019-06-26 | 2021-11-09 | Cisco Technology, Inc. | Predictive data capture with adaptive control |
CN111258888A (en) * | 2020-01-09 | 2020-06-09 | 上海丰蕾信息科技有限公司 | Data report generation and analysis system |
CN112560947A (en) * | 2020-12-14 | 2021-03-26 | 国网青海省电力公司 | Clustering method and device based on energy supply and demand structure analysis |
CN114584600A (en) * | 2022-01-20 | 2022-06-03 | 国网青海省电力公司 | Data audit monitoring system |
CN115495427A (en) * | 2022-11-22 | 2022-12-20 | 青岛远洋船员职业学院 | Log data storage method based on intelligent security management platform |
CN116126961A (en) * | 2023-04-04 | 2023-05-16 | 河北中废通网络技术有限公司 | Tamper-proof unattended weighing data system of regeneration circulation internet of things information system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20160615 |