CN106210088A - A pollution analysis platform for multi-source data - Google Patents


Publication number: CN106210088A
Authority: CN (China)
Prior art keywords: data, link, node, computer, similarity
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201610562108.9A
Other languages: Chinese (zh)
Inventor: not disclosed (不公告发明人)
Current Assignee: Individual (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Individual
Application filed by: Individual
Priority to: CN201610562108.9A
Publication of: CN106210088A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Alarm Systems (AREA)

Abstract

A pollution analysis platform for multi-source data, comprising a pollution information acquisition terminal, a wireless network, a cloud server cluster, an encryption system and a security situation map system. The pollution information acquisition terminal comprises a pollution distribution point computer, a pollutant discharge data distributed computer, an air quality distributed computer and a water source quality distributed computer; the data collected by the pollution information acquisition terminal are sent over the wireless network to the cloud server cluster, where they are analyzed, processed and stored. The encryption system encrypts the received data, so that only a user holding the key can obtain the data. The cloud server cluster comprises multiple nodes and links, and the security situation map system generates a visual security situation map for the cloud server cluster so that administrators can monitor the security information of the server cluster.

Description

A pollution analysis platform for multi-source data
Technical field
The present invention relates to the field of pollution data control, and in particular to a pollution analysis platform for multi-source data.
Background art
With the development of social modernization, environmental pollution is receiving increasing attention. More and more distribution points are being brought into environmental monitoring, and the volume of data to be processed keeps growing, which makes processing environmental information with cloud computing an inevitable trend. A cloud server is generally a cluster composed of multiple computers, but the security of the cloud server itself is also a very important issue, because it bears on the security of important environmental information and on related problems such as its leakage. It is therefore necessary to design a high-security pollution analysis platform for multi-source data.
Summary of the invention
In view of the above problems, the present invention provides a pollution analysis platform for multi-source data.
The purpose of the present invention is achieved by the following technical solution:
A pollution analysis platform for multi-source data, comprising a pollution information acquisition terminal, a wireless network, a cloud server cluster, an encryption system and a security situation map system. The pollution information acquisition terminal comprises a pollution distribution point computer, a pollutant discharge data distributed computer, an air quality distributed computer and a water source quality distributed computer, which respectively monitor the distribution of each pollution point, the discharge data of each discharge point, the air quality at each distribution point and the water source quality at each distribution point. The data collected by the pollution information acquisition terminal are sent over the wireless network to the cloud server cluster, where they are analyzed, processed and stored. The encryption system encrypts the received data, so that only a user holding the key can obtain the data. The cloud server cluster comprises multiple nodes and links, and the security situation map system generates a visual security situation map for the cloud server cluster so that administrators can monitor the security information of the cloud server cluster.
The beneficial effects of the invention are: multiple distributed computers monitor the various categories of pollution sources, so the data are comprehensive and reliable, and the cloud service cluster relieves the computing and storage load of a traditional local server.
Brief description of the drawings
The invention is further described with reference to the accompanying drawings. The embodiments shown in the drawings do not limit the invention in any way; a person of ordinary skill in the art can obtain other drawings from the following drawings without creative effort.
Fig. 1 is a structural block diagram of the pollution analysis platform for multi-source data;
Fig. 2 is a structural block diagram of the security situation map system;
Fig. 3 is an example of a generated security situation map.
Reference numerals: wireless network 1; cloud server cluster 2; encryption system 3; pollution distribution point computer 4; pollutant discharge data distributed computer 5; air quality distributed computer 6; water source quality distributed computer 7; geographic background map generation module 100; security information acquisition module 200; database generation module 300; rolling alarm generation module 400; security situation value calculation module 500; main map generation module 600.
Detailed description
The invention is further described with reference to the following embodiments.
Application scenario 1:
As shown in Fig. 1, a pollution analysis platform for multi-source data comprises a pollution information acquisition terminal, a wireless network 1, a cloud server cluster 2, an encryption system 3 and a security situation map system. The pollution information acquisition terminal comprises a pollution distribution point computer 4, a pollutant discharge data distributed computer 5, an air quality distributed computer 6 and a water source quality distributed computer 7, which respectively monitor the distribution of each pollution point, the discharge data of each discharge point, the air quality at each distribution point and the water source quality at each distribution point. The data collected by the pollution information acquisition terminal are sent over the wireless network 1 to the cloud server cluster 2, where they are analyzed, processed and stored. The encryption system 3 encrypts the received data, so that only a user holding the key can obtain the data. The cloud server cluster 2 comprises multiple nodes and links, and the security situation map system generates a visual security situation map for the cloud server cluster 2 so that the security information of the cloud server cluster can be monitored.
The invention uses multiple distributed computers to monitor the various categories of pollution sources, so the data are comprehensive and reliable, and the cloud service cluster relieves the computing and storage load of a traditional local server.
Preferably, the air quality distributed computer 6 and the water source quality distributed computer 7 comprise a local computer and a monitor connected to the local computer; the monitor comprises sensors, a programmable controller and an intermediate relay, and the sensors comprise a PH sensor, an EO sensor and a COD sensor.
Preferably, the local computer communicates with the monitor through an RS232 serial port according to a communication protocol, and communicates with the cloud server cluster 2 through the wireless network 1.
Preferably, as shown in Fig. 2, the security situation map system comprises a geographic background map generation module 100, a security information acquisition module 200, a database generation module 300, a rolling alarm generation module 400, a security situation value calculation module 500 and a main map generation module 600:
(1) Geographic background map generation module 100: using MAPX software, takes the geographic map of the area where the network is located as the background layer, divides the network into multiple nodes and the links connecting pairs of nodes, and maps the nodes and links onto the background layer;
(2) Security information acquisition module 200: collects network information data through multiple data collectors. The data collectors use Syslog as the primary collection method and Snmp as a supplementary collection method, and collect the network information data by configuring the different network security devices. The network information data comprise log data, traffic data and vulnerability information. The vulnerability information is obtained from scanning tools and network IDS intrusion detection tools, over the Snmp or Http protocol, by a log collection plug-in or a data interface; the log data are collected by the data collectors over the Syslog protocol and the Flow protocol;
(3) Database generation module 300: the collected network information data are merged and filtered by a proxy management server, converted into a unified data format and sent to the server terminal to form the base database;
(4) Rolling alarm generation module 400: aggregates and classifies the network information data and generates rolling alarms accordingly; the rolling alarms are placed on the right side of the security situation map. Specifically, the following operations are performed:
(4-1) Retrieve network information data from the base database and set multiple classification thresholds T1, T2, T3, ..., Tn, a similarity update threshold T, a curvature threshold K, a similarity duration threshold A and an initial similarity C. Cyclically take out the network information data within a given time, call the similarity calculation function to calculate the real-time similarity, and generate, for each node, the curve function AI of real-time similarity against time;
(4-2) Compare the calculation results: if the real-time similarity is greater than the initial similarity C, update the current similarity to the real-time similarity; otherwise keep the initial similarity C as the current similarity, and increment the counter by 1;
(4-3) Compare the current similarity with the classification thresholds T1, T2, T3, ..., Tn and determine the alarm level of the security event from the threshold interval in which the current similarity falls, where T < T1 < T2 < T3 ... < Tn. If the current similarity does not fall within any interval, compare it with the similarity threshold T; if the current similarity is less than the similarity threshold T, perform the following operation:
Calculate the change in real-time similarity at the current time point relative to the previous time point, that is, calculate the curvature K' of the curve function AI at the current time point relative to the previous time point. If K' > K and the time for which the current similarity has stayed below the similarity threshold T is less than the similarity duration threshold A, classify this network information data as a harmless security event and do not add a new alarm category; at the same time, store the information about the harmless security event in a manually configured temporary store. When the counter shows that the same node has reached 2 harmless security events, add a new alarm category. When any current similarity stays below the similarity threshold T for a time greater than or equal to the similarity duration threshold A, also add a new alarm category. The false detection rate of security events is then less than 5‰;
(4-4) After all network information data have been classified by the above aggregation and classification method, display them as rolling alarms on the right side of the map, with a different alarm color for each category;
(5) Security situation value calculation module 500: obtains the network security situation value of each node and link according to the following formula:

$$F_N(W_H, W_L, F_H, F_L, t) = W_H \cdot F_H + W_L \cdot F_L$$

where

$$F_H(H, V_1, F_s, t) = V_1 \cdot F_s(t) + 10^{P'(t)}$$

$$F_L(L, V_2, U_s, t) = V_2 \cdot U_s(t) + 10^{B'(t)}$$

Here $W_H$ is the weight of the target node among all nodes and $W_L$ is the weight of the target link among all links; $W_H$ and $W_L$ are obtained from the service information provided by the node and by the link components respectively;
$F_H$ is the security situation of the target node at time t; H denotes the target node; $V_1$ is the weight of a given service among all services running on the node; P is the node performance status, and a larger P means worse node performance; $P'(t)$ is the change in node performance at time t, obtained by calculating the curvature of the function P at that point, and is forced to satisfy $P'(t) \le 3$: when $P'(t)$ is greater than 3, set $P'(t) = 3$. $F_s(t) = N_1(t) \cdot 10^{D_1(t)}$ is the service security situation of the target node at time t; $N_1(t)$ is the number of attacks on the node at time t, and $D_1(t)$ is the severity of the attacks on the node at time t, which depends on the kinds of attack and the number of attacks suffered by the services the target node currently provides; this function is set manually according to the specific situation;
$F_L$ is the security situation of the target link at time t; L denotes the target link; $V_2$ is the weight of a given component service among all component services running on the link; B is the link performance status, and a larger value means worse link performance; $B'(t)$ is the change in link performance at time t, obtained by calculating the curvature of the function B at that point, and is forced to satisfy $B'(t) \le 3$: when $B'(t)$ is greater than 3, set $B'(t) = 3$. $U_s(t) = N_2(t) \cdot 10^{D_2(t)}$ is the service security situation of the target link at time t; $N_2(t)$ is the number of attacks on the link at time t, and $D_2(t)$ is the severity of the attacks on the link at time t, which depends on the kinds of attack and the number of attacks suffered by the services the target link provides; this function is set manually according to the specific situation;
(6) Main map generation module 600: based on the calculated network security situation value of each node and link, grades the network security situation values according to preset thresholds, represents the security state of nodes and links of different situation grades with different colors, and generates the security situation map.
In this embodiment, network information data are collected by multiple data collectors, which ensures that collection is comprehensive. An algorithm based on attribute similarity compares each alarm against preset thresholds and calls the corresponding functions to filter and aggregate the alarm information. For background events that may occur, or events that clearly do not endanger security, a new evaluation criterion based on similarity curvature and duration excludes such events from normal alarms, which reduces interference to monitoring personnel. On the other hand, to avoid security holes, such events are placed in the temporary store and are recognized as a new security event when they occur more than 2 times; the false detection rate of security events is then less than 5‰, which makes the security behavior shown on the situation map more truthful and thus improves the credibility of the situation map. A new network security situation formula is designed that considers the security situation of both nodes and links and takes multiple factors into account. Because the maximum of P'(t) and B'(t) is forced to 3, the terms $10^{P'(t)}$ and $10^{B'(t)}$, which reflect the dynamic change in node and link performance, do not exceed 1000; this suppresses to some extent the short-term misjudgments that may appear in a dynamic display and ensures the stability of the image.
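The situation-value formulas of step (5) and the grading of step (6), as an added Python example that is not part of the patent text. The finite-difference curvature estimator, the grade bounds, the color names and all sample values are assumptions made for illustration; the cap of 3 and the formulas themselves come from the description.

```python
from bisect import bisect_right

CAP = 3.0  # the description forces P'(t) <= 3 and B'(t) <= 3


def curvature(samples, dt=1.0):
    """Curvature of a sampled performance function at the latest point.

    Assumption: central finite differences over the last three samples;
    the description only says "the curvature of function P at that point".
    """
    if len(samples) < 3:
        return 0.0
    p0, p1, p2 = samples[-3:]
    d1 = (p2 - p0) / (2 * dt)
    d2 = (p2 - 2 * p1 + p0) / dt ** 2
    return abs(d2) / (1 + d1 * d1) ** 1.5


def performance_term(samples):
    """10^P'(t) for a node, 10^B'(t) for a link, exponent capped at 3."""
    return 10 ** min(curvature(samples), CAP)


def service_term(attack_count, severity):
    """F_s(t) = N1(t) * 10^D1(t); U_s(t) = N2(t) * 10^D2(t) for a link."""
    return attack_count * 10 ** severity


def element_value(service_weight, attack_count, severity, perf_samples):
    """F_H = V1 * F_s(t) + 10^P'(t); the same shape gives F_L for a link."""
    return (service_weight * service_term(attack_count, severity)
            + performance_term(perf_samples))


def situation_value(w_node, f_node, w_link, f_link):
    """F_N = W_H * F_H + W_L * F_L."""
    return w_node * f_node + w_link * f_link


def grade(value, bounds=(10.0, 100.0, 1000.0),
          colors=("green", "yellow", "orange", "red")):
    """Map a situation value to a map color (bounds and colors are assumed)."""
    return colors[bisect_right(bounds, value)]


if __name__ == "__main__":
    # Constructed sample data: a steady node and a link with a sharp spike.
    f_h = element_value(0.5, attack_count=2, severity=1, perf_samples=[1, 1, 1])
    f_l = element_value(0.5, attack_count=2, severity=1, perf_samples=[50, 1, 50])
    f_n = situation_value(0.6, f_h, 0.4, f_l)
    print(f_h, f_l, f_n, grade(f_n))
```

However large the spike in the sampled performance function, the performance term stays at or below 1000, so the attack-driven service term is what moves a node or link into a higher grade.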
Preferably, the node performance status P is obtained as follows: set a threshold for each of processor utilization, memory usage, number of network connections and data packet loss rate, together with a change threshold over a fixed time interval. The sum of the absolute values of the amounts by which these values exceed their respective thresholds is denoted J1, and the sum of the absolute values of the amounts by which the change of each value over the fixed time interval exceeds the change threshold is denoted J2. The node performance status P is then given by: P=2J1+J2
The link performance status B is obtained as follows: set a threshold for each of the number of network connections of the link components, bandwidth utilization, data packet loss rate and link component processor utilization, together with a change threshold over a fixed time interval. The sum of the absolute values of the amounts by which these values exceed their respective thresholds is denoted J3, and the sum of the absolute values of the amounts by which the change of each value over the fixed time interval exceeds the change threshold is denoted J4. The link performance status B is then given by: B=2J3+J4
The weight of each node is determined as follows:
(1) build, for each node, an importance comparison matrix relative to the other nodes with respect to the network security situation;
(2) convert the importance comparison matrix of the nodes into the fuzzy consistent matrix of the nodes;
(3) calculate the weight of each node from the elements of the fuzzy consistent matrix of the nodes.
The weight of each link is determined as follows:
(1) build, for each link, an importance comparison matrix relative to the other links with respect to the network security situation;
(2) convert the importance comparison matrix of the links into the fuzzy consistent matrix of the links;
(3) calculate the weight of each link from the elements of the fuzzy consistent matrix of the links.
Fig. 3 shows an example of a generated security situation map.
This embodiment takes the dynamic change of nodes and links into account. Compared with existing discrete methods of representing node and link performance state, the dynamic change of nodes and links can be reflected continuously in the final security situation value (through P=2J1+J2 and B=2J3+J4, which replace the discrete dynamic change of the prior art).
Application scenario 2:
As shown in Fig. 1, a pollution analysis platform for multi-source data comprises a pollution information acquisition terminal, a wireless network 1, a cloud server cluster 2, an encryption system 3 and a security situation map system. The pollution information acquisition terminal comprises a pollution distribution point computer 4, a pollutant discharge data distributed computer 5, an air quality distributed computer 6 and a water source quality distributed computer 7, which respectively monitor the distribution of each pollution point, the discharge data of each discharge point, the air quality at each distribution point and the water source quality at each distribution point. The data collected by the pollution information acquisition terminal are sent over the wireless network 1 to the cloud server cluster 2, where they are analyzed, processed and stored. The encryption system 3 encrypts the received data, so that only a user holding the key can obtain the data. The cloud server cluster 2 comprises multiple nodes and links, and the security situation map system generates a visual security situation map for the cloud server cluster 2 so that the security information of the cloud server cluster can be monitored.
The invention uses multiple distributed computers to monitor the various categories of pollution sources, so the data are comprehensive and reliable, and the cloud service cluster relieves the computing and storage load of a traditional local server.
Preferably, the air quality distributed computer 6 and the water source quality distributed computer 7 comprise a local computer and a monitor connected to the local computer; the monitor comprises sensors, a programmable controller and an intermediate relay, and the sensors comprise a PH sensor, an EO sensor and a COD sensor.
Preferably, the local computer communicates with the monitor through an RS232 serial port according to a communication protocol, and communicates with the cloud server cluster 2 through the wireless network 1.
Preferably, as shown in Fig. 2, the security situation map system comprises a geographic background map generation module 100, a security information acquisition module 200, a database generation module 300, a rolling alarm generation module 400, a security situation value calculation module 500 and a main map generation module 600:
(1) Geographic background map generation module 100: using MAPX software, takes the geographic map of the area where the network is located as the background layer, divides the network into multiple nodes and the links connecting pairs of nodes, and maps the nodes and links onto the background layer;
(2) Security information acquisition module 200: collects network information data through multiple data collectors. The data collectors use Syslog as the primary collection method and Snmp as a supplementary collection method, and collect the network information data by configuring the different network security devices. The network information data comprise log data, traffic data and vulnerability information. The vulnerability information is obtained from scanning tools and network IDS intrusion detection tools, over the Snmp or Http protocol, by a log collection plug-in or a data interface; the log data are collected by the data collectors over the Syslog protocol and the Flow protocol;
(3) Database generation module 300: the collected network information data are merged and filtered by a proxy management server, converted into a unified data format and sent to the server terminal to form the base database;
(4) Rolling alarm generation module 400: aggregates and classifies the network information data and generates rolling alarms accordingly; the rolling alarms are placed on the right side of the security situation map. Specifically, the following operations are performed:
(4-1) Retrieve network information data from the base database and set multiple classification thresholds T1, T2, T3, ..., Tn, a similarity update threshold T, a curvature threshold K, a similarity duration threshold A and an initial similarity C. Cyclically take out the network information data within a given time, call the similarity calculation function to calculate the real-time similarity, and generate, for each node, the curve function AI of real-time similarity against time;
(4-2) Compare the calculation results: if the real-time similarity is greater than the initial similarity C, update the current similarity to the real-time similarity; otherwise keep the initial similarity C as the current similarity, and increment the counter by 1;
(4-3) Compare the current similarity with the classification thresholds T1, T2, T3, ..., Tn and determine the alarm level of the security event from the threshold interval in which the current similarity falls, where T < T1 < T2 < T3 ... < Tn. If the current similarity does not fall within any interval, compare it with the similarity threshold T; if the current similarity is less than the similarity threshold T, perform the following operation:
Calculate the change in real-time similarity at the current time point relative to the previous time point, that is, calculate the curvature K' of the curve function AI at the current time point relative to the previous time point. If K' > K and the time for which the current similarity has stayed below the similarity threshold T is less than the similarity duration threshold A, classify this network information data as a harmless security event and do not add a new alarm category; at the same time, store the information about the harmless security event in a manually configured temporary store. When the counter shows that the same node has accumulated 3 harmless security events, add a new alarm category. When any current similarity stays below the similarity threshold T for a time greater than or equal to the similarity duration threshold A, also add a new alarm category. The false detection rate of security events is then less than 6‰;
(4-4) After all network information data have been classified by the above aggregation and classification method, display them as rolling alarms on the right side of the map, with a different alarm color for each category;
(5) Security situation value calculation module 500: obtains the network security situation value of each node and link according to the following formula:

$$F_N(W_H, W_L, F_H, F_L, t) = W_H \cdot F_H + W_L \cdot F_L$$

where

$$F_H(H, V_1, F_s, t) = V_1 \cdot F_s(t) + 10^{P'(t)}$$

$$F_L(L, V_2, U_s, t) = V_2 \cdot U_s(t) + 10^{B'(t)}$$

Here $W_H$ is the weight of the target node among all nodes and $W_L$ is the weight of the target link among all links; $W_H$ and $W_L$ are obtained from the service information provided by the node and by the link components respectively;
$F_H$ is the security situation of the target node at time t; H denotes the target node; $V_1$ is the weight of a given service among all services running on the node; P is the node performance status, and a larger P means worse node performance; $P'(t)$ is the change in node performance at time t, obtained by calculating the curvature of the function P at that point, and is forced to satisfy $P'(t) \le 3$: when $P'(t)$ is greater than 3, set $P'(t) = 3$. $F_s(t) = N_1(t) \cdot 10^{D_1(t)}$ is the service security situation of the target node at time t; $N_1(t)$ is the number of attacks on the node at time t, and $D_1(t)$ is the severity of the attacks on the node at time t, which depends on the kinds of attack and the number of attacks suffered by the services the target node currently provides; this function is set manually according to the specific situation;
$F_L$ is the security situation of the target link at time t; L denotes the target link; $V_2$ is the weight of a given component service among all component services running on the link; B is the link performance status, and a larger value means worse link performance; $B'(t)$ is the change in link performance at time t, obtained by calculating the curvature of the function B at that point, and is forced to satisfy $B'(t) \le 3$: when $B'(t)$ is greater than 3, set $B'(t) = 3$. $U_s(t) = N_2(t) \cdot 10^{D_2(t)}$ is the service security situation of the target link at time t; $N_2(t)$ is the number of attacks on the link at time t, and $D_2(t)$ is the severity of the attacks on the link at time t, which depends on the kinds of attack and the number of attacks suffered by the services the target link provides; this function is set manually according to the specific situation;
(6) Main map generation module 600: based on the calculated network security situation value of each node and link, grades the network security situation values according to preset thresholds, represents the security state of nodes and links of different situation grades with different colors, and generates the security situation map.
In this embodiment, network information data are collected by multiple data collectors, which ensures that collection is comprehensive. An algorithm based on attribute similarity compares each alarm against preset thresholds and calls the corresponding functions to filter and aggregate the alarm information. For background events that may occur, or events that clearly do not endanger security, a new evaluation criterion based on similarity curvature and duration excludes such events from normal alarms, which reduces interference to monitoring personnel. On the other hand, to avoid security holes, such events are placed in the temporary store and are recognized as a new security event when they occur more than 3 times; the false detection rate of security events is then less than 6‰, which makes the security behavior shown on the situation map more truthful and thus improves the credibility of the situation map. A new network security situation formula is designed that considers the security situation of both nodes and links and takes multiple factors into account. Because the maximum of P'(t) and B'(t) is forced to 3, the terms $10^{P'(t)}$ and $10^{B'(t)}$, which reflect the dynamic change in node and link performance, do not exceed 1000; this suppresses to some extent the short-term misjudgments that may appear in a dynamic display and ensures the stability of the image.
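The decision logic of step (4-3), which both application scenarios share and which differs only in the harmless-event limit (2 in scenario 1, 3 in scenario 2), as an added Python example that is not part of the patent text. The class and label names are hypothetical; the handling of values between T and T1, of values at or above Tn, and of a low similarity whose curvature does not exceed K is not specified in the description and is assumed here.

```python
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RollingAlarmClassifier:
    update_threshold: float      # T
    level_thresholds: list       # T1 < T2 < ... < Tn, all above T
    curvature_threshold: float   # K
    duration_threshold: float    # A
    harmless_limit: int = 2      # 2 in scenario 1, 3 in scenario 2
    harmless_count: dict = field(default_factory=lambda: defaultdict(int))
    temporary_store: list = field(default_factory=list)

    def __post_init__(self):
        bounds = [self.update_threshold, *self.level_thresholds]
        if any(a >= b for a, b in zip(bounds, bounds[1:])):
            raise ValueError("thresholds must satisfy T < T1 < ... < Tn")

    def classify(self, node, similarity, curvature, time_below_t):
        """Return 'level-i', 'no-alarm', 'harmless' or 'new-category'."""
        if similarity >= self.level_thresholds[0]:
            # Assumption: level i covers [Ti, Ti+1); level n is open-ended.
            return f"level-{bisect_right(self.level_thresholds, similarity)}"
        if similarity >= self.update_threshold:
            # Assumption: between T and T1 the description defines no action.
            return "no-alarm"
        if time_below_t >= self.duration_threshold:
            return "new-category"
        if curvature > self.curvature_threshold:
            # Brief, sharp dip: store it, but escalate on repetition.
            self.temporary_store.append((node, similarity, curvature))
            self.harmless_count[node] += 1
            if self.harmless_count[node] >= self.harmless_limit:
                self.harmless_count[node] = 0  # assumption: restart the count
                return "new-category"
            return "harmless"
        # Assumption: an unspecified case is escalated rather than dropped.
        return "new-category"


if __name__ == "__main__":
    # Constructed thresholds and events.
    clf = RollingAlarmClassifier(0.2, [0.4, 0.6, 0.8], 1.0, 30.0)
    for event in [("n1", 0.65, 0.0, 0), ("n1", 0.1, 2.0, 5),
                  ("n1", 0.1, 2.0, 5), ("n2", 0.1, 2.0, 30)]:
        print(event, "->", clf.classify(*event))
```

The temporary store and the per-node count are what keep the suppression of sharp, short dips from becoming a blind spot: a node that keeps producing "harmless" events is escalated once the limit is reached.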
Preferably, the acquisition process of described joint behavior situation P is: respectively to processor utilization, memory usage, net Network connects number, data packetloss rate arranges corresponding threshold value, and the change threshold at Fixed Time Interval, above-mentioned each value is surpassed The absolute value sum of the difference crossing respective doors limit value is expressed as J1, by each value in Fixed Time Interval amplitude of variation more than change threshold The absolute value sum of the concrete difference of value is expressed as J2, following formula obtain joint behavior situation P:P=2J1+J2
The acquisition process of described link performance situation B is: respectively to link component number of network connections, bandwidth availability ratio, number According to packet loss, link component processor utilization, corresponding threshold value, and the change threshold at Fixed Time Interval are set;Will The absolute value sum of the concrete difference that above-mentioned each value exceedes respective doors limit value is designated as J3, and at Fixed Time Interval, each value is changed width Degree is designated as J4 more than the absolute value sum of the concrete difference of change threshold, following formula obtain link performance situation B:B=2J3+J4
The weight of each node is determined as follows:
(1) establish an importance comparison matrix of each node relative to the other nodes with respect to network security situation;
(2) convert the node importance comparison matrix into the node fuzzy consistent matrix;
(3) calculate the weight of each node from the elements of the node fuzzy consistent matrix.
The weight of each link is determined as follows:
(1) establish an importance comparison matrix of each link relative to the other links with respect to network security situation;
(2) convert the link importance comparison matrix into the link fuzzy consistent matrix;
(3) calculate the weight of each link from the elements of the link fuzzy consistent matrix.
Fig. 3 gives an example of the generated security posture map.
This embodiment takes the dynamic changes of nodes and links into account. Compared with existing discrete representations of node and link performance state, it reflects the dynamic changes of nodes and links continuously in the final security situation value (the settings $P = 2^{J1+J2}$ and $B = 2^{J3+J4}$ replace the discrete dynamic changes of the prior art).
Application scenario 3:
A contamination analysis platform for multi-source data, as shown in Fig. 1, comprises a pollution information acquisition terminal, a wireless network 1, a cloud server cluster 2, an encryption system 3 and a security posture map system. The pollution information acquisition terminal comprises a pollution distribution point computer 4, a discharge data distributed computer 5, an air quality distributed computer 6 and a water source quality distributed computer 7, which respectively monitor the specific distribution of each pollution point, the discharge data of each discharge point, the air quality at each distribution point and the water source quality at each distribution point. The data collected by the pollution information acquisition terminal is sent over the wireless network 1 to the cloud server cluster 2 for analysis, processing and storage. The encryption system 3 encrypts the received data, and only a user holding the key can obtain the data. The cloud server cluster 2 comprises multiple nodes and links, and the security posture map system generates a visual security posture map for the cloud server cluster 2 so that the security information of the cloud server cluster can be monitored conveniently.
The invention uses multiple distributed computers to monitor pollution sources of various categories, so the data is comprehensive and reliable, and uses the cloud service cluster to relieve the computing and storage load of a traditional local server.
Preferably, the air quality distributed computer 6 and the water source quality distributed computer 7 each comprise a local computer and a monitoring device connected to the local computer; the monitoring device comprises sensors, a programmable controller and an intermediate relay, and the sensors comprise a pH sensor, an EO sensor and a COD sensor.
Preferably, the local computer communicates with the monitoring device over an RS232 serial port according to a communication protocol, and communicates with the cloud server cluster 2 over the wireless network 1.
Preferably, as shown in Fig. 2, the security posture map system comprises a geographic background map generation module 100, a security information acquisition module 200, a database generation module 300, a rolling alarm generation module 400, a security situation value evaluation module 500 and a main map generation module 600:
(1) Geographic background map generation module 100: using MAPX software, take the geographic map of the area where the network is located as the background layer, divide the network into multiple nodes and the links connecting pairs of nodes, and map the nodes and links onto the background layer;
(2) Security information acquisition module 200: network information data is collected by multiple data collectors, which use Syslog as the primary collection method and SNMP as a supplementary one, and complete the collection of network information data by configuring different network security devices. The network information data comprises log data, traffic data and vulnerability information. Vulnerability information is obtained from scanning tools and network IDS intrusion detection tools, over the SNMP or HTTP protocol, through log collection plug-ins or data interfaces; log data is collected by the data collectors over the Syslog protocol and the Flow protocol;
(3) Database generation module 300: the collected network information data is merged and filtered by a proxy management server, converted into a unified data format and sent to the server terminal to form the base database;
(4) Rolling alarm generation module 400: aggregates and classifies the network information data and generates rolling alarms accordingly; the rolling alarms are placed on the right side of the security posture map. Specifically, the following operations are performed:
(4-1) retrieve network information data from the base database and set multiple classification thresholds T1, T2, T3, ..., Tn, a similarity update threshold T, a curvature threshold K, a similarity duration threshold A and an initial similarity C; cyclically fetch the network information data within a given time, call the similarity calculation function to compute the real-time similarity, and generate, for each node, the curve function AI of real-time similarity against time;
(4-2) compare the calculation results: if the real-time similarity is greater than the initial similarity C, update the current similarity to the real-time similarity; otherwise keep the initial similarity C as the current similarity and increment the counter by 1;
(4-3) compare the current similarity with the classification thresholds T1, T2, T3, ..., Tn and determine the alarm level of the security event from the threshold interval in which the current similarity lies, where T < T1 < T2 < T3 < ... < Tn; if the current similarity does not fall within any interval, compare it with the similarity threshold T, and if it is below T, perform the following operations:
Calculate the change in real-time similarity at the current time point relative to the previous time point, that is, the curvature K' of the curve function AI at the current time point relative to the previous time point. If K' > K and the time for which the current similarity has been below the similarity threshold T is shorter than the similarity duration threshold A, classify the network information data as a harmless security event and do not add a new alarm category; at the same time, store the relevant information of the harmless security event in a manually configured temporary store. When the counter records that the same node has reached 4 harmless security events, add a new alarm category. When the time for which any current similarity has been below the similarity threshold T is greater than or equal to the similarity duration threshold A, also add a new alarm category. The false-detection rate of security events is then below 7‰;
(4-4) after all network information data has been classified by the above aggregation and classification method, display it as rolling alarms on the right side of the map, with a different alarm colour for each category;
(5) Security situation value evaluation module 500: obtain the network security situation value of each node and link according to the following formulas:
$F_N\{W_H, W_L, F_H, F_L, t\} = W_H \cdot F_H + W_L \cdot F_L$
where
$F_H(H, V_1, F_s, t) = V_1 \cdot F_s(t) + 10^{P'(t)}$
$F_L(L, V_2, U_S, t) = V_2 \cdot U_S(t) + 10^{B'(t)}$
Here $W_H$ is the weight of the target node among all nodes and $W_L$ is the weight of the target link among all links; $W_H$ and $W_L$ are obtained from the service information provided by the node and the link components, respectively;
$F_H$ represents the security situation of the target node at time t; H denotes the target node; $V_1$ is the weight of a given service among all services running on the node; P denotes node performance, and the larger P is, the worse the node performance; P'(t) denotes how P is changing at time t, obtained by calculating the curvature of function P at that point, with P'(t) ≤ 3 enforced: when P'(t) exceeds 3, P'(t) is set to 3; $F_s(t) = N1(t) \cdot 10^{D1(t)}$ represents the service security situation of the target node at time t, where N1(t) is the number of attacks on the node at time t and D1(t) is the severity of the attacks on the node at time t, which depends on the kinds of attack and the number of attacks suffered by the services the target node currently provides; this function is set manually according to the specific circumstances;
$F_L$ represents the security situation of the target link at time t; L denotes the target link; $V_2$ is the weight of a given component service among all component services running on the link; B denotes link performance, and the larger B is, the worse the link performance; B'(t) denotes the change in link performance at time t, obtained by calculating the curvature of function B at that point, with B'(t) ≤ 3 enforced: when B'(t) exceeds 3, B'(t) is set to 3; $U_S(t) = N2(t) \cdot 10^{D2(t)}$ represents the service security situation of the target link at time t, where N2(t) is the number of attacks on the link at time t and D2(t) is the severity of the attacks on the link at time t, which depends on the kinds of attack and the number of attacks suffered by the services the target link provides; this function is set manually according to the specific circumstances;
(6) Main map generation module 600: based on the calculated network security situation value of each node and link, grade the values against preset thresholds, use different colours to represent the security state of nodes and links at different situation levels, and generate the security posture map.
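The decision in step (4-3) can be followed in the sketch below, which is an added example and not code from the patent. It assumes that the "curvature" K' is the absolute change in similarity per unit time between two consecutive samples, that the alarm level is the index of the interval in T < T1 < ... < Tn, and that a slow dip that has not yet lasted A is reported as "pending" (a case the text leaves open); the class and method names are hypothetical, and the input is the current similarity already produced by step (4-2).

```python
from bisect import bisect_right
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NodeState:
    prev: Optional[Tuple[float, float]] = None   # previous (time, similarity) sample
    below_since: Optional[float] = None          # time the similarity first fell below T
    temp_store: List[Tuple[float, float]] = field(default_factory=list)  # harmless events


class AlarmTriage:
    """Step (4-3): grade an event, or decide whether a dip below T is harmless."""

    def __init__(self, class_thresholds, T, K, A, harmless_limit):
        bounds = [T] + list(class_thresholds)
        if bounds != sorted(set(bounds)):
            raise ValueError("thresholds must satisfy T < T1 < T2 < ... < Tn")
        self.bounds, self.T, self.K, self.A = bounds, T, K, A
        self.harmless_limit = harmless_limit      # 4 in this application scenario
        self.nodes: Dict[str, NodeState] = {}

    def classify(self, node, t, similarity):
        """Return (verdict, alarm_level); alarm_level is None unless verdict == 'alarm'."""
        st = self.nodes.setdefault(node, NodeState())
        prev, st.prev = st.prev, (t, similarity)

        if similarity >= self.T:
            # Falls inside a threshold interval: the interval index is the alarm level
            # (assumption: [T, T1) is level 1 and values >= Tn are level n + 1).
            st.below_since = None
            return ("alarm", bisect_right(self.bounds, similarity))

        if st.below_since is None:
            st.below_since = t
        duration = t - st.below_since
        if duration >= self.A:
            # Similarity stayed below T for at least A: add a new alarm category.
            return ("new_category", None)

        # K': change of the similarity curve relative to the previous sample (assumption).
        k = 0.0
        if prev is not None and t > prev[0]:
            k = abs(similarity - prev[1]) / (t - prev[0])
        if k > self.K:
            # Sharp, short-lived dip: harmless, but remembered in the temporary store.
            st.temp_store.append((t, similarity))
            if len(st.temp_store) >= self.harmless_limit:
                st.temp_store.clear()
                return ("new_category", None)
            return ("harmless", None)
        return ("pending", None)   # not specified by the text; assumption


if __name__ == "__main__":
    # Constructed samples: one node that dips sharply every 20 s and recovers.
    triage = AlarmTriage([0.5, 0.7, 0.9], T=0.3, K=0.05, A=60, harmless_limit=4)
    t = 0
    print(triage.classify("node-1", t, 0.8))
    for _ in range(4):
        t += 10
        print(triage.classify("node-1", t, 0.1))
        t += 10
        triage.classify("node-1", t, 0.8)
```

The temporary store is what keeps repeated "harmless" dips on one node from being suppressed indefinitely: the fourth one is promoted to a new alarm category.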
In this embodiment, network information data is collected by multiple data collectors, which ensures that collection is comprehensive. An algorithm based on attribute similarity sets thresholds, compares each piece of alarm information, and calls the corresponding functions to filter and aggregate the alarms. For background events that may occur, or events that do not materially affect security, a new evaluation criterion based on the curvature of the similarity curve and on duration excludes such events from normal alarms, reducing interference with monitoring personnel. To avoid security gaps, these events are placed in a temporary store and are treated as a new security event once they have occurred more than 4 times; the false-detection rate of security events is then below 7‰. This makes the security behaviour shown on the posture map more faithful and, from another angle, improves the map's credibility. A new network security situation formula is designed that considers the security situation of both nodes and links and the influence of multiple factors. The maximum of P'(t) and B'(t) is capped at 3, so the terms $10^{P'(t)}$ and $10^{B'(t)}$, which reflect dynamic changes in node and link performance, do not exceed 1000; to some extent this suppresses transient misjudgments that may appear in the dynamic representation and keeps the image stable.
Preferably, node performance P is obtained as follows: set a threshold for each of processor utilization, memory usage, number of network connections and packet loss rate, together with a change threshold over a fixed time interval; denote by J1 the sum of the absolute values of the amounts by which each value exceeds its threshold, and by J2 the sum of the absolute values of the amounts by which each value's change over the fixed time interval exceeds its change threshold; node performance P is then given by $P = 2^{J1+J2}$.
Link performance B is obtained as follows: set a threshold for each of the link component's number of network connections, bandwidth utilization, packet loss rate and link component processor utilization, together with a change threshold over a fixed time interval; denote by J3 the sum of the absolute values of the amounts by which each value exceeds its threshold, and by J4 the sum of the absolute values of the amounts by which each value's change over the fixed time interval exceeds its change threshold; link performance B is then given by $B = 2^{J3+J4}$.
The weight of each node is determined as follows:
(1) establish an importance comparison matrix of each node relative to the other nodes with respect to network security situation;
(2) convert the node importance comparison matrix into the node fuzzy consistent matrix;
(3) calculate the weight of each node from the elements of the node fuzzy consistent matrix.
The weight of each link is determined as follows:
(1) establish an importance comparison matrix of each link relative to the other links with respect to network security situation;
(2) convert the link importance comparison matrix into the link fuzzy consistent matrix;
(3) calculate the weight of each link from the elements of the link fuzzy consistent matrix.
Fig. 3 gives an example of the generated security posture map.
This embodiment takes the dynamic changes of nodes and links into account. Compared with existing discrete representations of node and link performance state, it reflects the dynamic changes of nodes and links continuously in the final security situation value (the settings $P = 2^{J1+J2}$ and $B = 2^{J3+J4}$ replace the discrete dynamic changes of the prior art).
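The situation value of module 500, the performance terms P and B and the colour grading of module 600 fit together as in the following sketch, an added example that is not the patent's own code. It assumes that metrics are expressed as fractions between 0 and 1, that P'(t) and B'(t) are the change of P or B between two consecutive samples divided by the sampling interval, and that the weights are already known; all function names, sample metrics and grading thresholds are constructed for illustration.

```python
from bisect import bisect_right

CHANGE_CAP = 3.0   # P'(t) and B'(t) are forced to be at most 3


def performance_index(current, previous, limits, change_limits):
    """P = 2^(J1+J2) for a node, or B = 2^(J3+J4) for a link."""
    excess = 0.0   # J1 / J3: amounts by which metrics exceed their thresholds
    jump = 0.0     # J2 / J4: amounts by which metric changes exceed change thresholds
    for name, value in current.items():
        if value > limits[name]:
            excess += abs(value - limits[name])
        delta = abs(value - previous[name])
        if delta > change_limits[name]:
            jump += abs(delta - change_limits[name])
    return 2.0 ** (excess + jump)


def capped_change(series, dt):
    """P'(t) or B'(t): change since the previous sample (assumption), capped at 3."""
    if len(series) < 2 or dt <= 0:
        raise ValueError("need two samples and a positive interval")
    return min((series[-1] - series[-2]) / dt, CHANGE_CAP)


def service_situation(attack_count, severity):
    """F_s(t) = N1(t) * 10^D1(t), and likewise U_S(t) = N2(t) * 10^D2(t)."""
    return attack_count * 10.0 ** severity


def element_situation(service_weight, attack_count, severity, change):
    """F_H = V1 * F_s(t) + 10^P'(t), and likewise F_L = V2 * U_S(t) + 10^B'(t)."""
    dynamic_term = 10.0 ** min(change, CHANGE_CAP)   # never exceeds 1000
    return service_weight * service_situation(attack_count, severity) + dynamic_term


def network_situation(w_node, f_node, w_link, f_link):
    """F_N = W_H * F_H + W_L * F_L."""
    return w_node * f_node + w_link * f_link


def grade(value, thresholds, colours):
    """Module 600: map a situation value onto a colour using preset thresholds."""
    return colours[bisect_right(thresholds, value)]


if __name__ == "__main__":
    # Constructed node metrics: CPU is over its threshold and jumped sharply.
    now = {"cpu": 0.92, "mem": 0.70, "conn": 0.40, "loss": 0.02}
    before = {"cpu": 0.70, "mem": 0.68, "conn": 0.38, "loss": 0.02}
    limits = {"cpu": 0.85, "mem": 0.80, "conn": 0.60, "loss": 0.05}
    change_limits = {"cpu": 0.10, "mem": 0.10, "conn": 0.10, "loss": 0.01}

    p_now = performance_index(now, before, limits, change_limits)   # 2^0.19
    p_change = capped_change([1.0, p_now], dt=1.0)
    f_node = element_situation(0.5, attack_count=2, severity=1, change=p_change)
    f_link = element_situation(0.5, attack_count=1, severity=0, change=0.0)
    f_n = network_situation(0.6, f_node, 0.4, f_link)
    print(round(p_now, 4), round(f_n, 3),
          grade(f_n, [10, 100, 1000], ["green", "yellow", "orange", "red"]))
```

Without the cap, a single noisy sample with a large P'(t) would dominate the whole value through the power of ten; with it, the dynamic term contributes at most 1000.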
Embodiment 4:
A contamination analysis platform for multi-source data, as shown in Fig. 1, comprises a pollution information acquisition terminal, a wireless network 1, a cloud server cluster 2, an encryption system 3 and a security posture map system. The pollution information acquisition terminal comprises a pollution distribution point computer 4, a discharge data distributed computer 5, an air quality distributed computer 6 and a water source quality distributed computer 7, which respectively monitor the specific distribution of each pollution point, the discharge data of each discharge point, the air quality at each distribution point and the water source quality at each distribution point. The data collected by the pollution information acquisition terminal is sent over the wireless network 1 to the cloud server cluster 2 for analysis, processing and storage. The encryption system 3 encrypts the received data, and only a user holding the key can obtain the data. The cloud server cluster 2 comprises multiple nodes and links, and the security posture map system generates a visual security posture map for the cloud server cluster 2 so that the security information of the cloud server cluster can be monitored conveniently.
The invention uses multiple distributed computers to monitor pollution sources of various categories, so the data is comprehensive and reliable, and uses the cloud service cluster to relieve the computing and storage load of a traditional local server.
Preferably, the air quality distributed computer 6 and the water source quality distributed computer 7 each comprise a local computer and a monitoring device connected to the local computer; the monitoring device comprises sensors, a programmable controller and an intermediate relay, and the sensors comprise a pH sensor, an EO sensor and a COD sensor.
Preferably, the local computer communicates with the monitoring device over an RS232 serial port according to a communication protocol, and communicates with the cloud server cluster 2 over the wireless network 1.
Preferably, as shown in Fig. 2, the security posture map system comprises a geographic background map generation module 100, a security information acquisition module 200, a database generation module 300, a rolling alarm generation module 400, a security situation value evaluation module 500 and a main map generation module 600:
(1) Geographic background map generation module 100: using MAPX software, take the geographic map of the area where the network is located as the background layer, divide the network into multiple nodes and the links connecting pairs of nodes, and map the nodes and links onto the background layer;
(2) Security information acquisition module 200: network information data is collected by multiple data collectors, which use Syslog as the primary collection method and SNMP as a supplementary one, and complete the collection of network information data by configuring different network security devices. The network information data comprises log data, traffic data and vulnerability information. Vulnerability information is obtained from scanning tools and network IDS intrusion detection tools, over the SNMP or HTTP protocol, through log collection plug-ins or data interfaces; log data is collected by the data collectors over the Syslog protocol and the Flow protocol;
(3) Database generation module 300: the collected network information data is merged and filtered by a proxy management server, converted into a unified data format and sent to the server terminal to form the base database;
(4) Rolling alarm generation module 400: aggregates and classifies the network information data and generates rolling alarms accordingly; the rolling alarms are placed on the right side of the security posture map. Specifically, the following operations are performed:
(4-1) retrieve network information data from the base database and set multiple classification thresholds T1, T2, T3, ..., Tn, a similarity update threshold T, a curvature threshold K, a similarity duration threshold A and an initial similarity C; cyclically fetch the network information data within a given time, call the similarity calculation function to compute the real-time similarity, and generate, for each node, the curve function AI of real-time similarity against time;
(4-2) compare the calculation results: if the real-time similarity is greater than the initial similarity C, update the current similarity to the real-time similarity; otherwise keep the initial similarity C as the current similarity and increment the counter by 1;
(4-3) compare the current similarity with the classification thresholds T1, T2, T3, ..., Tn and determine the alarm level of the security event from the threshold interval in which the current similarity lies, where T < T1 < T2 < T3 < ... < Tn; if the current similarity does not fall within any interval, compare it with the similarity threshold T, and if it is below T, perform the following operations:
Calculate the change in real-time similarity at the current time point relative to the previous time point, that is, the curvature K' of the curve function AI at the current time point relative to the previous time point. If K' > K and the time for which the current similarity has been below the similarity threshold T is shorter than the similarity duration threshold A, classify the network information data as a harmless security event and do not add a new alarm category; at the same time, store the relevant information of the harmless security event in a manually configured temporary store. When the counter records that the same node has reached 5 harmless security events, add a new alarm category. When the time for which any current similarity has been below the similarity threshold T is greater than or equal to the similarity duration threshold A, also add a new alarm category. The false-detection rate of security events is then below 8‰;
(4-4) after all network information data has been classified by the above aggregation and classification method, display it as rolling alarms on the right side of the map, with a different alarm colour for each category;
(5) Security situation value evaluation module 500: obtain the network security situation value of each node and link according to the following formulas:
$F_N\{W_H, W_L, F_H, F_L, t\} = W_H \cdot F_H + W_L \cdot F_L$
where
$F_H(H, V_1, F_s, t) = V_1 \cdot F_s(t) + 10^{P'(t)}$
$F_L(L, V_2, U_S, t) = V_2 \cdot U_S(t) + 10^{B'(t)}$
Here $W_H$ is the weight of the target node among all nodes and $W_L$ is the weight of the target link among all links; $W_H$ and $W_L$ are obtained from the service information provided by the node and the link components, respectively;
$F_H$ represents the security situation of the target node at time t; H denotes the target node; $V_1$ is the weight of a given service among all services running on the node; P denotes node performance, and the larger P is, the worse the node performance; P'(t) denotes how P is changing at time t, obtained by calculating the curvature of function P at that point, with P'(t) ≤ 3 enforced: when P'(t) exceeds 3, P'(t) is set to 3; $F_s(t) = N1(t) \cdot 10^{D1(t)}$ represents the service security situation of the target node at time t, where N1(t) is the number of attacks on the node at time t and D1(t) is the severity of the attacks on the node at time t, which depends on the kinds of attack and the number of attacks suffered by the services the target node currently provides; this function is set manually according to the specific circumstances;
$F_L$ represents the security situation of the target link at time t; L denotes the target link; $V_2$ is the weight of a given component service among all component services running on the link; B denotes link performance, and the larger B is, the worse the link performance; B'(t) denotes the change in link performance at time t, obtained by calculating the curvature of function B at that point, with B'(t) ≤ 3 enforced: when B'(t) exceeds 3, B'(t) is set to 3; $U_S(t) = N2(t) \cdot 10^{D2(t)}$ represents the service security situation of the target link at time t, where N2(t) is the number of attacks on the link at time t and D2(t) is the severity of the attacks on the link at time t, which depends on the kinds of attack and the number of attacks suffered by the services the target link provides; this function is set manually according to the specific circumstances;
(6) Main map generation module 600: based on the calculated network security situation value of each node and link, grade the values against preset thresholds, use different colours to represent the security state of nodes and links at different situation levels, and generate the security posture map.
In this embodiment, network information data is collected by multiple data collectors, which ensures that collection is comprehensive. An algorithm based on attribute similarity sets thresholds, compares each piece of alarm information, and calls the corresponding functions to filter and aggregate the alarms. For background events that may occur, or events that do not materially affect security, a new evaluation criterion based on the curvature of the similarity curve and on duration excludes such events from normal alarms, reducing interference with monitoring personnel. To avoid security gaps, these events are placed in a temporary store and are treated as a new security event once they have occurred more than 5 times; the false-detection rate of security events is then below 8‰. This makes the security behaviour shown on the posture map more faithful and, from another angle, improves the map's credibility. A new network security situation formula is designed that considers the security situation of both nodes and links and the influence of multiple factors. The maximum of P'(t) and B'(t) is capped at 3, so the terms $10^{P'(t)}$ and $10^{B'(t)}$, which reflect dynamic changes in node and link performance, do not exceed 1000; to some extent this suppresses transient misjudgments that may appear in the dynamic representation and keeps the image stable.
Preferably, node performance P is obtained as follows: set a threshold for each of processor utilization, memory usage, number of network connections and packet loss rate, together with a change threshold over a fixed time interval; denote by J1 the sum of the absolute values of the amounts by which each value exceeds its threshold, and by J2 the sum of the absolute values of the amounts by which each value's change over the fixed time interval exceeds its change threshold; node performance P is then given by $P = 2^{J1+J2}$.
Link performance B is obtained as follows: set a threshold for each of the link component's number of network connections, bandwidth utilization, packet loss rate and link component processor utilization, together with a change threshold over a fixed time interval; denote by J3 the sum of the absolute values of the amounts by which each value exceeds its threshold, and by J4 the sum of the absolute values of the amounts by which each value's change over the fixed time interval exceeds its change threshold; link performance B is then given by $B = 2^{J3+J4}$.
The weight of each node is determined as follows:
(1) establish an importance comparison matrix of each node relative to the other nodes with respect to network security situation;
(2) convert the node importance comparison matrix into the node fuzzy consistent matrix;
(3) calculate the weight of each node from the elements of the node fuzzy consistent matrix.
The weight of each link is determined as follows:
(1) establish an importance comparison matrix of each link relative to the other links with respect to network security situation;
(2) convert the link importance comparison matrix into the link fuzzy consistent matrix;
(3) calculate the weight of each link from the elements of the link fuzzy consistent matrix.
Fig. 3 gives an example of the generated security posture map.
This embodiment takes the dynamic changes of nodes and links into account. Compared with existing discrete representations of node and link performance state, it reflects the dynamic changes of nodes and links continuously in the final security situation value (the settings $P = 2^{J1+J2}$ and $B = 2^{J3+J4}$ replace the discrete dynamic changes of the prior art).
Application scenario 5:
A contamination analysis platform for multi-source data, as shown in Fig. 1, comprises a pollution information acquisition terminal, a wireless network 1, a cloud server cluster 2, an encryption system 3 and a security posture map system. The pollution information acquisition terminal comprises a pollution distribution point computer 4, a discharge data distributed computer 5, an air quality distributed computer 6 and a water source quality distributed computer 7, which respectively monitor the specific distribution of each pollution point, the discharge data of each discharge point, the air quality at each distribution point and the water source quality at each distribution point. The data collected by the pollution information acquisition terminal is sent over the wireless network 1 to the cloud server cluster 2 for analysis, processing and storage. The encryption system 3 encrypts the received data, and only a user holding the key can obtain the data. The cloud server cluster 2 comprises multiple nodes and links, and the security posture map system generates a visual security posture map for the cloud server cluster 2 so that the security information of the cloud server cluster can be monitored conveniently.
The invention uses multiple distributed computers to monitor pollution sources of various categories, so the data is comprehensive and reliable, and uses the cloud service cluster to relieve the computing and storage load of a traditional local server.
Preferably, the air quality distributed computer 6 and the water source quality distributed computer 7 each comprise a local computer and a monitoring device connected to the local computer; the monitoring device comprises sensors, a programmable controller and an intermediate relay, and the sensors comprise a pH sensor, an EO sensor and a COD sensor.
Preferably, the local computer communicates with the monitoring device over an RS232 serial port according to a communication protocol, and communicates with the cloud server cluster 2 over the wireless network 1.
Preferably, as shown in Figure 2, the security posture map system includes geographic background map generation module 100, security information acquisition module 200, database generation module 300, rolling alarm generation module 400, security posture value evaluation module 500 and main map generation module 600:
(1) Geographic background map generation module 100: using MAPX software, takes the geographic map of the area where the network is located as the background layer, divides the network into multiple nodes and the links connecting pairs of nodes, and maps the nodes and links onto the background layer;
(2) Security information acquisition module 200: collects network information data through multiple data collectors. The data collectors are based on Syslog collection, with SNMP as a supplementary collection method, and collect network information data by configuring different network security devices. The network information data include log data, traffic data and vulnerability information. The vulnerability information is obtained by scanning tools and network IDS intrusion detection tools, over the SNMP or HTTP protocol, through log collection plug-ins or data interfaces. The log data are collected by the data collectors over the Syslog protocol and the Flow protocol;
(3) Database generation module 300: a proxy management server merges and filters the collected network information data into a unified data format and sends it to the server terminal to form the base database;
(4) Rolling alarm generation module 400: aggregates and classifies the network information data and generates rolling alarms accordingly. The rolling alarms are placed on the right side of the security posture map. The module performs the following operations:
(4-1) Retrieve network information data from the base database, and set multiple classification thresholds T1, T2, T3, ..., Tn, a similarity update threshold T, a curvature threshold K, a similarity duration threshold A and an initial similarity C. Cyclically take the network information data within a preset time, call the similarity calculation function to compute the real-time similarity, and generate for each node the curve function AI of real-time similarity against time;
(4-2) Compare the calculation results: if the real-time similarity is greater than the initial similarity C, update the current similarity to the real-time similarity; otherwise keep the initial similarity C as the current similarity, and increment the counter by 1;
(4-3) Compare the current similarity with the classification thresholds T1, T2, T3, ..., Tn, and determine the alarm level of the security event from the threshold interval in which the current similarity falls, where T < T1 < T2 < T3 < ... < Tn. If the current similarity does not fall within any interval, compare it with the similarity threshold T, and if the current similarity is less than the similarity threshold T, perform the following operations:
Compute the change in real-time similarity at the current time point relative to the previous time point, i.e. the curvature K' of the curve function AI at the current time point relative to the previous time point. If K' > K and the time for which the current similarity has stayed below the similarity threshold T is less than the similarity duration threshold A, classify the network information data as a harmless security event and do not add a new alarm category; at the same time, store the information on the harmless security event in a manually configured temporary store, and when the counter shows that the same node has reached 6 harmless security events, add a new alarm category. When the time for which any current similarity stays below the similarity threshold T is greater than or equal to the similarity duration threshold A, also add a new alarm category. The misdetection rate of security events is then less than 9‰;
(4-4) After all network information data have been classified by the above aggregation and classification method, display them as rolling alarms on the right side of the map, with a different alarm color for each category;
(5) Security posture value evaluation module 500: obtains the network security posture value of each node and link from the following formula:
$F_N(W_H, W_L, F_H, F_L, t) = W_H \cdot F_H + W_L \cdot F_L$
where
$F_H(H, V_1, F_s, t) = V_1 \cdot F_s(t) + 10^{P'(t)}$
$F_L(L, V_2, U_S, t) = V_2 \cdot U_S(t) + 10^{B'(t)}$
Here $W_H$ is the weight of the target node among all nodes and $W_L$ is the weight of the target link among all links; $W_H$ and $W_L$ are obtained from the service information provided by the node and by the link components respectively;
$F_H$ is the security posture of the target node at time t, H denotes the target node, and $V_1$ is the weight of a given service among all services running on the node. P is the node performance state; the larger P is, the worse the node performance. $P'(t)$ represents the link performance change at time t, obtained by calculating the curvature of the function P at that point, and $P'(t) \le 3$ is enforced: when $P'(t)$ exceeds 3, it is set to $P'(t) = 3$. $F_s(t) = N_1(t) \cdot 10^{D_1(t)}$ is the service security posture of the target node at time t, where $N_1(t)$ is the number of attacks on the node at time t and $D_1(t)$ is the severity of the attacks on the node at time t; $D_1(t)$ depends on the kinds of attack and the number of attacks suffered by the services the target node currently provides, and the function is set manually according to the specific situation;
$F_L$ is the security posture of the target link at time t, L denotes the target link, and $V_2$ is the weight of a given component service among all component services running on the link. B is the link performance state; the larger the value, the worse the link performance. $B'(t)$ represents the link performance change at time t, obtained by calculating the curvature of the function B at that point, and $B'(t) \le 3$ is enforced: when $B'(t)$ exceeds 3, it is set to $B'(t) = 3$. $U_S(t) = N_2(t) \cdot 10^{D_2(t)}$ is the service security posture of the target link at time t, where $N_2(t)$ is the number of attacks on the link at time t and $D_2(t)$ is the severity of the attacks on the link at time t; $D_2(t)$ depends on the kinds of attack and the number of attacks suffered by the services the target link provides, and the function is set manually according to the specific situation;
(6) Main map generation module 600: grades the calculated network security posture values of the nodes and links against preset thresholds, represents the security state of nodes and links at different posture grades with different colors, and generates the security posture map.
In this embodiment, network information data are collected by multiple data collectors, which ensures that collection is comprehensive. An algorithm based on attribute similarity sets thresholds, compares each piece of alarm information and calls the corresponding functions to filter and aggregate the alarm information. For background events that may occur, or events that clearly do not threaten security, a new evaluation criterion based on the curvature of the similarity curve and on duration excludes such events from normal alarms, which reduces interference for monitoring personnel. On the other hand, to avoid security gaps, such events are placed in a temporary store and are treated as a new security event once they occur more than 6 times; the misdetection rate of security events is then less than 9‰, which makes the security behavior shown on the posture map more truthful and so improves the credibility of the posture map. A new network security posture formula is designed that considers the security posture of nodes and links together and takes multiple factors into account. Because the maximum of $P'(t)$ and $B'(t)$ is forced to 3, the terms $10^{P'(t)}$ and $10^{B'(t)}$, which reflect the dynamic changes in node and link performance, cannot exceed 1000; this suppresses to some extent the short-term misjudgments that can arise in a dynamic representation and keeps the image stable.
Preferably, the node performance state P is obtained as follows: set a threshold for each of processor utilization, memory usage, number of network connections and data packet loss rate, and a change threshold for each over a fixed time interval. The sum of the absolute values of the differences by which these values exceed their thresholds is denoted $J_1$, and the sum of the absolute values of the differences by which each value's change over the fixed time interval exceeds its change threshold is denoted $J_2$. The node performance state is then $P = 2^{J_1 + J_2}$.
The link performance state B is obtained as follows: set a threshold for each of link component network connection count, bandwidth utilization, data packet loss rate and link component processor utilization, and a change threshold for each over a fixed time interval. The sum of the absolute values of the differences by which these values exceed their thresholds is denoted $J_3$, and the sum of the absolute values of the differences by which each value's change over the fixed time interval exceeds its change threshold is denoted $J_4$. The link performance state is then $B = 2^{J_3 + J_4}$.
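The posture value calculation of module 500 and the definitions of P and B, carried through in Python as an added example (not code from the patent). It assumes every metric is normalised to [0, 1], uses a backward difference in place of the curvature calculation that the text does not define, and runs on constructed thresholds and samples; all function names are hypothetical.

```python
P_CAP = 3.0  # the page forces P'(t) and B'(t) to <= 3, so 10**x <= 1000


def performance(now, prev, limits, change_limits):
    """P = 2**(J1 + J2) for a node; B = 2**(J3 + J4) for a link.

    J1/J3: sum of the amounts by which each metric exceeds its threshold.
    J2/J4: sum of the amounts by which each metric's change over the fixed
    interval exceeds its change threshold.
    Assumption: every metric is normalised to the range [0, 1].
    """
    j_level = sum(max(0.0, now[m] - limits[m]) for m in limits)
    j_change = sum(
        max(0.0, abs(now[m] - prev[m]) - change_limits[m]) for m in limits
    )
    return 2.0 ** (j_level + j_change)


def change_rate(perf_now, perf_prev, dt=1.0):
    """P'(t) or B'(t), capped at P_CAP.

    Assumption: a backward difference stands in for the curvature
    calculation the page mentions but does not define.
    """
    return min((perf_now - perf_prev) / dt, P_CAP)


def element_posture(service_weight, attacks, severity, perf_now, perf_prev):
    """F_H (node) or F_L (link): V * N(t) * 10**D(t) + 10**P'(t)."""
    service = attacks * 10.0 ** severity  # F_s(t) or U_S(t)
    return service_weight * service + 10.0 ** change_rate(perf_now, perf_prev)


def network_posture(w_node, f_node, w_link, f_link):
    """F_N = W_H * F_H + W_L * F_L."""
    return w_node * f_node + w_link * f_link


# Constructed sample data (not from the page).
LIMITS = {"cpu": 0.75, "mem": 0.75, "conn": 0.75, "loss": 0.25}
CHANGE_LIMITS = {"cpu": 0.25, "mem": 0.25, "conn": 0.25, "loss": 0.125}
CALM = {"cpu": 0.5, "mem": 0.5, "conn": 0.5, "loss": 0.0}
BUSY = {"cpu": 1.0, "mem": 1.0, "conn": 0.5, "loss": 0.0}


def demo():
    p_prev = performance(CALM, CALM, LIMITS, CHANGE_LIMITS)  # J1 = J2 = 0
    p_now = performance(BUSY, CALM, LIMITS, CHANGE_LIMITS)   # J1 = J2 = 0.5
    f_node = element_posture(0.5, attacks=2, severity=2,
                             perf_now=p_now, perf_prev=p_prev)
    # Link: one low-severity attack, performance unchanged (B' = 0).
    f_link = element_posture(0.5, attacks=1, severity=1,
                             perf_now=1.0, perf_prev=1.0)
    return p_now, f_node, f_link, network_posture(0.75, f_node, 0.25, f_link)


if __name__ == "__main__":
    print(demo())
```

Because the performance term enters as a power of ten, the cap at 3 is what bounds the contribution of a sudden performance swing to 1000 regardless of how large the raw change is.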
The weight of each node is determined as follows:
(1) build an importance comparison matrix of each node relative to the other nodes with respect to the network security posture;
(2) convert the importance comparison matrix of the nodes into the fuzzy consistent matrix of the nodes;
(3) calculate the weight of each node from the elements of the fuzzy consistent matrix of the nodes.
The weight of each link is determined as follows:
(1) build an importance comparison matrix of each link relative to the other links with respect to the network security posture;
(2) convert the importance comparison matrix of the links into the fuzzy consistent matrix of the links;
(3) calculate the weight of each link from the elements of the fuzzy consistent matrix of the links.
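The three weighting steps above, as an added Python example (not code from the patent). The text does not give the conversion or weight formulas, so this assumes the commonly used fuzzy analytic hierarchy process forms: a 0 / 0.5 / 1 comparison scale, the row-sum conversion to a fuzzy consistent matrix, and the row-sum weight formula; the function name and the sample matrix are hypothetical.

```python
def fuzzy_consistent_weights(priority):
    """Turn an importance comparison matrix into element weights.

    priority[i][j] is 1.0 if element i matters more than element j for the
    security posture, 0.5 if they matter equally, 0.0 if it matters less
    (assumed scale; the page does not fix one).
    Returns (fuzzy consistent matrix, weights).
    """
    n = len(priority)
    if n < 2:
        raise ValueError("need at least two elements to compare")
    if any(len(r) != n for r in priority):
        raise ValueError("matrix must be square")
    for i in range(n):
        for j in range(n):
            # Complementarity: f_ij + f_ji = 1, which also forces f_ii = 0.5.
            if abs(priority[i][j] + priority[j][i] - 1.0) > 1e-9:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) must sum to 1")

    row = [sum(r) for r in priority]
    # Step 2: r_ij = (r_i - r_j) / (2n) + 0.5 yields a fuzzy consistent matrix.
    consistent = [[(row[i] - row[j]) / (2 * n) + 0.5 for j in range(n)]
                  for i in range(n)]
    # Step 3: w_i = (sum_j r_ij + n/2 - 1) / (n (n - 1)); the weights sum to 1.
    weights = [(sum(consistent[i]) + n / 2 - 1) / (n * (n - 1))
               for i in range(n)]
    return consistent, weights


# Constructed example: node A outranks B and C, and B outranks C.
NODE_PRIORITY = [
    [0.5, 1.0, 1.0],
    [0.0, 0.5, 1.0],
    [0.0, 0.0, 0.5],
]

if __name__ == "__main__":
    matrix, weights = fuzzy_consistent_weights(NODE_PRIORITY)
    print(weights)
```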
Fig. 3 gives an example of the generated security posture map.
This embodiment takes the dynamic changes of nodes and links into account. Compared with existing discrete representations of node and link performance state, the dynamic changes of nodes and links are reflected continuously in the final security posture value (the settings $P = 2^{J_1 + J_2}$ and $B = 2^{J_3 + J_4}$ replace the discrete dynamic changes of the prior art).
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit its scope of protection. Although the invention has been explained with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the invention may be modified or equivalently replaced without departing from the substance and scope of the technical solution of the invention.

Claims (3)

1. A contamination analysis platform for multi-source data, characterized in that it includes a pollution information acquisition terminal, a wireless network, a cloud server cluster, an encryption system and a security posture map system; the pollution information acquisition terminal includes a pollution distribution point computer, a pollutant discharge data distributed computer, an air quality distributed computer and a water source quality distributed computer, which respectively monitor the specific distribution of each pollution point, the discharge data of each discharge point, the air quality at each distribution point and the water source quality at each distribution point; the data collected by the pollution information acquisition terminal are sent over the wireless network to the cloud server cluster for analysis, processing and storage; the encryption system encrypts the received data, so that only a user holding the key can obtain the data; the cloud server cluster includes multiple nodes and links, and the security posture map system generates a visual security posture map for the cloud server cluster, to make the security information of the cloud server cluster easier to monitor.
2. The contamination analysis platform for multi-source data according to claim 1, characterized in that the air quality distributed computer and the water source quality distributed computer each include a local computer and a monitor connected to the local computer, the monitor includes sensors, a programmable controller and an intermediate relay, and the sensors include a pH sensor, an EO sensor and a COD sensor.
3. The contamination analysis platform for multi-source data according to claim 2, characterized in that the local computer communicates with the monitor over an RS232 serial port according to a communication protocol, and communicates with the cloud server cluster over the wireless network.
CN201610562108.9A 2016-07-14 2016-07-14 A kind of contamination analysis platform of multi-source data Withdrawn CN106210088A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610562108.9A CN106210088A (en) 2016-07-14 2016-07-14 A kind of contamination analysis platform of multi-source data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610562108.9A CN106210088A (en) 2016-07-14 2016-07-14 A kind of contamination analysis platform of multi-source data

Publications (1)

Publication Number Publication Date
CN106210088A true CN106210088A (en) 2016-12-07

Family

ID=57475136

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610562108.9A Withdrawn CN106210088A (en) 2016-07-14 2016-07-14 A kind of contamination analysis platform of multi-source data

Country Status (1)

Country Link
CN (1) CN106210088A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108268569A (en) * 2017-01-04 2018-07-10 上海宝信软件股份有限公司 The acquisition of water resource monitoring data and analysis system and method based on big data technology
CN109478055A (en) * 2016-03-01 2019-03-15 源讯网源公司 Using intelligent node for monitoring industrial process in general, intelligence system
CN109873802A (en) * 2018-12-25 2019-06-11 中铁西南科学研究院有限公司 A kind of managing and control system of measuring instrumentss data safety


Similar Documents

Publication Publication Date Title
CN106209856B (en) Method for generating big data security posture map based on trusted computing
CN103685575B (en) A kind of web portal security monitoring method based on cloud framework
Yang et al. A time efficient approach for detecting errors in big sensor data on cloud
CN107851049A (en) System and method for providing Network Safety Analysis based on operating technology and information technology
CN110445801B (en) Situation sensing method and system of Internet of things
CN111162949A (en) Interface monitoring method based on Java byte code embedding technology
WO2008100604A1 (en) Method for equitable placement of a limited number of sensors for wide area surveillance
CN111131304A (en) Cloud platform-oriented large-scale virtual machine fine-grained abnormal behavior detection method and system
CN110460608B (en) Situation awareness method and system including correlation analysis
CN108494802A (en) Key message infrastructure security based on artificial intelligence threatens Active Defending System Against
CN106210088A (en) A kind of contamination analysis platform of multi-source data
CN115037559B (en) Data safety monitoring system based on flow, electronic equipment and storage medium
CN105915402A (en) Industrial control network security protection system
Agate et al. A resilient smart architecture for road surface condition monitoring
CN110493044B (en) Quantifiable situation perception method and system
CN110493217B (en) Distributed situation perception method and system
CN117729032A (en) Night safety protection method for office network
CN109150920A (en) A kind of attack detecting source tracing method based on software defined network
CN110493218B (en) Situation awareness virtualization method and device
Tsugawa et al. Community structure and interaction locality in social networks
CN110471975B (en) Internet of things situation awareness calling method and device
CN109725121A (en) A kind of method and system generating sampling task
CN106226719A (en) A kind of fault electric arc detecting system based on secure cloud network
Lim et al. Research issues in data provenance for streaming environments
CN106196450A (en) A kind of high security central air conditioning system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C04 Withdrawal of patent application after publication (patent law 2001)
WW01 Invention patent application withdrawn after publication

Application publication date: 20161207