CN108683663A - A kind of appraisal procedure and device of network safety situation - Google Patents


Info

Publication number
CN108683663A
Authority
CN
China
Prior art keywords
data
characteristic information
target characteristic
source data
index
Legal status
Granted
Application number
CN201810458202.9A
Other languages
Chinese (zh)
Other versions
CN108683663B (en)
Inventor
喻民
刘超
于倩
刘坤颖
姜建国
黄伟庆
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201810458202.9A
Publication of CN108683663A
Application granted
Publication of CN108683663B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the present invention provides a method and device for assessing a network security situation. The method includes: acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data-driven characteristics; performing data discretization and reduction on the first target characteristic information; pre-classifying the processed first target characteristic information to obtain second target characteristic information corresponding to each classification; inputting the second target characteristic information into the preset models corresponding to the different sub-source data respectively, and obtaining the data index value of the comprehensive multi-source data decision according to the output results of the preset models; and assessing the level of the network security situation according to the data index value. The device executes the above method. The method and device provided in the embodiment can accurately, conveniently and efficiently assess the network security situation in a specific application scenario.

Description

Network security situation assessment method and device
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method and a device for evaluating network security situation.
Background
Network intrusion behaviour is increasingly large-scale, complex and indirect, and the factors threatening network security grow day by day.
In the prior art, a single theory or algorithm is usually adopted to evaluate the network security situation, but a single theory or algorithm suffers from inaccurate and subjective evaluation, harsh conditions of use and similar defects; in particular, when the network is very complex and the data volume grows rapidly, the evaluation efficiency is very low.
Therefore, how to avoid the above defects and accurately, conveniently and efficiently evaluate the risks present in a network in a specific application scenario has become a problem that urgently needs to be solved.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides a method and a device for evaluating a network security situation.
In a first aspect, an embodiment of the present invention provides a method for evaluating a network security situation, where the method includes:
acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics;
carrying out data discretization and reduction processing on the first target characteristic information;
pre-classifying the processed first target characteristic information to obtain second target characteristic information corresponding to each classification;
inputting the second target characteristic information into preset models corresponding to different sub-source data respectively, and acquiring data index values of a comprehensive multi-source data decision according to output results of the preset models;
and evaluating the level of the network security situation according to the data index value.
In a second aspect, an embodiment of the present invention provides an apparatus for evaluating a network security situation, where the apparatus includes:
the acquiring unit is used for acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics;
the processing unit is used for carrying out data discretization and reduction processing on the first target characteristic information;
the classification unit is used for pre-classifying the processed first target characteristic information to acquire second target characteristic information corresponding to each classification;
the acquisition unit is used for respectively inputting the second target characteristic information into preset models corresponding to different source data and acquiring data index values of comprehensive multi-source data decision according to output results of the preset models;
and the evaluation unit is used for evaluating the level of the network security situation according to the data index value.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform a method comprising:
acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics;
carrying out data discretization and reduction processing on the first target characteristic information;
pre-classifying the processed first target characteristic information to obtain second target characteristic information corresponding to each classification;
inputting the second target characteristic information into preset models corresponding to different sub-source data respectively, and acquiring data index values of a comprehensive multi-source data decision according to output results of the preset models;
and evaluating the level of the network security situation according to the data index value.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, including:
the non-transitory computer readable storage medium stores computer instructions that cause the computer to perform a method comprising:
acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics;
carrying out data discretization and reduction processing on the first target characteristic information;
pre-classifying the processed first target characteristic information to obtain second target characteristic information corresponding to each classification;
inputting the second target characteristic information into preset models corresponding to different sub-source data respectively, and acquiring data index values of a comprehensive multi-source data decision according to output results of the preset models;
and evaluating the level of the network security situation according to the data index value.
According to the method and the device for evaluating the network security situation, the acquired first target characteristic information is processed and classified, the data index value of the comprehensive multi-source data decision is acquired through the output results of the preset models corresponding to different source-separated data respectively, so that the level of the network security situation is evaluated, and the network security situation can be accurately, conveniently and efficiently evaluated in a specific application scene.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart illustrating a method for evaluating a network security situation according to an embodiment of the present invention;
FIG. 2 is a screenshot of second target feature information corresponding to each category according to an embodiment of the present disclosure;
FIGS. 3(a)-(c) are screenshots of the evaluation of the network security situation according to an embodiment of the present invention;
FIG. 4 is a three-level framework diagram for evaluating a network security situation according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for evaluating a network security situation according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of a method for evaluating a network security situation according to an embodiment of the present invention, and as shown in fig. 1, the method for evaluating a network security situation according to the embodiment of the present invention includes the following steps:
s1: acquiring characteristic information of multi-source data; and screening the characteristic information to obtain first target characteristic information with data driving characteristics.
Specifically, the device acquires characteristic information of multi-source data and screens the characteristic information to obtain first target characteristic information with data-driven characteristics. The sources of the multi-source data may include log data, network security alarm data and network traffic data. It should be noted that after the multi-source data is obtained, and before the feature information is extracted, records with missing information and redundant records in the multi-source data may be deleted. "Data-driven" here means selecting strong indicators on the basis of the relationships between the indicator values in the training data. The feature information may be screened using a rough set method.
S2: and carrying out data discretization and reduction processing on the first target characteristic information.
Specifically, the device performs data discretization and reduction processing on the first target characteristic information. Further, the data discretization and reduction processing may be performed on the first target feature information according to rough set theory, specifically as follows: attribute reduction is computed on the discretized first target characteristic information using ROSETTA, a table-logic data analysis tool of the rough set framework, and the data discretization is carried out with the NaiveScalar method. The discretization can proceed as follows: sort the objects in the decision table by attribute value in ascending order; whenever two adjacent objects differ in both decision value and attribute value, take the mean of the two attribute values as a cut point; repeat this to add cut points step by step, which yields the discretization. Then, for each condition attribute in the existing index system, compute its approximate classification quality in the decision table and in the table with that attribute removed, and from this decide whether the index is retained.
The theory for the rough set is briefly described as follows:
Rough set theory is based on a classification mechanism: it treats classification as an equivalence relation on a specific space, and the equivalence relation constitutes a partition of that space. The theory only needs the existing knowledge base and requires no other prior knowledge, so uncertainty problems can be handled more objectively. The embodiment of the invention mainly uses rough set theory for attribute reduction; the basis for this is that the classification capability of the condition attributes with respect to the decision attributes does not change before and after the reduction, and the importance and the approximate classification quality of an attribute are computed simply with a discernibility matrix. The specific mathematical expressions are as follows:
Definition 1. A decision table S can be expressed as
$S = \langle U, C \cup D, V, f \rangle$, where $C \cap D = \emptyset$ and $D \neq \emptyset$,
where U is a non-empty finite set of objects, called the universe of discourse; C is the set of condition attributes, D is the set of decision attributes, and V is the set of attribute values;
$f: U \times R \to V$ (with $R = C \cup D$) is an information function that assigns to each object in the universe U a value for each attribute: for every $x_i \in U$ and $r \in R$, $f(x_i, r) \in V_r$.
Definition 2 (approximate classification quality). For each set X and any equivalence relation R on U, the approximate classification quality of X with respect to R is defined as
$$\gamma_R(X) = \frac{\sum_{i=1}^{n} |R(X_i)|}{|U|},$$
where $|R(X_i)|$ is the number of objects that the relation R classifies into $X_i$ with certainty, $|U|$ is the total number of objects in the universe, n is the number of members $X_i$ of X, and $i = 1, 2, \dots, n$.
Definition 3 (importance of an attribute). If $c \in C$ is a condition attribute, the importance of c with respect to the decision attribute set D is defined as
$$\mathrm{SIG}(c) = \gamma_C(D) - \gamma_{C - \{c\}}(D),$$
where $\gamma_C(D)$ is the approximate classification quality of D with respect to C, $\gamma_{C - \{c\}}(D)$ is the approximate classification quality of D with respect to $C - \{c\}$, and $C - \{c\}$ denotes the condition attribute set C with the attribute c removed. The definition expresses the effect on the decision classification of deleting an attribute from the condition attribute set: the larger the loss of approximate classification quality, the more important the attribute; otherwise the attribute is considered less important.
Definition 4. Given a decision system $S = \langle U, C \cup D, V, f \rangle$, if an attribute $c \in C$ satisfies $\gamma_C(D) = \gamma_{C - \{c\}}(D)$, then c is said to be dispensable among the condition attributes relative to the decision; otherwise it is indispensable.
Thus, if a condition attribute in a decision table is dispensable, removing it does not change the partition of the universe induced by the condition attributes and therefore does not change their classification capability. In other words, the attribute reduction in this step reduces the dimensionality of the data while preserving accuracy.
In addition, it should be noted that: due to the characteristic of the algorithm, for large-scale data with continuous features, the data is discretized by a rough set method.
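As an added illustration of the discretization procedure described under S2 and of Definitions 2 to 4 above (example code written for this page, not the patent's or ROSETTA's implementation), the following Python builds a small constructed decision table, places NaiveScaler-style cut points, computes the approximate classification quality γ_C(D), the importance SIG(c), and a reduct. The attribute names, values and risk labels are constructed; the greedy removal order and the tie-breaking by decision label in the sort are assumptions of this example, since the patent delegates the reduction computation to ROSETTA.

```python
"""Rough-set discretization and attribute reduction on a constructed decision table.
Added example for this page; not the patent's or ROSETTA's code."""

# Constructed decision table (not from the patent). Each row is one object x_i:
# condition attributes C = ATTRS, decision attribute D = the risk label.
ATTRS = ("alarms", "bw_util", "vuln_count")
TABLE = [
    ({"alarms": 2,  "bw_util": 0.20, "vuln_count": 1}, "low"),
    ({"alarms": 3,  "bw_util": 0.60, "vuln_count": 1}, "low"),
    ({"alarms": 9,  "bw_util": 0.30, "vuln_count": 2}, "medium"),
    ({"alarms": 11, "bw_util": 0.55, "vuln_count": 1}, "medium"),
    ({"alarms": 25, "bw_util": 0.60, "vuln_count": 5}, "high"),
    ({"alarms": 30, "bw_util": 0.90, "vuln_count": 5}, "high"),
    ({"alarms": 11, "bw_util": 0.90, "vuln_count": 5}, "high"),
]


def cut_points(table, attr):
    """NaiveScaler-style cuts: sort the objects by the attribute value and, wherever
    two adjacent objects differ in both attribute value and decision value, place a
    cut at the mean of the two attribute values. Ties are ordered by decision label
    (an assumption) so that the placement is deterministic."""
    rows = sorted(table, key=lambda r: (r[0][attr], r[1]))
    cuts = []
    for (a, da), (b, db) in zip(rows, rows[1:]):
        if a[attr] != b[attr] and da != db:
            cuts.append((a[attr] + b[attr]) / 2)
    return cuts


def discretize(table, attrs):
    """Replace every attribute value by the index of the interval it falls in."""
    cuts = {a: cut_points(table, a) for a in attrs}
    binned = [({a: sum(v > c for c in cuts[a]) for a, v in cond.items()}, dec)
              for cond, dec in table]
    return binned, cuts


def blocks(table, attrs):
    """Equivalence classes of the indiscernibility relation IND(attrs) on U."""
    groups = {}
    for idx, (cond, _) in enumerate(table):
        groups.setdefault(tuple(cond[a] for a in attrs), set()).add(idx)
    return list(groups.values())


def classification_quality(table, cond_attrs):
    """gamma_C(D) of Definition 2: objects whose C-block lies wholly inside one
    decision class X_i (the lower approximation of X_i), divided by |U|."""
    classes = {}
    for idx, (_, dec) in enumerate(table):
        classes.setdefault(dec, set()).add(idx)
    positive = sum(len(b) for b in blocks(table, cond_attrs)
                   if any(b <= x for x in classes.values()))
    return positive / len(table)


def significance(table, cond_attrs, c):
    """SIG(c) = gamma_C(D) - gamma_{C-{c}}(D) of Definition 3."""
    rest = tuple(a for a in cond_attrs if a != c)
    return classification_quality(table, cond_attrs) - classification_quality(table, rest)


def reduce_attributes(table, cond_attrs):
    """Greedy reduct (Definition 4): drop an attribute whenever its removal leaves
    gamma unchanged, i.e. it is dispensable relative to D. The removal order is an
    assumption of this example; ROSETTA's own algorithms are not reproduced."""
    kept = list(cond_attrs)
    for c in cond_attrs:
        trial = [a for a in kept if a != c]
        if trial and classification_quality(table, trial) == classification_quality(table, kept):
            kept = trial
    return tuple(kept)


if __name__ == "__main__":
    disc, cuts = discretize(TABLE, ATTRS)
    print("cut points:", cuts)
    print("gamma_C(D) on all attributes:", classification_quality(disc, ATTRS))
    for a in ATTRS:
        print(f"SIG({a}) =", significance(disc, ATTRS, a))
    print("reduct:", reduce_attributes(disc, ATTRS))
```

On this table every attribute is dispensable on its own (SIG(c) = 0 for each c with the full C), because the other two always separate the decision classes; the greedy pass removes `alarms` and then finds `bw_util` and `vuln_count` both indispensable, which is the dimension reduction without loss of classification capability that the text describes.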
And S3, pre-classifying the processed first target characteristic information to obtain second target characteristic information corresponding to each classification.
Specifically, the device pre-classifies the processed first target feature information to obtain second target feature information corresponding to each classification. Fig. 2 is a screenshot of the second target feature information corresponding to each category; as shown in fig. 2, the categories are determined according to a disaster tolerance index, a threat index, a stability index and a vulnerability index respectively. Namely: the second target characteristic information corresponding to the disaster tolerance index may include the network bandwidth, the number of security devices in the subnet, and the like; the second target characteristic information corresponding to the threat index may include the number of alarms, the subnet bandwidth utilization rate, and the like; the second target characteristic information corresponding to the stability index may include the change rate of subnet traffic, the change rate of the distribution ratios of different protocol data packets in the subnet, and the like; and the second target characteristic information corresponding to the vulnerability index may include the number and level of network vulnerabilities, the network topology, and the like.
S4: and respectively inputting the second target characteristic information into preset models corresponding to different sub-source data, and acquiring data index values of a comprehensive multi-source data decision according to output results of the preset models.
Specifically, the device inputs the second target characteristic information into the preset models corresponding to the different sub-source data respectively, and obtains the data index values of a comprehensive multi-source data decision according to the output results of the preset models. The output results can be processed with the Dempster-Shafer combination rule of evidence theory to obtain the data index value; that is, the output results corresponding to the processed multi-source data (three in this example, one per source) are fused into a single value. Figs. 3(a)-(c) are screenshots of the evaluation of the network security situation according to the embodiment of the present invention. As shown in fig. 3(a), the security level (low, medium or high) of each data index value can be determined; the "vulnerability index" in the figure corresponds to the "vulnerability" of the present invention. As shown in fig. 3(b), according to the determined security levels of the data, the network security situation level (safe, light danger, general danger, moderate danger or high danger) can be further evaluated. As shown in fig. 3(c), the security index value in the figure can be calculated from preset weights of the four indices (threat, vulnerability, disaster tolerance and stability), and the network security situation level can be evaluated intuitively from the quantified result. The Dempster-Shafer combination rule is a mature technique in the field and is not described in detail here. The preset model may be a pre-trained BP neural network; the training process and the BP neural network itself are well-established techniques in the art and are not described further.
Referring to the above example, since the sources of the multi-source data include log data, network security alarm data, and network traffic data, the second target feature information whose source is the log data corresponds to the BP neural network trained using the log data; the second target characteristic information from which the network security alarm data is derived corresponds to a BP neural network trained by the network security alarm data; the second target feature information sourced as network traffic data corresponds to a BP neural network trained using the network traffic data.
S5: and evaluating the level of the network security situation according to the data index value.
Specifically, the device evaluates the level of the network security situation according to the data index value. Reference may be made to the above embodiments, which are not described in detail.
According to the method for evaluating the network security situation provided by the embodiment of the invention, the acquired first target characteristic information is processed and classified, and the data index value of the comprehensive multi-source data decision is acquired through the output results of the preset models corresponding to different source-separated data respectively, so that the level of the network security situation is evaluated, and the network security situation can be accurately, conveniently and efficiently evaluated in a specific application scene.
On the basis of the foregoing embodiment, the performing data discretization and reduction processing on the first target feature information includes:
and carrying out data discretization and reduction processing on the first target characteristic information according to a rough set theory.
Specifically, the device performs data discretization and reduction processing on the first target characteristic information according to a rough set theory. Reference may be made to the above embodiments, which are not described in detail.
According to the network security situation assessment method provided by the embodiment of the invention, data discretization and reduction processing are carried out on the first target characteristic information according to a rough set theory, so that the operation efficiency in the network security situation assessment process can be improved.
On the basis of the foregoing embodiment, the performing data discretization and reduction processing on the first target feature information according to rough set theory includes:
computing attribute reduction on the discretized first target characteristic information using ROSETTA, a table-logic data analysis tool of the rough set framework, the data discretization being carried out with the NaiveScalar method.
Specifically, the device uses ROSETTA, a table-logic data analysis tool of the rough set framework, to compute attribute reduction on the discretized first target characteristic information, the data discretization being carried out with the NaiveScalar method. Reference may be made to the above embodiments, which are not described in detail.
The evaluation method for the network security situation provided by the embodiment of the invention not only can improve the operation efficiency in the evaluation process of the network security situation, but also can conveniently apply the rough set theory to the evaluation process of the network security situation.
On the basis of the above embodiment, obtaining a data index value of a comprehensive multi-source data decision according to the output result of the preset model includes:
and processing the output result by adopting a Dempster-Shafer merging rule in an evidence theory method to obtain the data index value.
Specifically, the device processes the output result by adopting a Dempster-Shafer merging rule in an evidence theory method to obtain the data index value. Reference may be made to the above embodiments, which are not described in detail.
According to the method for evaluating the network security situation provided by the embodiment of the invention, the Dempster-Shafer merging rule in the evidence theory method is adopted to process the output result so as to obtain the data index value, so that the multi-source data decision can be effectively integrated, and the reasonability of obtaining the data index value is improved.
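The fusion described under S4 and restated in the embodiment just above, as an added example for this page (not the patent's code): the outputs of the three per-source preset models for one index are turned into mass functions over {low, medium, high}, combined with Dempster's rule into a single data index value, and the four index levels are then turned into a weighted security index and one of the five situation levels. The frame of discernment, the discount that leaves a share of mass on the whole frame, the per-index weights, the equal-width level bands, the assumption that a high disaster-tolerance level lowers risk, and all sample model outputs are constructed for the example; the patent only states that the weights are preset.

```python
"""Dempster-Shafer fusion of per-source model outputs into one data index value,
then a weighted security index and situation level. Added example for this page;
the frame, discount, weights, band thresholds and sample outputs are constructed."""
from itertools import product

LEVELS = ("low", "medium", "high")          # security level of one data index
FRAME = frozenset(LEVELS)                    # frame of discernment Theta


def combine_two(m1, m2):
    """Dempster's rule for two mass functions keyed by frozenset focal elements.
    Returns None when the evidence is totally conflicting (K == 1), which the
    rule cannot normalize."""
    fused, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0 - 1e-12:
        return None
    return {s: v / (1.0 - conflict) for s, v in fused.items()}


def fuse(masses):
    """Fold the rule over all sources (it is associative and commutative)."""
    result = masses[0]
    for m in masses[1:]:
        result = combine_two(result, m)
        if result is None:
            return None
    return result


def model_output_to_mass(probs, discount=0.9):
    """Turn one preset model's class probabilities into a mass function. The share
    1 - discount goes to the whole frame (ignorance), so no single source can veto
    the others by assigning probability zero to a level."""
    m = {frozenset([lvl]): p * discount for lvl, p in probs.items()}
    m[FRAME] = 1.0 - discount
    return m


def index_level(mass):
    """Data index value: the level with the largest singleton mass."""
    return max(LEVELS, key=lambda lvl: mass.get(frozenset([lvl]), 0.0))


# Constructed outputs of the three preset models (log, alarm, traffic data) for
# the threat index; the patent gives no such numbers.
THREAT_OUTPUTS = [
    {"low": 0.10, "medium": 0.60, "high": 0.30},   # log data model
    {"low": 0.20, "medium": 0.50, "high": 0.30},   # alarm data model
    {"low": 0.05, "medium": 0.25, "high": 0.70},   # traffic data model
]

LEVEL_SCORE = {"low": 0.0, "medium": 0.5, "high": 1.0}
# Assumed weights: the patent says the four index weights are preset, not what they are.
WEIGHTS = {"threat": 0.35, "vulnerability": 0.30, "disaster_tolerance": 0.15, "stability": 0.20}
PROTECTIVE = {"disaster_tolerance"}  # assumption: a high disaster-tolerance level lowers risk
SITUATION = ("safe", "light danger", "general danger", "moderate danger", "high danger")


def security_index(index_levels, weights=WEIGHTS):
    """Weighted risk score in [0, 1] from the four index levels."""
    score = 0.0
    for name, w in weights.items():
        s = LEVEL_SCORE[index_levels[name]]
        score += w * ((1.0 - s) if name in PROTECTIVE else s)
    return score


def situation_level(score):
    """Map the score onto the five situation levels (equal-width bands assumed)."""
    return SITUATION[min(int(score * len(SITUATION)), len(SITUATION) - 1)]


def assess(outputs_by_index):
    """Fuse each index's per-source outputs, then score the overall situation."""
    levels = {}
    for name, outputs in outputs_by_index.items():
        mass = fuse([model_output_to_mass(p) for p in outputs])
        if mass is None:
            raise ValueError(f"totally conflicting evidence for index {name}")
        levels[name] = index_level(mass)
    score = security_index(levels)
    return levels, score, situation_level(score)


if __name__ == "__main__":
    threat_mass = fuse([model_output_to_mass(p) for p in THREAT_OUTPUTS])
    print("fused threat mass:", {tuple(sorted(k)): round(v, 3) for k, v in threat_mass.items()})
    print("threat index level:", index_level(threat_mass))
```

With the constructed outputs the two models that favour "medium" outweigh the traffic model's vote for "high", so the fused threat index is "medium". The discount matters in practice: if each source placed its whole mass on singletons, two sources disagreeing completely would drive the conflict K to 1 and the rule would have no answer, which is why `combine_two` reports that case instead of dividing by zero.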
On the basis of the above embodiment, the preset model is a BP neural network trained in advance.
Specifically, the preset model in the device is a pre-trained BP neural network. Reference may be made to the above embodiments, which are not described in detail.
According to the method for evaluating the network security situation provided by the embodiment of the invention, the accuracy of evaluating the overall network security situation can be further improved by selecting the preset model as the pre-trained BP neural network.
On the basis of the above embodiment, the sources of the multi-source data include log data, network security alarm data, and network traffic data.
Specifically, the sources of the multi-source data in the device include log data, network security alarm data and network traffic data. Reference may be made to the above embodiments, which are not described in detail.
According to the method for evaluating the network security situation provided by the embodiment of the invention, the multi-source data is obtained from the log data, the network security alarm data and the network flow data, so that the multi-source data can be effectively and conveniently obtained.
On the basis of the embodiment, classification is determined according to the disaster tolerance index, the threat index, the stability index and the vulnerability index; correspondingly, the obtaining of the second target feature information corresponding to each classification includes:
the network bandwidth and the number of safety devices in the subnet corresponding to the disaster tolerance index; the number of alarms and the utilization rate of the subnet bandwidth corresponding to the threat index; the change rate of the subnet traffic corresponding to the stability index and the change rate of the distribution ratio of different protocol data packets in the subnet; and the number and the level of the network vulnerabilities corresponding to the vulnerability indexes, and the network topology.
Specifically, the obtaining, by the device, the second target feature information corresponding to each category includes:
the network bandwidth and the number of safety devices in the subnet corresponding to the disaster tolerance index; the number of alarms and the utilization rate of the subnet bandwidth corresponding to the threat index; the change rate of the subnet traffic corresponding to the stability index and the change rate of the distribution ratio of different protocol data packets in the subnet; and the number and the level of the network vulnerabilities corresponding to the vulnerability indexes, and the network topology. Reference may be made to the above embodiments, which are not described in detail.
The method for evaluating the network security situation provided by the embodiment of the invention can further effectively evaluate the network security situation by acquiring the specific target characteristic information corresponding to each classification.
Fig. 4 is a three-layer framework diagram for evaluating a network security situation according to an embodiment of the present invention, and as shown in fig. 4, effective evaluation of the network security situation is achieved. For the detailed description, reference is made to the above description, which is not repeated.
Fig. 5 is a schematic structural diagram of an evaluation apparatus for network security situation according to an embodiment of the present invention, and as shown in fig. 5, an embodiment of the present invention provides an evaluation apparatus for network security situation, which includes an obtaining unit 1, a processing unit 2, a classifying unit 3, an obtaining unit 4, and an evaluating unit 5, where:
the acquiring unit 1 is used for acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics; the processing unit 2 is used for carrying out data discretization and reduction processing on the first target characteristic information; the classification unit 3 is used for pre-classifying the processed first target feature information to obtain second target feature information corresponding to each classification; the obtaining unit 4 is configured to input the second target feature information into preset models corresponding to different source data, and obtain a data index value of a comprehensive multi-source data decision according to an output result of the preset models; and the evaluation unit 5 is used for evaluating the level of the network security situation according to the data index value.
Specifically, the obtaining unit 1 is configured to obtain feature information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics; the processing unit 2 is used for carrying out data discretization and reduction processing on the first target characteristic information; the classification unit 3 is used for pre-classifying the processed first target feature information to obtain second target feature information corresponding to each classification; the obtaining unit 4 is configured to input the second target feature information into preset models corresponding to different source data, and obtain a data index value of a comprehensive multi-source data decision according to an output result of the preset models; and the evaluation unit 5 is used for evaluating the level of the network security situation according to the data index value.
The evaluation device for network security situation provided by the embodiment of the invention obtains the data index value of the comprehensive multi-source data decision by processing and classifying the obtained first target characteristic information and respectively corresponding to the output results of the preset models of different source-separated data so as to evaluate the level of the network security situation, and can accurately, conveniently and efficiently evaluate the network security situation in a specific application scene.
The device for evaluating network security posture provided by the embodiment of the present invention may be specifically configured to execute the processing flows of the above method embodiments, and the functions thereof are not described herein again, and refer to the detailed description of the above method embodiments.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in Fig. 6, the electronic device includes a processor 601, a memory 602, and a bus 603;
the processor 601 and the memory 602 communicate with each other through the bus 603;
the processor 601 is configured to call the program instructions in the memory 602 to execute the methods provided by the method embodiments above, including: acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics; carrying out data discretization and reduction processing on the first target characteristic information; pre-classifying the processed first target characteristic information to obtain second target characteristic information corresponding to each classification; inputting the second target characteristic information into the preset models corresponding to different sub-source data respectively, and acquiring the data index value of the comprehensive multi-source data decision according to the output results of the preset models; and evaluating the level of the network security situation according to the data index value.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the above-mentioned method embodiments, for example, comprising: acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics; carrying out data discretization and reduction processing on the first target characteristic information; pre-classifying the processed first target characteristic information to obtain second target characteristic information corresponding to each classification; inputting the second target characteristic information into preset models corresponding to different sub-source data respectively, and acquiring data index values of a comprehensive multi-source data decision according to output results of the preset models; and evaluating the level of the network security situation according to the data index value.
The present embodiments provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided by the above method embodiments, for example, including: acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics; carrying out data discretization and reduction processing on the first target characteristic information; pre-classifying the processed first target characteristic information to obtain second target characteristic information corresponding to each classification; inputting the second target characteristic information into preset models corresponding to different sub-source data respectively, and acquiring data index values of a comprehensive multi-source data decision according to output results of the preset models; and evaluating the level of the network security situation according to the data index value.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments may be implemented by program instructions controlling the related hardware; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical disks.
The above-described embodiments of the electronic device and the like are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may also be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the embodiments of the present invention, and are not limited thereto; although embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for evaluating network security situation, comprising:
acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics;
carrying out data discretization and reduction processing on the first target characteristic information;
pre-classifying the processed first target characteristic information to obtain second target characteristic information corresponding to each classification;
inputting the second target characteristic information into preset models corresponding to different sub-source data respectively, and acquiring data index values of a comprehensive multi-source data decision according to output results of the preset models;
and evaluating the level of the network security situation according to the data index value.
2. The method of claim 1, wherein the data discretization and reduction processing of the first target characteristic information comprises:
carrying out data discretization and reduction processing on the first target characteristic information according to rough set theory.
3. The method of claim 2, wherein the data discretization and reduction processing of the first target characteristic information according to rough set theory comprises:
performing attribute reduction calculation on the discretized first target characteristic information using the ROSETTA toolkit of the rough set theoretical framework, the data discretization being carried out using the NaiveScalar method.
4. The method according to any one of claims 1 to 3, wherein obtaining the data index value of the comprehensive multi-source data decision according to the output results of the preset models comprises:
processing the output results with the Dempster-Shafer combination rule of evidence theory to obtain the data index value.
5. The method according to any one of claims 1 to 3, wherein the preset model is a pre-trained BP neural network.
6. The method of any one of claims 1 to 3, wherein the sources of the multi-source data include log data, network security alarm data, and network traffic data.
7. The method according to any one of claims 1 to 3, wherein the classifications are determined respectively on the basis of a disaster tolerance index, a threat index, a stability index and a vulnerability index; correspondingly, the second target characteristic information corresponding to each classification comprises:
the network bandwidth and the number of security devices in the subnet, corresponding to the disaster tolerance index;
the number of alarms and the utilization rate of the subnet bandwidth, corresponding to the threat index;
the change rate of the subnet traffic and the change rate of the distribution ratio of the data packets of different protocols in the subnet, corresponding to the stability index;
and the number and level of the network vulnerabilities and the network topology, corresponding to the vulnerability index.
8. A device for evaluating network security situation, comprising:
the acquiring unit is used for acquiring characteristic information of multi-source data; screening the characteristic information to obtain first target characteristic information with data driving characteristics;
the processing unit is used for carrying out data discretization and reduction processing on the first target characteristic information;
the classification unit is used for pre-classifying the processed first target characteristic information to acquire second target characteristic information corresponding to each classification;
the obtaining unit is used for inputting the second target characteristic information into the preset models corresponding to different sub-source data respectively and obtaining the data index value of the comprehensive multi-source data decision according to the output results of the preset models;
and the evaluation unit is used for evaluating the level of the network security situation according to the data index value.
9. An electronic device, comprising: a processor, a memory, and a bus, wherein,
the processor and the memory communicate with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1 to 7.
10. A non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method of any one of claims 1 to 7.
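The evidence-combination step of claim 4, applied to the outputs of the three per-source models of claims 5 and 6, as an added worked example in Python that is not part of the patent. The three-level frame of discernment, the per-source mass functions (which stand in for the trained BP network outputs) and the decision rule are constructed assumptions; the block also handles the total-conflict case in which Dempster's rule is undefined, a failure mode the claims do not mention.

```python
from itertools import product

# Frame of discernment: the situation levels the combined decision ranges over.
# The patent does not name its levels; these three are an assumed placeholder.
FRAME = frozenset({"low", "medium", "high"})

def dempster_combine(m1, m2):
    """Dempster's rule of combination for two mass functions over FRAME.

    m1, m2 map a focal element (frozenset of levels) to its mass; masses sum to 1.
    Raises ValueError when the sources are totally conflicting (K == 1), the one
    case in which Dempster's rule is undefined.
    """
    combined = {}
    conflict = 0.0  # K: total mass that lands on empty intersections
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            combined[inter] = combined.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0 - 1e-12:
        raise ValueError("sources are totally conflicting; D-S combination undefined")
    # Renormalise by the non-conflicting mass so the result sums to 1 again.
    return {s: v / (1.0 - conflict) for s, v in combined.items()}

def combine_sources(mass_functions):
    """Fold Dempster's rule over all per-source mass functions (it is associative)."""
    result = mass_functions[0]
    for m in mass_functions[1:]:
        result = dempster_combine(result, m)
    return result

def belief(m, hypothesis):
    """Bel(A): mass of the focal elements contained in A."""
    return sum(v for s, v in m.items() if s <= hypothesis)

def plausibility(m, hypothesis):
    """Pl(A): mass of the focal elements that intersect A."""
    return sum(v for s, v in m.items() if s & hypothesis)

def decide_level(m):
    """Pick the level with the highest belief and return its [Bel, Pl] interval,
    so the uncertainty still left after combination stays visible."""
    best = max(sorted(FRAME), key=lambda lvl: belief(m, frozenset({lvl})))
    return best, belief(m, frozenset({best})), plausibility(m, frozenset({best}))

# Constructed sample outputs of the three per-source models (log, alarm, traffic).
# In the patent these come from a BP network trained per source; here they are
# hand-written masses, each leaving some mass on the whole frame as "unknown".
LOG_MASS = {frozenset({"high"}): 0.6, frozenset({"medium", "high"}): 0.2, FRAME: 0.2}
ALARM_MASS = {frozenset({"high"}): 0.5, frozenset({"medium"}): 0.3, FRAME: 0.2}
TRAFFIC_MASS = {frozenset({"medium"}): 0.4, frozenset({"medium", "high"}): 0.4, FRAME: 0.2}

def assess():
    """Comprehensive multi-source decision: combine the three sources, then decide."""
    return decide_level(combine_sources([LOG_MASS, ALARM_MASS, TRAFFIC_MASS]))

if __name__ == "__main__":
    level, bel, pl = assess()
    print(f"situation level: {level}  Bel={bel:.3f}  Pl={pl:.3f}")
```

With these constructed masses the log and alarm sources pull the decision to "high" while the traffic source keeps a sizeable share of belief on "medium", which the [Bel, Pl] interval exposes instead of hiding behind a single score.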
CN201810458202.9A 2018-05-14 2018-05-14 Network security situation assessment method and device Active CN108683663B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810458202.9A CN108683663B (en) 2018-05-14 2018-05-14 Network security situation assessment method and device

Publications (2)

Publication Number Publication Date
CN108683663A true CN108683663A (en) 2018-10-19
CN108683663B CN108683663B (en) 2021-04-20

Family

ID=63806272

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant