CN109120637B - Network security supervision platform and method - Google Patents

Info

Publication number: CN109120637B
Authority: CN (China)
Application number: CN201811065661.7A
Other languages: Chinese (zh)
Other versions: CN109120637A (en)
Inventors: 张世良, 阮群生, 薛东, 杨烈君
Current assignee: Ningde Normal University
Original assignee: Ningde Normal University
Legal status: Active
Prior art keywords: log, network, communication, clock, time
Events: application filed by Ningde Normal University; priority to CN201811065661.7A; publication of CN109120637A; application granted; publication of CN109120637B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L41/14 Network analysis or design

Abstract

The invention relates to a network security supervision platform and method that address the technical problem of large time error. The platform comprises distributed network log collectors, an intermediate unified server uniformly connected to each network log collector, and a platform server connected to the intermediate unified server, where the intermediate unified server adopts the platform server time. The clock of each network log collector comprises a service clock and a communication clock which are mutually related; the clock of the intermediate unified server likewise comprises a mutually related service clock and communication clock. The platform server resolves the service clock from the communication clock and calculates the clock reliability. The invention solves the stated problem well and can be used in network security supervision applications.

Description

Network security supervision platform and method
Technical Field
The invention relates to the technical field of communication, in particular to a network security supervision platform and a network security supervision method.
Background
With the rapid development of computer and communication technology and the growing demands of users, computer networks and communication networks are becoming increasingly complex, and at the same time network security faces severe challenges. The supervision and detection of network security has become a topic of concern to users.
Existing network security supervision technology suffers from large clock error and cannot meet the requirement of high-precision network security supervision, prediction and defence. It is therefore necessary to provide a network security supervision platform and method that solve the above technical problem.
Disclosure of Invention
The invention aims to solve the technical problem of large time error in the prior art. The network security supervision platform and method have the characteristics of high time reliability, accurate performance and high stability.
To solve this technical problem, the technical scheme is as follows:
a network security supervision platform comprises network log collectors which are arranged in a distributed mode, an intermediate unified server which is connected with the network log collectors in a unified mode, and a platform server which is connected with the intermediate unified server, wherein the intermediate unified server adopts platform server time;
the clock of the network log collector comprises a service clock and a communication clock which are mutually related; the clock of the intermediate unified server comprises a service clock and a communication clock which are mutually related; the platform server is used for calculating the service clock according to the communication clock and calculating the clock reliability.
The working principle of the invention is as follows: the service clock is corrected by means of the communication clock, whose precision is far higher than that of the service clock; a high-precision clock can therefore be supplied to the platform server for calculating and estimating the network situation parameters, yielding a high-precision network security value.
In the above scheme, as a refinement, the network log collector is further provided with a first terminal adaptation unit and a first communication terminal, the intermediate unified server is provided with a second communication terminal, a first communication agent, a second terminal adaptation unit and a log collection session agent, and the platform server is provided with a third communication agent;
the log collection session agent, independently or together with the first terminal adaptation unit, establishes a session layer for log collection transaction session negotiation; in cooperation with the collection communication protocol, this session layer establishes the log collection session negotiation and controls the log collection session process between the intermediate unified server and the network log collector.
Furthermore, the first communication terminal and the second communication terminal are both multi-mode communication terminals. The first communication agent and the first terminal adaptation unit establish connection control for communication transmission, used to maintain the TCP/IP connection during heterogeneous communication of the multi-mode communication terminals across different networks; the second communication agent and the second terminal adaptation unit likewise establish connection control for communication transmission and maintain the TCP/IP connection during heterogeneous communication of the multi-mode communication terminals across different networks.
A network security supervision method based on the foregoing network security supervision platform includes:
step 1, the intermediate unified server receives, from the network, a log service data packet generated by a network log collector; the network collection log server marks a service time mark and a service time mark error in the log service data packet, and marks a communication time mark and a communication time mark error in the communication data packet;
step 2, the intermediate unified server performs classification preprocessing on the log service data packets and transmits them to the network platform server;
step 3, the network platform server performs log information resolving and clock reliability calculation according to the received log service data packet and communication data packet, performs log audit, and calculates the theoretical security threat value of the network node;
step 4, the network platform server receives the correction parameters of the user's network correction operation and corrects the theoretical security threat value of the network node according to them;
step 5, a network security situation value and node service information are calculated by weighting according to the weight value corresponding to each network node;
step 6, the network security situation value is predicted with the GM-ARMA method according to the clock reliability.
Further, the clock reliability calculation includes:
the network platform server establishes a related group linking the communication time scale in the communication data packet with the service time scale of the log service data packet;
the network platform server resolves the log data time marks with a data fusion algorithm; the log data time stamp characterizes the log generation time and its time error range with reference to the platform server time.
Further, the service time stamp includes a log generation start time t1 and a log generation end time t2.
Further, the data fusion algorithm comprises:
step A, the intermediate unified server receives the data of each network log collector;
step B, the intermediate unified server eliminates the data whose error exceeds the threshold of the allowable function, completing data preprocessing;
step C, the intermediate unified server performs batch estimation on the preprocessed data and calculates an optimal estimate of the network acquisition;
step D, adaptive weighted fusion is performed over all network acquisition log servers according to the weight optimal distribution criterion, and the log data time scale is calculated.
Further, the GM-ARMA method comprises:
step a, performing a stationarity test on the time sequence to obtain a stationary time sequence;
step b, performing accumulation on the stationary time sequence to obtain a new accumulated sequence;
step c, calculating the sample autocorrelation coefficients and partial autocorrelation coefficients of the accumulated sequence, and determining the corresponding time sequence model and its order according to whether the sample autocorrelation and partial autocorrelation coefficients tail off or cut off (truncate);
step d, calculating the predicted network security situation value with a parameter estimation method, where the parameter estimation method comprises the moment estimation method, the maximum likelihood estimation method and the least squares estimation method.
The invention uses a session layer cooperating with the acquisition communication protocol to establish log acquisition session negotiation and log acquisition session process control between the intermediate unified server and the network log collector, and can guarantee an uninterrupted service connection, in particular during the TCP/IP connection process of heterogeneous communication across different networks, thereby realizing network security supervision with high stability. By accumulating the time sequence, the network security supervision method is simple and fast, reflects the autocorrelation of the time sequence, and captures its randomness and periodicity.
The beneficial effects of the invention are as follows: it predicts the network security situation with high time precision, and the error of the estimated network security situation value can be calculated by referring to the time error contained in the calculated time reliability. Agents (proxies) maintain the TCP/IP connection under the heterogeneous communication bearing condition of different networks; after the channel has adapted, the consistency of the TCP/UDP port number address and the continuity of the TCP message serial number are guaranteed, as are the real-time switch to a standby channel and the consistency of the IP address when a channel is interrupted.
Drawings
The invention is further illustrated with reference to the following figures and examples.
Fig. 1 is a schematic diagram of the network security supervision platform of embodiment 1.
Fig. 2 is a schematic flow chart of the network security supervision method of embodiment 1.
Fig. 3 is a schematic flow chart of the GM-ARMA method.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Example 1
The embodiment provides a network security supervision platform, as shown in fig. 1, the network security supervision platform includes network log collectors arranged in a distributed manner, an intermediate unified server uniformly connected with each network log collector, and a platform server connected with the intermediate unified server, wherein the intermediate unified server adopts a platform server time; the clock of the network log collector comprises a service clock and a communication clock which are mutually related; the clock of the intermediate unified server comprises a service clock and a communication clock which are mutually related; the platform server is used for calculating the service clock according to the communication clock and calculating the clock reliability.
Specifically, as shown in fig. 1, the network log collector is provided with a first terminal adaptation unit and a first communication terminal, the intermediate unified server is provided with a second communication terminal, a first communication agent, a second terminal adaptation unit and a log collection session agent, and the platform server is provided with a third communication agent;
the log collection session agent, independently or together with the first terminal adaptation unit, establishes a session layer for log collection transaction session negotiation; in cooperation with the collection communication protocol, this session layer establishes the log collection session negotiation and controls the log collection session process between the intermediate unified server and the network log collector.
Specifically, the first communication terminal and the second communication terminal are both multi-mode communication terminals. The first communication agent and the first terminal adaptation unit establish connection control for communication transmission, used to maintain the TCP/IP connection during heterogeneous communication of the multi-mode communication terminal across different networks; the second communication agent and the second terminal adaptation unit likewise establish connection control for communication transmission and maintain the TCP/IP connection during heterogeneous communication of the multi-mode communication terminal across different networks.
The embodiment also provides a network security supervision method based on the foregoing network security supervision platform; as shown in fig. 2, the method includes:
step 1, the intermediate unified server receives, from the network, a log service data packet generated by a network log collector; the network collection log server marks a service time mark and a service time mark error in the log service data packet, and marks a communication time mark and a communication time mark error in the communication data packet;
step 2, the intermediate unified server performs classification preprocessing on the log service data packets and transmits them to the network platform server;
step 3, the network platform server performs log information resolving and clock reliability calculation according to the received log service data packet and communication data packet, performs log audit, and calculates the theoretical security threat value of the network node;
step 4, the network platform server receives the correction parameters of the user's network correction operation and corrects the theoretical security threat value of the network node according to them;
step 5, a network security situation value and node service information are calculated by weighting according to the weight value corresponding to each network node;
step 6, the network security situation value is predicted with the GM-ARMA method according to the clock reliability.
Specifically, the clock reliability calculation includes:
the network platform server establishes a related group linking the communication time scale in the communication data packet with the service time scale of the log service data packet;
the network platform server resolves the log data time marks with a data fusion algorithm; the log data time stamp characterizes the log generation time and its time error range with reference to the platform server time.
Specifically, the service time stamp includes a log generation start time t1 and a log generation end time t2.
Specifically, the data fusion algorithm includes:
step A, the intermediate unified server receives the data of each network log collector;
step B, the intermediate unified server eliminates the data whose error exceeds the threshold of the allowable function, completing data preprocessing;
step C, the intermediate unified server performs batch estimation on the preprocessed data and calculates an optimal estimate of the network acquisition;
step D, adaptive weighted fusion is performed over all network acquisition log servers according to the weight optimal distribution criterion, and the log data time scale is calculated.
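The following Python sketch is an added illustration of steps A to D for one log event; it is not code from the patent. The concrete forms of the "allowable function" (a deviation-from-median test), of the batch estimate (mean with the variance of that mean, floored by the declared communication time mark error) and of the fusion weights (inverse variance) are assumptions, as are the collector names, the threshold and the sample readings.

```python
"""Clock-reliability data fusion (steps A to D); added example, not the patent's code."""
import math
from dataclasses import dataclass, field
from statistics import mean, median, variance
from typing import Dict, List, Tuple


@dataclass
class CollectorBatch:
    """Step A input: one network log collector's readings for a single log event.
    samples: log generation times (seconds, platform server time reference) that the
    collector derived through its communication clock; comm_error: the communication
    time mark error it declared alongside them."""
    collector_id: str
    comm_error: float
    samples: List[float]


@dataclass
class FusedTimeStamp:
    """Log data time scale: fused generation time plus its one-sigma error range."""
    time: float
    error: float
    weights: Dict[str, float] = field(default_factory=dict)
    rejected: Dict[str, int] = field(default_factory=dict)


def allowable_function(samples: List[float], threshold: float) -> Tuple[List[float], int]:
    """Step B (assumed form): keep samples within `threshold` of the batch median.
    The median is the reference so one wild value cannot drag the reference toward
    itself. Returns (kept samples, number dropped)."""
    ref = median(samples)
    kept = [x for x in samples if abs(x - ref) <= threshold]
    return kept, len(samples) - len(kept)


def batch_estimate(samples: List[float], comm_error: float) -> Tuple[float, float]:
    """Step C: per-collector optimal estimate as (mean, variance of that mean).
    The variance is floored by the declared communication time mark error so a
    batch of identical readings cannot claim infinite precision. Needs >= 2 samples."""
    var_of_mean = variance(samples) / len(samples)
    return mean(samples), max(var_of_mean, comm_error ** 2)


def adaptive_weighted_fusion(
    estimates: Dict[str, Tuple[float, float]]
) -> Tuple[float, float, Dict[str, float]]:
    """Step D: inverse-variance weights w_i = (1/s_i^2) / sum_j (1/s_j^2), the
    minimum-variance reading of the 'weight optimal distribution criterion'.
    The fused variance 1 / sum_j (1/s_j^2) never exceeds the best single one."""
    inv = {cid: 1.0 / var for cid, (_, var) in estimates.items()}
    total = sum(inv.values())
    weights = {cid: w / total for cid, w in inv.items()}
    fused_time = sum(weights[cid] * estimates[cid][0] for cid in estimates)
    return fused_time, math.sqrt(1.0 / total), weights


def fuse_log_timestamp(batches: List[CollectorBatch], threshold: float) -> FusedTimeStamp:
    """Run steps A to D over every collector that reported the same log event."""
    estimates: Dict[str, Tuple[float, float]] = {}
    rejected: Dict[str, int] = {}
    for batch in batches:
        kept, dropped = allowable_function(batch.samples, threshold)
        rejected[batch.collector_id] = dropped
        if len(kept) < 2:
            continue  # too little left to estimate a variance: collector excluded
        estimates[batch.collector_id] = batch_estimate(kept, batch.comm_error)
    if not estimates:
        raise ValueError("no collector survived preprocessing")
    fused_time, fused_error, weights = adaptive_weighted_fusion(estimates)
    return FusedTimeStamp(fused_time, fused_error, weights, rejected)


# Constructed sample data (not from the patent): three collectors report one log
# event; times are seconds relative to an arbitrary epoch.
SAMPLE_BATCHES = [
    CollectorBatch("collector-A", 0.001, [100.000, 100.002, 99.998, 100.000, 100.250]),  # one 250 ms outlier
    CollectorBatch("collector-B", 0.002, [100.010, 100.030, 100.020, 100.020]),  # noisier, +20 ms bias
    CollectorBatch("collector-C", 0.005, [100.900, 98.700]),  # mutually inconsistent readings
]
THRESHOLD = 0.050  # allowable deviation from the batch median, seconds (constructed)

if __name__ == "__main__":
    result = fuse_log_timestamp(SAMPLE_BATCHES, THRESHOLD)
    print(f"log time {result.time:.6f} s +/- {result.error * 1000:.3f} ms")
    print("weights ", {k: round(v, 4) for k, v in result.weights.items()})
    print("rejected", result.rejected)
```

With the constructed readings the outlier from collector-A is dropped, collector-C is excluded entirely, and the fused error (about 0.97 ms) is smaller than the best single collector's declared 1 ms.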
Specifically, the GM-ARMA method comprises:
step a, performing a stationarity test on the time sequence to obtain a stationary time sequence;
step b, performing accumulation on the stationary time sequence to obtain a new accumulated sequence;
step c, calculating the sample autocorrelation coefficients and partial autocorrelation coefficients of the accumulated sequence, and determining the corresponding time sequence model and its order according to whether the sample autocorrelation and partial autocorrelation coefficients tail off or cut off (truncate);
step d, calculating the predicted network security situation value with a parameter estimation method, where the parameter estimation method comprises the moment estimation method, the maximum likelihood estimation method and the least squares estimation method.
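Added example (not from the patent) implementing steps b to d above in Python: 1-AGO accumulation, sample ACF and PACF via the Durbin-Levinson recursion, order identification by the cut-off versus tailing rule with the approximate 2/sqrt(n) significance band, a Yule-Walker (moment estimation) AR fit, and a one-step forecast mapped back to a situation value by inverse accumulation. The stationarity test of step a is assumed to have been passed already; the band, the AR(1) fallback for MA/ARMA identifications and the sample data are my assumptions.

```python
"""GM-ARMA steps b to d on an accumulated sequence; added example, not the patent's code."""
from typing import List, Tuple


def accumulate(x: List[float]) -> List[float]:
    """Step b: first-order accumulated generating operation, y_k = x_1 + ... + x_k."""
    y, running = [], 0.0
    for v in x:
        running += v
        y.append(running)
    return y


def sample_acf(y: List[float], max_lag: int) -> List[float]:
    """Step c: sample autocorrelation coefficients r_0 .. r_max_lag (r_0 is 1)."""
    n = len(y)
    mu = sum(y) / n
    d = [v - mu for v in y]
    c0 = sum(v * v for v in d)
    if c0 == 0.0:
        raise ValueError("constant sequence has no autocorrelation structure")
    return [sum(d[t] * d[t + k] for t in range(n - k)) / c0 for k in range(max_lag + 1)]


def durbin_levinson(r: List[float]) -> Tuple[List[float], List[List[float]]]:
    """Step c: partial autocorrelations phi_kk plus the AR(k) coefficient rows.
    phi[k] = [phi_k1, ..., phi_kk] are exactly the Yule-Walker (moment estimation)
    AR(k) coefficients, so the same recursion serves the fit in step d."""
    pacf, phi = [1.0], [[]]
    for k in range(1, len(r)):
        prev = phi[k - 1]
        num = r[k] - sum(prev[j] * r[k - 1 - j] for j in range(k - 1))
        den = 1.0 - sum(prev[j] * r[j + 1] for j in range(k - 1))
        if abs(den) < 1e-12:
            break  # singular Toeplitz system: higher lags not identifiable
        phi_kk = num / den
        phi.append([prev[j] - phi_kk * prev[k - 2 - j] for j in range(k - 1)] + [phi_kk])
        pacf.append(phi_kk)
    return pacf, phi


def identify_order(acf: List[float], pacf: List[float], n: int) -> Tuple[str, int, int]:
    """Step c: AR(p) if the PACF cuts off and the ACF tails, MA(q) if the ACF cuts off
    and the PACF tails, ARMA if both tail. 'Cuts off after lag m' means every later
    lag lies inside the approximate 95 % band +/- 2/sqrt(n) (an assumption here)."""
    band = 2.0 / n ** 0.5

    def last_significant(seq: List[float]) -> int:
        return max((k for k in range(1, len(seq)) if abs(seq[k]) > band), default=0)

    p, q = last_significant(pacf), last_significant(acf)
    pacf_cuts, acf_cuts = p < len(pacf) - 1, q < len(acf) - 1
    if pacf_cuts and (not acf_cuts or p <= q):
        return "AR", p, 0          # when both cut off, prefer the lower order
    if acf_cuts:
        return "MA", 0, q
    return "ARMA", 1, 1            # both tail: lowest mixed order as a starting point


def ar_forecast(y: List[float], p: int, phi: List[List[float]]) -> float:
    """Step d: one-step forecast of the accumulated sequence from the Yule-Walker
    AR(p) coefficients, applied to mean-centred values."""
    mu = sum(y) / len(y)
    return mu + sum(phi[p][j] * (y[-1 - j] - mu) for j in range(p))


def predict_next_situation(x: List[float], max_lag: int = 4) -> Tuple[float, Tuple[str, int, int]]:
    """Steps b to d end to end: accumulate, identify, fit, forecast one step, then undo
    the accumulation so the result is a security situation value again. MA/ARMA fitting
    is out of scope here; those identifications fall back to AR(1) (an assumption)."""
    max_lag = max(1, min(max_lag, len(x) // 2))  # keep lags estimable from short series
    y = accumulate(x)
    acf = sample_acf(y, max_lag)
    pacf, phi = durbin_levinson(acf)
    order = identify_order(acf, pacf, len(y))
    p = order[1] if order[0] == "AR" else 1
    return ar_forecast(y, p, phi) - y[-1], order


# Constructed sample (not from the patent): period-to-period changes of one node's
# security situation value, assumed to have passed the stationarity test of step a.
SAMPLE_SITUATION = [0.02, -0.03, 0.04, -0.01, 0.03, -0.04, 0.02, -0.02, 0.05, -0.03, 0.01, -0.02]

if __name__ == "__main__":
    nxt, order = predict_next_situation(SAMPLE_SITUATION, max_lag=3)
    print(f"identified model {order[0]}({order[1]},{order[2]}), next change {nxt:+.4f}")
```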
The parts not described in this embodiment belong to the prior art.
Although illustrative embodiments of the present invention have been described above so that those skilled in the art can understand the invention, the invention is not limited to the scope of these embodiments; it will be apparent to those skilled in the art that all inventive concepts using the present invention are protected as long as they fall within the spirit and scope of the invention as defined by the appended claims.

Claims (7)

1. A network security administration platform, comprising: the network security supervision platform comprises network log collectors which are arranged in a distributed mode, an intermediate unified server which is connected with the network log collectors in a unified mode, and a platform server which is connected with the intermediate unified server, wherein the intermediate unified server adopts platform server time;
the clock of the network log collector comprises a service clock and a communication clock which are mutually related; the clock of the intermediate unified server comprises a service clock and a communication clock which are mutually related; the platform server is used for resolving a service clock according to the communication clock and calculating clock reliability;
the clock reliability calculation includes:
the network platform server establishes a related group between a communication time scale in a communication data packet and a service time scale of a log service data packet;
the network platform server adopts a data fusion algorithm to resolve log data time marks; the log data time stamp characterizes a log generation time and a time error range with reference to a platform server time.
2. The network security administration platform of claim 1, wherein: the network log collector is provided with a first terminal adapting unit and a first communication terminal, the middle unified server is provided with a second communication terminal, a first communication agent, a second terminal adapting unit and a log collection session agent, and the platform server is provided with a third communication agent;
the log collection session agent establishes a session layer aiming at log collection transaction session negotiation independently or together with the first terminal adapting unit, and the session layer is used for realizing the establishment of log collection session negotiation and log collection session process control between the middle unified server and the network log collector by matching with a collection communication protocol.
3. The network security administration platform of claim 2, wherein: the first communication agent and the first terminal adaptation unit establish connection control aiming at communication transmission and are used for TCP/IP connection maintenance during heterogeneous communication of the multimode communication terminal in different networks; and the third communication agent and the second terminal adaptation unit establish connection control aiming at communication transmission and are used for maintaining TCP/IP connection during heterogeneous communication of the multimode communication terminal.
4. A network security supervision method is characterized in that: the network security supervision method is based on the network security supervision platform of any one of claims 1 to 3, and comprises the following steps:
step 1, an intermediate unified server receives a log service data packet generated by a network log collector from a network, and a network collection log server marks a service time mark and a service time mark error in the log service data packet and marks a communication time mark and a communication time mark error in a communication data packet;
step 2, the intermediate unified server carries out classification pretreatment on the log service data packets and transmits the log service data packets to a network platform server;
step 3, the network platform server carries out log information resolving and clock reliability calculation according to the received log service data packet and the received communication data packet, carries out log audit and calculates the safety threat theoretical value of the network node;
step 4, the network platform server receives the correction parameters of the network correction operation of the user, and corrects the safety threat theoretical value of the network node according to the correction parameters;
step 5, weighting and calculating a network security situation value and node service information according to a weighted value corresponding to a network node;
and 6, predicting the network security situation value by using a GM-ARMA method according to the clock reliability.
5. The network security administration method of claim 4, wherein: the service time stamp includes a log generation start time t1 and a log generation end time t2.
6. The network security administration method of claim 5, wherein: the data fusion algorithm comprises:
step A, the middle unified server receives data of each network log collector;
step B, the intermediate unified server eliminates the data with the error exceeding the threshold value according to the threshold value of the allowable function to complete data preprocessing;
step C, the intermediate unified server performs batch estimation on the preprocessed data to calculate a network optimal estimation value;
step D, performing self-adaptive weighted fusion on all the network acquisition log servers according to the weight optimal potential distribution criterion, and calculating the log data time scale.
7. The network security administration method of claim 5, wherein: the GM-ARMA process comprises:
step a, performing stationarity test on a time sequence to obtain a time stationarity sequence;
step b, performing accumulation calculation on the time stationary sequence to obtain a new accumulation sequence;
step c, calculating a sample autocorrelation coefficient and a partial autocorrelation coefficient of the accumulated sequence, and determining a corresponding time sequence model and an order according to tailing or truncation of the sample autocorrelation coefficient and the partial autocorrelation coefficient;
step d, calculating a predicted value of the network security situation value by using a parameter estimation method, wherein the parameter estimation method comprises a moment estimation method, a maximum likelihood estimation method and a least square estimation method.
Application CN201811065661.7A, priority date 2018-09-12, filing date 2018-09-12: Network security supervision platform and method, Active, granted as CN109120637B (en).

Publications (2)

CN109120637A (en), published 2019-01-01
CN109120637B (en), published 2021-02-12

Family

ID=64859253

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant