CN109766695A - A kind of network security situational awareness method and system based on fusion decision - Google Patents


Publication number: CN109766695A
Authority: CN (China)
Prior art keywords: data, fusion, acquisition, network, sflow
Legal status: Pending
Application number: CN201811529588.4A
Other languages: Chinese (zh)
Inventor: 杨印州
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201811529588.4A; publication of CN109766695A.


Abstract

The application provides a network security situational awareness method based on fusion decision. The method comprises: collecting sFlow data, NetFlow data, SNMP data and log data from the monitored network; pre-processing the collected sFlow data, NetFlow data, SNMP data and log data; performing traffic analysis and device performance analysis on the pre-processed data, fusing the results with a fusion algorithm, and obtaining the security situation of the monitored network. Multi-source heterogeneous data can thus be obtained and fused, yielding the security operating situation of the whole network together with information such as whether hosts inside the network have been attacked and, if so, by which category of attack, so that a more accurate network security situation assessment can be made.

Description

A kind of network security situational awareness method and system based on fusion decision
Technical field
This application relates to the field of network communication technology, and specifically to a network security situational awareness method and system based on fusion decision.
Background technique
With the gradual spread of the Internet and the rapid development of new technologies such as the Internet of Things, big data and cloud computing, network security faces severe intrusion threats at every moment. Existing security devices mostly work autonomously: each can only detect and defend one particular aspect of a network system, and their defects and limitations have gradually become apparent. NSSA (Network Security Situation Awareness) emerged in response and is increasingly becoming one of the research focuses of the network security field. NSSA comprehensively fuses network security factors and draws on the characteristics of traditional detection tools to grasp the network security situation accurately from an overall, macroscopic perspective, analyses and predicts the development trend of the security state, and assists administrators in reinforcing and protecting the network system promptly and effectively, ensuring that the network system runs in a secure environment. Existing NSSA mainly collects the logs of network switching devices or network security products such as firewalls, chiefly device run logs and attacked-port logs, but these data frequently contain missed reports and false reports. Especially when facing large-scale data, a large amount of data loss and error occurs, and it is difficult to guarantee the accuracy of the data.
Summary of the invention
In view of this, the application provides a network security situational awareness method and system based on fusion decision, which can obtain multi-source heterogeneous data information and fuse it, obtaining the security operating situation of the whole network together with information such as whether hosts inside the network have been attacked and by which category of attack, so as to make a more accurate network security situation assessment.
Specifically, the application is achieved by the following technical solution:
A network security situational awareness method based on fusion decision, the method comprising:
collecting sFlow data, NetFlow data, SNMP data and log data from the monitored network;
pre-processing the collected sFlow data, NetFlow data, SNMP data and log data;
performing traffic analysis and device performance analysis on the pre-processed data, fusing them with a fusion algorithm, and obtaining the security situation of the monitored network.
Collecting the sFlow data, NetFlow data, SNMP data and log data specifically means: through the sFlow collector, NetFlow collector, SNMP collector and log collector deployed on the network devices, obtaining the sFlow data, NetFlow data, SNMP data and log data flowing through the network devices.
The pre-processing specifically means: parsing the data packets according to the characteristics of the data formats of sFlow collection, NetFlow collection, SNMP collection and log collection to obtain the data, storing the parsed data in a formatted form, and extracting and uploading the data information.
The fusion by the fusion algorithm specifically means: performing information fusion on the pre-processed data with a cluster fusion algorithm, clustering and fusing the data according to a fusion granularity parameter.
The cluster fusion algorithm is specifically the Bayes-fuzzy cluster fusion algorithm.
The present application also provides a network security situation sensing system based on fusion decision, the system comprising a data acquisition module, a data pre-processing module and a data fusion module, wherein:
the data acquisition module is used to collect sFlow data, NetFlow data, SNMP data and log data from the monitored network;
the data pre-processing module is used to pre-process the collected sFlow data, NetFlow data, SNMP data and log data;
the data fusion module is used to perform traffic analysis and device performance analysis on the pre-processed data, fuse them with a fusion algorithm, and obtain the security situation of the monitored network.
Collecting the sFlow data, NetFlow data, SNMP data and log data specifically means: through the sFlow collector, NetFlow collector, SNMP collector and log collector of the data acquisition module deployed on the network devices, obtaining the sFlow data, NetFlow data, SNMP data and log data flowing through the network devices.
The pre-processing by the data pre-processing module specifically means: parsing the data packets according to the characteristics of the data formats of sFlow collection, NetFlow collection, SNMP collection and log collection to obtain the data, storing the parsed data in a formatted form, and extracting and uploading the data information.
The fusion by the data fusion module with the fusion algorithm specifically means: performing information fusion on the pre-processed data with a cluster fusion algorithm, clustering and fusing the data according to the fusion granularity parameter.
The cluster fusion algorithm is specifically the Bayes-fuzzy cluster fusion algorithm.
It can be seen from the technical solution provided above that the application provides a network security situational awareness method based on fusion decision, the method comprising: collecting sFlow data, NetFlow data, SNMP data and log data from the monitored network; pre-processing the collected sFlow data, NetFlow data, SNMP data and log data; performing traffic analysis and device performance analysis on the pre-processed data, fusing them with a fusion algorithm, and obtaining the security situation of the monitored network. Multi-source heterogeneous data information can be obtained and fused, yielding the security operating situation of the whole network together with information such as whether hosts inside the network have been attacked and by which category of attack, so as to make a more accurate network security situation assessment.
Detailed description of the invention
Fig. 1 is a schematic diagram of the system architecture of NSSA in the related art, as shown in this application;
Fig. 2 is a flow chart of a network security situational awareness method based on fusion decision shown in this application;
Fig. 3 is a structural diagram of a network security situation sensing system based on fusion decision shown in this application.
Specific embodiment
Example embodiments are described in detail here, and examples thereof are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following example embodiments do not represent all implementations consistent with this application; rather, they are merely examples of apparatus and methods consistent with some aspects of this application as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Refer to Figure 1, which is a schematic diagram of the NSSA system architecture in the related art shown in this application.
The architecture diagram shown in Fig. 1 mainly includes: situation information acquisition and pre-processing 110, network data fusion and network situation assessment and prediction 120, and network situation defence 130.
Situation information acquisition and pre-processing 110 in Fig. 1: the asset information in situation information acquisition includes tangible assets and software assets. Tangible assets are, for example, network devices, servers and storage devices. Software assets mainly refer to the system software and application software running on servers and clients, business data, and so on. In situation information acquisition, the security vulnerabilities of system-level weaknesses are frequently mined, and hacking tools and viruses aimed at these vulnerabilities are published and used endlessly on the Internet, bringing great risk to the network security system. Threat information refers to security incidents that damage the assets in the network; threat information is mainly acquired through detection devices such as IDS and through manual analysis. Performance information refers to the various performance indicators of system devices, including CPU and memory usage, bandwidth utilisation, load and packet loss rate. Situation pre-processing is also needed after situation information acquisition, mainly because the information is heterogeneous: if it were submitted directly to the upper layer, unified storage and fusion analysis by the upper service modules would be difficult. It is therefore necessary to build a standardised, consistent situation information pre-processing model that achieves a unified data structure and simplifies the complexity of situation information processing by the system.
Network data fusion and network situation assessment and prediction 120 in Fig. 1: a situation assessment algorithm analyses the data from the situation understanding module, describes the security situation of the system quantitatively and assesses the current security state. The fusion algorithms for situation assessment can be divided into: fusion algorithms based on mathematical models, fusion algorithms based on logical relationships, fusion algorithms based on knowledge reasoning and fusion algorithms based on probability and statistics. Situation prediction refers to building a suitable predictive model algorithm that, with historical and current situation information as reference, computes the development of the future security situation.
Network situation defence 130 in Fig. 1: network situation defence is implemented through network security situation visualisation, which means presenting the assessment results to the user simply and directly with visualisation techniques, such as list views, map views and line-chart views.
In particular, it should be noted that in practical applications abnormal traffic identification is generally performed by a DDoS detection device that inspects traffic, discovers abnormal flows and sends the abnormal-process event logs to the unified management centre. Abnormal behaviour identification is usually performed by a firewall device that analyses traffic in real time, discovers suspicious outbound connection behaviour and sends the suspicious event logs to the unified management centre.
Before introducing the network security situational awareness method and system of this application, five specialised terms are first outlined:
CSA (Cyberspace Situation Awareness, network situation awareness): in a large-scale network environment, network situation awareness means acquiring, understanding and displaying the security factors that can change the network situation, and predicting their near-term development trend. It therefore places particular emphasis on environment, dynamics and globality in understanding the situation. Dynamics means that the situation changes continuously over time, so situation information covers not only the past and the current state but also a prediction of the future trend. Globality reflects the correlation between the entities of the situation: a change in the state of one network entity affects the state of other network entities and in turn the situation of the whole network.
Flow: a flow consists of the network packets transmitted in one direction between a source host and a destination; it may consist of only a single packet. Packets belonging to the same flow have the same attributes. There are several ways to identify a flow; the common one is the five-tuple, i.e. the same source and destination IP addresses, the same source and destination port numbers and the same transport layer protocol type. These five attributes uniquely identify a flow.
NetFlow: NetFlow is a data exchange method. Its working principle is that NetFlow processes the first IP packet of a data flow using the standard switching mode and generates a NetFlow cache; subsequent data in the same flow is then forwarded on the basis of the cache information without re-matching access control and other policies, while the NetFlow cache also accumulates the statistics of the subsequent data flow.
sFlow: sFlow is a network monitoring technology that uses random sampling of data flows. It can provide complete traffic information from layer 2 to layer 4 and even across the whole network, is suitable for traffic analysis in high-traffic environments, and lets users analyse the performance, trends and problems of network transmission flows in detail and in real time.
SNMP (Simple Network Management Protocol): SNMP is a widely accepted industrial standard in use, designed to guarantee that management information is transmitted between any two points in a network, so that the network manager can retrieve information at any node on the network, modify information, locate faults, complete fault diagnosis, carry out capacity planning and generate reports.
Refer to Fig. 2, which is a flow chart of a network security situational awareness method based on fusion decision shown in this application. The following steps are executed:
Step 201: collect sFlow data, NetFlow data, SNMP data and log data from the monitored network.
Collecting the sFlow data, NetFlow data, SNMP data and log data specifically means: through the sFlow collector, NetFlow collector, SNMP collector and log collector deployed on the network devices, obtain the sFlow data, NetFlow data, SNMP data and log data flowing through those network devices. The network devices include switches, routers and other network devices through which data flows pass. Further, after the sFlow data, NetFlow data, SNMP data and log data are collected, the raw data is stored.
Step 202: pre-process the collected sFlow data, NetFlow data, SNMP data and log data.
The pre-processing specifically means: parse the data packets according to the characteristics of the data formats of sFlow collection, NetFlow collection, SNMP collection and log collection to obtain the data, store the parsed data in a formatted form, and extract and upload the data information.
Step 203: perform traffic analysis and device performance analysis on the pre-processed data, fuse them with the fusion algorithm, and obtain the security situation of the monitored network.
The fusion by the fusion algorithm specifically means: perform information fusion on the pre-processed data with a cluster fusion algorithm, clustering and fusing the data according to the fusion granularity parameter. The cluster fusion algorithm is specifically the Bayes-fuzzy cluster fusion algorithm.
To better understand this application, it is illustrated by a specific embodiment.
Through the sFlow, NetFlow and SNMP collectors deployed on switches or routers, the sFlow data, NetFlow data, SNMP data and log data flowing through these network devices are collected. Specifically:
sFlow data collection: sFlow packet collection is mainly driven by command-line configuration, which sets the packet header information to be collected (source IP, packet size, timestamp, protocol) and the sFlow version used, and maintains counters over the collected data.
NetFlow data collection: in NetFlow mode, two threads are used. One thread receives the data messages and stores the packets in a packet buffer; the other thread takes the messages out of the packet buffer, disassembles the packets, restores the flow records and performs traffic statistics. Statistics are then computed according to the source/destination IP, source/destination AS, source/destination port numbers, protocol type, TCP flag bits and byte counts in the data traffic.
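As an added example that is not part of this patent or its applicant's code, the following Python builds a NetFlow-style flow table the way the collection step above describes: one thread receives packets into a buffer, a second thread takes them out and aggregates them per flow, where a flow is identified by the five-tuple defined earlier (source and destination IP, source and destination port, transport protocol). The packet records are constructed; the tuple field order, the TCP-flag OR-accumulation and the queue-based buffer are assumptions of this example.

```python
import queue
import threading
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet records (hypothetical traffic). In a real collector these
# come from the device export; here each is
# (src_ip, dst_ip, proto, src_port, dst_port, length_bytes, tcp_flags).
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 6, 51000, 443, 60, 0x02),    # SYN
    ("10.0.0.5", "192.0.2.10", 6, 51000, 443, 1400, 0x18),  # PSH|ACK
    ("192.0.2.10", "10.0.0.5", 6, 443, 51000, 1200, 0x10),  # reverse direction = separate flow
    ("10.0.0.7", "192.0.2.53", 17, 40000, 53, 70, 0),       # UDP, no flags
    ("10.0.0.5", "192.0.2.10", 6, 51000, 443, 52, 0x11),    # FIN|ACK
]


@dataclass
class FlowRecord:
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0  # OR of all flag bytes seen on the flow


def flow_key(pkt):
    """Five-tuple: the attributes that uniquely identify one unidirectional flow."""
    src, dst, proto, sport, dport, _, _ = pkt
    return (src, dst, proto, sport, dport)


def build_flow_table(packets):
    """Two-thread receive/parse pipeline: receiver fills the packet buffer,
    parser drains it and restores per-five-tuple flow records."""
    buf = queue.Queue()
    table = defaultdict(FlowRecord)
    sentinel = object()  # marks end of input for the parser thread

    def receiver():
        for pkt in packets:
            buf.put(pkt)
        buf.put(sentinel)

    def parser():
        while True:
            pkt = buf.get()
            if pkt is sentinel:
                break
            rec = table[flow_key(pkt)]
            rec.packets += 1
            rec.bytes += pkt[5]
            rec.tcp_flags |= pkt[6]

    t_recv = threading.Thread(target=receiver)
    t_parse = threading.Thread(target=parser)
    t_recv.start()
    t_parse.start()
    t_recv.join()
    t_parse.join()
    return dict(table)


if __name__ == "__main__":
    for key, rec in build_flow_table(SAMPLE_PACKETS).items():
        print(key, rec)
```

The reverse-direction packet lands in its own record because the five-tuple is directional, which is exactly why the page says a flow is "one direction" of traffic; a collector that wants bidirectional conversations has to pair the two records afterwards.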
SNMP data collection: the information in the network device MIB is collected through the SNMP protocol. This information describes the network device itself and the associated network conditions, including network traffic information, device performance information, network fault information and network topology. The main task of SNMP collection is to obtain the MIB information and trap information from the device and to pre-process the collected information further.
Log data collection: collect the logs of network switching devices and network security products such as firewalls, for example device run logs and attacked-port logs. This further includes host vulnerability logs, mainly obtained by scanning terminals with scanning tools and performing vulnerability scans of hosts with Nessus.
Pre-processing the collected sFlow data, NetFlow data, SNMP data and log data specifically means: the obtained multi-source heterogeneous information is pre-processed so that it has a defined format before entering the fusion system and can be used in data fusion.
Finally, traffic analysis and device performance analysis are performed on the pre-processed data, fusion is performed by the fusion algorithm, and the security situation of the monitored network is obtained.
Traffic analysis is mainly intended to discover network traffic anomalies. A traffic anomaly is usually the direct manifestation of a network anomaly; it mainly shows as occupied bandwidth causing network congestion, an increased packet loss index and increased delay, which indicates an attack by a specific attacker: for example, DDoS attacks and worm viruses cause traffic anomalies.
Device performance analysis is mainly aimed at routers and switches. The state performance parameters include: system name, system description, system uptime, CPU usage, memory utilisation, number of interfaces and the indicators of each interface (interface description, interface type, interface MTU, interface rate, interface physical address, interface current state, interface utilisation, input packet loss, etc.). The monitored indicators can also be increased or decreased according to the user's needs, and state analysis is performed on them.
Further, a network event signature library is also required, comprising: a network security event signature library, a security product event signature library and an attack anomaly event signature library. The network security event signature library contains virus anomaly event data, for example: the Blaster (Shockwave) virus uses TCP port 135; the worm virus uses UDP port 1434. The security product event signature library contains anomaly event data for network switching devices and network security products (firewalls), for example DDoS attack logs. The attack anomaly event signature library comprises the following logic: the traffic statistics are compared with the virus anomaly event data; if the current observation falls within the confidence interval, the network behaviour is considered normal; if it falls outside the confidence interval, it is classified as a suspicious event and analysed further by immediately matching the suspicious event against the security product event signature library: if the match succeeds, it is regarded as a low-confidence event, and if the match fails it is regarded as a high-confidence event.
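The attack anomaly event logic just described, as an added Python example that is not part of this patent or its applicant's code: per-port traffic counters are compared with a baseline confidence interval, observations outside it become suspicious events, and the security-product event library decides whether the event is low- or high-confidence. The two virus signatures (TCP 135, UDP 1434) are the page's examples; the baseline windows, the current observation, the product event set and the choice of a mean ± 2σ interval are constructed assumptions of this example.

```python
import statistics

# Network security event signature library: the page's virus anomaly event data,
# keyed by (transport protocol, port).
VIRUS_SIGNATURES = {
    ("tcp", 135): "Blaster (Shockwave) virus",
    ("udp", 1434): "worm virus",
}

# Constructed security-product event library: (proto, port) pairs for which the
# firewall / DDoS detection device has already reported an event (hypothetical).
PRODUCT_EVENTS = {("tcp", 135)}

# Constructed baseline traffic statistics: packets per 5-minute window, for the
# eight windows preceding the current observation (hypothetical values).
BASELINE = {
    ("tcp", 135): [12, 15, 11, 14, 13, 12, 16, 14],
    ("udp", 1434): [2, 3, 2, 1, 2, 3, 2, 2],
    ("tcp", 443): [900, 950, 880, 1020, 970, 910, 990, 940],
}

K_SIGMA = 2.0  # half-width of the confidence interval in standard deviations (assumed)


def confidence_interval(samples, k=K_SIGMA):
    """Mean +/- k standard deviations of the baseline windows."""
    mu = statistics.mean(samples)
    sd = statistics.pstdev(samples)
    return mu - k * sd, mu + k * sd


def classify(key, observed, baseline=BASELINE, product_events=PRODUCT_EVENTS):
    """Page's rule for one (proto, port): inside the interval -> normal;
    outside -> suspicious, with confidence set by the product event library."""
    lo, hi = confidence_interval(baseline[key])
    if lo <= observed <= hi:
        return "normal"
    if key in product_events:
        return "suspicious-low-confidence"   # a security product already reports it
    return "suspicious-high-confidence"      # nothing else has flagged it yet


def evaluate(observation, signatures=VIRUS_SIGNATURES,
             baseline=BASELINE, product_events=PRODUCT_EVENTS):
    """Compare the current window's counters with the virus anomaly event data.
    Only (proto, port) pairs present in the signature library are classified."""
    results = {}
    for key, name in signatures.items():
        if key in observation and key in baseline:
            results[key] = (classify(key, observation[key], baseline, product_events), name)
    return results


if __name__ == "__main__":
    # Constructed current window: port 135 and 1434 traffic both spike.
    current = {("tcp", 135): 120, ("udp", 1434): 400, ("tcp", 443): 960}
    for key, (verdict, name) in evaluate(current).items():
        print(key, verdict, name)
```

Note that, following the page's rule, a spike on port 443 is not classified at all because it has no entry in the virus signature library; a deployment that wants library-independent anomaly detection would run the interval check over every key in the baseline as well.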
The purpose of data fusion is to analyse network security events, network traffic and device/network performance comprehensively and to judge the network security level and operating condition.
1. Fusion by the Bayes-fuzzy cluster fusion algorithm
(1) Step 1: compute the fusion granularity parameter λ. When the accuracy of the sFlow data is high and its information volume is large, the fused data takes the sFlow data into account, which guarantees the comprehensiveness and validity of the data.
First, the fusion granularity parameter λ is determined. According to the characteristics of sFlow sampling, suppose N packets are sampled in total and these N samples are analysed, of which c are packets of the specified type. Since the sampling probability of each packet is identical, the average sampling probability of the specified packets is P = c/N, where P can be obtained by configuring the sampling information on the switch. The data error formula error(sFlow) < 1/c can then be used.
Therefore the sFlow collection error is related to the particular packet type and thus to the total size of the sampled set. sFlow, which samples in packet form, suits large data volumes; NetFlow trims the data information in the form of intelligent sampling, so that the data volume is guaranteed to be small. When the data volume in the network is large, the additional data obtained by sFlow reduces the data error rate, whereas the reliability of the NetFlow data information declines; therefore error(sFlow) + error(NetFlow) = 1.
Combining Bayesian theory, the prior probability W of sFlow serves as the data fusion probability. Because the data sampling rate P used by the sFlow packets is known, C = N/P, where N is the total number of packets obtained; the total number of captured packets can be obtained directly from the network traffic collection. The flow information of sFlow and NetFlow over the same period is therefore chosen in the sample space {X_1, X_2, ..., X_n}, and the error rate (fusion granularity parameter) λ is computed by the calculation formula.
(2) Step 2: quantize the data to be fused, turning the raw data information into data information convenient for calculation using the corresponding quantization algorithm.
Since sFlow and NetFlow monitor the same network segment, the two kinds of data contain similar information, such as source/destination IP, source/destination AS, source/destination port numbers and protocol type, but the data differ in the individual fields, so differentiated processing is needed. Every sFlow record or NetFlow record contains the above information. Let each information feature be X. Suppose sFlow and NetFlow collection together extract n raw records in the same period, so each feature X has n raw values x'_{1k}, x'_{2k}, ..., x'_{nk}, called the elements of that feature. These raw values are transformed into usable data by quantization; the data are first converted by calculation.
(3) Step 3: perform fuzzy clustering on the quantized data, determine the fused information and the fusion direction according to the granularity parameter, and finally generate the fused information.
Data clustering is performed by combining the fusion granularity parameter λ with the quantized data information. First, the fuzzy similarity matrix is established: if n data records are extracted within a period, i.e. the sample space is X = {x_1, x_2, ..., x_n}, each data sample x'_i contains 10 feature values (x_{i1}, x_{i2}, ..., x_{i8}): source/destination IP, source/destination AS, source/destination port numbers, system name, CPU usage, TCP protocol type, IP type of service and time information. The similarity matrix R is established from these, and the transitive closure of the similarity matrix R is then computed.
Each row vector of the level matrix R_λ corresponds to one data record of the sample space. When a row vector of the level matrix is identical to another row, the corresponding data records are regarded as one category of information and are merged; during merging, the fusion direction is judged by reference to λ:
if λ > 0.5, the sFlow error is considered high and the NetFlow data is taken as the basis;
if λ < 0.5, the sFlow data information is considered accurate and the NetFlow packets are discarded.
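Steps 1 to 3 carried through on a small constructed data set, as an added Python example that is not part of this patent or its applicant's code. The page does not give the formula for λ, the quantization rule or the similarity measure, so this example makes labelled assumptions: λ is taken as the sFlow error bound 1/c; quantization is min-max scaling of each feature to [0, 1]; similarity is 1 minus the mean absolute feature difference; and the transitive closure uses max-min composition. The page writes the level matrix as R_λ with the same symbol as the granularity parameter; here the cut level is kept as a separate `level` argument and λ is used only for the fusion direction rule (λ > 0.5 NetFlow-based, λ < 0.5 sFlow-based). The records and their feature values are hypothetical.

```python
from collections import OrderedDict

# Constructed sFlow/NetFlow records from the same period and segment
# (hypothetical values); only a few of the page's feature fields are used.
RECORDS = [
    ("sFlow",   {"src_port": 51000, "dst_port": 443, "cpu": 41.0, "proto": 6}),
    ("NetFlow", {"src_port": 51000, "dst_port": 443, "cpu": 40.0, "proto": 6}),
    ("sFlow",   {"src_port": 40000, "dst_port": 53,  "cpu": 41.0, "proto": 17}),
    ("NetFlow", {"src_port": 40002, "dst_port": 53,  "cpu": 40.0, "proto": 17}),
    ("sFlow",   {"src_port": 60000, "dst_port": 135, "cpu": 95.0, "proto": 6}),
]


def fusion_granularity(c):
    """Step 1: the page bounds the sFlow error by 1/c (c = sampled packets of the
    specified type); using the bound itself as lambda is an assumption here."""
    if c <= 0:
        raise ValueError("need at least one sampled packet of the specified type")
    return min(1.0, 1.0 / c)


def quantize(records):
    """Step 2: min-max scale every feature to [0, 1] (assumed quantization)."""
    keys = list(records[0][1])
    lo = {k: min(r[1][k] for r in records) for k in keys}
    hi = {k: max(r[1][k] for r in records) for k in keys}
    return [[(r[1][k] - lo[k]) / (hi[k] - lo[k]) if hi[k] > lo[k] else 0.0
             for k in keys] for r in records]


def similarity_matrix(rows):
    """Fuzzy similarity r_ij = 1 - mean |x_ik - x_jk| (assumed measure)."""
    n = len(rows)
    return [[1.0 - sum(abs(a - b) for a, b in zip(rows[i], rows[j])) / len(rows[i])
             for j in range(n)] for i in range(n)]


def max_min_compose(a, b):
    n = len(a)
    return [[max(min(a[i][k], b[k][j]) for k in range(n)) for j in range(n)]
            for i in range(n)]


def transitive_closure(r, eps=1e-12):
    """Square R under max-min composition until it stops changing."""
    cur = r
    while True:
        nxt = max_min_compose(cur, cur)
        n = len(r)
        if all(abs(nxt[i][j] - cur[i][j]) < eps for i in range(n) for j in range(n)):
            return nxt
        cur = nxt


def level_matrix(t, level):
    """Level (lambda-cut) matrix: 1 where similarity >= level, else 0."""
    return [[1 if v >= level else 0 for v in row] for row in t]


def clusters_from_level_matrix(r_level):
    """Page criterion: records whose row vectors in R_lambda are identical form one class."""
    groups = OrderedDict()
    for i, row in enumerate(r_level):
        groups.setdefault(tuple(row), []).append(i)
    return list(groups.values())


def fuse(records, lam, level=0.9):
    """Step 3: cluster, then merge each class in the direction given by lambda.
    lambda == 0.5 is not covered by the page; it is treated as the sFlow branch here."""
    t = transitive_closure(similarity_matrix(quantize(records)))
    groups = clusters_from_level_matrix(level_matrix(t, level))
    preferred = "NetFlow" if lam > 0.5 else "sFlow"
    fused = []
    for g in groups:
        members = [records[i] for i in g]
        chosen = [m for m in members if m[0] == preferred] or members  # fall back if absent
        fused.append(chosen[0])
    return fused


if __name__ == "__main__":
    lam = fusion_granularity(c=4)  # constructed: 4 sampled packets of the watched type
    for src, feats in fuse(RECORDS, lam):
        print(src, feats)
```

With the constructed records, the two sFlow/NetFlow pairs that describe the same flows fall into one class each and the lone port-135 sFlow record stays alone; with λ = 0.25 the sFlow members are kept and the NetFlow duplicates dropped, while a λ above 0.5 would keep the NetFlow members instead.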
It can be seen from the above embodiment that the collected sFlow, NetFlow, SNMP and log data are fused by the fusion algorithm, providing a basis for network security situation prediction and situation assessment. Performing information fusion on the collected data with the cluster fusion algorithm and clustering the data according to the fusion granularity parameter can greatly improve the accuracy of the network security situation data information.
Refer to Fig. 3, which is a structural diagram of a network security situation sensing system based on fusion decision shown in this application. The system comprises a data acquisition module 310, a data pre-processing module 320 and a data fusion module 330, wherein:
the data acquisition module 310 is used to collect sFlow data, NetFlow data, SNMP data and log data from the monitored network;
collecting the sFlow data, NetFlow data, SNMP data and log data specifically means: through the sFlow collector, NetFlow collector, SNMP collector and log collector of the data acquisition module 310 deployed on the network devices, obtain the sFlow data, NetFlow data, SNMP data and log data flowing through the network devices. The network devices include switches, routers and other network devices through which data flows pass. Further, after collecting the sFlow data, NetFlow data, SNMP data and log data, the data acquisition module 310 stores the raw data;
the data pre-processing module 320 is used to pre-process the collected sFlow data, NetFlow data, SNMP data and log data;
the pre-processing by the data pre-processing module 320 specifically means: parse the data packets according to the characteristics of the data formats of sFlow collection, NetFlow collection, SNMP collection and log collection to obtain the data, store the parsed data in a formatted form, and extract and upload the data information;
the data fusion module 330 is used to perform traffic analysis and device performance analysis on the pre-processed data, fuse them with the fusion algorithm, and obtain the security situation of the monitored network;
the fusion by the data fusion module 330 with the fusion algorithm specifically means: perform information fusion on the pre-processed data with a cluster fusion algorithm, clustering and fusing the data according to the fusion granularity parameter. The cluster fusion algorithm is specifically the Bayes-fuzzy cluster fusion algorithm.
The implementation processes of the functions and effects of each unit in the above apparatus are detailed in the implementation processes of the corresponding steps of the above method and are not described again here.
Since the apparatus embodiment essentially corresponds to the method embodiment, the relevant parts may refer to the description of the method embodiment. The apparatus embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. A person of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of the application and is not intended to limit the application. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (10)

1. A network security situational awareness method based on fusion decision, characterized in that the method comprises:
acquiring sFlow data, NetFlow data, SNMP data and log data from a monitored network;
preprocessing the acquired sFlow data, NetFlow data, SNMP data and log data;
performing flow analysis and device performance analysis on the preprocessed data, fusing the results by means of a fusion algorithm, and obtaining the security posture of the monitored network.
2. The method according to claim 1, characterized in that acquiring the sFlow data, NetFlow data, SNMP data and log data is specifically:
obtaining the sFlow data, NetFlow data, SNMP data and log data flowing through the network devices by deploying an sFlow collector, a NetFlow collector, an SNMP collector and a log collector on the network devices.
3. The method according to claim 1, characterized in that the preprocessing is specifically: parsing the data packets according to the data-format characteristics of sFlow acquisition, NetFlow acquisition, SNMP acquisition and log collection to obtain the data, storing the parsed data in a formatted manner, and extracting the data information and uploading it.
4. The method according to claim 1, characterized in that fusing by means of the fusion algorithm is specifically: performing information fusion on the preprocessed data in combination with a cluster fusion algorithm, and performing cluster fusion on the data according to a fusion granularity parameter.
5. The method according to claim 4, characterized in that the cluster fusion algorithm is specifically a Bayes-fuzzy cluster fusion algorithm.
6. A network security situational awareness system based on fusion decision, characterized in that the system comprises a data acquisition module, a data preprocessing module and a data fusion module, wherein
the data acquisition module is configured to acquire sFlow data, NetFlow data, SNMP data and log data from a monitored network;
the data preprocessing module is configured to preprocess the acquired sFlow data, NetFlow data, SNMP data and log data;
the data fusion module is configured to perform flow analysis and device performance analysis on the preprocessed data, fuse the results by means of a fusion algorithm, and obtain the security posture of the monitored network.
7. The system according to claim 6, characterized in that acquiring the sFlow data, NetFlow data, SNMP data and log data is specifically:
obtaining the sFlow data, NetFlow data, SNMP data and log data flowing through the network devices by means of an sFlow collector, a NetFlow collector, an SNMP collector and a log collector deployed on the network devices by the data acquisition module.
8. The system according to claim 6, characterized in that the preprocessing performed by the data preprocessing module is specifically:
parsing the data packets according to the data-format characteristics of sFlow acquisition, NetFlow acquisition, SNMP acquisition and log collection to obtain the data, storing the parsed data in a formatted manner, and extracting the data information and uploading it.
9. The system according to claim 6, characterized in that the fusion performed by the data fusion module by means of the fusion algorithm is specifically:
performing information fusion on the preprocessed data in combination with a cluster fusion algorithm, and performing cluster fusion on the data according to a fusion granularity parameter.
10. The system according to claim 9, characterized in that the cluster fusion algorithm is specifically a Bayes-fuzzy cluster fusion algorithm.
CN201811529588.4A 2018-12-14 2018-12-14 A kind of network security situational awareness method and system based on fusion decision Pending CN109766695A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811529588.4A CN109766695A (en) 2018-12-14 2018-12-14 A kind of network security situational awareness method and system based on fusion decision

Publications (1)

Publication Number Publication Date
CN109766695A true CN109766695A (en) 2019-05-17

Family

ID=66450633

Country Status (1)

Country Link
CN (1) CN109766695A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905440B (en) * 2014-03-28 2017-02-22 哈尔滨工程大学 Network security situation awareness analysis method based on log and SNMP information fusion

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
葛宝玉: "基于xFlow的网络安全态势融合分析技术", 《中国优秀硕士学位论文全文数据库(信息科技辑)》 *
韩承钦: "基于sFlow和SNMP的网络安全态势融合方法的研究", 《中国优秀硕士学位论文全文数据库(信息科技辑)》 *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110191024A (en) * 2019-05-31 2019-08-30 中国联合网络通信集团有限公司 Network flow monitoring method and device
CN110719194A (en) * 2019-09-12 2020-01-21 中国联合网络通信集团有限公司 Network data analysis method and device
CN110769007A (en) * 2019-12-26 2020-02-07 国网电子商务有限公司 Network security situation sensing method and device based on abnormal traffic detection
CN111193734A (en) * 2019-12-27 2020-05-22 杭州安恒信息技术股份有限公司 User behavior analysis method based on http traffic situation
CN111654489A (en) * 2020-05-27 2020-09-11 杭州迪普科技股份有限公司 Network security situation sensing method, device, equipment and storage medium
CN111654489B (en) * 2020-05-27 2022-07-29 杭州迪普科技股份有限公司 Network security situation sensing method, device, equipment and storage medium
CN111832017A (en) * 2020-07-17 2020-10-27 中国移动通信集团广西有限公司 Cloud-oriented database security situation sensing system
CN111832017B (en) * 2020-07-17 2023-08-11 中国移动通信集团广西有限公司 Cloud-oriented database security situation awareness system
CN112799956B (en) * 2021-02-07 2023-05-23 杭州迪普科技股份有限公司 Asset identification capability test method, device and system device
CN112799956A (en) * 2021-02-07 2021-05-14 杭州迪普科技股份有限公司 Asset identification capability test method, device and system device
CN113572781A (en) * 2021-07-28 2021-10-29 中国南方电网有限责任公司 Method for collecting network security threat information
CN114157592A (en) * 2021-11-09 2022-03-08 北京天融信网络安全技术有限公司 Test system and method for network equipment flow management
CN115001793A (en) * 2022-05-27 2022-09-02 北京双湃智安科技有限公司 Data fusion method for information security multi-source heterogeneous data
CN115103000A (en) * 2022-06-20 2022-09-23 北京鼎兴达信息科技股份有限公司 Method for restoring and analyzing business session of railway data network based on NetStream
CN115103000B (en) * 2022-06-20 2023-09-26 北京鼎兴达信息科技股份有限公司 Method for restoring and analyzing business session of railway data network based on NetStream
CN115499320A (en) * 2022-08-22 2022-12-20 中国南方电网有限责任公司超高压输电公司 Monitoring system of network space assets
CN116723136A (en) * 2023-08-09 2023-09-08 南京华飞数据技术有限公司 Network data detection method applying FCM clustering algorithm
CN116723136B (en) * 2023-08-09 2023-11-03 南京华飞数据技术有限公司 Network data detection method applying FCM clustering algorithm
CN117375982A (en) * 2023-11-07 2024-01-09 广州融服信息技术有限公司 Network situation safety monitoring system
CN117375982B (en) * 2023-11-07 2024-03-15 广州融服信息技术有限公司 Network situation safety monitoring system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190517