CN110392048A - Network security situation awareness model and method based on CE-RBF - Google Patents


Info

Publication number: CN110392048A
Authority: CN (China)
Prior art keywords: data, vulnerability, attack, network, asset
Legal status: Withdrawn
Application number: CN201910597734.5A
Other languages: Chinese (zh)
Inventor: 洪薇
Current Assignee: Hubei Yangzhong Jushi Information Technology Co Ltd
Original Assignee: Hubei Yangzhong Jushi Information Technology Co Ltd
Priority: CN201910597734.5A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis

Abstract

The invention discloses a CE-RBF-based network security situation awareness model and method. The model comprises a data preprocessing module, a situation calculation module, a parameter optimization module and a situation prediction module. The method comprises: collecting data sets from different sources, extracting the principal component information used for situation awareness, and obtaining asset attack threat data and system state data; calculating risk values from the asset attack threat data of the network devices and assessing the security situation of the whole network; determining the initial parameters of the RBF neural network, establishing an optimization objective function, optimizing the parameters with the CE algorithm and, after the optimal parameter set is found, substituting it into the RBF neural network and training with historical network situation values as sample data; and using the trained RBF neural network to perform situation prediction. The invention uses the efficient optimization capability of CE to solve the parameter optimization problem in high-dimensional models and improves the predictive ability of the neural network.

Description

CE-RBF-based network security situation perception model and method
Technical Field
The invention relates to the field of network information security, in particular to a CE-RBF-based network security situation awareness model and a CE-RBF-based network security situation awareness method.
Background
With the rapid development of network technology, network attack events increase year by year and network security has become a focus of attention. Predicting the network security situation makes it possible to grasp the security state of a network before attack events occur, so that corresponding protective measures can be taken to avoid unnecessary attacks and losses.
Research on network security situation awareness started late in China; most of it concerns the network threat quantification process and the intrusion detection process, and the few prediction models are suited only to a specific standard system and application scenario. As an efficient feedforward neural network, the RBF (Radial Basis Function) neural network has good approximation performance and global optimum characteristics, a simple structure and a high training speed, but a large number of parameters need to be optimized during RBF training, otherwise an accurate prediction effect cannot be achieved.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to combine a CE (Covariance Matrix adaptive evolution) algorithm with an RBF neural network model to realize an efficient and accurate network security situation awareness model and awareness method.
In order to achieve this purpose, the technical scheme provided by the invention is as follows: a CE-RBF-based network security situation awareness model comprising a data preprocessing module, a situation calculation module, a parameter optimization module and a situation prediction module, wherein:
the data preprocessing module is used for collecting data sets from different sources, extracting from them the principal component information for network security situation awareness, then eliminating the redundancy of the multi-source data through data association analysis and mining the associations among the data, thereby obtaining the vulnerability information, system operation information, attack information and asset information required by network security situation calculation, and obtaining from this information the corresponding asset vulnerability threat data, asset attack threat data and system state;
the situation calculation module is used for evaluating the importance of the network equipment in the network according to the asset vulnerability threat data, the asset attack threat data and the current system state which are obtained by the data preprocessing module, calculating the risk value of the network equipment and evaluating the security situation of the whole network;
the parameter optimization module is used for determining initial parameters of the RBF neural network, establishing an optimization objective function, optimizing the parameters by using a CE algorithm, substituting the parameters into the RBF neural network after finding an optimal parameter set, and performing RBF neural network training by using historical network situation values as sample data;
and the situation prediction module is used for predicting the network security situation value of the next month by using the RBF neural network trained by the parameter optimization module and taking the network security situation values of three adjacent months as input data, and drawing a network security situation perception map.
On the basis of the scheme, the data preprocessing module comprises a data acquisition module, a data principal component extraction module and a data association analysis module;
the data acquisition module is used for acquiring data sets of four different sources including vulnerability data, system operation data, attack event data and asset data;
the vulnerability data is acquired from websites such as CNNVD, CNVD, CVE and the like in a crawler mode; the system operation data is acquired from log information of a system host; the attack event data is acquired from log information of IDS, firewall, switch and other devices; the asset data refers to hardware equipment information and user data information in a network system;
the data principal component extraction module is used for extracting the principal component data useful for network security situation awareness from the data sets of the four different sources collected by the data acquisition module, so as to improve algorithm efficiency and reduce the computational burden of the model;
the principal component data useful for network security situation awareness to be extracted from the vulnerability data comprises the vulnerability name, type, release time, affected devices, threat level and the attack type caused by the vulnerability; that to be extracted from the system operation data comprises the number of services started by the host, the service types, the open ports and the network information; that to be extracted from the attack event data comprises the attacker IP, attacker attribution, victim IP, victim attribution, attacked platform, attack port, attack type, attack time, attack behaviors and vulnerability exploitation information; and that to be extracted from the asset data comprises the device type, hardware parameters, the number of device connections and the amount of user privacy data in the device;
the data association analysis module is used for performing association analysis on the principal component data useful for network security situation awareness extracted by the data principal component extraction module, to obtain the corresponding asset vulnerability threat data, asset attack threat data and the system operating environments in which the various attack events break out, so that the system state is divided into a security state, an early warning state, an attack state and a damage state;
the asset vulnerability threat data is obtained by performing correlation analysis on the asset data and the vulnerability data; the asset attack threat data is obtained by performing correlation analysis on vulnerability data and attack event data; the system operation environment met by various attack event outbreaks is obtained by performing correlation analysis on system operation data and attack event data.
On the basis of the scheme, the asset vulnerability threat data is obtained by the following method:
the method comprises the steps of firstly associating asset data with vulnerability data, then counting the number of vulnerability outbreaks of various types in a period of time for a certain equipment type, and finally calculating the threat degree of the vulnerability according to the threat level of the vulnerability to obtain the vulnerability outbreak rule of the certain equipment type in a period of time, namely the asset vulnerability threat data;
the asset attack threat data is obtained by the following method:
firstly, correlating vulnerability data with attack event data, then counting the number of attack events utilizing vulnerability outbreak in a period of time aiming at a certain vulnerability type, and calculating the attack outbreak rate of the vulnerability of the type; and then, performing correlation analysis on the obtained asset vulnerability threat data and the attack outbreak rate of the vulnerability to obtain an attack outbreak rule of a certain asset type in a period of time, namely the asset attack threat data.
A network security situation perception method based on CE-RBF includes the following steps:
S1, collecting data sets from different sources, extracting principal component information for network security situation awareness, obtaining vulnerability data, system operation data, attack event data and asset data for network security situation calculation, performing data association analysis, eliminating redundancy of multi-source data, mining associations among the data, and obtaining asset vulnerability threat data, asset attack threat data and system state data;
S2, according to the asset attack threat data obtained in step S1, obtaining the importance $W_i$ of the device in the network, using a risk assessment function $E_i = F(T_i \times D_i)$ to calculate the risk value $E_i$ of the network device, and, in combination with the importance $W_i$ of the device in the network, calculating the security situation value of the whole network, $E = \sum W_i E_i$;
S3, determining initial parameters of the RBF neural network, establishing an optimization objective function, optimizing the parameters by using a CE algorithm, substituting the parameters into the RBF neural network after finding an optimal parameter set, and training by using historical network situation values as sample data;
and S4, predicting the network security situation value of the next month by using the trained RBF neural network and taking the network security situation values of the adjacent three months as input data, and by analogy, predicting the network security situation by drawing a network security situation perception map.
On the basis of the above scheme, step S1 specifically includes the following steps:
S101, collecting, through the data acquisition module, data sets from four different sources: vulnerability data, system operation data, attack event data and asset data;
S102, extracting, through the data principal component extraction module, principal component information for network security situation awareness from the four data sets of different sources collected by the data acquisition module in step S101; the principal component information comprises the vulnerability name, type, release time, affected devices, threat level and attack type caused by the vulnerability, extracted from the vulnerability data; the number of services opened by the host, the service types, the open ports and the network information, extracted from the system operation data; the attacker IP, attacker attribution, victim IP, victim attribution, attacked platform, attack port, attack type, attack time, attack behavior and vulnerability information, extracted from the attack event data; and the device type, service type, open port, device connection number and privacy data amount, extracted from the asset data;
S103, associating, through the data association analysis module, the asset data principal component information extracted in step S102 with the vulnerability data principal component information, counting, for a given device type, the number of vulnerability outbreaks of each type within a period of time, and calculating the threat degree of each type of vulnerability according to its threat level, to obtain the vulnerability outbreak pattern of that device type within the period, namely the asset vulnerability threat data, and so on to obtain the asset vulnerability threat data of the whole network;
S104, associating, through the data association analysis module, the vulnerability data principal component information extracted in step S102 with the attack event data principal component information, counting, for a given vulnerability type, the number of attack events exploiting that vulnerability within a period of time, and calculating the attack outbreak rate of that type of vulnerability; then performing association analysis on this attack outbreak rate and the asset vulnerability threat data obtained in step S103 to obtain the attack outbreak pattern of a given asset type within the period, namely the asset attack threat data, and so on to obtain the asset attack threat data of the whole network;
and S105, performing, through the data association analysis module, association analysis on the system operation data principal component information extracted in step S102 and the attack event data principal component information, to obtain the system operating environments in which the various attack events break out, and further dividing the system state into a security state, an early warning state, an attack state and a damage state.
On the basis of the above scheme, the step S2 specifically includes the following steps:
S201, evaluating the importance $W_i$ of the device in the network according to the asset data of the device; the evaluation process specifically comprises the following steps:
1) counting the number of connections of the device in the network and the amount of user privacy data stored in the device;
2) defining the function level of the device according to the device type and the service influence range;
3) defining the performance level of the device according to the hardware parameters, then accumulating and standardizing the attribute values to obtain the importance $W_i$ of the device in the network;
S202, using a risk assessment function $E_i = F(T_i \times D_i)$ to calculate the risk value $E_i$ of the device;
wherein the function $F$ is a preset risk evaluation function, $T_i$ is the attack threat value faced by the device in the current time period, $D_i$ represents the current system state of the device, and $\times$ is the matrix multiplication operation; the process then goes to S203;
S203: in combination with the importance $W_i$ of the device in the network obtained in step S201, calculating the security situation value $E$ of the whole network, with the calculation formula:
$$E = \sum W_i E_i$$
wherein $W_i$ is the importance of the device in the network and $E_i$ is the risk value of the device.
On the basis of the above scheme, the step S3 specifically includes the following steps:
S301, determining the structure of the RBF model, wherein the RBF is a three-layer neural network structure comprising an input layer, a hidden layer and an output layer; transforming the historical network security situation data into multidimensional vectors used as the inputs of the RBF neural network model, wherein a sliding window algorithm is adopted for the input:
wherein $I$ is an input vector of the RBF model, $O$ is an output vector of the RBF model, $n$ is the length of the input vector of the RBF model, and $k$ is the number of input vectors;
S302, determining the initial parameters $\Omega_0 = (w_1, w_2, \ldots, w_m; n_c; \sigma)$ of the RBF model and the maximum number of iterations $t_{max}$;
wherein $w$ represents the connection weight from a hidden layer neuron to the output layer, $m$ represents the number of hidden layer neurons, $n_c$ represents the number of centers of the hidden layer basis functions, $\sigma$ represents the spread constant of the radial basis function, and $t_{max}$ is selected according to experience;
S303, determining the optimization objective function of the model as $F = \min\{f(\Omega)\}$ and, in each round of iteration, passing the parameter $\Omega_t$ to the CE algorithm as the parameter to be optimized;
wherein $\Omega$ is the RBF model parameter, and $f(\Omega)$ represents the mean square error between the predicted value $O'_i$ and the actual output value $O_i$, the predicted value $O'_i$ being calculated from the RBF model input vector $I_i$;
S304, determining the initial parameters of the CE algorithm, namely the initial parameters $\Omega_0$ of the RBF determine the initial parameters of the CE algorithm;
S305, optimizing the parameters by using the CE algorithm to obtain the optimal parameters, wherein the parameter optimization process is as follows:
1) taking $\Omega_t$ as the expectation $mean_t$, calculating the new population
wherein represents the individuals of the population, $t$ represents the generation of evolution with $0 < t < t_{max}$, $q$ represents the $q$-th individual, $mean_t$ represents the center point of the population, i.e. the expectation, $s$ represents the update step size, and $M$ represents the covariance matrix of the population;
2) a new covariance matrix $M_{t+1}$ is generated using the following equation
wherein $a_1$ and $a_\mu$ represent learning factors, $p$ represents the evolution path, the initial evolution path is 0, and it is then updated by the following formula:
the step size $s$ is updated according to the following formula:
wherein $d_s$ is the damping coefficient, $E\|N(0, I)\|$ is the expectation of the Euclidean norm $\|N(0, I)\|$, $I$ represents the identity matrix, $a_s$ represents the parameter of the conjugate evolution path $p_s$, and $p_s$ is updated according to the following formula:
3) the new population expectation $mean_{t+1}$ is calculated using the following formula to obtain the optimized parameter $\Omega_{t+1}$ and a new objective function value;
wherein $\eta$ represents the weight of an individual, the sum of $\eta$ is 1, $\lambda$ represents the number of individuals in the population, and represents the $i$-th individual selected from the $\lambda$ individuals;
$$\Omega_{t+1} = mean_{t+1}$$
4) repeating 1) to 3) for cyclic optimization until $t > t_{max}$, and taking $\Omega_t$ at that time as the optimal parameter $\Omega_{best}$ of the RBF neural network;
S306, inputting the optimal parameter $\Omega_{best}$ obtained in step S305 into the RBF neural network, and training the RBF neural network with the historical network security situation data as training data samples.
On the basis of the above scheme, in step S4 the network security situation value of the next month is predicted as follows: a Predict function is taken as the network security situation prediction function and the network security situation values of three adjacent months are taken as input data; the situation value is predicted using the model that integrates the RBF neural network model and the CE evolution algorithm; the Predict function then returns a situation value sequence, and the final situation value obtained is the prediction result of the network security situation.
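Steps S301 to S306 and S4 above, worked through as an added Python example (not code from the patent): three-month sliding windows, a Gaussian RBF network, and an evolutionary search that minimizes the mean square error f(Ω). Assumptions: the update formulas are not reproduced on this page, so the search uses a simplified diagonal-covariance update with η-weighted recombination and no evolution path or step-size control; the search itself does the fitting; n_c is fixed at 4 with centers taken from training windows; the series `HISTORY` is constructed and all function names are hypothetical.

```python
import math
import random

# Constructed sample data: 24 monthly network security situation values E.
HISTORY = [0.42, 0.45, 0.51, 0.48, 0.55, 0.60, 0.58, 0.52, 0.49, 0.47, 0.53, 0.57,
           0.62, 0.66, 0.61, 0.56, 0.54, 0.50, 0.52, 0.58, 0.63, 0.67, 0.64, 0.59]


def sliding_windows(series, n=3):
    """S301: build (I, O) pairs, n consecutive values as input, the next as output."""
    return [(series[i:i + n], series[i + n]) for i in range(len(series) - n)]


def rbf_output(omega, centers, x):
    """RBF forward pass; omega = (w_1..w_m, sigma), one Gaussian unit per center."""
    *weights, sigma = omega
    sigma = max(abs(sigma), 1e-3)  # the spread constant must stay strictly positive
    total = 0.0
    for w, c in zip(weights, centers):
        dist2 = sum((xi - ci) ** 2 for xi, ci in zip(x, c))
        total += w * math.exp(-dist2 / (2.0 * sigma ** 2))
    return total


def mse(omega, centers, samples):
    """S303 objective f(omega): mean square error between O'_i and O_i."""
    return sum((rbf_output(omega, centers, x) - y) ** 2 for x, y in samples) / len(samples)


def optimise(samples, centers, omega0, t_max=80, lam=24, mu=6, seed=7):
    """S305 (simplified, assumed update rule): sample a population around mean_t,
    recombine the mu best with weights eta (sum 1) into mean_{t+1}, and re-estimate
    a diagonal covariance from the selected individuals."""
    rng = random.Random(seed)
    dim = len(omega0)
    mean, std = list(omega0), [0.3] * dim
    raw = [math.log(mu + 0.5) - math.log(k + 1) for k in range(mu)]
    eta = [r / sum(raw) for r in raw]
    # Added safeguard, not on the page: remember the best mean seen so far.
    best, best_f = list(mean), mse(mean, centers, samples)
    for _ in range(t_max):
        pop = [[rng.gauss(m, s) for m, s in zip(mean, std)] for _ in range(lam)]
        pop.sort(key=lambda ind: mse(ind, centers, samples))
        elite = pop[:mu]
        new_mean = [sum(e * ind[d] for e, ind in zip(eta, elite)) for d in range(dim)]
        # Spread measured from the previous mean keeps variance along the search direction.
        std = [max(math.sqrt(sum(e * (ind[d] - mean[d]) ** 2
                                 for e, ind in zip(eta, elite))), 1e-4)
               for d in range(dim)]
        mean = new_mean
        f = mse(mean, centers, samples)
        if f < best_f:
            best, best_f = list(mean), f
    return best, best_f


def fit(history, n=3, n_c=4):
    """S301-S306: window the history, pick n_c centers, optimise omega from omega_0."""
    samples = sliding_windows(history, n)
    step = max(len(samples) // n_c, 1)
    centers = [samples[i][0] for i in range(0, len(samples), step)][:n_c]
    omega0 = [0.0] * len(centers) + [0.2]  # zero weights, initial spread 0.2
    f0 = mse(omega0, centers, samples)
    omega_best, f_best = optimise(samples, centers, omega0)
    return omega_best, centers, f0, f_best


def predict_next(history, omega, centers, n=3):
    """S4: predict next month's situation value from the last n months."""
    return rbf_output(omega, centers, history[-n:])


if __name__ == "__main__":
    omega, centers, f0, f1 = fit(HISTORY)
    print("MSE before/after optimisation:", round(f0, 4), round(f1, 4))
    print("predicted next month:", round(predict_next(HISTORY, omega, centers), 3))
```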
The main working principle of the invention is as follows: firstly, acquiring asset attack threat data and system state data for situation awareness through feature extraction and correlation analysis of acquired information; then, a situation value of the network equipment is obtained by utilizing a risk evaluation function, and the evaluation of the network security situation is realized by combining the importance of the equipment; and finally, forecasting the network security situation through calculation of the RBF neural network and optimization of the CE algorithm.
Compared with the prior art, the invention has the advantages that:
the CE evolutionary algorithm is introduced into the RBF neural network, and the efficient optimization capability of CE is used to solve the parameter optimization problem in high-dimensional models; by combining the two, the structure and parameters of the neural network become more reasonable and the prediction capability of the neural network is greatly improved.
Drawings
FIG. 1 is a schematic diagram of a CE-RBF-based network security situation awareness model according to the present invention;
FIG. 2 is a flow chart of the CE-RBF-based network security situation awareness method of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Referring to fig. 1, a network security situation awareness model based on a CE-RBF according to an embodiment of the present invention includes a data preprocessing module 1, a situation calculation module 2, a parameter optimization module 3, and a situation prediction module 4; wherein:
the data preprocessing module 1 is used for collecting data sets from different sources, extracting from them the principal component information for network security situation awareness, then eliminating the redundancy of the multi-source data through data association analysis and mining the associations among the data, thereby obtaining the vulnerability information, system operation information, attack information and asset information required by network security situation calculation, and obtaining from this information the corresponding asset vulnerability threat data, asset attack threat data and system state;
the situation calculation module 2 is used for evaluating the importance of the network equipment in the network according to the asset vulnerability threat data, the asset attack threat data and the current system state which are obtained by the data preprocessing module 1, calculating the risk value of the network equipment and evaluating the security situation of the whole network;
the parameter optimization module 3 is used for determining initial parameters of the RBF neural network, establishing an optimization objective function, optimizing the parameters by using a CE algorithm, substituting the parameters into the RBF neural network after finding an optimal parameter set, and performing RBF neural network training by using historical network situation values as sample data;
and the situation prediction module 4 is used for predicting the network security situation value of the next month by using the RBF neural network trained by the parameter optimization module 3 and taking the network security situation values of three adjacent months as input data, and drawing a network security situation perception map.
Referring to fig. 1, in the embodiment of the present invention, the data preprocessing module 1 includes a data acquisition module 1.1, a data principal component extraction module 1.2, and a data association analysis module 1.3;
the data acquisition module 1.1 is used for acquiring data sets of four different sources including vulnerability data, system operation data, attack event data and asset data;
the vulnerability data is acquired from websites such as CNNVD, CNVD, CVE and the like in a crawler mode; the system operation data is acquired from log information of a system host; the attack event data is acquired from log information of IDS, firewall, switch and other devices; the asset data refers to hardware equipment information and user data information in a network system;
the data principal component extraction module 1.2 is used for extracting the principal component data useful for network security situation awareness from the data sets of the four different sources collected by the data acquisition module 1.1, so as to improve algorithm efficiency and reduce the computational burden of the model;
the principal component data useful for network security situation awareness to be extracted from the vulnerability data comprises the vulnerability name, type, release time, affected devices, threat level and the attack type caused by the vulnerability; that to be extracted from the system operation data comprises the number of services started by the host, the service types, the open ports and the network information; that to be extracted from the attack event data comprises the attacker IP, attacker attribution, victim IP, victim attribution, attacked platform, attack port, attack type, attack time, attack behaviors and vulnerability exploitation information; and that to be extracted from the asset data comprises the device type, hardware parameters, the number of device connections and the amount of user privacy data in the device;
the data association analysis module 1.3 is used for performing association analysis on the principal component data useful for network security situation awareness extracted by the data principal component extraction module 1.2, to obtain the corresponding asset vulnerability threat data, asset attack threat data and the system operating environments in which the various attack events break out, so that the system state is divided into a security state, an early warning state, an attack state and a damage state;
the asset vulnerability threat data is obtained by performing correlation analysis on the asset data and the vulnerability data; the asset attack threat data is obtained by performing correlation analysis on vulnerability data and attack event data; the system operating environment satisfied by various attack event outbreaks is obtained by performing correlation analysis on system operating data and attack event data, and specifically, the system operating environment is divided into a safety state, an early warning state, an attack state and a damage state.
More specifically, in the situation awareness model embodiment of the present invention, the asset vulnerability threat data is obtained specifically by the following method:
first, the asset data is associated with the vulnerability data; then, for a given device type, the number of vulnerability outbreaks of each type within a period of time is counted; finally, the threat degree of the vulnerabilities is calculated from their threat levels, giving the vulnerability outbreak pattern of that device type over the period, namely the asset vulnerability threat data;
More specifically, in the situation awareness model embodiment of the present invention, the asset attack threat data is obtained specifically by:
first, the vulnerability data is associated with the attack event data; then, for a given vulnerability type, the number of attack events that exploited vulnerabilities of that type within a period of time is counted and the attack outbreak rate of that vulnerability type is calculated; the asset vulnerability threat data obtained above is then correlated with the attack outbreak rate of the vulnerability to obtain the attack outbreak pattern of a given asset type over the period, namely the asset attack threat data.
Referring to fig. 2, the method for sensing a network security situation based on a CE-RBF provided by the present invention includes the following steps:
S1, collecting data sets from different sources, extracting principal component information for network security situation awareness to obtain the vulnerability data, system operation data, attack event data and asset data used for network security situation calculation, then performing data association analysis to eliminate redundancy in the multi-source data and mine the associations among the data, obtaining asset vulnerability threat data, asset attack threat data and system state data;
S2, according to the asset attack threat data obtained in step S1, obtaining the importance $W_i$ of each device in the network, using the risk assessment function $E_i = F(T_i \times D_i)$ to calculate the risk value $E_i$ of the network device, and, in combination with the importance $W_i$ of the device in the network, calculating the security situation value of the whole network $E = \sum W_i E_i$;
S3, determining initial parameters of the RBF neural network, establishing an optimization objective function, optimizing the parameters by using a CE algorithm, substituting the parameters into the RBF neural network after finding an optimal parameter set, and training by using historical network situation values as sample data;
S4, using the trained RBF neural network to predict the network security situation value of the next month from the network security situation values of the three adjacent months as input data, and so on, and drawing a network security situation awareness map to forecast the network security situation.
More specifically, in the embodiment of the situation awareness method of the present invention, step S1 specifically includes the following steps:
S101, collecting, through the data acquisition module, data sets from four different sources: vulnerability data, system operation data, attack event data and asset data;
the vulnerability data can be acquired by web crawler from websites such as CNNVD, CNVD and CVE; the system operation data can be obtained from the log information of the system host; the attack event data can be obtained from the log information of devices such as IDS, firewalls and switches; the asset data refers to hardware device information and user profile information in the network system.
S102, extracting, through the data principal component extraction module, the principal component information for network security situation awareness from the four data sets of different sources collected by the data acquisition module in step S101, the principal component information comprising: the vulnerability name, type, release time, affected devices, threat level and the attack type caused by the vulnerability, extracted from the vulnerability data; the number of services opened by the host, the service types, the open ports and the network information, extracted from the system operation data; the attacker IP, attacker attribution, victim IP, victim attribution, attacked platform, attack port, attack type, attack time, attack behavior and vulnerability information, extracted from the attack event data; and the device type, service type, open port, number of device connections and amount of privacy data therein, extracted from the asset data;
S103, associating, through the data association analysis module, the asset data principal component information extracted in step S102 with the vulnerability data principal component information, counting, for a given device type, the number of vulnerability outbreaks of each type within a period of time, and calculating the threat degree of each type of vulnerability from its threat level, to obtain the vulnerability outbreak pattern of that device type over the period, namely the asset vulnerability threat data, and so on to obtain the asset vulnerability threat data of the whole network;
S104, associating, through the data association analysis module, the vulnerability data principal component information extracted in step S102 with the attack event data principal component information, counting, for a given vulnerability type, the number of attack events that exploited vulnerabilities of that type within a period of time, calculating the attack outbreak rate of that vulnerability type, and then correlating this attack outbreak rate with the asset vulnerability threat data obtained in step S103 to obtain the attack outbreak pattern of a given asset type over the period, namely the asset attack threat data, and so on to obtain the asset attack threat data of the whole network;
S105, performing, through the data association analysis module, correlation analysis on the system operation data principal component information extracted in step S102 and the attack event data principal component information to obtain the system operating environments under which the various attack events break out, and further dividing the system state into a security state, an early warning state, an attack state and a damage state.
More specifically, in the embodiment of the situation awareness method of the present invention, step S2 specifically includes the following steps:
S201, evaluating the importance $W_i$ of the device in the network according to the asset data of the device; the evaluation process specifically comprises the following steps:
1) counting the number of connections the device has in the network and the amount of user privacy data stored on the device;
2) defining the function level of the device according to the device type and the service influence range;
3) defining the performance level of the device according to its hardware parameters, then accumulating and standardizing the attribute values to obtain the importance $W_i$ of the device in the network;
S202, using the risk assessment function $E_i = F(T_i \times D_i)$ to calculate the risk value $E_i$ of the device;
wherein the function $F$ is a preset risk evaluation function, $T_i$ is the attack threat value faced by the device in the current time period, $D_i$ is the current system state of the device, and $\times$ is the matrix multiplication operation;
S203, in combination with the importance $W_i$ of the device in the network obtained in step S201, calculating the security situation value $E$ of the whole network according to the following formula:
$E = \sum W_i E_i$
wherein $W_i$ is the importance of the device in the network and $E_i$ is the risk value of the device.
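The correlation and scoring steps S103, S104 and S201 to S203 can be followed end to end in the Python example below, which is added here and is not code from the patent. The records are constructed, and the outbreak-rate definition, the scalar treatment of $T_i$ and $D_i$, the state factors, the form of $F$ and the attribute scaling are all assumptions, since the patent leaves them unspecified.

```python
import math
from collections import Counter, defaultdict

# Constructed sample records (not from the patent).
ASSETS = [
    {"id": "db-01", "type": "server", "connections": 40, "privacy_records": 5000,
     "function_level": 3, "performance_level": 3, "state": "attack"},
    {"id": "sw-01", "type": "switch", "connections": 80, "privacy_records": 0,
     "function_level": 2, "performance_level": 2, "state": "warning"},
    {"id": "pc-07", "type": "workstation", "connections": 4, "privacy_records": 50,
     "function_level": 1, "performance_level": 1, "state": "safe"},
]
VULNS = [
    {"id": "V1", "type": "sql_injection", "device_type": "server", "threat_level": 3},
    {"id": "V2", "type": "overflow", "device_type": "server", "threat_level": 2},
    {"id": "V3", "type": "overflow", "device_type": "switch", "threat_level": 2},
    {"id": "V4", "type": "weak_auth", "device_type": "workstation", "threat_level": 1},
]
ATTACKS = [  # each event names the vulnerability it exploited
    {"victim": "db-01", "vuln": "V1"}, {"victim": "db-01", "vuln": "V1"},
    {"victim": "db-01", "vuln": "V2"}, {"victim": "sw-01", "vuln": "V3"},
]
# Assumed numeric factor D for the four system states named in the patent.
STATE_FACTOR = {"safe": 0.25, "warning": 0.5, "attack": 0.75, "damage": 1.0}


def asset_vuln_threat(vulns):
    """S103: per device type, threat degree summed per vulnerability type."""
    threat = defaultdict(lambda: defaultdict(float))
    for v in vulns:
        threat[v["device_type"]][v["type"]] += v["threat_level"]
    return threat


def attack_outbreak_rate(vulns, attacks):
    """S104 (assumed definition): share of attack events per vulnerability type."""
    vtype = {v["id"]: v["type"] for v in vulns}
    counts = Counter(vtype[a["vuln"]] for a in attacks if a["vuln"] in vtype)
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()} if total else {}


def asset_attack_threat(vulns, attacks):
    """S104: T per device type = sum(threat degree x outbreak rate)."""
    rate = attack_outbreak_rate(vulns, attacks)
    return {dev: sum(deg * rate.get(t, 0.0) for t, deg in by_type.items())
            for dev, by_type in asset_vuln_threat(vulns).items()}


def importance(assets):
    """S201: scale each attribute by its maximum, add up, normalise to sum 1."""
    attrs = ("connections", "privacy_records", "function_level", "performance_level")
    peak = {a: max(x[a] for x in assets) or 1 for a in attrs}
    raw = {x["id"]: sum(x[a] / peak[a] for a in attrs) for x in assets}
    total = sum(raw.values())
    return {dev: value / total for dev, value in raw.items()}


def risk(t, d):
    """S202 with an assumed F that squashes T*D into [0, 1)."""
    return 1.0 - math.exp(-t * d)


def situation(assets, vulns, attacks):
    """S203: E = sum(W_i * E_i); also returns the per-device W_i and E_i."""
    threat = asset_attack_threat(vulns, attacks)
    w = importance(assets)
    e = {x["id"]: risk(threat.get(x["type"], 0.0), STATE_FACTOR[x["state"]])
         for x in assets}
    return sum(w[i] * e[i] for i in w), w, e


if __name__ == "__main__":
    total, w, e = situation(ASSETS, VULNS, ATTACKS)
    for dev in w:
        print(f"{dev}: W={w[dev]:.3f} E={e[dev]:.3f}")
    print(f"network situation value E={total:.4f}")
```
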
More specifically, in the embodiment of the situation awareness method of the present invention, step S3 specifically includes the following steps:
S301, determining the structure of the RBF model, wherein the RBF is a three-layer neural network structure comprising an input layer, a hidden layer and an output layer; transforming the historical network security situation data into multidimensional vectors that serve as the inputs of the RBF neural network model, wherein a sliding window algorithm is adopted for the input:
where $I$ is an input vector of the RBF model, $O$ is an output vector of the RBF model, $n$ is the input vector length of the RBF model, and $k$ is the number of input vectors. For example, the input data of the RBF is determined as $I = (I_1, I_2, \ldots, I_9)$, where $I_k = (x_k, x_{k+1}, x_{k+2})$ represents the situation values of three adjacent months, generating 9 groups of sample data: the model predicts the situation value of month 4 from the situation values of months 1-3, predicts the situation value of month 5 from the situation values of months 2-4, and so on, until it predicts the situation value of month 12 from the situation values of months 9-11. The data input vector length is therefore 3 and the dimension is 9;
S302, determining the initial parameters $\Omega_0 = (w_1, w_2, \ldots, w_m; n_c; \sigma)$ of the RBF model and the maximum number of iterations $t_{max}$; for example, the population size is 15, the initial step size is 0.5, and the sub-population size is 8;
wherein $w$ represents the connection weight from a hidden layer neuron to the output layer and $m$ represents the number of hidden layer neurons; since the output required by the model is one-dimensional data, the number of weights $w$ is equal to the number $m$ of hidden layer neurons; $n_c$ represents the number of centers of the hidden layer basis functions; $\sigma$ represents the spreading constant of the radial basis function, which reflects the width of the function image: the smaller $\sigma$ is, the narrower the width and the more selective the function; $t_{max}$ is selected according to experience;
S303, determining the optimization objective function of the RBF model as $F = \min\{f(\Omega)\}$, and in each round of iteration passing the parameter $\Omega_t$ into the CE algorithm as the parameter to be optimized;
wherein $\Omega$ is the RBF model parameter, and $f(\Omega)$ represents the mean square error between the predicted value $O'_i$ and the actual output value $O_i$, the predicted value $O'_i$ being calculated by the RBF model from the input vector $I_i$;
S304, determining the initial parameters of the CE algorithm, namely, the initial parameters $\Omega_0$ of the RBF determine the initial parameters of the CE algorithm;
S305, optimizing the parameters by using the CE algorithm to obtain the optimal parameters, wherein the parameter optimization process is as follows:
1) taking $\Omega_t$ as the expectation $\mathrm{mean}_t$, calculating the new population
Wherein, represents the individuals of the population, $t$ represents the generation number of the evolution with $0 < t < t_{max}$, $q$ represents the $q$-th individual, $\mathrm{mean}_t$ represents the center point of the population, i.e. the expectation, $s$ represents the update step size, and $M$ represents the covariance matrix of the population;
2) generating a new covariance matrix $M_{t+1}$ using the following equation
Wherein $a_1$ and $a_\mu$ represent learning factors and $p$ represents the evolution path; the initial evolution path is 0, and it is then updated by the following formula:
the step size $s$ is updated according to the following formula:
wherein $d_s$ is the damping coefficient, $E\|N(0, I)\|$ is the expectation of the Euclidean norm $\|N(0, I)\|$, $I$ represents the identity matrix, $a_s$ represents the parameter of the conjugate evolution path $p_s$, and $p_s$ is updated according to the following formula:
3) calculating the new population expectation $\mathrm{mean}_{t+1}$ using the following formula to obtain the optimized parameter $\Omega_{t+1}$ and a new objective function value;
wherein $\eta$ represents the weight of an individual, the sum of the $\eta$ is 1, $\lambda$ represents the number of individuals in the population, represents the $i$-th individual selected from the $\lambda$ individuals;
$\Omega_{t+1} = \mathrm{mean}_{t+1}$
4) repeating 1) to 3) for cyclic optimization until $t > t_{max}$, and taking $\Omega_t$ at that time as the optimal parameter $\Omega_{best}$ of the RBF neural network;
S306, inputting the optimal parameter $\Omega_{best}$ obtained in step S305 into the RBF neural network, and training the RBF neural network with the historical network security situation data as training data samples.
More specifically, in the embodiment of the situation awareness method of the present invention, in step S4, the network security situation value of the next month is predicted, for example the network security situation value for January of the following year, as follows:
taking the Predict function as the network security situation prediction function and the network security situation values of the adjacent months 10-12 as input data, the network security situation value is predicted by the model that integrates the RBF neural network model and the CE evolution algorithm; the Predict function returns a sequence of situation values, the last of which is the calculated network security situation prediction result.
When the CE-RBF-based network security situation awareness model provided by the invention is used for predicting the network security situation, the following functions are specifically used:
the evolutionary algorithm function CE(), which mainly completes the optimization of the RBF neural network parameters;
the model construction function CMA_RBF(), which integrates the RBF neural network model and the CE evolution algorithm into one prediction model, namely the CE-RBF-based network security situation awareness model;
the training function Train() of the RBF neural network;
the situation prediction function Predict(), which takes the sample data as input and uses the RBF model to predict the situation;
the prediction result analysis function Analysis(), which calculates the error between the predicted value and the actual value and feeds it back to the evolutionary algorithm function CE() for further optimization;
the whole function call flow is as follows: 1) the model construction function CMA_RBF() reads the sample data and calls the evolutionary algorithm function CE() to optimize the parameters; 2) the evolutionary algorithm function CE() calls the training function Train() of the RBF neural network to train the RBF model, generating the weight, expectation and center point data; 3) the evolutionary algorithm function CE() then calls the prediction result analysis function Analysis() for iterative optimization, that is, finding the most suitable number of center points, training with that number and the original data, and finding the optimal RBF neural network parameters; 4) the model construction function CMA_RBF() calls the situation prediction function Predict() to perform the situation prediction.
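The following Python example, added here and not taken from the patent, runs steps S301 to S306 and S4 on a constructed 12-month series: sliding-window samples, a Gaussian RBF network, and an evolution strategy that minimises $f(\Omega)$ with the population size 15, sub-population size 8 and initial step size 0.5 quoted above. Assumptions: the centers are fixed to three training windows (so $n_c$ is not optimised), the covariance matrix is kept at the identity, and the step size follows a simple success rule in place of the evolution-path updates, whose formulas do not appear on this page.

```python
import math
import random

# Constructed monthly network security situation values (months 1..12).
SERIES = [0.42, 0.45, 0.51, 0.48, 0.55, 0.60, 0.58, 0.63, 0.66, 0.61, 0.68, 0.72]


def sliding_windows(series, n=3):
    """S301: I_k = (x_k, ..., x_{k+n-1}) paired with the target O_k = x_{k+n}."""
    return [(tuple(series[k:k + n]), series[k + n]) for k in range(len(series) - n)]


def rbf_output(omega, centers, x):
    """Gaussian RBF network with omega = (w_1, ..., w_m, sigma)."""
    *w, sigma = omega
    sigma = max(abs(sigma), 1e-3)  # keep the spreading constant positive
    return sum(wj * math.exp(-math.dist(x, c) ** 2 / (2 * sigma ** 2))
               for wj, c in zip(w, centers))


def mse(omega, centers, samples):
    """S303 objective f(omega): mean squared error of O'_i against O_i."""
    return sum((rbf_output(omega, centers, x) - o) ** 2
               for x, o in samples) / len(samples)


def optimise(samples, centers, t_max=150, lam=15, mu=8, step=0.5, seed=7):
    """S304-S305 with a simplified evolution strategy (see assumptions above)."""
    rng = random.Random(seed)
    dim = len(centers) + 1
    mean = [0.0] * len(centers) + [1.0]  # omega_0: zero weights, sigma = 1
    raw = [math.log(mu + 0.5) - math.log(i + 1) for i in range(mu)]
    eta = [r / sum(raw) for r in raw]    # individual weights, sum to 1
    start_f = mse(mean, centers, samples)
    best, best_f = list(mean), start_f
    for _ in range(t_max):
        # 1) sample lam individuals around the current expectation
        pop = [[m + step * rng.gauss(0, 1) for m in mean] for _ in range(lam)]
        pop.sort(key=lambda ind: mse(ind, centers, samples))
        # 3) new expectation = weighted sum of the mu best individuals
        mean = [sum(eta[i] * pop[i][d] for i in range(mu)) for d in range(dim)]
        f = mse(pop[0], centers, samples)
        if f < best_f:   # assumed success rule for the step size
            best, best_f, step = pop[0], f, step * 1.1
        else:
            step *= 0.85
    return best, best_f, start_f


def predict_next(series, n=3, n_centers=3, **kwargs):
    """S306 + S4: fit on the history, then predict the month after the last one."""
    samples = sliding_windows(series, n)
    stride = max(1, len(samples) // n_centers)
    centers = [x for x, _ in samples[::stride]][:n_centers]
    omega, best_f, start_f = optimise(samples, centers, **kwargs)
    return rbf_output(omega, centers, tuple(series[-n:])), best_f, start_f


if __name__ == "__main__":
    pred, best_f, start_f = predict_next(SERIES)
    print(f"MSE at omega_0: {start_f:.4f}, after optimisation: {best_f:.6f}")
    print(f"predicted situation value for month 13: {pred:.3f}")
```
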
The main working principle of the invention is as follows: firstly, acquiring asset attack threat data and system state data for situation awareness through feature extraction and correlation analysis of acquired information; then, a situation value of the network equipment is obtained by utilizing a risk evaluation function, and the evaluation of the network security situation is realized by combining the importance of the equipment; and finally, forecasting the network security situation through calculation of the RBF neural network and optimization of the CE algorithm.
Finally, the above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all equivalent structures or equivalent processes performed by the present invention or directly or indirectly applied to other related technical fields using the contents of the present specification and the attached drawings are included in the scope of the present invention.

Claims (8)

1. The network security situation awareness model based on the CE-RBF is characterized in that: the system comprises a data preprocessing module (1), a situation calculation module (2), a parameter optimization module (3) and a situation prediction module (4);
the data preprocessing module (1) is used for collecting data sets from different sources, extracting principal component information for sensing network security situation from the data sets, then excavating the relevance among the data after eliminating the redundancy of multi-source data through data correlation analysis, thereby obtaining vulnerability information, system operation information, attack information and asset information required by network security situation calculation, and obtaining corresponding asset vulnerability threat data, asset attack threat data and system state from the vulnerability threat data;
the situation calculation module (2) is used for evaluating the importance of the network equipment in the network according to the asset vulnerability threat data, the asset attack threat data and the current system state which are obtained by the data preprocessing module (1), calculating the risk value of the network equipment and evaluating the security situation of the whole network;
the parameter optimization module (3) is used for determining initial parameters of the RBF neural network, establishing an optimization objective function, optimizing the parameters by using a CE algorithm, substituting the parameters into the RBF neural network after finding an optimal parameter set, and performing RBF neural network training by using historical network situation values as sample data;
and the situation prediction module (4) is used for predicting the network security situation value of the next month by using the RBF neural network trained by the parameter optimization module (3) and taking the network security situation values of three adjacent months as input data, and drawing a network security situation perception map.
2. The CE-RBF based network security situation awareness model according to claim 1, wherein:
the data preprocessing module (1) comprises a data acquisition module (1.1), a data principal component extraction module (1.2) and a data association analysis module (1.3);
the data acquisition module (1.1) is used for acquiring data sets of four different sources including vulnerability data, system operation data, attack event data and asset data;
the vulnerability data is acquired from websites such as CNNVD, CNVD, CVE and the like in a crawler mode; the system operation data is acquired from log information of a system host; the attack event data is acquired from log information of IDS, firewall, switch and other devices; the asset data refers to hardware equipment information and user data information in a network system;
the data principal component extraction module (1.2) is used for extracting principal component data which are useful for sensing network security situation from the data sets of the four different sources acquired by the data acquisition module (1.1) so as to improve algorithm efficiency and reduce model calculation burden;
the principal component data useful for network security situation awareness that needs to be extracted from the vulnerability data comprises the name, type, release time, affected devices and threat level of the vulnerability and the attack type it causes; that extracted from the system operation data comprises the number of services started by the host, the service types, the open ports and the network information; that extracted from the attack event data comprises the attacker IP, attacker attribution, victim IP, victim attribution, attacked platform, attack port, attack type, attack time, attack behavior and vulnerability exploitation information; and that extracted from the asset data comprises the device type, hardware parameters, number of device connections and the amount of user privacy data stored on the device;
the data association analysis module (1.3) is used for performing association analysis on the principal component data extracted by the data principal component extraction module (1.2) to obtain the corresponding asset vulnerability threat data, asset attack threat data and the system operating environments under which the various attack events break out, so that the system state is divided into a security state, an early warning state, an attack state and a damage state;
the asset vulnerability threat data is obtained by correlation analysis of the asset data and the vulnerability data; the asset attack threat data is obtained by correlation analysis of the vulnerability data and the attack event data; the system operating environments under which the various attack events break out are obtained by correlation analysis of the system operation data and the attack event data.
3. The CE-RBF based network security situation awareness model according to claim 2, wherein: the asset vulnerability threat data is obtained by the following method:
first, the asset data is associated with the vulnerability data; then, for a given device type, the number of vulnerability outbreaks of each type within a period of time is counted; finally, the threat degree of the vulnerabilities is calculated from their threat levels, giving the vulnerability outbreak pattern of that device type over the period, namely the asset vulnerability threat data;
the asset attack threat data is obtained by the following method:
first, the vulnerability data is associated with the attack event data; then, for a given vulnerability type, the number of attack events that exploited vulnerabilities of that type within a period of time is counted and the attack outbreak rate of that vulnerability type is calculated; the asset vulnerability threat data obtained above is then correlated with the attack outbreak rate of the vulnerability to obtain the attack outbreak pattern of a given asset type over the period, namely the asset attack threat data.
4. The network security situation awareness method based on the CE-RBF is characterized by comprising the following steps:
S1, collecting data sets from different sources, extracting principal component information for network security situation awareness to obtain the vulnerability data, system operation data, attack event data and asset data used for network security situation calculation, then performing data association analysis to eliminate redundancy in the multi-source data and mine the associations among the data, obtaining asset vulnerability threat data, asset attack threat data and system state data;
S2, according to the asset attack threat data obtained in step S1, obtaining the importance $W_i$ of each device in the network, using the risk assessment function $E_i = F(T_i \times D_i)$ to calculate the risk value $E_i$ of the network device, and, in combination with the importance $W_i$ of the device in the network, calculating the security situation value of the whole network $E = \sum W_i E_i$;
S3, determining initial parameters of the RBF neural network, establishing an optimization objective function, optimizing the parameters by using a CE algorithm, substituting the parameters into the RBF neural network after finding an optimal parameter set, and training by using historical network situation values as sample data;
S4, using the trained RBF neural network to predict the network security situation value of the next month from the network security situation values of the three adjacent months as input data, and so on, and drawing a network security situation awareness map to forecast the network security situation.
5. The CE-RBF-based network security situation awareness method according to claim 4, wherein the step S1 specifically comprises the steps of:
S101, collecting, through the data acquisition module, data sets from four different sources: vulnerability data, system operation data, attack event data and asset data;
S102, extracting, through the data principal component extraction module, the principal component information for network security situation awareness from the four data sets of different sources collected by the data acquisition module in step S101, the principal component information comprising: the vulnerability name, type, release time, affected devices, threat level and the attack type caused by the vulnerability, extracted from the vulnerability data; the number of services opened by the host, the service types, the open ports and the network information, extracted from the system operation data; the attacker IP, attacker attribution, victim IP, victim attribution, attacked platform, attack port, attack type, attack time, attack behavior and vulnerability information, extracted from the attack event data; and the device type, service type, open port, number of device connections and amount of privacy data therein, extracted from the asset data;
S103, associating, through the data association analysis module, the asset data principal component information extracted in step S102 with the vulnerability data principal component information, counting, for a given device type, the number of vulnerability outbreaks of each type within a period of time, and calculating the threat degree of each type of vulnerability from its threat level, to obtain the vulnerability outbreak pattern of that device type over the period, namely the asset vulnerability threat data, and so on to obtain the asset vulnerability threat data of the whole network;
S104, associating, through the data association analysis module, the vulnerability data principal component information extracted in step S102 with the attack event data principal component information, counting, for a given vulnerability type, the number of attack events that exploited vulnerabilities of that type within a period of time, calculating the attack outbreak rate of that vulnerability type, and then correlating this attack outbreak rate with the asset vulnerability threat data obtained in step S103 to obtain the attack outbreak pattern of a given asset type over the period, namely the asset attack threat data, and so on to obtain the asset attack threat data of the whole network;
S105, performing, through the data association analysis module, correlation analysis on the system operation data principal component information extracted in step S102 and the attack event data principal component information to obtain the system operating environments under which the various attack events break out, and further dividing the system state into a security state, an early warning state, an attack state and a damage state.
6. The CE-RBF-based network security situation awareness method according to claim 4, wherein said step S2 specifically comprises the following steps:
S201, evaluating the importance $W_i$ of the device in the network according to the asset data of the device; the evaluation process specifically comprises the following steps:
1) counting the number of connections the device has in the network and the amount of user privacy data stored on the device;
2) defining the function level of the device according to the device type and the service influence range;
3) defining the performance level of the device according to its hardware parameters, then accumulating and standardizing the attribute values to obtain the importance $W_i$ of the device in the network;
S202, using the risk assessment function $E_i = F(T_i \times D_i)$ to calculate the risk value $E_i$ of the device;
wherein the function $F$ is a preset risk evaluation function, $T_i$ is the attack threat value faced by the device in the current time period, $D_i$ represents the current system state of the device, and $\times$ is the matrix multiplication operation, and the process goes to S203;
S203, in combination with the importance $W_i$ of the device in the network obtained in step S201, calculating the security situation value $E$ of the whole network according to the following formula:
$E = \sum W_i E_i$
wherein $W_i$ is the importance of the device in the network and $E_i$ is the risk value of the device.
7. The CE-RBF-based network security situation awareness method according to claim 4, wherein said step S3 specifically comprises the steps of:
S301, determining the structure of the RBF model, wherein the RBF is a three-layer neural network structure comprising an input layer, a hidden layer and an output layer; transforming the historical network security situation data into multidimensional vectors that serve as the inputs of the RBF neural network model, wherein a sliding window algorithm is adopted for the input:
wherein $I$ is an input vector of the RBF model, $O$ is an output vector of the RBF model, $n$ is the length of the input vector of the RBF model, and $k$ is the number of input vectors;
S302, determining the initial parameters $\Omega_0 = (w_1, w_2, \ldots, w_m; n_c; \sigma)$ of the RBF model and the maximum number of iterations $t_{max}$;
wherein $w$ represents the connection weight from a hidden layer neuron to the output layer, $m$ represents the number of hidden layer neurons, $n_c$ represents the number of centers of the hidden layer basis functions, $\sigma$ represents the spreading constant of the radial basis function, and $t_{max}$ is selected according to experience;
S303, determining the optimization objective function of the model as $F = \min\{f(\Omega)\}$, and in each round of iteration passing the parameter $\Omega_t$ into the CE algorithm as the parameter to be optimized;
wherein $\Omega$ is the RBF model parameter, and $f(\Omega)$ represents the mean square error between the predicted value $O'_i$ and the actual output value $O_i$, the predicted value $O'_i$ being calculated by the RBF model from the input vector $I_i$;
S304, determining the initial parameters of the CE algorithm, namely, the initial parameters $\Omega_0$ of the RBF determine the initial parameters of the CE algorithm;
S305, optimizing the parameters by using the CE algorithm to obtain the optimal parameters, wherein the parameter optimization process is as follows:
1) taking $\Omega_t$ as the expectation $\mathrm{mean}_t$, calculating the new population
Wherein, represents the individuals of the population, $t$ represents the generation number of the evolution with $0 < t < t_{max}$, $q$ represents the $q$-th individual, $\mathrm{mean}_t$ represents the center point of the population, i.e. the expectation, $s$ represents the update step size, and $M$ represents the covariance matrix of the population;
2) generating a new covariance matrix $M_{t+1}$ using the following equation
Wherein $a_1$ and $a_\mu$ represent learning factors and $p$ represents the evolution path; the initial evolution path is 0, and it is then updated by the following formula:
the step size $s$ is updated according to the following formula:
wherein $d_s$ is the damping coefficient, $E\|N(0, I)\|$ is the expectation of the Euclidean norm $\|N(0, I)\|$, $I$ represents the identity matrix, $a_s$ represents the parameter of the conjugate evolution path $p_s$, and $p_s$ is updated according to the following formula:
3) calculating the new population expectation $\mathrm{mean}_{t+1}$ using the following formula to obtain the optimized parameter $\Omega_{t+1}$ and a new objective function value;
wherein $\eta$ represents the weight of an individual, the sum of the $\eta$ is 1, $\lambda$ represents the number of individuals in the population, represents the $i$-th individual selected from the $\lambda$ individuals;
$\Omega_{t+1} = \mathrm{mean}_{t+1}$
4) repeating 1) to 3) for cyclic optimization until $t > t_{max}$, and taking $\Omega_t$ at that time as the optimal parameter $\Omega_{best}$ of the RBF neural network;
S306, inputting the optimal parameter $\Omega_{best}$ obtained in step S305 into the RBF neural network, and training the RBF neural network with the historical network security situation data as training data samples.
8. The CE-RBF-based network security situation awareness method according to claim 4, wherein in step S4, the network security situation value of the next month is predicted as follows: taking the Predict function as the network security situation prediction function and the network security situation values of three adjacent months as input data, the network security situation value is predicted by the model that integrates the RBF neural network model and the CE evolution algorithm; the Predict function then returns a sequence of situation values, the last of which is the predicted result of the network security situation.
CN201910597734.5A 2019-07-04 2019-07-04 Network security situation awareness model and method based on CE-RBF Withdrawn CN110392048A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910597734.5A CN110392048A (en) 2019-07-04 2019-07-04 Network security situation awareness model and method based on CE-RBF

Publications (1)

Publication Number Publication Date
CN110392048A true CN110392048A (en) 2019-10-29

Family

ID=68286115

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910597734.5A Withdrawn CN110392048A (en) 2019-07-04 2019-07-04 Network security situation awareness model and method based on CE-RBF

Country Status (1)

Country Link
CN (1) CN110392048A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101436967A (en) * 2008-12-23 2009-05-20 北京邮电大学 Method and system for evaluating network safety situation
CN102821007A (en) * 2012-08-06 2012-12-12 河南科技大学 Network security situation awareness system based on self-discipline computing and processing method thereof
CN107528850A (en) * 2017-09-05 2017-12-29 西北大学 A kind of optimal prevention policies analysis system and method based on improvement ant group algorithm
CN108494810A (en) * 2018-06-11 2018-09-04 中国人民解放军战略支援部队信息工程大学 Network security situation prediction method, apparatus and system towards attack
CN109242306A (en) * 2018-09-04 2019-01-18 深圳市城市公共安全技术研究院有限公司 Safety production risk assessment method and system based on multilevel gray correlation analysis
CN109660526A (en) * 2018-12-05 2019-04-19 国网江西省电力有限公司信息通信分公司 A kind of big data analysis method applied to information security field
CN109861995A (en) * 2019-01-17 2019-06-07 安徽谛听信息科技有限公司 A kind of safe big data intelligent analysis method of cyberspace, computer-readable medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
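Yang Ming et al.: "Network security situation prediction model optimized by the CMA-ES algorithm", Journal of Harbin University of Science and Technology *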

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110826617A (en) * 2019-10-31 2020-02-21 中国人民公安大学 Situation element classification method and training method and device of model thereof, and server
CN111092912A (en) * 2019-12-31 2020-05-01 中国银行股份有限公司 Security defense method and device
CN111092912B (en) * 2019-12-31 2022-12-23 中国银行股份有限公司 Security defense method and device
CN111510332A (en) * 2020-04-14 2020-08-07 杭州练链科技有限公司 Network security state prediction system
CN111652496A (en) * 2020-05-28 2020-09-11 中国能源建设集团广东省电力设计研究院有限公司 Operation risk assessment method and device based on network security situation awareness system
CN111652496B (en) * 2020-05-28 2023-09-05 中国能源建设集团广东省电力设计研究院有限公司 Running risk assessment method and device based on network security situation awareness system
CN111832017A (en) * 2020-07-17 2020-10-27 中国移动通信集团广西有限公司 Cloud-oriented database security situation sensing system
CN111832017B (en) * 2020-07-17 2023-08-11 中国移动通信集团广西有限公司 Cloud-oriented database security situation awareness system
CN111917785B (en) * 2020-08-06 2022-07-15 重庆邮电大学 Industrial internet security situation prediction method based on DE-GWO-SVR
CN111917785A (en) * 2020-08-06 2020-11-10 重庆邮电大学 Industrial internet security situation prediction method based on DE-GWO-SVR
CN112039903A (en) * 2020-09-03 2020-12-04 中国民航大学 Network security situation assessment method based on deep self-coding neural network model
CN112039903B (en) * 2020-09-03 2022-03-08 中国民航大学 Network security situation assessment method based on deep self-coding neural network model
CN112383505A (en) * 2020-10-14 2021-02-19 广州锦行网络科技有限公司 IT asset risk situation perception display method
CN112637215A (en) * 2020-12-22 2021-04-09 北京天融信网络安全技术有限公司 Network security detection method and device, electronic equipment and readable storage medium
CN113114489A (en) * 2021-03-29 2021-07-13 广州杰赛科技股份有限公司 Network security situation assessment method, device, equipment and storage medium
CN113114489B (en) * 2021-03-29 2022-06-17 广州杰赛科技股份有限公司 Network security situation assessment method, device, equipment and storage medium
CN114006744A (en) * 2021-10-28 2022-02-01 中能电力科技开发有限公司 LSTM-based power monitoring system network security situation prediction method and system
CN114006744B (en) * 2021-10-28 2024-05-28 中能电力科技开发有限公司 LSTM-based power monitoring system network security situation prediction method and system
CN114826691A (en) * 2022-04-02 2022-07-29 深圳市博博信息咨询有限公司 Network information safety intelligent analysis early warning management system based on multi-dimensional analysis
CN114826691B (en) * 2022-04-02 2023-08-18 上海硕曜科技有限公司 Network information security intelligent analysis early warning management system based on multidimensional analysis
CN115314305A (en) * 2022-08-10 2022-11-08 重庆电子工程职业学院 Network security situation sensing system and method based on artificial intelligence
CN115396324A (en) * 2022-08-15 2022-11-25 合肥天帷信息安全技术有限公司 Network security situation perception early warning processing system
CN116756225A (en) * 2023-08-14 2023-09-15 南京展研信息技术有限公司 Situation data information processing method based on computer network security
CN116756225B (en) * 2023-08-14 2023-11-07 南京展研信息技术有限公司 Situation data information processing method based on computer network security

Similar Documents

Publication Publication Date Title
CN110392048A (en) Network security situation awareness model and method based on CE-RBF
CN110380896B (en) Network security situation awareness system and method based on attack graph
CN110417721B (en) Security risk assessment method, device, equipment and computer readable storage medium
JP7183385B2 (en) Node classification method, model training method, and its device, equipment and computer program
CN110380897A (en) Network security situation awareness model and method based on improved BP
EP2814218B1 (en) Detecting anomalies in work practice data by combining multiple domains of information
CN106600052B (en) User attribute and social network detection system based on space-time trajectory
CN107786369A (en) Based on the perception of IRT step analyses and LSTM powerline network security postures and Forecasting Methodology
Tabash et al. Intrusion detection model using naive bayes and deep learning technique.
Adhao et al. Feature selection using principal component analysis and genetic algorithm
CN112422537A (en) Behavior prediction method of network attack knowledge graph generated based on honeypot actual combat
CN113111930B (en) End-to-end Ethernet fishing account detection method and system
CN103186575B (en) A kind of clustering method of sensing data and system
CN113783874A (en) Network security situation assessment method and system based on security knowledge graph
CN109040027A (en) The active predicting method of network vulnerability node based on gray model
CN116112283A (en) CNN-LSTM-based power system network security situation prediction method and system
CN112653680B (en) Model training method, network situation prediction method, device, equipment and medium
CN110084291A (en) A kind of students' behavior analysis method and device based on the study of the big data limit
CN118018260A (en) Network attack detection method, system, equipment and medium
Huo et al. Traffic anomaly detection method based on improved GRU and EFMS-Kmeans clustering
CN111402028A (en) Information processing method, device and equipment
CN115834251B (en) Hypergraph-transform-based threat hunting model building method
CN117081941A (en) Flow prediction method and device based on attention mechanism and electronic equipment
CN116545679A (en) Industrial situation security basic framework and network attack behavior feature analysis method
CN114006744B (en) LSTM-based power monitoring system network security situation prediction method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20191029