CN110460608B - Situation awareness method and system including correlation analysis - Google Patents

Situation awareness method and system including correlation analysis Download PDF

Info

Publication number
CN110460608B
CN110460608B CN201910757474.3A CN201910757474A CN110460608B CN 110460608 B CN110460608 B CN 110460608B CN 201910757474 A CN201910757474 A CN 201910757474A CN 110460608 B CN110460608 B CN 110460608B
Authority
CN
China
Prior art keywords
situation
rule
information
data
single key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910757474.3A
Other languages
Chinese (zh)
Other versions
CN110460608A (en
Inventor
段彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Sipuling Technology Co Ltd filed Critical Wuhan Sipuling Technology Co Ltd
Priority to CN201910757474.3A priority Critical patent/CN110460608B/en
Publication of CN110460608A publication Critical patent/CN110460608A/en
Application granted granted Critical
Publication of CN110460608B publication Critical patent/CN110460608B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2458Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2471Distributed queries
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/147Network analysis or design for predicting network behaviour
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods

Abstract

The invention provides a situation awareness method and a system containing correlation analysis, which collect data of different information sources, obtain data streams of a uniform format through preprocessing, extract high-frequency project group elements from the data streams, generate high-frequency correlation rules, send the high-frequency correlation rules into situation evaluation for evaluation and quantification, obtain situation values of single equipment and local networks through fusion with different evaluation systems and fuzzy processing of the data elements, obtain the situation values of the whole system by combining the architecture composition of the whole network, introduce the situation values of different layers into a neural network model for prediction, finally visually display prediction results, fully evaluate the whole system and each single equipment, establish correlation between each equipment and each layer, perform rule detection on different rules, calculate risk values, and further scientifically predict future systems, provides valuable reference suggestions for users.

Description

Situation awareness method and system including correlation analysis
Technical Field
The present application relates to the field of network security technologies, and in particular, to a situation awareness method and system including association analysis.
Background
The existing situation perception technology adopts simple situation understanding, so that a safety situation assessment result of the whole system can be obtained, a situation assessment report cannot be quantitatively given, the safety situation can not be predicted based on the situation assessment result, and the utilization value of the situation perception technology is very limited.
The situation assessment including the association analysis not only algorithmically and fully assesses the whole system and each single device, but also can establish association with each device and each layer based on given situation values, carry out rule detection on different rules and calculate risk values, so that the future system can be scientifically predicted, and valuable reference suggestions are provided for users. This is the technical problem to be solved by the present invention.
Disclosure of Invention
The invention aims to provide a situation awareness method and system including correlation analysis, which are used for acquiring data of different information sources, preprocessing the data to obtain a data stream with a uniform format, extracting high-frequency project group elements from the data stream to generate a high-frequency correlation rule, sending the high-frequency correlation rule into situation assessment to evaluate and quantify, fusing different assessment systems and fuzzily processing the data elements to obtain situation values of single equipment and a local network, combining the architecture composition of the whole network to obtain the situation values of the whole system, importing the situation values of different layers into a neural network model to predict, and finally visually displaying a prediction result.
In a first aspect, the present application provides a situational awareness method including correlation analysis, the method comprising:
collecting running state data of sensors, information platforms and detection equipment from different sources;
after receiving the collected data, clearing redundant information in the data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields, and combining the fields into a data stream;
extracting elements from the merged data stream, finding information of behavior action, access object, source address and instantaneous flow included in the elements, discovering high-frequency project group, generating high-frequency association rule according to the information corresponding to the high-frequency project group, increasing the corresponding weight of the high-frequency project group, and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
according to the frequent pattern tree structure, inquiring the asset situation information adjacent and close to the address, inquiring the asset situation information of the same layer to which the access object belongs, and inquiring the asset situation information with similar flow speed and flow total;
judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
a plurality of adjacent single key devices or a plurality of single key devices with service interaction form a local network, and the security situation value of the local network is calculated by introducing fuzzy processing according to the service priority by the security loophole, concurrent thread, bandwidth, network topology, access frequency, inflow increase rate, different protocol data packet distribution proportion and different size data packet distribution proportion corresponding to each key device in the local network;
according to the topological relations of the local networks, carrying out fuzzy processing to calculate the security situation value of the whole network;
respectively importing the security situation values of a single key device, a local network and the whole network into a neural network model, and obtaining the prediction about the source and the attack range of an attacker in a future period of time through deduction of the neural network model;
and visually displaying the security situation values of the single key equipment, the local network and the whole network, the source of the attacker and the prediction result of the attack range.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the extracting elements from the merged data stream includes: and extracting element information from corresponding fields of the data stream according to an evaluation model, an association rule and an index library of the past historical data.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the removing redundant information in the data, converting the data format into a uniform format according to the type of the source, and processing based on Map Reduce distributed parallel computing.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the fuzzy processing calculation is based on a method that combines a D-S theory and a fuzzy set, and calculates a probability that an attack is supported.
In a second aspect, the present application provides a situational awareness system including correlation analysis, the system comprising:
the acquisition unit is used for acquiring running state data of the sensors, the information platform and the detection equipment from different sources;
the preprocessing unit is used for clearing redundant information in the data after receiving the acquired data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields and combining the fields into a data stream;
the situation understanding unit is used for extracting elements from the merged data stream, finding information of behavior actions, access objects, source addresses and instantaneous flow included in the elements, discovering high-frequency project groups from the information, generating high-frequency association rules according to the information corresponding to the high-frequency project groups, increasing the corresponding weights of the high-frequency project groups and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
the situation evaluation unit is used for inquiring the asset situation information with adjacent and similar addresses, inquiring the asset situation information of the same layer to which the access object belongs and inquiring the asset situation information with similar flow speed and flow total amount according to the frequent mode tree structure; judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
a plurality of adjacent single key devices or a plurality of single key devices with service interaction form a local network, and the security situation value of the local network is calculated by introducing fuzzy processing according to the service priority by the security loophole, concurrent thread, bandwidth, network topology, access frequency, inflow increase rate, different protocol data packet distribution proportion and different size data packet distribution proportion corresponding to each key device in the local network;
according to the topological relations of the local networks, carrying out fuzzy processing to calculate the security situation value of the whole network;
the situation prediction unit is used for respectively importing the security situation values of the single key device, the local network and the whole network into the neural network model, and obtaining the prediction about the source and the attack range of the attacker in a future period of time through deduction of the neural network model;
and the situation display unit is used for visually displaying the security situation values of the single key device, the local network and the whole network, the source of the attacker and the prediction result of the attack range.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the extracting, by the situation understanding unit, elements from the merged data stream includes: and extracting element information from corresponding fields of the data stream according to an evaluation model, an association rule and an index library of the past historical data.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the preprocessing unit removes redundant information in the data, converts the data format into a uniform format according to the type of the source, and is based on Map Reduce distributed parallel computing processing.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the situation assessment unit calculates the probability of attack occurrence support based on a method that combines a D-S theory and a fuzzy set.
The invention provides a situation awareness method and a system containing correlation analysis, which collect data of different information sources, obtain data streams of a uniform format through preprocessing, extract high-frequency project group elements from the data streams, generate high-frequency correlation rules, send the high-frequency correlation rules into situation evaluation for evaluation and quantification, obtain situation values of single equipment and local networks through fusion with different evaluation systems and fuzzy processing of the data elements, obtain the situation values of the whole system by combining the architecture composition of the whole network, introduce the situation values of different layers into a neural network model for prediction, finally visually display prediction results, fully evaluate the whole system and each single equipment, establish correlation between each equipment and each layer, perform rule detection on different rules, calculate risk values, and further scientifically predict future systems, provides valuable reference suggestions for users.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a situational awareness method involving correlation analysis in accordance with the present invention;
FIG. 2 is an architecture diagram of a situational awareness system incorporating correlation analysis in accordance with the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings so that the advantages and features of the present invention can be more easily understood by those skilled in the art, and the scope of the present invention will be more clearly and clearly defined.
Fig. 1 is a flowchart of a situation awareness method including correlation analysis provided in the present application, where the method includes:
collecting running state data of sensors, information platforms and detection equipment from different sources;
after receiving the collected data, clearing redundant information in the data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields, and combining the fields into a data stream;
extracting elements from the merged data stream, finding information of behavior action, access object, source address and instantaneous flow included in the elements, discovering high-frequency project group, generating high-frequency association rule according to the information corresponding to the high-frequency project group, increasing the corresponding weight of the high-frequency project group, and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
according to the frequent pattern tree structure, inquiring the asset situation information adjacent and close to the address, inquiring the asset situation information of the same layer to which the access object belongs, and inquiring the asset situation information with similar flow speed and flow total;
judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
a plurality of adjacent single key devices or a plurality of single key devices with service interaction form a local network, and the security situation value of the local network is calculated by introducing fuzzy processing according to the service priority by the security loophole, concurrent thread, bandwidth, network topology, access frequency, inflow increase rate, different protocol data packet distribution proportion and different size data packet distribution proportion corresponding to each key device in the local network;
according to the topological relations of the local networks, carrying out fuzzy processing to calculate the security situation value of the whole network;
respectively importing the security situation values of a single key device, a local network and the whole network into a neural network model, and obtaining the prediction about the source and the attack range of an attacker in a future period of time through deduction of the neural network model;
and visually displaying the security situation values of the single key equipment, the local network and the whole network, the source of the attacker and the prediction result of the attack range.
In some preferred embodiments, said extracting elements from the merged data stream comprises: and extracting element information from corresponding fields of the data stream according to an evaluation model, an association rule and an index library of the past historical data.
In some preferred embodiments, the removing of redundant information in the data, converting the data format into a uniform format according to the type of the source, is based on Map Reduce distributed parallel computing processing.
In some preferred embodiments, the fuzzy processing calculation is based on a method of combining D-S theory and fuzzy sets, and the probability of attack occurrence support is calculated.
Fig. 2 is an architecture diagram of a situation awareness system including correlation analysis provided in the present application, the system including:
the acquisition unit is used for acquiring running state data of the sensors, the information platform and the detection equipment from different sources;
the preprocessing unit is used for clearing redundant information in the data after receiving the acquired data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields and combining the fields into a data stream;
the situation understanding unit is used for extracting elements from the merged data stream, finding information of behavior actions, access objects, source addresses and instantaneous flow included in the elements, discovering high-frequency project groups from the information, generating high-frequency association rules according to the information corresponding to the high-frequency project groups, increasing the corresponding weights of the high-frequency project groups and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
the situation evaluation unit is used for inquiring the asset situation information with adjacent and similar addresses, inquiring the asset situation information of the same layer to which the access object belongs and inquiring the asset situation information with similar flow speed and flow total amount according to the frequent mode tree structure; judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
a plurality of adjacent single key devices or a plurality of single key devices with service interaction form a local network, and the security situation value of the local network is calculated by introducing fuzzy processing according to the service priority by the security loophole, concurrent thread, bandwidth, network topology, access frequency, inflow increase rate, different protocol data packet distribution proportion and different size data packet distribution proportion corresponding to each key device in the local network;
according to the topological relations of the local networks, carrying out fuzzy processing to calculate the security situation value of the whole network;
the situation prediction unit is used for respectively importing the security situation values of the single key device, the local network and the whole network into the neural network model, and obtaining the prediction about the source and the attack range of the attacker in a future period of time through deduction of the neural network model;
and the situation display unit is used for visually displaying the security situation values of the single key device, the local network and the whole network, the source of the attacker and the prediction result of the attack range.
In some preferred embodiments, the situation understanding unit extracts elements from the merged data stream, including: and extracting element information from corresponding fields of the data stream according to an evaluation model, an association rule and an index library of the past historical data.
In some preferred embodiments, the preprocessing unit removes redundant information in the data, converts the data format into a uniform format according to the type of the source, and is based on Map Reduce distributed parallel computing processing.
In some preferred embodiments, the situation assessment unit calculates the probability of attack occurrence support based on a method of combining D-S theory and fuzzy sets.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (6)

1. A situational awareness method comprising correlation analysis, the method comprising:
collecting running state data of sensors, information platforms and detection equipment from different sources;
after receiving the collected data, clearing redundant information in the data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields, and combining the fields into a data stream;
extracting elements from the merged data stream, finding information of behavior action, access object, source address and instantaneous flow included in the elements, discovering high-frequency project group, generating high-frequency association rule according to the information corresponding to the high-frequency project group, increasing the corresponding weight of the high-frequency project group, and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
according to the frequent pattern tree structure, inquiring the asset situation information adjacent and close to the address, inquiring the asset situation information of the same layer to which the access object belongs, and inquiring the asset situation information with similar flow speed and flow total;
judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
a plurality of adjacent single key devices or a plurality of single key devices with service interaction form a local network, and the security situation value of the local network is calculated by introducing fuzzy processing according to the service priority by the security loophole, concurrent thread, bandwidth, network topology, access frequency, inflow increase rate, different protocol data packet distribution proportion and different size data packet distribution proportion corresponding to each key device in the local network;
according to the topological relations of the local networks, carrying out fuzzy processing to calculate the security situation value of the whole network;
respectively importing the security situation values of a single key device, a local network and the whole network into a neural network model, and obtaining the prediction about the source and the attack range of an attacker in a future period of time through deduction of the neural network model;
visually displaying the security situation values of a single key device, a local network and the whole network, the source of an attacker and the prediction result of the attack range;
the extracting elements from the merged data stream includes: and extracting element information from corresponding fields of the data stream according to an evaluation model, an association rule and an index library of the past historical data.
2. The method of claim 1, wherein the removing of redundant information from the data, the converting of the data format to a unified format based on the type of source, is based on a Map Reduce distributed parallel computing process.
3. The method of claim 2, wherein the fuzzy processing calculation is based on a method of combining D-S theory and fuzzy sets, and calculates the probability of attack support.
4. A situational awareness system including associative analysis, the system comprising:
the acquisition unit is used for acquiring running state data of the sensors, the information platform and the detection equipment from different sources;
the preprocessing unit is used for clearing redundant information in the data after receiving the acquired data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields and combining the fields into a data stream;
the situation understanding unit is used for extracting elements from the merged data stream, finding information of behavior actions, access objects, source addresses and instantaneous flow included in the elements, discovering high-frequency project groups from the information, generating high-frequency association rules according to the information corresponding to the high-frequency project groups, increasing the corresponding weights of the high-frequency project groups and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
the situation evaluation unit is used for inquiring the asset situation information with adjacent and similar addresses, inquiring the asset situation information of the same layer to which the access object belongs and inquiring the asset situation information with similar flow speed and flow total amount according to the frequent mode tree structure; judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
a plurality of adjacent single key devices or a plurality of single key devices with service interaction form a local network, and the security situation value of the local network is calculated by introducing fuzzy processing according to the service priority by the security loophole, concurrent thread, bandwidth, network topology, access frequency, inflow increase rate, different protocol data packet distribution proportion and different size data packet distribution proportion corresponding to each key device in the local network;
according to the topological relations of the local networks, carrying out fuzzy processing to calculate the security situation value of the whole network;
the situation prediction unit is used for respectively importing the security situation values of the single key device, the local network and the whole network into the neural network model, and obtaining the prediction about the source and the attack range of the attacker in a future period of time through deduction of the neural network model;
the situation display unit is used for visually displaying the security situation values of the single key device, the local network and the whole network, the source of the attacker and the prediction result of the attack range;
the situation understanding unit extracts elements from the merged data stream, including: and extracting element information from corresponding fields of the data stream according to an evaluation model, an association rule and an index library of the past historical data.
5. The system of claim 4, wherein the preprocessing unit removes redundant information from the data, converts the data format to a uniform format according to the type of source, and is based on a Map Reduce distributed parallel computing process.
6. The system according to claim 5, wherein the situation assessment unit fuzzy processing calculation is based on a method of combining D-S theory and fuzzy set, and calculates the probability of attack occurrence support.
CN201910757474.3A 2019-08-16 2019-08-16 Situation awareness method and system including correlation analysis Active CN110460608B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910757474.3A CN110460608B (en) 2019-08-16 2019-08-16 Situation awareness method and system including correlation analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910757474.3A CN110460608B (en) 2019-08-16 2019-08-16 Situation awareness method and system including correlation analysis

Publications (2)

Publication Number Publication Date
CN110460608A CN110460608A (en) 2019-11-15
CN110460608B true CN110460608B (en) 2022-04-12

Family

ID=68487159

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910757474.3A Active CN110460608B (en) 2019-08-16 2019-08-16 Situation awareness method and system including correlation analysis

Country Status (1)

Country Link
CN (1) CN110460608B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111277568A (en) * 2020-01-09 2020-06-12 武汉思普崚技术有限公司 Isolation attack method and system for distributed virtual network
CN111586046B (en) * 2020-05-08 2021-02-09 武汉思普崚技术有限公司 Network traffic analysis method and system combining threat intelligence and machine learning
CN112202593A (en) * 2020-09-03 2021-01-08 深圳前海微众银行股份有限公司 Data acquisition method, device, network management system and computer storage medium
CN116015903A (en) * 2022-12-29 2023-04-25 南京仁可科技有限公司 Network security situation awareness comprehensive analysis system and method thereof

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263410A (en) * 2010-05-31 2011-11-30 河南省电力公司 Security risk assessment model, assessment method and assessment parameter determining method
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
WO2016172514A1 (en) * 2015-04-24 2016-10-27 Siemens Aktiengesellschaft Improving control system resilience by highly coupling security functions with control
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system
CN110059939A (en) * 2018-12-13 2019-07-26 成都亚信网络安全产业技术研究院有限公司 A kind of risk checking method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107404400B (en) * 2017-07-20 2020-05-19 中国电子科技集团公司第二十九研究所 Network situation awareness implementation method and device
CN108494810B (en) * 2018-06-11 2021-01-26 中国人民解放军战略支援部队信息工程大学 Attack-oriented network security situation prediction method, device and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263410A (en) * 2010-05-31 2011-11-30 河南省电力公司 Security risk assessment model, assessment method and assessment parameter determining method
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
WO2016172514A1 (en) * 2015-04-24 2016-10-27 Siemens Aktiengesellschaft Improving control system resilience by highly coupling security functions with control
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system
CN110059939A (en) * 2018-12-13 2019-07-26 成都亚信网络安全产业技术研究院有限公司 A kind of risk checking method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于RAN-RBF神经网络的网络安全态势预测模型;甘文道等;《计算机科学》;20161115;全文 *

Also Published As

Publication number Publication date
CN110460608A (en) 2019-11-15

Similar Documents

Publication Publication Date Title
CN110460608B (en) Situation awareness method and system including correlation analysis
CN110445801B (en) Situation sensing method and system of Internet of things
CN110620759B (en) Multi-dimensional association-based network security event hazard index evaluation method and system
CN110474904B (en) Situation awareness method and system for improving prediction
Kolozali et al. A knowledge-based approach for real-time iot data stream annotation and processing
CN111786950B (en) Network security monitoring method, device, equipment and medium based on situation awareness
CN111586046B (en) Network traffic analysis method and system combining threat intelligence and machine learning
CN111614690A (en) Abnormal behavior detection method and device
CN105009132A (en) Event correlation based on confidence factor
CN110493043B (en) Distributed situation awareness calling method and device
CN112738040A (en) Network security threat detection method, system and device based on DNS log
CN109873790A (en) Network security detection method, device and computer readable storage medium
CN110493044B (en) Quantifiable situation perception method and system
CN110493217B (en) Distributed situation perception method and system
CN110493218B (en) Situation awareness virtualization method and device
CN110471975B (en) Internet of things situation awareness calling method and device
CN105827611A (en) Distributed rejection service network attack detection method and system based on fuzzy inference
Yao et al. Survey of network security situational awareness
CN114362994A (en) Multilayer different-granularity intelligent aggregation railway system operation behavior safety risk identification method
CN109871711B (en) Ocean big data sharing and distributing risk control model and method
CN110460472B (en) Weighted quantization situation perception method and system
CN110474805B (en) Method and device for situation awareness analysis capable of being called
Su et al. Detection ddos of attacks based on federated learning with digital twin network
CN113032774A (en) Training method, device and equipment of anomaly detection model and computer storage medium
Hu et al. Research on elephant flow detection method based on information entropy and improved random forest

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant