CN110474805B - Method and device for situation awareness analysis capable of being called - Google Patents
- Publication number: CN110474805B (application CN201910757693.1A)
- Authority: CN (China)
- Prior art keywords: situation, information, data, rule, single key
- Prior art date
- Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- G06N3/02: Neural networks (G06N3/00, computing arrangements based on biological models; G06N, computing arrangements based on specific computational models; G06, computing; G, physics)
- H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network (H04L41/14, network analysis or design; H04L41/00, arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
- H04L41/147: Network analysis or design for predicting network behaviour (H04L41/14; H04L41/00; H04L; H04; H)
- H04L41/22: Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI] (H04L41/00; H04L; H04; H)
- H04L63/20: Network architectures or network communication protocols for managing network security; network security policies in general (H04L63/00, network architectures or network communication protocols for network security; H04L; H04; H)
Abstract
The invention provides a callable method and device for situation awareness analysis. Interfaces for collecting different information sources are packaged so that customers can call them conveniently; preprocessing yields a data stream in a uniform format; high-frequency item groups (frequent itemsets) are extracted from that stream, high-frequency association rules are generated from them and passed to situation assessment for evaluation and quantification; situation values of single devices and of a local network are obtained by fusing the data elements with different evaluation systems and applying fuzzy processing; the situation value of the overall system is obtained by combining these with the architecture of the whole network; the situation values of the different layers are fed into a neural network model for prediction; and finally the prediction results are displayed visually. The whole network and each single device are thus fully evaluated, associations are established between each device and each layer, rule detection is carried out against the different rules and risk values are calculated, so that the future state of the devices can be predicted scientifically and valuable reference suggestions are provided to users.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for situation awareness analysis that can be invoked.
Background
Next-generation networks, including vehicle networks, the Internet of Things, cloud networks, the industrial Internet and video surveillance networks, all need to call a situation awareness function. Because a situation awareness platform is complex and expensive to build, a service provider that offers situation awareness as a service needs to virtualize it into a plug-in or component that customers can call conveniently.
At the same time, existing situation awareness technology relies on simple situation understanding: it can produce a security situation assessment result for the system as a whole, but it cannot give a quantitative assessment report and cannot predict the security situation from the assessment result, so its practical value is very limited.
The invention is intended not only to evaluate the whole network and each single device fully within an algorithm, but also to establish associations between each device and each layer on the basis of the situation values obtained, to carry out rule detection against different rules and to calculate risk values, so that the future state of the devices can be predicted scientifically and valuable reference suggestions can be provided to users.
Disclosure of Invention
The invention aims to provide a callable method and device for situation awareness analysis. They package the interfaces that collect different information sources so that clients can call them conveniently; obtain a data stream in a uniform format through preprocessing; extract high-frequency item groups (frequent itemsets) from the data stream and generate high-frequency association rules; send those rules into situation assessment for evaluation and quantification; obtain situation values of single devices and of a local network by fusing the data elements with different assessment systems and applying fuzzy processing; obtain the situation value of the whole system by combining these with the architecture of the whole network; feed the situation values of the different layers into a neural network model for prediction; and finally display the prediction result visually.
In a first aspect, the present application provides a callable method of situation awareness analysis, the method comprising:
virtualizing the interfaces that receive different information sources into one external data interface, so that other networks can call it conveniently; the different information sources are independent of one another, cannot discover each other's interfaces, and are each mapped adaptively to their corresponding interface; acquiring running-state data of sensors, information platforms and detection equipment from the different sources through the external data interface;
after receiving the collected data, removing redundant information from it, converting the data into a uniform format according to the source type, splitting the uniform format into the corresponding fields, and merging the fields into a data stream;
extracting elements from the merged data stream, locating the behaviour action, access object, source address and instantaneous traffic contained in those elements, discovering high-frequency item groups (frequent itemsets), generating high-frequency association rules from the information corresponding to each frequent itemset, increasing the weight of that itemset, and building a frequent-pattern (FP) tree;
checking whether the rule queue is empty; if it is, running a matching query against the sub-rule base, taking the sub-rule returned as the specified association rule and performing rule detection with that sub-rule; if it is not, performing rule detection directly; rule detection calculates a risk value and issues the corresponding alarm information;
according to the FP tree, calling a distributed database and querying the situation information of assets with adjacent addresses, of assets in the same layer as the access object, and of assets with a similar traffic rate and total traffic volume;
judging whether a single key device has the same security vulnerability as the address-adjacent assets, whether its concurrent threads, bandwidth, network topology and access frequency show the same alarms as the same-layer assets, and whether its inbound traffic growth rate, distribution of packets across protocols and distribution of packet sizes show the same changes as the assets with similar traffic rate and volume, and calculating the security situation value of the single key device;
forming a local network from several adjacent single key devices, or several single key devices that interact through services; calling the distributed database again and, using the security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inbound traffic growth rate, per-protocol packet distribution and packet-size distribution of each key device in the local network, applying fuzzy processing weighted by service priority to calculate the security situation value of the local network;
requesting the network topology from a distributed equalization server, and calculating the security situation value of the whole network by fuzzy processing over the topological relations of the several local networks;
importing the security situation values of the single key device, the local network and the whole network into a neural network model on the distributed equalization server, deriving from the model a prediction of the attacker's source and attack range over a future period, and having the distributed equalization server return the prediction result;
and sending the security situation values of the single key device, the local network and the whole network, together with the predicted attacker source and attack range, for visual display.
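As an added illustration (not code from the patent), the following Python builds the frequent-pattern tree, mines frequent itemsets and high-frequency association rules from a constructed set of preprocessed records, and then runs the rule detection step that computes a risk value and raises an alarm. The record fields, the support and confidence thresholds and the risk formula are assumptions; the patent does not specify them.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample of preprocessed records (not data from the patent): each
# record holds the element values the situation-understanding step pulls out of
# one uniform-format data-stream record: behaviour action, access object,
# source address and an instantaneous-traffic band.
EVENTS = [
    {"action=login_fail", "object=db01", "src=10.0.0.5", "flow=high"},
    {"action=login_fail", "object=db01", "src=10.0.0.5", "flow=low"},
    {"action=login_fail", "object=db01", "src=10.0.0.5", "flow=high"},
    {"action=scan", "object=web02", "src=10.0.0.9", "flow=high"},
    {"action=login_fail", "object=db01", "src=10.0.0.7", "flow=high"},
    {"action=scan", "object=web02", "src=10.0.0.9", "flow=low"},
    {"action=login_ok", "object=web02", "src=10.0.0.3", "flow=low"},
]


class Node:
    """One FP-tree node: an item, its count on this path, its parent and children."""
    __slots__ = ("item", "count", "parent", "children")

    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}


def build_tree(transactions, min_support):
    """Build an FP-tree over the frequent items; return root, header table, supports."""
    counts = Counter(item for t in transactions for item in t)
    freq = {i: c for i, c in counts.items() if c >= min_support}
    root, header = Node(None, None), defaultdict(list)
    for t in transactions:
        # keep only frequent items, ordered by descending support (ties by name)
        items = sorted((i for i in t if i in freq), key=lambda i: (-freq[i], i))
        node = root
        for item in items:
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = Node(item, node)
                header[item].append(child)
            child.count += 1
            node = child
    return root, header, freq


def conditional_base(header, item):
    """Prefix paths that end at `item`, each weighted by that node's count."""
    paths = []
    for node in header[item]:
        path, p = [], node.parent
        while p.item is not None:
            path.append(p.item)
            p = p.parent
        paths.append((path, node.count))
    return paths


def fp_growth(transactions, min_support, suffix=()):
    """Return {frozenset(itemset): support} for every frequent itemset."""
    _, header, freq = build_tree(transactions, min_support)
    found = {}
    for item in sorted(freq, key=lambda i: (freq[i], i)):   # least frequent first
        itemset = (item,) + suffix
        found[frozenset(itemset)] = freq[item]
        # expand the weighted prefix paths into a conditional transaction list
        cond = [set(path) for path, cnt in conditional_base(header, item) for _ in range(cnt)]
        found.update(fp_growth(cond, min_support, itemset))
    return found


def association_rules(freq_sets, min_conf):
    """Rules (antecedent, consequent, support, confidence) from the frequent itemsets."""
    rules = []
    for items, supp in freq_sets.items():
        for k in range(1, len(items)):
            for ante in combinations(sorted(items), k):
                ante = frozenset(ante)
                conf = supp / freq_sets[ante]        # every subset is frequent too
                if conf >= min_conf:
                    rules.append((ante, items - ante, supp, conf))
    return rules


def mine(events, min_support, min_conf):
    freq_sets = fp_growth(events, min_support)
    return freq_sets, association_rules(freq_sets, min_conf)


def detect(record, rules, n_events, threshold=0.5):
    """Rule detection: fire every rule whose antecedent is contained in the record.
    The risk value (a constructed choice) is the largest support fraction times
    confidence among the fired rules; an alarm is raised at or above the threshold."""
    fired = [r for r in rules if r[0] <= record]
    risk = max((conf * supp / n_events for _, _, supp, conf in fired), default=0.0)
    return fired, risk, risk >= threshold


if __name__ == "__main__":
    freq_sets, rules = mine(EVENTS, min_support=3, min_conf=0.8)
    for ante, cons, supp, conf in rules:
        print(f"{sorted(ante)} -> {sorted(cons)}  support={supp} confidence={conf:.2f}")
    new_record = {"action=login_fail", "object=web02", "src=10.0.0.5", "flow=low"}
    fired, risk, alarm = detect(new_record, rules, len(EVENTS))
    print(f"{len(fired)} rules fired, risk={risk:.3f}, alarm={alarm}")
```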
With reference to the first aspect, in a first possible implementation of the first aspect, extracting elements from the merged data stream includes calling an evaluation model, association rules and an index library built from past historical data, and extracting element information from the corresponding fields of the data stream.
With reference to the first aspect, in a second possible implementation of the first aspect, removing the redundant information from the data and converting the data into a uniform format according to the source type are performed with MapReduce distributed parallel computing.
With reference to the first aspect, in a third possible implementation of the first aspect, the fuzzy processing is based on a method that combines Dempster-Shafer (D-S) evidence theory with fuzzy sets, and calculates the probability with which an attack is supported.
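As an added example (not the patent's own code), the following Python shows one way to carry out the D-S-plus-fuzzy-set fusion for the three single-key-device comparisons of the first aspect and the service-priority-weighted local-network value; it also covers the third implementation of the second aspect and the preferred embodiments below, which state the same method. The membership functions, evidence reliabilities, device fields and priority weighting are assumptions, since the patent does not specify them.

```python
from collections import defaultdict
from dataclasses import dataclass

# Frame of discernment for one key device: it is either under attack or normal.
ATTACK, NORMAL = "attack", "normal"
A, N = frozenset({ATTACK}), frozenset({NORMAL})
FRAME = A | N


def ramp(x, lo, hi):
    """Fuzzy membership of 'abnormal': 0 at or below lo, 1 at or above hi, linear between."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def mass_from_membership(mu, reliability):
    """Turn a fuzzy degree of 'attacked' into a D-S mass function on FRAME.
    The share of the evidence we do not trust goes to the whole frame (ignorance)."""
    return {A: reliability * mu, N: reliability * (1.0 - mu), FRAME: 1.0 - reliability}


def dempster_combine(m1, m2):
    """Dempster's rule: multiply masses, drop conflicting pairs, renormalise."""
    combined, conflict = defaultdict(float), 0.0
    for s1, v1 in m1.items():
        for s2, v2 in m2.items():
            common = s1 & s2
            if common:
                combined[common] += v1 * v2
            else:
                conflict += v1 * v2
    if conflict >= 1.0:
        raise ValueError("total conflict: the evidence cannot be combined")
    return {s: v / (1.0 - conflict) for s, v in combined.items()}


def belief(m, hyp):
    return sum(v for s, v in m.items() if s <= hyp)


def plausibility(m, hyp):
    return sum(v for s, v in m.items() if s & hyp)


@dataclass
class KeyDevice:
    name: str
    service_priority: float            # 0..1, weight of this device in its local network
    shares_vuln_with_neighbours: bool  # same vulnerability as the address-adjacent assets
    same_layer_alarm_matches: int      # of 4 indicators: threads, bandwidth, topology, access freq.
    inflow_growth_rate: float          # 1.5 means inbound traffic is +150% against baseline


# Reliability of each evidence source (constructed values, not from the patent).
RELIABILITY = {"vuln": 0.9, "alarms": 0.8, "traffic": 0.7}


def device_situation(d):
    """Fuse the three comparisons from the patent into Bel(attack) and Pl(attack)."""
    evidence = [
        mass_from_membership(1.0 if d.shares_vuln_with_neighbours else 0.0, RELIABILITY["vuln"]),
        mass_from_membership(d.same_layer_alarm_matches / 4.0, RELIABILITY["alarms"]),
        mass_from_membership(ramp(d.inflow_growth_rate, 0.2, 2.0), RELIABILITY["traffic"]),
    ]
    m = evidence[0]
    for e in evidence[1:]:
        m = dempster_combine(m, e)
    return belief(m, A), plausibility(m, A)


def local_network_situation(devices):
    """Local-network value: device beliefs weighted by service priority (constructed aggregation)."""
    total = sum(d.service_priority for d in devices)
    return sum(d.service_priority * device_situation(d)[0] for d in devices) / total


if __name__ == "__main__":
    lan = [KeyDevice("db01", 1.0, True, 2, 1.5), KeyDevice("web02", 0.5, False, 0, 0.0)]
    for d in lan:
        bel, pl = device_situation(d)
        print(f"{d.name}: Bel(attack)={bel:.3f} Pl(attack)={pl:.3f}")
    print(f"local network: {local_network_situation(lan):.3f}")
```

The gap between Bel and Pl is the ignorance left after fusion; a device whose evidence is all low-reliability keeps a wide gap, which is the signal to collect more before acting on the value.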
In a second aspect, the present application provides a callable apparatus for situation awareness analysis, the apparatus comprising:
an external interface unit, which virtualizes the interfaces that receive different information sources into one external data interface so that other networks can call it conveniently, keeps the different information sources independent of one another so that none can discover another's interface, maps each source adaptively to its corresponding interface, and acquires running-state data of sensors, information platforms and detection equipment from the different sources through the external data interface;
a preprocessing unit, which, after receiving the collected data, removes redundant information from it, converts the data into a uniform format according to the source type, splits the uniform format into the corresponding fields and merges the fields into a data stream;
a situation understanding unit, which extracts elements from the merged data stream, locates the behaviour action, access object, source address and instantaneous traffic contained in those elements, discovers high-frequency item groups (frequent itemsets) in that information, generates high-frequency association rules from the information corresponding to each frequent itemset, increases the weight of that itemset and builds a frequent-pattern (FP) tree;
it then checks whether the rule queue is empty; if it is, it runs a matching query against the sub-rule base, takes the sub-rule returned as the specified association rule and performs rule detection with that sub-rule; if it is not, it performs rule detection directly; rule detection calculates a risk value and issues the corresponding alarm information;
a situation evaluation unit, which calls the distributed database according to the FP tree and queries the situation information of assets with adjacent addresses, of assets in the same layer as the access object, and of assets with a similar traffic rate and total traffic volume; judges whether a single key device has the same security vulnerability as the address-adjacent assets, whether its concurrent threads, bandwidth, network topology and access frequency show the same alarms as the same-layer assets, and whether its inbound traffic growth rate, distribution of packets across protocols and distribution of packet sizes show the same changes as the assets with similar traffic rate and volume; and calculates the security situation value of the single key device;
it forms a local network from several adjacent single key devices, or several single key devices that interact through services, calls the distributed database again and, using the security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inbound traffic growth rate, per-protocol packet distribution and packet-size distribution of each key device in the local network, applies fuzzy processing weighted by service priority to calculate the security situation value of the local network;
it requests the network topology from a distributed equalization server and calculates the security situation value of the whole network by fuzzy processing over the topological relations of the several local networks;
a situation prediction unit, which imports the security situation values of the single key device, the local network and the whole network into a neural network model on the distributed equalization server, derives from the model a prediction of the attacker's source and attack range over a future period, and has the distributed equalization server return the prediction result;
and a situation output unit, which sends the security situation values of the single key device, the local network and the whole network, together with the predicted attacker source and attack range, for visual display.
With reference to the second aspect, in a first possible implementation of the second aspect, the situation understanding unit extracts elements from the merged data stream by calling an evaluation model, association rules and an index library built from past historical data, and extracting element information from the corresponding fields of the data stream.
With reference to the second aspect, in a second possible implementation of the second aspect, the preprocessing unit removes the redundant information from the data and converts the data into a uniform format according to the source type using MapReduce distributed parallel computing.
With reference to the second aspect, in a third possible implementation of the second aspect, the situation evaluation unit calculates the probability with which an attack is supported using a method that combines Dempster-Shafer (D-S) evidence theory with fuzzy sets.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below; those skilled in the art can obviously derive other drawings from them without creative effort.
FIG. 1 is a flow diagram of a callable method of situation awareness analysis in accordance with the present invention;
FIG. 2 is an architecture diagram of a callable apparatus for situation awareness analysis in accordance with the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that those skilled in the art can understand the advantages and features of the invention more easily and the scope of the invention is defined more clearly.
Fig. 1 is a flowchart of the callable method of situation awareness analysis provided herein, the method comprising:
virtualizing the interfaces that receive different information sources into one external data interface, so that other networks can call it conveniently; the different information sources are independent of one another, cannot discover each other's interfaces, and are each mapped adaptively to their corresponding interface; acquiring running-state data of sensors, information platforms and detection equipment from the different sources through the external data interface;
after receiving the collected data, removing redundant information from it, converting the data into a uniform format according to the source type, splitting the uniform format into the corresponding fields, and merging the fields into a data stream;
extracting elements from the merged data stream, locating the behaviour action, access object, source address and instantaneous traffic contained in those elements, discovering high-frequency item groups (frequent itemsets), generating high-frequency association rules from the information corresponding to each frequent itemset, increasing the weight of that itemset, and building a frequent-pattern (FP) tree;
checking whether the rule queue is empty; if it is, running a matching query against the sub-rule base, taking the sub-rule returned as the specified association rule and performing rule detection with that sub-rule; if it is not, performing rule detection directly; rule detection calculates a risk value and issues the corresponding alarm information;
according to the FP tree, calling a distributed database and querying the situation information of assets with adjacent addresses, of assets in the same layer as the access object, and of assets with a similar traffic rate and total traffic volume;
judging whether a single key device has the same security vulnerability as the address-adjacent assets, whether its concurrent threads, bandwidth, network topology and access frequency show the same alarms as the same-layer assets, and whether its inbound traffic growth rate, distribution of packets across protocols and distribution of packet sizes show the same changes as the assets with similar traffic rate and volume, and calculating the security situation value of the single key device;
forming a local network from several adjacent single key devices, or several single key devices that interact through services; calling the distributed database again and, using the security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inbound traffic growth rate, per-protocol packet distribution and packet-size distribution of each key device in the local network, applying fuzzy processing weighted by service priority to calculate the security situation value of the local network;
requesting the network topology from a distributed equalization server, and calculating the security situation value of the whole network by fuzzy processing over the topological relations of the several local networks;
importing the security situation values of the single key device, the local network and the whole network into a neural network model on the distributed equalization server, deriving from the model a prediction of the attacker's source and attack range over a future period, and having the distributed equalization server return the prediction result;
and sending the security situation values of the single key device, the local network and the whole network, together with the predicted attacker source and attack range, for visual display.
In some preferred embodiments, extracting elements from the merged data stream comprises calling an evaluation model, association rules and an index library built from past historical data, and extracting element information from the corresponding fields of the data stream.
In some preferred embodiments, removing the redundant information from the data and converting the data into a uniform format according to the source type are performed with MapReduce distributed parallel computing.
In some preferred embodiments, the fuzzy processing is based on a method that combines D-S evidence theory with fuzzy sets, and calculates the probability with which an attack is supported.
FIG. 2 is an architecture diagram of the callable apparatus for situation awareness analysis provided herein, the apparatus comprising:
an external interface unit, which virtualizes the interfaces that receive different information sources into one external data interface so that other networks can call it conveniently, keeps the different information sources independent of one another so that none can discover another's interface, maps each source adaptively to its corresponding interface, and acquires running-state data of sensors, information platforms and detection equipment from the different sources through the external data interface;
a preprocessing unit, which, after receiving the collected data, removes redundant information from it, converts the data into a uniform format according to the source type, splits the uniform format into the corresponding fields and merges the fields into a data stream;
a situation understanding unit, which extracts elements from the merged data stream, locates the behaviour action, access object, source address and instantaneous traffic contained in those elements, discovers high-frequency item groups (frequent itemsets) in that information, generates high-frequency association rules from the information corresponding to each frequent itemset, increases the weight of that itemset and builds a frequent-pattern (FP) tree;
it then checks whether the rule queue is empty; if it is, it runs a matching query against the sub-rule base, takes the sub-rule returned as the specified association rule and performs rule detection with that sub-rule; if it is not, it performs rule detection directly; rule detection calculates a risk value and issues the corresponding alarm information;
a situation evaluation unit, which calls the distributed database according to the FP tree and queries the situation information of assets with adjacent addresses, of assets in the same layer as the access object, and of assets with a similar traffic rate and total traffic volume; judges whether a single key device has the same security vulnerability as the address-adjacent assets, whether its concurrent threads, bandwidth, network topology and access frequency show the same alarms as the same-layer assets, and whether its inbound traffic growth rate, distribution of packets across protocols and distribution of packet sizes show the same changes as the assets with similar traffic rate and volume; and calculates the security situation value of the single key device;
it forms a local network from several adjacent single key devices, or several single key devices that interact through services, calls the distributed database again and, using the security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inbound traffic growth rate, per-protocol packet distribution and packet-size distribution of each key device in the local network, applies fuzzy processing weighted by service priority to calculate the security situation value of the local network;
it requests the network topology from a distributed equalization server and calculates the security situation value of the whole network by fuzzy processing over the topological relations of the several local networks;
a situation prediction unit, which imports the security situation values of the single key device, the local network and the whole network into a neural network model on the distributed equalization server, derives from the model a prediction of the attacker's source and attack range over a future period, and has the distributed equalization server return the prediction result;
and a situation output unit, which sends the security situation values of the single key device, the local network and the whole network, together with the predicted attacker source and attack range, for visual display.
In some preferred embodiments, the situation understanding unit extracts elements from the merged data stream by calling an evaluation model, association rules and an index library built from past historical data, and extracting element information from the corresponding fields of the data stream.
In some preferred embodiments, the preprocessing unit removes the redundant information from the data and converts the data into a uniform format according to the source type using MapReduce distributed parallel computing.
In some preferred embodiments, the situation evaluation unit calculates the probability with which an attack is supported using a method that combines D-S evidence theory with fuzzy sets.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts of the various embodiments in this specification may be referred to one another. In particular, since the apparatus embodiments are substantially similar to the method embodiments, they are described briefly, and the relevant points can be found in the description of the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.
Claims (6)
1. A method of situation awareness analysis that may be invoked, the method comprising:
virtualizing the interfaces that receive different information sources into a single external data interface so that it can be conveniently called by other networks, wherein the different information sources are mutually independent, the interfaces of other information sources cannot be discovered, and each source is adaptively matched to its corresponding interface; acquiring running state data of sensors, information platforms and detection equipment from different sources through the external data interface;
after receiving the collected data, removing redundant information from the data, converting the data format into a unified format according to the type of the source, dividing the unified format into corresponding fields, and merging the fields into a data stream;
extracting elements from the merged data stream, finding the behavior action, access object, source address and instantaneous flow information contained in the elements, discovering high-frequency item groups, generating high-frequency association rules according to the information corresponding to the high-frequency item groups, increasing the weight of each high-frequency item group, and forming a frequent pattern tree structure;
determining whether the rule queue is empty; if it is empty, querying the sub-rule base for a match, taking the queried sub-rule as the designated association rule and performing rule detection according to the sub-rule; if it is not empty, performing rule detection directly; wherein the rule detection calculates a risk value and issues corresponding alarm information;
according to the frequent pattern tree structure, calling a distributed database to query the situation information of assets adjacent to the address, the situation information of assets on the same layer as the access object, and the situation information of assets with a similar flow rate and total flow;
determining whether a single key device has the same security vulnerability as the adjacent similar assets, whether the concurrent threads, bandwidth, network topology and access frequency of the single key device raise the same alarm as the assets on the same layer, and whether the inflow growth rate, the distribution proportion of packets of different protocols and the distribution proportion of packets of different sizes of the single key device show the same change as the assets with a similar flow rate and total flow, and calculating the security situation value of the single key device;
forming a local network from a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling the distributed database again, and introducing fuzzy processing according to service priority to calculate the security situation value of the local network from the security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inflow growth rate, distribution proportion of packets of different protocols and distribution proportion of packets of different sizes corresponding to each key device in the local network;
requesting the network topological relation from a distributed equalization server, and calculating the security situation value of the whole network through fuzzy processing according to the topological relations of the plurality of local networks;
importing the security situation values of the single key device, the local network and the whole network respectively into a neural network model in the distributed equalization server, obtaining a prediction of the attacker's source and attack range for a future period through inference by the neural network model, and returning the prediction result from the distributed equalization server;
sending the security situation values of the single key device, the local network and the whole network, together with the predicted attacker source and attack range, out for visual display;
wherein the extracting of elements from the merged data stream comprises: calling an evaluation model, association rules and an index library of past historical data, and extracting element information from the corresponding fields of the data stream.
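As an added illustration of the understanding step of claim 1 (not code from the patent), the following Python sketch normalizes constructed records, discovers high-frequency item groups and their weights by direct enumeration in place of a frequent pattern tree, derives association rules, and runs rule detection with the empty-queue fallback to a sub-rule base. The sample events, the thresholds, the weighting and the risk formula are all assumptions.

```python
"""Illustrative claim-1 understanding step (not the patent's code): constructed
normalized records -> weighted high-frequency item groups -> association rules
-> rule detection, falling back to a sub-rule base when the queue is empty."""
from collections import Counter
from itertools import combinations

EVENTS = [  # constructed records carrying the claim's four element fields
    {"action": "login_fail", "object": "db01", "src": "10.0.0.5", "flow": 120},
    {"action": "login_fail", "object": "db01", "src": "10.0.0.5", "flow": 130},
    {"action": "login_fail", "object": "db01", "src": "10.0.0.5", "flow": 900},
    {"action": "read", "object": "web01", "src": "10.0.0.7", "flow": 40},
    {"action": "login_fail", "object": "db01", "src": "10.0.0.9", "flow": 110},
    {"action": "read", "object": "db01", "src": "10.0.0.5", "flow": 60},
]

def to_items(ev):
    # One record becomes a basket of items; instantaneous flow is bucketed.
    flow = "flow=high" if ev["flow"] >= 500 else "flow=normal"
    return frozenset({f"action={ev['action']}", f"object={ev['object']}",
                      f"src={ev['src']}", flow})

def frequent_item_groups(events, min_support=3, max_len=3):
    """{item group: weight}; the weight is the support count (assumed weighting)."""
    baskets = [to_items(e) for e in events]
    weights = {}
    for k in range(1, max_len + 1):
        counts = Counter(frozenset(c) for b in baskets
                         for c in combinations(sorted(b), k))
        weights.update({g: n for g, n in counts.items() if n >= min_support})
    return weights

def association_rules(weights, min_conf=0.8):
    # Rules (antecedent, consequent, confidence, weight); every subset of a
    # frequent group is itself frequent, so weights[ante] always exists.
    rules = []
    for group, w in ((g, w) for g, w in weights.items() if len(g) > 1):
        for item in group:
            ante = group - {item}
            conf = w / weights[ante]
            if conf >= min_conf:
                rules.append((ante, item, conf, w))
    return rules

# Sub-rule base consulted only when the rule queue is empty (constructed).
SUB_RULE_BASE = [(frozenset({"action=login_fail"}), "object=db01", 0.5, 1)]

def rule_detect(rule_queue, events, alarm_threshold=3.0):
    """Risk value (assumed formula) = sum of weight * confidence over matching
    rules; alarms are issued only when the risk reaches the threshold."""
    rules = rule_queue or SUB_RULE_BASE
    baskets = [to_items(e) for e in events]
    risk, alarms = 0.0, []
    for ante, cons, conf, w in rules:
        hits = sum(1 for b in baskets if ante <= b and cons in b)
        if hits:
            risk += w * conf
            alarms.append(f"{sorted(ante)} -> {cons}: {hits} hits")
    return risk, alarms if risk >= alarm_threshold else []
```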
2. The method of claim 1, wherein the removal of redundant information from the data and the conversion of the data format into a unified format according to the type of the source are based on a MapReduce distributed parallel computing process.
3. The method of claim 1, wherein the fuzzy processing calculation is based on a method combining D-S theory and fuzzy sets, and calculates the probability of attack support.
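The page gives no formula for the D-S and fuzzy-set combination of claims 1 and 3, so the following added example (not the patent's code) shows one standard way to realize it: fuzzy membership functions turn the per-device indicators named in claim 1 into Dempster-Shafer mass functions, service priority is applied as Shafer discounting, and Dempster's rule fuses the key devices of a local network into one situation value. The indicator names, thresholds, ignorance mass and sample network are constructed assumptions.

```python
"""Illustrative D-S plus fuzzy-set evidence combination for claim 3 (not the
patent's code): fuzzy membership -> mass functions -> priority discounting ->
Dempster's rule over the key devices of one local network."""
ATTACK, NORMAL, THETA = "attack", "normal", "theta"  # frame of discernment

def ramp(x, low, high):
    """Fuzzy membership in 'abnormal': 0 up to low, 1 from high, linear between."""
    return min(1.0, max(0.0, (x - low) / (high - low)))

def device_evidence(dev, ignorance=0.2):
    """Mass function for one key device; thresholds and the ignorance mass are assumed."""
    abnormal = [
        ramp(dev["inflow_growth_rate"], 0.2, 2.0),      # x growth per interval
        ramp(dev["access_freq"], 50, 500),               # requests per second
        ramp(dev["shared_vuln_with_neighbors"], 0, 1),   # 0/1 flag
        ramp(dev["udp_packet_ratio"], 0.5, 0.9),         # protocol distribution
    ]
    attack = sum(abnormal) / len(abnormal) * (1 - ignorance)
    return {ATTACK: attack, NORMAL: 1 - ignorance - attack, THETA: ignorance}

def discount(m, priority):
    """Shafer discounting: service priority in (0, 1] keeps that share of the
    evidence and moves the remainder to ignorance (theta)."""
    return {ATTACK: priority * m[ATTACK], NORMAL: priority * m[NORMAL],
            THETA: 1 - priority + priority * m[THETA]}

def combine(m1, m2):
    """Dempster's rule on the two-hypothesis frame; conflict mass is renormalized
    away. Every device keeps theta > 0, so the divisor k is never zero."""
    conflict = m1[ATTACK] * m2[NORMAL] + m1[NORMAL] * m2[ATTACK]
    k = 1.0 - conflict
    attack = (m1[ATTACK] * m2[ATTACK] + m1[ATTACK] * m2[THETA]
              + m1[THETA] * m2[ATTACK]) / k
    normal = (m1[NORMAL] * m2[NORMAL] + m1[NORMAL] * m2[THETA]
              + m1[THETA] * m2[NORMAL]) / k
    return {ATTACK: attack, NORMAL: normal, THETA: m1[THETA] * m2[THETA] / k}

def local_network_situation(devices):
    """Fuse all key devices; return (belief, plausibility) of attack. Belief is
    the 'probability of attack support' of claim 3; plausibility bounds it."""
    fused = {ATTACK: 0.0, NORMAL: 0.0, THETA: 1.0}  # vacuous: no evidence yet
    for dev in devices:
        fused = combine(fused, discount(device_evidence(dev), dev["priority"]))
    return fused[ATTACK], fused[ATTACK] + fused[THETA]

# Constructed local network: a key database host under stress and two quiet peers.
LOCAL_NETWORK = [
    {"name": "db01", "priority": 1.0, "inflow_growth_rate": 3.0,
     "access_freq": 800, "shared_vuln_with_neighbors": 1, "udp_packet_ratio": 0.95},
    {"name": "web01", "priority": 0.8, "inflow_growth_rate": 0.1,
     "access_freq": 20, "shared_vuln_with_neighbors": 0, "udp_packet_ratio": 0.1},
    {"name": "print01", "priority": 0.3, "inflow_growth_rate": 0.0,
     "access_freq": 5, "shared_vuln_with_neighbors": 0, "udp_packet_ratio": 0.2},
]
```

The quiet low-priority peers pull the fused belief below the stressed device's own 0.8, which is the effect of the service-priority weighting the claim describes.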
4. An apparatus for situation awareness analysis that may be invoked, the apparatus comprising:
an external interface unit, configured to virtualize the interfaces that receive different information sources into a single external data interface so that it can be conveniently called by other networks, wherein the different information sources are mutually independent, the interfaces of other information sources cannot be discovered, and each source is adaptively matched to its corresponding interface; and to acquire running state data of sensors, information platforms and detection equipment from different sources through the external data interface;
a preprocessing unit, configured to remove redundant information from the data after the collected data is received, convert the data format into a unified format according to the type of the source, divide the unified format into corresponding fields and merge the fields into a data stream;
a situation understanding unit, configured to extract elements from the merged data stream, find the behavior action, access object, source address and instantaneous flow information contained in the elements, discover high-frequency item groups from that information, generate high-frequency association rules according to the information corresponding to the high-frequency item groups, increase the weight of each high-frequency item group and form a frequent pattern tree structure;
and to determine whether the rule queue is empty; if it is empty, to query the sub-rule base for a match, take the queried sub-rule as the designated association rule and perform rule detection according to the sub-rule; if it is not empty, to perform rule detection directly; wherein the rule detection calculates a risk value and issues corresponding alarm information;
a situation evaluation unit, configured to call the distributed database according to the frequent pattern tree structure to query the situation information of assets with adjacent addresses, the situation information of assets on the same layer as the access object, and the situation information of assets with a similar flow rate and total flow; to determine whether a single key device has the same security vulnerability as the adjacent similar assets, whether the concurrent threads, bandwidth, network topology and access frequency of the single key device raise the same alarm as the assets on the same layer, and whether the inflow growth rate, the distribution proportion of packets of different protocols and the distribution proportion of packets of different sizes of the single key device show the same change as the assets with a similar flow rate and total flow; and to calculate the security situation value of the single key device;
to form a local network from a plurality of adjacent single key devices or a plurality of single key devices with service interaction, call the distributed database again, and introduce fuzzy processing according to service priority to calculate the security situation value of the local network from the security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inflow growth rate, distribution proportion of packets of different protocols and distribution proportion of packets of different sizes corresponding to each key device in the local network;
and to request the network topological relation from a distributed equalization server, and calculate the security situation value of the whole network through fuzzy processing according to the topological relations of the plurality of local networks;
a situation prediction unit, configured to import the security situation values of the single key device, the local network and the whole network respectively into a neural network model in the distributed equalization server, obtain a prediction of the attacker's source and attack range for a future period through inference by the neural network model, and return the prediction result from the distributed equalization server;
a situation output unit, configured to send the security situation values of the single key device, the local network and the whole network, together with the predicted attacker source and attack range, out for visual display;
wherein the extraction of elements from the merged data stream by the situation understanding unit comprises: calling an evaluation model, association rules and an index library of past historical data, and extracting element information from the corresponding fields of the data stream.
5. The apparatus of claim 4, wherein the removal of redundant information from the data and the conversion of the data format into a unified format according to the type of the source by the preprocessing unit are based on a MapReduce distributed parallel computing process.
6. The apparatus of claim 4, wherein the situation evaluation unit is configured to compute the probability of attack support based on a method combining D-S theory and fuzzy sets.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910757693.1A CN110474805B (en) | 2019-08-16 | 2019-08-16 | Method and device for situation awareness analysis capable of being called |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910757693.1A CN110474805B (en) | 2019-08-16 | 2019-08-16 | Method and device for situation awareness analysis capable of being called |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110474805A CN110474805A (en) | 2019-11-19 |
CN110474805B true CN110474805B (en) | 2022-05-03 |
Family
ID=68510931
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910757693.1A Active CN110474805B (en) | 2019-08-16 | 2019-08-16 | Method and device for situation awareness analysis capable of being called |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110474805B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102263410A (en) * | 2010-05-31 | 2011-11-30 | 河南省电力公司 | Security risk assessment model, assessment method and assessment parameter determining method |
CN102624696A (en) * | 2011-12-27 | 2012-08-01 | 中国航天科工集团第二研究院七〇六所 | Network security situation evaluation method |
WO2016172514A1 (en) * | 2015-04-24 | 2016-10-27 | Siemens Aktiengesellschaft | Improving control system resilience by highly coupling security functions with control |
CN108769048A (en) * | 2018-06-08 | 2018-11-06 | 武汉思普崚技术有限公司 | Security visualization and situation awareness platform system |
CN110059939A (en) * | 2018-12-13 | 2019-07-26 | 成都亚信网络安全产业技术研究院有限公司 | Risk detection method and device |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107404400B (en) * | 2017-07-20 | 2020-05-19 | 中国电子科技集团公司第二十九研究所 | Network situation awareness implementation method and device |
CN108494810B (en) * | 2018-06-11 | 2021-01-26 | 中国人民解放军战略支援部队信息工程大学 | Attack-oriented network security situation prediction method, device and system |
- 2019-08-16: CN201910757693.1A (CN110474805B), status Active
Non-Patent Citations (2)
Title |
---|
Research on weighted frequent pattern mining algorithms; Geng Runian; China Doctoral Dissertations Full-text Database; 2010-05-15; chapters 1-7 of the dissertation * |
Network security situation prediction model based on RAN-RBF neural network; Gan Wendao et al.; Computer Science; 2016-11-15; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN110474805A (en) | 2019-11-19 |
Similar Documents
Publication | Title |
---|---|
CN110493043B (en) | Distributed situation awareness calling method and device |
CN110445801B (en) | Situation sensing method and system of Internet of things |
US10855545B2 (en) | Centralized resource usage visualization service for large-scale network topologies |
Kumar et al. | A Distributed framework for detecting DDoS attacks in smart contract-based Blockchain-IoT Systems by leveraging Fog computing |
US20220124108A1 (en) | System and method for monitoring security attack chains |
US9647904B2 (en) | Customer-directed networking limits in distributed systems |
CN110474904B (en) | Situation awareness method and system for improving prediction |
CN111786950B (en) | Network security monitoring method, device, equipment and medium based on situation awareness |
CN111586046B (en) | Network traffic analysis method and system combining threat intelligence and machine learning |
CN110460608B (en) | Situation awareness method and system including correlation analysis |
CN112738040A (en) | Network security threat detection method, system and device based on DNS log |
CN109873790A (en) | Network security detection method, device and computer readable storage medium |
CN110493218B (en) | Situation awareness virtualization method and device |
CN110493217B (en) | Distributed situation perception method and system |
CN110493044B (en) | Quantifiable situation perception method and system |
CN110471975B (en) | Internet of things situation awareness calling method and device |
JP2022000775A (en) | Test method, device and apparatus for traffic flow monitoring measurement system |
CN110322153A (en) | Monitor event processing method and system |
CN110474805B (en) | Method and device for situation awareness analysis capable of being called |
CN110460472B (en) | Weighted quantization situation perception method and system |
Rivera et al. | Automation of network anomaly detection and mitigation with the use of IBN: A deployment case on KOREN |
CN117097578B (en) | Network traffic safety monitoring method, system, medium and electronic equipment |
Zhang et al. | Design and analysis of an effective two-step clustering scheme to optimize prefetch cache technology |
CN115858309B (en) | Data monitoring method and device for distributed system and electronic equipment |
CN112187623B (en) | Information release management system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |