CN110474805B - Method and device for situation awareness analysis capable of being called - Google Patents

Method and device for situation awareness analysis capable of being called Download PDF

Info

Publication number
CN110474805B
CN110474805B CN201910757693.1A CN201910757693A CN110474805B CN 110474805 B CN110474805 B CN 110474805B CN 201910757693 A CN201910757693 A CN 201910757693A CN 110474805 B CN110474805 B CN 110474805B
Authority
CN
China
Prior art keywords
situation
information
data
rule
single key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910757693.1A
Other languages
Chinese (zh)
Other versions
CN110474805A (en
Inventor
段彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Sipuling Technology Co Ltd filed Critical Wuhan Sipuling Technology Co Ltd
Priority to CN201910757693.1A priority Critical patent/CN110474805B/en
Publication of CN110474805A publication Critical patent/CN110474805A/en
Application granted granted Critical
Publication of CN110474805B publication Critical patent/CN110474805B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/147Network analysis or design for predicting network behaviour
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/22Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Computer Hardware Design (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Human Computer Interaction (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for situation perception analysis, which can be called, interfaces for collecting different information sources are packaged, the calling of customers is convenient, a data stream with a uniform format is obtained through preprocessing, high-frequency project group elements are extracted from the data stream, high-frequency association rules are generated and sent to situation evaluation for evaluation and quantification, situation values of single equipment and a local network are obtained through fusion with different evaluation systems and fuzzy processing of the data elements, the situation values of the whole device are obtained by combining the framework composition of the whole network, the situation values of different layers are led into a neural network model for prediction, finally, prediction results are displayed visually, the whole network and each single equipment are fully evaluated, association is established between each equipment and each layer, rule detection is carried out on different rules, risk values are calculated, and therefore future devices can be scientifically predicted, provides valuable reference suggestions for users.

Description

Method and device for situation awareness analysis capable of being called
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for situation awareness analysis that can be invoked.
Background
The situation awareness function needs to be called in the next generation of networks including car networking, internet of things, cloud networks, industrial internet and video monitoring networks, and the situation awareness platform is complex and expensive to build, so that a service provider capable of providing situation awareness service needs to virtualize situation awareness into plug-in or component, and customers can conveniently call the situation awareness.
Meanwhile, the existing situation awareness technology adopts simple situation understanding, so that a safety situation assessment result of the whole device can be obtained, a situation assessment report cannot be quantitatively given, safety situation prediction cannot be performed based on the situation assessment result, and the utilization value of the technology is very limited.
The invention is intended to not only evaluate the whole network and each single device in an algorithm fully, but also establish association with each device and each layer based on given situation values, carry out rule detection on different rules and calculate risk values, thereby scientifically predicting future devices and providing valuable reference suggestions for users.
Disclosure of Invention
The invention aims to provide a method and a device for calling situation awareness analysis, which are used for packaging interfaces for collecting different information sources, facilitating calling of clients, obtaining a data stream with a uniform format through preprocessing, extracting high-frequency project group elements from the data stream, generating a high-frequency association rule, sending the high-frequency association rule into situation assessment for assessment and quantification, obtaining situation values of single equipment and a local network through fusion with different assessment systems and fuzzy processing of the data elements, obtaining the situation values of the whole device by combining the architecture composition of the whole network, introducing the situation values of different layers into a neural network model for prediction, and finally visually displaying a prediction result.
In a first aspect, the present application provides a method of situation awareness analysis that may be invoked, the method comprising:
the interfaces capable of receiving different information sources are virtualized into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
after receiving the collected data, clearing redundant information in the data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields, and combining the fields into a data stream;
extracting elements from the merged data stream, finding information of behavior action, access object, source address and instantaneous flow included in the elements, discovering high-frequency project group, generating high-frequency association rule according to the information corresponding to the high-frequency project group, increasing the corresponding weight of the high-frequency project group, and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
according to the frequent pattern tree structure, calling a distributed database, inquiring the asset situation information adjacent to the address, inquiring the asset situation information of the same layer to which the access object belongs, and inquiring the asset situation information with similar flow speed and flow total;
judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
respectively importing security situation values of a single key device, a local network and the whole network into a neural network model in a distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
and sending the security situation values of the single key equipment, the local network and the whole network, and the prediction results of the attacker source and the attack range for visual display.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the extracting elements from the merged data stream includes: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the removing redundant information in the data, converting the data format into a uniform format according to the type of the source, and processing based on Map Reduce distributed parallel computing.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the fuzzy processing calculation is based on a method that combines a D-S theory and a fuzzy set, and calculates a probability that an attack is supported.
In a second aspect, the present application provides an apparatus for situation awareness analysis that may be invoked, the apparatus comprising:
the external interface unit is used for virtualizing the interfaces capable of receiving different information sources into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
the preprocessing unit is used for clearing redundant information in the data after receiving the acquired data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields and combining the fields into a data stream;
the situation understanding unit is used for extracting elements from the merged data stream, finding information of behavior actions, access objects, source addresses and instantaneous flow included in the elements, discovering high-frequency project groups from the information, generating high-frequency association rules according to the information corresponding to the high-frequency project groups, increasing the corresponding weights of the high-frequency project groups and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
the situation evaluation unit is used for calling the distributed database according to the frequent pattern tree structure, inquiring the asset situation information with adjacent addresses, inquiring the asset situation information of the access object belonging to the same layer, and inquiring the asset situation information with similar flow speed and flow total; judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
the situation prediction unit is used for respectively importing the security situation values of the single key device, the local network and the whole network into a neural network model in the distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period of time through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
and the situation output unit is used for sending the safety situation values of the single key equipment, the local network and the whole network, the attacker source and the attack range prediction results for visual display.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the extracting, by the situation understanding unit, elements from the merged data stream includes: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the preprocessing unit removes redundant information in the data, converts the data format into a uniform format according to the type of the source, and is based on Map Reduce distributed parallel computing processing.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the situation assessment unit calculates the probability of attack occurrence support based on a method that combines a D-S theory and a fuzzy set.
The invention provides a method and a device for situation perception analysis, which can be called, interfaces for collecting different information sources are packaged, the calling of customers is convenient, a data stream with a uniform format is obtained through preprocessing, high-frequency project group elements are extracted from the data stream, high-frequency association rules are generated and sent to situation evaluation for evaluation and quantification, situation values of single equipment and a local network are obtained through fusion with different evaluation systems and fuzzy processing of the data elements, the situation values of the whole device are obtained by combining the framework composition of the whole network, the situation values of different layers are led into a neural network model for prediction, finally, prediction results are displayed visually, the whole network and each single equipment are fully evaluated, association is established between each equipment and each layer, rule detection is carried out on different rules, risk values are calculated, and therefore future devices can be scientifically predicted, provides valuable reference suggestions for users.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow diagram of a method of situational awareness analysis that may be invoked in accordance with the present invention;
FIG. 2 is an architecture diagram of a device for context aware analysis that may be invoked in accordance with the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings so that the advantages and features of the present invention can be more easily understood by those skilled in the art, and the scope of the present invention will be more clearly and clearly defined.
Fig. 1 is a flowchart of a method of callable situational awareness analysis provided herein, the method comprising:
the interfaces capable of receiving different information sources are virtualized into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
after receiving the collected data, clearing redundant information in the data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields, and combining the fields into a data stream;
extracting elements from the merged data stream, finding information of behavior action, access object, source address and instantaneous flow included in the elements, discovering high-frequency project group, generating high-frequency association rule according to the information corresponding to the high-frequency project group, increasing the corresponding weight of the high-frequency project group, and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
according to the frequent pattern tree structure, calling a distributed database, inquiring the asset situation information adjacent to the address, inquiring the asset situation information of the same layer to which the access object belongs, and inquiring the asset situation information with similar flow speed and flow total;
judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
respectively importing security situation values of a single key device, a local network and the whole network into a neural network model in a distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
and sending the security situation values of the single key equipment, the local network and the whole network, and the prediction results of the attacker source and the attack range for visual display.
In some preferred embodiments, said extracting elements from the merged data stream comprises: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
In some preferred embodiments, the removing of redundant information in the data, converting the data format into a uniform format according to the type of the source, is based on Map Reduce distributed parallel computing processing.
In some preferred embodiments, the fuzzy processing calculation is based on a method of combining D-S theory and fuzzy sets, and the probability of attack occurrence support is calculated.
FIG. 2 is an architecture diagram of an apparatus for callable situational awareness analysis provided herein, the apparatus comprising:
the external interface unit is used for virtualizing the interfaces capable of receiving different information sources into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
the preprocessing unit is used for clearing redundant information in the data after receiving the acquired data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields and combining the fields into a data stream;
the situation understanding unit is used for extracting elements from the merged data stream, finding information of behavior actions, access objects, source addresses and instantaneous flow included in the elements, discovering high-frequency project groups from the information, generating high-frequency association rules according to the information corresponding to the high-frequency project groups, increasing the corresponding weights of the high-frequency project groups and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
the situation evaluation unit is used for calling the distributed database according to the frequent pattern tree structure, inquiring the asset situation information with adjacent addresses, inquiring the asset situation information of the access object belonging to the same layer, and inquiring the asset situation information with similar flow speed and flow total; judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
the situation prediction unit is used for respectively importing the security situation values of the single key device, the local network and the whole network into a neural network model in the distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period of time through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
and the situation output unit is used for sending the safety situation values of the single key equipment, the local network and the whole network, the attacker source and the attack range prediction results for visual display.
In some preferred embodiments, the situation understanding unit extracts elements from the merged data stream, including: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
In some preferred embodiments, the preprocessing unit removes redundant information in the data, converts the data format into a uniform format according to the type of the source, and is based on Map Reduce distributed parallel computing processing.
In some preferred embodiments, the situation assessment unit calculates the probability of attack occurrence support based on a method of combining D-S theory and fuzzy sets.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (6)

1. A method of situation awareness analysis that may be invoked, the method comprising:
the interfaces capable of receiving different information sources are virtualized into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
after receiving the collected data, clearing redundant information in the data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields, and combining the fields into a data stream;
extracting elements from the merged data stream, finding information of behavior action, access object, source address and instantaneous flow included in the elements, discovering high-frequency project group, generating high-frequency association rule according to the information corresponding to the high-frequency project group, increasing the corresponding weight of the high-frequency project group, and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
according to the frequent pattern tree structure, calling a distributed database, inquiring the asset situation information adjacent to the address, inquiring the asset situation information of the same layer to which the access object belongs, and inquiring the asset situation information with similar flow speed and flow total;
judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
respectively importing security situation values of a single key device, a local network and the whole network into a neural network model in a distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
sending the security situation values of a single key device, a local network and the whole network, and the prediction results of the attacker source and the attack range for visual display;
the extracting elements from the merged data stream includes: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
2. The method of claim 1, wherein the removing of redundant information from the data, the converting of the data format to a unified format based on the type of source, is based on a Map Reduce distributed parallel computing process.
3. The method of claim 1, wherein the fuzzy processing calculation is based on a method of combining D-S theory and fuzzy sets, and calculates the probability of attack support.
4. An apparatus for situation awareness analysis that may be invoked, the apparatus comprising:
the external interface unit is used for virtualizing the interfaces capable of receiving different information sources into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
the preprocessing unit is used for clearing redundant information in the data after receiving the acquired data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields and combining the fields into a data stream;
the situation understanding unit is used for extracting elements from the merged data stream, finding information of behavior actions, access objects, source addresses and instantaneous flow included in the elements, discovering high-frequency project groups from the information, generating high-frequency association rules according to the information corresponding to the high-frequency project groups, increasing the corresponding weights of the high-frequency project groups and forming a frequent pattern tree structure;
judging whether the rule queue is empty or not, if so, performing matching query with the sub-rule base, taking the queried sub-rule as a specified association rule, and performing rule detection according to the sub-rule; if not, carrying out rule detection; the rule detects and calculates a risk value and sends out corresponding alarm information;
the situation evaluation unit is used for calling the distributed database according to the frequent pattern tree structure, inquiring the asset situation information with adjacent addresses, inquiring the asset situation information of the access object belonging to the same layer, and inquiring the asset situation information with similar flow speed and flow total; judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
the situation prediction unit is used for respectively importing the security situation values of the single key device, the local network and the whole network into a neural network model in the distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period of time through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
the situation output unit is used for sending the safety situation values of the single key equipment, the local network and the whole network, the source of the attacker and the prediction result of the attack range out for visual display;
the situation understanding unit extracts elements from the merged data stream, including: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
5. The apparatus of claim 4, wherein the preprocessing unit removes redundant information from the data, converts the data format to a uniform format according to the type of source, and is based on a Map Reduce distributed parallel computing process.
6. The apparatus according to claim 4, wherein the situation assessment unit is configured to compute the probability of attack support based on a method combining D-S theory and fuzzy set.
CN201910757693.1A 2019-08-16 2019-08-16 Method and device for situation awareness analysis capable of being called Active CN110474805B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910757693.1A CN110474805B (en) 2019-08-16 2019-08-16 Method and device for situation awareness analysis capable of being called

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910757693.1A CN110474805B (en) 2019-08-16 2019-08-16 Method and device for situation awareness analysis capable of being called

Publications (2)

Publication Number Publication Date
CN110474805A CN110474805A (en) 2019-11-19
CN110474805B true CN110474805B (en) 2022-05-03

Family

ID=68510931

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910757693.1A Active CN110474805B (en) 2019-08-16 2019-08-16 Method and device for situation awareness analysis capable of being called

Country Status (1)

Country Link
CN (1) CN110474805B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263410A (en) * 2010-05-31 2011-11-30 河南省电力公司 Security risk assessment model, assessment method and assessment parameter determining method
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
WO2016172514A1 (en) * 2015-04-24 2016-10-27 Siemens Aktiengesellschaft Improving control system resilience by highly coupling security functions with control
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system
CN110059939A (en) * 2018-12-13 2019-07-26 成都亚信网络安全产业技术研究院有限公司 A kind of risk checking method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107404400B (en) * 2017-07-20 2020-05-19 中国电子科技集团公司第二十九研究所 Network situation awareness implementation method and device
CN108494810B (en) * 2018-06-11 2021-01-26 中国人民解放军战略支援部队信息工程大学 Attack-oriented network security situation prediction method, device and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263410A (en) * 2010-05-31 2011-11-30 河南省电力公司 Security risk assessment model, assessment method and assessment parameter determining method
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
WO2016172514A1 (en) * 2015-04-24 2016-10-27 Siemens Aktiengesellschaft Improving control system resilience by highly coupling security functions with control
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system
CN110059939A (en) * 2018-12-13 2019-07-26 成都亚信网络安全产业技术研究院有限公司 A kind of risk checking method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
加权频繁模式挖掘算法研究;耿汝年;《中国博士学位论文全文数据库》;20100515;论文正文第1-7章 *
基于RAN-RBF神经网络的网络安全态势预测模型;甘文道等;《计算机科学》;20161115;全文 *

Also Published As

Publication number Publication date
CN110474805A (en) 2019-11-19

Similar Documents

Publication Publication Date Title
CN110493043B (en) Distributed situation awareness calling method and device
CN110445801B (en) Situation sensing method and system of Internet of things
US10855545B2 (en) Centralized resource usage visualization service for large-scale network topologies
Kumar et al. A Distributed framework for detecting DDoS attacks in smart contract‐based Blockchain‐IoT Systems by leveraging Fog computing
US20220124108A1 (en) System and method for monitoring security attack chains
US9647904B2 (en) Customer-directed networking limits in distributed systems
CN110474904B (en) Situation awareness method and system for improving prediction
CN111786950B (en) Network security monitoring method, device, equipment and medium based on situation awareness
CN111586046B (en) Network traffic analysis method and system combining threat intelligence and machine learning
CN110460608B (en) Situation awareness method and system including correlation analysis
CN112738040A (en) Network security threat detection method, system and device based on DNS log
CN109873790A (en) Network security detection method, device and computer readable storage medium
CN110493218B (en) Situation awareness virtualization method and device
CN110493217B (en) Distributed situation perception method and system
CN110493044B (en) Quantifiable situation perception method and system
CN110471975B (en) Internet of things situation awareness calling method and device
JP2022000775A (en) Test method, device and apparatus for traffic flow monitoring measurement system
CN110322153A (en) Monitor event processing method and system
CN110474805B (en) Method and device for situation awareness analysis capable of being called
CN110460472B (en) Weighted quantization situation perception method and system
Rivera et al. Automation of network anomaly detection and mitigation with the use of IBN: A deployment case on KOREN
CN117097578B (en) Network traffic safety monitoring method, system, medium and electronic equipment
Zhang et al. Design and analysis of an effective two-step clustering scheme to optimize prefetch cache technology
CN115858309B (en) Data monitoring method and device for distributed system and electronic equipment
CN112187623B (en) Information release management system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant