CN110493218A - A kind of method and apparatus of Situation Awareness virtualization - Google Patents

A kind of method and apparatus of Situation Awareness virtualization Download PDF

Info

Publication number
CN110493218A
CN110493218A CN201910757775.6A CN201910757775A CN110493218A CN 110493218 A CN110493218 A CN 110493218A CN 201910757775 A CN201910757775 A CN 201910757775A CN 110493218 A CN110493218 A CN 110493218A
Authority
CN
China
Prior art keywords
data
network
situation
information
single key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910757775.6A
Other languages
Chinese (zh)
Other versions
CN110493218B (en
Inventor
段彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Sipuleng Technology Co Ltd
Original Assignee
Wuhan Sipuleng Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Sipuleng Technology Co Ltd filed Critical Wuhan Sipuleng Technology Co Ltd
Priority to CN201910757775.6A priority Critical patent/CN110493218B/en
Publication of CN110493218A publication Critical patent/CN110493218A/en
Application granted granted Critical
Publication of CN110493218B publication Critical patent/CN110493218B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25Integrating or interfacing systems involving database management systems
    • G06F16/258Data format conversion from or to a database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/147Network analysis or design for predicting network behaviour
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/22Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146Tracing the source of attacks

Abstract

The present invention provides a kind of method and apparatus of Situation Awareness virtualization, the interface encapsulation in different information sources will be acquired, client is facilitated to call, the data flow of unified format is obtained by pre-processing, high frequency project team element is extracted from the data flow, generate high frequency correlation rule, it is sent into Situation Assessment and carries out project evaluation chain, by from the fusion of different evaluation systems, and Fuzzy Processing Data Elements, obtain individual equipment, the situation value of localized network, it is formed in conjunction with the framework of whole network, obtain the situation value of whole device, the situation value of different levels is imported neural network model to predict, finally visualize prediction result, sufficiently assessment whole network and each individual equipment, by each equipment, association is established in each layering, so as to scientifically be predicted following device, it is provided for user valuable The reference proposition of value.

Description

A kind of method and apparatus of Situation Awareness virtualization
Technical field
This application involves the method and apparatus that technical field of network security more particularly to a kind of Situation Awareness virtualize.
Background technique
Next generation network includes that car networking, Internet of Things, cloud network, industry internet, video monitoring net require to call state Gesture perceptional function, and building Situation Awareness platform is a complexity, expensive work, is thus required to provide Situation Awareness Situation Awareness is virtually that plug-in unit or component facilitate client to call by the service provider of service.
Meanwhile existing situational awareness techniques are understood using simple situation, so that it may obtain the peace about whole device For full Situation Assessment as a result, the report of Situation Assessment can not be provided quantitatively, it is even more impossible to the results based on Situation Assessment to carry out safety The prediction of situation, utility value are very limited.
The invention is intended to not only algorithmically sufficiently assess whole network and each individual equipment, but also can be based on It is established and is associated with each equipment, each layering, so as to carry out science to following device by the situation value provided Ground prediction, provides valuable reference proposition for user.
Summary of the invention
The purpose of the present invention is to provide a kind of method and apparatus of Situation Awareness virtualization, will acquire different information sources Interface encapsulation get up, facilitate client to call, obtain the data flow of unified format by pre-processing, extracted from the data flow high Frequency project team element generates high frequency correlation rule, is sent into Situation Assessment and carries out project evaluation chain, by melting from different evaluation systems Conjunction and Fuzzy Processing Data Elements, obtain the situation value of individual equipment, localized network, form in conjunction with the framework of whole network, The situation value of whole device is obtained, the situation value of different levels is imported into neural network model and is predicted, exhibition is finally visualized Show prediction result.
In a first aspect, the application provides a kind of method of Situation Awareness virtualization, which comprises
By the interface virtual that can receive different information sources at an outbound data interface, facilitate other network calls, no It is mutually independent between information source, will not find the interface in other information source, adaptively correspond to the corresponding interface;Pass through Outbound data interface acquires the running state data of the sensor of separate sources, information platform, detecting devices;
After receiving acquisition data, clear data in redundancy according to the type in source be system by Data Format Transform One format is divided into corresponding field, is merged into data flow;
Element is extracted from the data flow after merging, finds the behavior act for including in element, access object, source person Location, instantaneous flow size information, therefrom excavate high frequency project team, high frequency association generated according to the corresponding information of high frequency project team Rule increases its corresponding weight, forms the tree-shaped structure of frequent mode;
According to the tree-shaped structure of the frequent mode, distributed data base, the adjacent similar assets situation in inquiry address are called Information, the assets situation information and query flows speed of the affiliated same layer of queried access object, the similar assets state of flow total amount Gesture information;
Judge that single key equipment with the presence or absence of the identical security breaches of close assets adjacent with address, judges single crucial The concurrent thread of equipment, bandwidth, network topology, access frequency whether there is alarm identical with affiliated same layer assets, judge list Whether the influx growth rate of a key equipment, different agreement data packet distribution proportion, different size data packet distribution proportion are deposited In variation identical with flow speed, flow total amount similar property, the security postures value of single key equipment is calculated;
By several neighbouring single key equipments, or according to several the single key equipments for having service interaction, group At localized network, distributed data base is called again, by the corresponding security breaches of each key equipment, concurrent in localized network Thread, bandwidth, network topology, access frequency, influx growth rate, different agreement data packet distribution proportion and different size data Packet distribution proportion introduces the security postures value that Fuzzy Processing calculates localized network according to service priority;
Network topology is requested to distributed equalization server, according to the topological relation of multiple localized networks, obscures place Reason calculates the security postures value of whole network;
The security postures value of single key equipment, localized network and whole network is imported into distributed equalization server respectively In neural network model, deduced by neural network model, obtain following a period of time about attacker source and attack model The prediction enclosed returns to prediction result by distributed equalization server;
By the security postures value of single key equipment, localized network and whole network, attacker source and firing area Prediction result submitting is visualized.
With reference to first aspect, in a first possible implementation of that first aspect, the data flow after merging mentions Take element, comprising: assessment models, correlation rule and the index storehouse for calling previous historical data, from the respective field of data flow Extract element information.
With reference to first aspect, in a second possible implementation of that first aspect, it is described clear data in redundancy letter Data Format Transform is unified format according to the type in source by breath, is based at Map Reduce Distributed Parallel Computing Reason.
With reference to first aspect, in first aspect in the third possible implementation, the Fuzzy Processing calculating is to be based on The method that D-S theory is combined with fuzzy set calculates the probability that attack is supported.
Second aspect, the application provide a kind of device of Situation Awareness virtualization, and described device includes:
External interface unit, for the interface virtual in different information sources will to be can receive into an outbound data interface, side Just other network calls are mutually independent between different information sources, will not find the interface in other information source, adaptively Corresponding the corresponding interface;The sensor of separate sources, the operating status of information platform, detecting devices are acquired by outbound data interface Data;
Pretreatment unit, after receiving acquisition data, clear data in redundancy will according to the type in source Data Format Transform is unified format, is divided into corresponding field, is merged into data flow;
Situation understands unit, for extracting element from the data flow after merging, finds the behavior act for including in element, visits Ask object, source person address, instantaneous flow size information, therefrom excavate high frequency project team, according to high frequency, project team is corresponding Information generates high frequency correlation rule, increases its corresponding weight, forms the tree-shaped structure of frequent mode;
Situation Assessment unit inquires address phase for calling distributed data base according to the tree-shaped structure of the frequent mode Assets situation information similar in neighbour, the assets situation information and query flows speed, flow of the affiliated same layer of queried access object The similar assets situation information of total amount;Judge single key equipment with the presence or absence of the identical safe leakage of close assets adjacent with address Hole judges that the concurrent thread of single key equipment, bandwidth, network topology, access frequency whether there is and affiliated same layer assets phase Same alarm, judges influx growth rate, the different agreement data packet distribution proportion, different size data packet of single key equipment Distribution proportion whether there is variation identical with flow speed, flow total amount similar property, calculate the safety of single key equipment Situation value;
By several neighbouring single key equipments, or according to several the single key equipments for having service interaction, group At localized network, distributed data base is called again, by the corresponding security breaches of each key equipment, concurrent in localized network Thread, bandwidth, network topology, access frequency, influx growth rate, different agreement data packet distribution proportion and different size data Packet distribution proportion introduces the security postures value that Fuzzy Processing calculates localized network according to service priority;
Network topology is requested to distributed equalization server, according to the topological relation of multiple localized networks, obscures place Reason calculates the security postures value of whole network;
Tendency Prediction unit, for respectively leading the security postures value of single key equipment, localized network and whole network Enter the neural network model in distributed equalization server, deduced by neural network model, obtain following a period of time about The prediction in attacker source and firing area returns to prediction result by distributed equalization server;
Situation output unit, for by the security postures value of single key equipment, localized network and whole network, attacker The submitting of the prediction result of source and firing area is visualized.
In conjunction with second aspect, in second aspect in the first possible implementation, the situation understands unit from merging Data flow afterwards extracts element, comprising: assessment models, correlation rule and the index storehouse for calling previous historical data, from data flow Respective field in extract element information.
In conjunction with second aspect, in second of second aspect possible implementation, the pretreatment unit clears data In redundancy according to the type in source be unified format by Data Format Transform, be distributed based on Map Reduce Parallel computation processing.
In conjunction with second aspect, in second aspect in the third possible implementation, the fuzzy place of the Situation Assessment unit It is the method combined based on D-S theory with fuzzy set that reason, which calculates, calculates the probability that attack is supported.
The present invention provides a kind of method and apparatus of Situation Awareness virtualization, will acquire the interface encapsulation in different information sources Get up, client is facilitated to call, obtain the data flow of unified format by pre-processing, high frequency project team is extracted from the data flow and is wanted Element, generate high frequency correlation rule, be sent into Situation Assessment carry out project evaluation chain, by from the fusion of different evaluation systems, Yi Jimo Paste processing Data Elements, obtain the situation value of individual equipment, localized network, form in conjunction with the framework of whole network, obtain entire The situation value of device, imports neural network model for the situation value of different levels and predicts, finally visualizes prediction knot Fruit sufficiently assesses whole network and each individual equipment, and association is established in each equipment, each layering, so as to Scientifically to be predicted following device, valuable reference proposition is provided for user.
Detailed description of the invention
It to describe the technical solutions in the embodiments of the present invention more clearly, below will be to needed in the embodiment Attached drawing is briefly described, it should be apparent that, for those of ordinary skills, before not making the creative labor It puts, is also possible to obtain other drawings based on these drawings.
Fig. 1 is the flow chart of the method for Situation Awareness of the present invention virtualization;
Fig. 2 is the architecture diagram of the device of Situation Awareness of the present invention virtualization.
Specific embodiment
The preferred embodiment of the present invention is described in detail with reference to the accompanying drawing, so that advantages and features of the invention energy It is easier to be readily appreciated by one skilled in the art, so as to make a clearer definition of the protection scope of the present invention.
Fig. 1 is the flow chart of the method for Situation Awareness provided by the present application virtualization, which comprises
By the interface virtual that can receive different information sources at an outbound data interface, facilitate other network calls, no It is mutually independent between information source, will not find the interface in other information source, adaptively correspond to the corresponding interface;Pass through Outbound data interface acquires the running state data of the sensor of separate sources, information platform, detecting devices;
After receiving acquisition data, clear data in redundancy according to the type in source be system by Data Format Transform One format is divided into corresponding field, is merged into data flow;
Element is extracted from the data flow after merging, finds the behavior act for including in element, access object, source person Location, instantaneous flow size information, therefrom excavate high frequency project team, high frequency association generated according to the corresponding information of high frequency project team Rule increases its corresponding weight, forms the tree-shaped structure of frequent mode;
According to the tree-shaped structure of the frequent mode, distributed data base, the adjacent similar assets situation in inquiry address are called Information, the assets situation information and query flows speed of the affiliated same layer of queried access object, the similar assets state of flow total amount Gesture information;
Judge that single key equipment with the presence or absence of the identical security breaches of close assets adjacent with address, judges single crucial The concurrent thread of equipment, bandwidth, network topology, access frequency whether there is alarm identical with affiliated same layer assets, judge list Whether the influx growth rate of a key equipment, different agreement data packet distribution proportion, different size data packet distribution proportion are deposited In variation identical with flow speed, flow total amount similar property, the security postures value of single key equipment is calculated;
By several neighbouring single key equipments, or according to several the single key equipments for having service interaction, group At localized network, distributed data base is called again, by the corresponding security breaches of each key equipment, concurrent in localized network Thread, bandwidth, network topology, access frequency, influx growth rate, different agreement data packet distribution proportion and different size data Packet distribution proportion introduces the security postures value that Fuzzy Processing calculates localized network according to service priority;
Network topology is requested to distributed equalization server, according to the topological relation of multiple localized networks, obscures place Reason calculates the security postures value of whole network;
The security postures value of single key equipment, localized network and whole network is imported into distributed equalization server respectively In neural network model, deduced by neural network model, obtain following a period of time about attacker source and attack model The prediction enclosed returns to prediction result by distributed equalization server;
By the security postures value of single key equipment, localized network and whole network, attacker source and firing area Prediction result submitting is visualized.
In some preferred embodiments, the data flow after merging extracts element, comprising: calls previous historical data Assessment models, correlation rule and index storehouse, extract element information from the respective field of data flow.
In some preferred embodiments, it is described clear data in redundancy, according to the type in source, by data format Unified format is converted to, is handled based on Map Reduce Distributed Parallel Computing.
In some preferred embodiments, the Fuzzy Processing calculating is the method combined based on D-S theory with fuzzy set, Calculate the probability that attack is supported.
Fig. 2 is the architecture diagram of the device of Situation Awareness provided by the present application virtualization, and described device includes:
External interface unit, for the interface virtual in different information sources will to be can receive into an outbound data interface, side Just other network calls are mutually independent between different information sources, will not find the interface in other information source, adaptively Corresponding the corresponding interface;The sensor of separate sources, the operating status of information platform, detecting devices are acquired by outbound data interface Data;
Pretreatment unit, after receiving acquisition data, clear data in redundancy will according to the type in source Data Format Transform is unified format, is divided into corresponding field, is merged into data flow;
Situation understands unit, for extracting element from the data flow after merging, finds the behavior act for including in element, visits Ask object, source person address, instantaneous flow size information, therefrom excavate high frequency project team, according to high frequency, project team is corresponding Information generates high frequency correlation rule, increases its corresponding weight, forms the tree-shaped structure of frequent mode;
Situation Assessment unit inquires address phase for calling distributed data base according to the tree-shaped structure of the frequent mode Assets situation information similar in neighbour, the assets situation information and query flows speed, flow of the affiliated same layer of queried access object The similar assets situation information of total amount;Judge single key equipment with the presence or absence of the identical safe leakage of close assets adjacent with address Hole judges that the concurrent thread of single key equipment, bandwidth, network topology, access frequency whether there is and affiliated same layer assets phase Same alarm, judges influx growth rate, the different agreement data packet distribution proportion, different size data packet of single key equipment Distribution proportion whether there is variation identical with flow speed, flow total amount similar property, calculate the safety of single key equipment Situation value;
By several neighbouring single key equipments, or according to several the single key equipments for having service interaction, group At localized network, distributed data base is called again, by the corresponding security breaches of each key equipment, concurrent in localized network Thread, bandwidth, network topology, access frequency, influx growth rate, different agreement data packet distribution proportion and different size data Packet distribution proportion introduces the security postures value that Fuzzy Processing calculates localized network according to service priority;
Network topology is requested to distributed equalization server, according to the topological relation of multiple localized networks, obscures place Reason calculates the security postures value of whole network;
Tendency Prediction unit, for respectively leading the security postures value of single key equipment, localized network and whole network Enter the neural network model in distributed equalization server, deduced by neural network model, obtain following a period of time about The prediction in attacker source and firing area returns to prediction result by distributed equalization server;
Situation output unit, for by the security postures value of single key equipment, localized network and whole network, attacker The submitting of the prediction result of source and firing area is visualized.
In some preferred embodiments, the situation understands that unit extracts element from the data flow after merging, comprising: calls Assessment models, correlation rule and the index storehouse of previous historical data, extract element information from the respective field of data flow.
In some preferred embodiments, the pretreatment unit clear data in redundancy, according to the type in source, It is unified format by Data Format Transform, is handled based on Map Reduce Distributed Parallel Computing.
In some preferred embodiments, the Situation Assessment unit Fuzzy Processing calculating is based on D-S theory and fuzzy set The method combined calculates the probability that attack is supported.
In the specific implementation, the present invention also provides a kind of computer storage mediums, wherein the computer storage medium can deposit Program is contained, which may include step some or all of in each embodiment of the present invention when executing.The storage medium It can be magnetic disk, CD, read-only memory (referred to as: ROM) or random access memory (referred to as: RAM) etc..
It is required that those skilled in the art can be understood that the technology in the embodiment of the present invention can add by software The mode of general hardware platform realize.Based on this understanding, the technical solution in the embodiment of the present invention substantially or The part that contributes to existing technology can be embodied in the form of software products, which can store In storage medium, such as ROM/RAM, magnetic disk, CD, including some instructions use is so that a computer equipment (can be Personal computer, server or network equipment etc.) it executes described in certain parts of each embodiment of the present invention or embodiment Method.
The same or similar parts between the embodiments can be referred to each other for this specification.For embodiment, Since it is substantially similar to the method embodiment, so being described relatively simple, related place is referring to the explanation in embodiment of the method .
Invention described above embodiment is not intended to limit the scope of the present invention..

Claims (8)

1. a kind of method of Situation Awareness virtualization, which is characterized in that the described method includes:
By the interface virtual that can receive different information sources at an outbound data interface, facilitate other network calls, difference letter Breath is mutually independent between source, will not find the interface in other information source, adaptively correspond to the corresponding interface;By external Data-interface acquires the running state data of the sensor of separate sources, information platform, detecting devices;
After receiving acquisition data, clear data in redundancy according to the type in source be uniformly by Data Format Transform Format is divided into corresponding field, is merged into data flow;
Element is extracted from the data flow after merging, finds the behavior act for including in element, access object, source person address, wink When uninterrupted information, therefrom excavate high frequency project team, high frequency correlation rule generated according to the corresponding information of high frequency project team, Its corresponding weight is increased, the tree-shaped structure of frequent mode is formed;
According to the tree-shaped structure of the frequent mode, distributed data base is called, inquires the adjacent similar assets situation information in address, The assets situation information and query flows speed of the affiliated same layer of queried access object, the similar assets situation letter of flow total amount Breath;
Judge that single key equipment with the presence or absence of the identical security breaches of close assets adjacent with address, judges single key equipment Concurrent thread, bandwidth, network topology, access frequency whether there is alarm identical with affiliated same layer assets, judge single close The influx growth rate of button apparatus, different agreement data packet distribution proportion, different size data packet distribution proportion whether there is with Flow speed, the identical variation of flow total amount similar property, calculate the security postures value of single key equipment;
By several neighbouring single key equipments, or according to several the single key equipments for having service interaction, composition office Portion's network, calls distributed data base again, by the corresponding security breaches of each key equipment and hair line in localized network Journey, bandwidth, network topology, access frequency, influx growth rate, different agreement data packet distribution proportion and different size data packet Distribution proportion introduces the security postures value that Fuzzy Processing calculates localized network according to service priority;
Network topology is requested to distributed equalization server, according to the topological relation of multiple localized networks, Fuzzy Processing meter Calculate the security postures value of whole network;
The security postures value of single key equipment, localized network and whole network is imported in distributed equalization server respectively Neural network model is deduced by neural network model, obtains following a period of time about attacker source and firing area Prediction returns to prediction result by distributed equalization server;
By the security postures value of single key equipment, localized network and whole network, the prediction in attacker source and firing area As a result it sends out and is visualized.
2. the method according to claim 1, wherein the data flow after merging extracts element, comprising: adjust With the assessment models of previous historical data, correlation rule and index storehouse, element information is extracted from the respective field of data flow.
3. -2 described in any item methods according to claim 1, which is characterized in that it is described clear data in redundancy, root According to the type in source, be unified format by Data Format Transform, handled based on Map Reduce Distributed Parallel Computing.
4. method according to claim 1-3, which is characterized in that the Fuzzy Processing calculating is managed based on D-S By the method combined with fuzzy set, the probability that attack is supported is calculated.
5. a kind of device of Situation Awareness virtualization, which is characterized in that described device includes:
External interface unit, the interface virtual for that will can receive different information sources facilitate it at an outbound data interface His network call is mutually independent between different information sources, will not find the interface in other information source, adaptive corresponding The corresponding interface;The operating status number of the sensor of separate sources, information platform, detecting devices is acquired by outbound data interface According to;
Pretreatment unit, for receive acquisition data after, clear data in redundancy, according to the type in source, by data Format is converted to unified format, is divided into corresponding field, is merged into data flow;
Situation understands unit, for extracting element from the data flow after merging, finds the behavior act for including in element, access pair As, source person address, the information of instantaneous flow size, high frequency project team is therefrom excavated, according to the corresponding information of high frequency project team High frequency correlation rule is generated, its corresponding weight is increased, forms the tree-shaped structure of frequent mode;
Situation Assessment unit, for calling distributed data base, the adjacent phase in inquiry address according to the tree-shaped structure of the frequent mode Close assets situation information, the assets situation information and query flows speed of the affiliated same layer of queried access object, flow total amount Similar assets situation information;Judge single key equipment with the presence or absence of the identical security breaches of close assets adjacent with address, Judge the concurrent thread of single key equipment, bandwidth, network topology, access frequency with the presence or absence of identical with affiliated same layer assets Alarm judges influx growth rate, the different agreement data packet distribution proportion, the distribution of different size data packet of single key equipment Ratio whether there is variation identical with flow speed, flow total amount similar property, calculate the security postures of single key equipment Value;
By several neighbouring single key equipments, or according to several the single key equipments for having service interaction, composition office Portion's network, calls distributed data base again, by the corresponding security breaches of each key equipment and hair line in localized network Journey, bandwidth, network topology, access frequency, influx growth rate, different agreement data packet distribution proportion and different size data packet Distribution proportion introduces the security postures value that Fuzzy Processing calculates localized network according to service priority;
Network topology is requested to distributed equalization server, according to the topological relation of multiple localized networks, Fuzzy Processing meter Calculate the security postures value of whole network;
Tendency Prediction unit divides for respectively importing the security postures value of single key equipment, localized network and whole network Neural network model in cloth equalization server, is deduced by neural network model, obtains following a period of time about attack The prediction in person source and firing area returns to prediction result by distributed equalization server;
Situation output unit, for by the security postures value of single key equipment, localized network and whole network, attacker source Prediction result submitting with firing area is visualized.
6. device according to claim 5, which is characterized in that the situation understands that unit is extracted from the data flow after merging Element, comprising: assessment models, correlation rule and the index storehouse for calling previous historical data are mentioned from the respective field of data flow Take element information.
7. according to the described in any item devices of claim 5-6, which is characterized in that the pretreatment unit clear data in it is superfluous Data Format Transform is unified format, is based on Map Reduce distributed parallel by remaining information according to the type in source Calculate processing.
8. according to the described in any item devices of claim 5-7, which is characterized in that the Situation Assessment unit Fuzzy Processing calculates It is the method combined based on D-S theory with fuzzy set, calculates the probability that attack is supported.
CN201910757775.6A 2019-08-16 2019-08-16 Situation awareness virtualization method and device Active CN110493218B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910757775.6A CN110493218B (en) 2019-08-16 2019-08-16 Situation awareness virtualization method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910757775.6A CN110493218B (en) 2019-08-16 2019-08-16 Situation awareness virtualization method and device

Publications (2)

Publication Number Publication Date
CN110493218A true CN110493218A (en) 2019-11-22
CN110493218B CN110493218B (en) 2022-04-08

Family

ID=68549782

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910757775.6A Active CN110493218B (en) 2019-08-16 2019-08-16 Situation awareness virtualization method and device

Country Status (1)

Country Link
CN (1) CN110493218B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866027A (en) * 2020-08-10 2020-10-30 武汉思普崚技术有限公司 Asset safety assessment method and system based on intelligence analysis
CN113271321A (en) * 2021-07-20 2021-08-17 成都信息工程大学 Propagation prediction processing method and system based on network abnormal attack

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263410A (en) * 2010-05-31 2011-11-30 河南省电力公司 Security risk assessment model, assessment method and assessment parameter determining method
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
WO2016172514A1 (en) * 2015-04-24 2016-10-27 Siemens Aktiengesellschaft Improving control system resilience by highly coupling security functions with control
CN107404400A (en) * 2017-07-20 2017-11-28 中国电子科技集团公司第二十九研究所 A kind of network situation awareness implementation method and device
CN108494810A (en) * 2018-06-11 2018-09-04 中国人民解放军战略支援部队信息工程大学 Network security situation prediction method, apparatus and system towards attack
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263410A (en) * 2010-05-31 2011-11-30 河南省电力公司 Security risk assessment model, assessment method and assessment parameter determining method
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
WO2016172514A1 (en) * 2015-04-24 2016-10-27 Siemens Aktiengesellschaft Improving control system resilience by highly coupling security functions with control
CN107404400A (en) * 2017-07-20 2017-11-28 中国电子科技集团公司第二十九研究所 A kind of network situation awareness implementation method and device
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system
CN108494810A (en) * 2018-06-11 2018-09-04 中国人民解放军战略支援部队信息工程大学 Network security situation prediction method, apparatus and system towards attack

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘鹏等: "大规模网络安全态势感知及预测", 《计算机安全》 *
甘文道等: "基于RAN-RBF神经网络的网络安全态势预测模型 ", 《计算机科学》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866027A (en) * 2020-08-10 2020-10-30 武汉思普崚技术有限公司 Asset safety assessment method and system based on intelligence analysis
CN113271321A (en) * 2021-07-20 2021-08-17 成都信息工程大学 Propagation prediction processing method and system based on network abnormal attack

Also Published As

Publication number Publication date
CN110493218B (en) 2022-04-08

Similar Documents

Publication Publication Date Title
US10855545B2 (en) Centralized resource usage visualization service for large-scale network topologies
Jamshidi et al. Autonomic resource provisioning for cloud-based software
US9647904B2 (en) Customer-directed networking limits in distributed systems
CN104580349B (en) Secure cloud administration agent
CN110445801A (en) A kind of Situation Awareness method and system of Internet of Things
US20160308734A1 (en) System and method for sla violation mitigation via multi-level thresholds
CN110036599A (en) The programming interface of network health information
CN110460608A (en) A kind of Situation Awareness method and system comprising association analysis
CN110474904A (en) A kind of Situation Awareness method and system improving prediction
CN110493043A (en) A kind of distribution Situation Awareness call method and device
CN109840533A (en) A kind of applied topology figure recognition methods and device
Roy et al. Micro-safe: Microservices-and deep learning-based safety-as-a-service architecture for 6G-enabled intelligent transportation system
CN108833389A (en) A kind of shared processing method and processing device of information data
US20130262189A1 (en) Analyzing metered cost effects of deployment patterns in a networked computing environment
CN110493218A (en) A kind of method and apparatus of Situation Awareness virtualization
Rodrigues et al. Performance and availability evaluation of an smart hospital architecture
CN110471975A (en) A kind of Internet of Things Situation Awareness call method and device
Bai et al. Resilience-driven quantitative analysis of vehicle platooning service
Jararweh et al. Software Defined based smart grid architecture
Jacq et al. The cyber-MAR project: First results and perspectives on the use of hybrid cyber ranges for port cyber risk assessment
CN110493217A (en) A kind of distributed Situation Awareness method and system
CN110493044A (en) A kind of method and system of quantifiable Situation Awareness
CN105608380A (en) Virtual machine lifecycle-based cloud computation security assessing method
Liu et al. A clusterized firewall framework for cloud computing
US9929921B2 (en) Techniques for workload toxic mapping

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant