CN110493218A - A method and apparatus for situational awareness virtualization - Google Patents
- Publication number
- CN110493218A (application number CN201910757775.6A)
- Authority
- CN
- China
- Prior art keywords
- data
- network
- situation
- information
- single key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/25—Integrating or interfacing systems involving database management systems
- G06F16/258—Data format conversion from or to a database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/22—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/146—Tracing the source of attacks
Abstract
The present invention provides a method and apparatus for situational awareness virtualization. The interfaces that collect data from different information sources are encapsulated so that clients can call them easily. Preprocessing yields a data stream in a unified format; high-frequency itemset elements are extracted from the data stream and high-frequency association rules are generated and passed to situation assessment for quantitative evaluation. By fusing different evaluation systems and applying fuzzy processing to the data elements, the situation values of individual devices and local networks are obtained; combined with the architecture of the whole network, the situation value of the whole system is obtained. The situation values of the different levels are imported into a neural network model for prediction, and the prediction results are finally visualized. The whole network and each individual device are fully assessed, and associations are established between devices and between layers, so that the future state of the system can be predicted scientifically and users are given valuable reference suggestions.
Description
Technical field
This application relates to the technical field of network security, and in particular to a method and apparatus for situational awareness virtualization.
Background art
Next-generation networks, including the Internet of Vehicles, the Internet of Things, cloud networks, the industrial Internet and video surveillance networks, all need to call situational awareness functions, yet building a situational awareness platform is complex and expensive work. Service providers that offer situational awareness services are therefore required to virtualize situational awareness as a plug-in or component that clients can call easily.
Meanwhile, existing situational awareness techniques rely on simple situation understanding to obtain a security situation assessment result for the whole system. They cannot provide a quantitative situation assessment report, let alone predict the security situation from the assessment results, so their practical value is very limited.
The invention is intended not only to assess the whole network and each individual device fully at the algorithmic level, but also, based on the situation values provided, to establish associations between devices and between layers, so that the future state of the system can be predicted scientifically and users are given valuable reference suggestions.
Summary of the invention
The purpose of the present invention is to provide a method and apparatus for situational awareness virtualization. The interfaces that collect data from different information sources are encapsulated so that clients can call them easily. Preprocessing yields a data stream in a unified format; high-frequency itemset elements are extracted from the data stream and high-frequency association rules are generated and passed to situation assessment for quantitative evaluation. By fusing different evaluation systems and applying fuzzy processing to the data elements, the situation values of individual devices and local networks are obtained; combined with the architecture of the whole network, the situation value of the whole system is obtained. The situation values of the different levels are imported into a neural network model for prediction, and the prediction results are finally visualized.
In a first aspect, the application provides a method for situational awareness virtualization, the method comprising:
virtualizing the interfaces capable of receiving different information sources into a single external data interface that other networks can call easily, wherein the different information sources are independent of one another, cannot discover the interfaces of other information sources, and are each adaptively matched to their corresponding interface; and collecting, through the external data interface, running-state data from sensors, information platforms and detection devices of different origins;
after the collected data is received, removing redundant information from the data, converting the data format into a unified format according to the type of source, splitting the data into corresponding fields, and merging it into a data stream;
extracting elements from the merged data stream, finding the behavior action, accessed object, source address and instantaneous traffic size information contained in the elements, mining high-frequency itemsets from them, generating high-frequency association rules from the information corresponding to the high-frequency itemsets, increasing their corresponding weights, and forming a frequent-pattern tree structure;
according to the frequent-pattern tree structure, calling a distributed database to query the situation information of assets with adjacent or similar addresses, the situation information of assets in the same layer as the accessed object, and the situation information of assets with similar traffic rate and total traffic volume;
judging whether an individual key device has the same security vulnerabilities as the assets with adjacent or similar addresses, judging whether the concurrent threads, bandwidth, network topology and access frequency of the individual key device show the same alarms as the assets in its layer, judging whether the inflow growth rate, the distribution ratio of packets of different protocols and the distribution ratio of packets of different sizes of the individual key device show the same changes as the assets with similar traffic rate and total traffic volume, and calculating the security situation value of the individual key device;
forming a local network from several neighboring individual key devices, or from several individual key devices that interact in a service, calling the distributed database again, and, for each key device in the local network, taking its security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inflow growth rate, distribution ratio of packets of different protocols and distribution ratio of packets of different sizes and applying fuzzy processing according to service priority to calculate the security situation value of the local network;
requesting the network topology from a distributed equalization server and, according to the topological relationship of the multiple local networks, calculating the security situation value of the whole network by fuzzy processing;
importing the security situation values of the individual key device, the local network and the whole network separately into a neural network model in the distributed equalization server, performing deduction with the neural network model to obtain a prediction of attacker sources and attack scope for a coming period of time, and returning the prediction result from the distributed equalization server;
sending out the security situation values of the individual key device, the local network and the whole network, together with the prediction results for attacker sources and attack scope, for visual display.
With reference to the first aspect, in a first possible implementation of the first aspect, extracting elements from the merged data stream comprises: calling the assessment models, association rules and indicator library of previous historical data, and extracting element information from the corresponding fields of the data stream.
With reference to the first aspect, in a second possible implementation of the first aspect, the removing of redundant information from the data and the converting of the data format into a unified format according to the type of source are based on MapReduce distributed parallel computing.
With reference to the first aspect, in a third possible implementation of the first aspect, the fuzzy processing calculation is based on a method combining D-S theory with fuzzy sets, and calculates the probability that an attack is supported.
In a second aspect, the application provides an apparatus for situational awareness virtualization, the apparatus comprising:
an external interface unit, for virtualizing the interfaces capable of receiving different information sources into a single external data interface that other networks can call easily, wherein the different information sources are independent of one another, cannot discover the interfaces of other information sources, and are each adaptively matched to their corresponding interface; and for collecting, through the external data interface, running-state data from sensors, information platforms and detection devices of different origins;
a preprocessing unit, for, after the collected data is received, removing redundant information from the data, converting the data format into a unified format according to the type of source, splitting the data into corresponding fields, and merging it into a data stream;
a situation understanding unit, for extracting elements from the merged data stream, finding the behavior action, accessed object, source address and instantaneous traffic size information contained in the elements, mining high-frequency itemsets from them, generating high-frequency association rules from the information corresponding to the high-frequency itemsets, increasing their corresponding weights, and forming a frequent-pattern tree structure;
a situation assessment unit, for calling a distributed database according to the frequent-pattern tree structure to query the situation information of assets with adjacent or similar addresses, the situation information of assets in the same layer as the accessed object, and the situation information of assets with similar traffic rate and total traffic volume; judging whether an individual key device has the same security vulnerabilities as the assets with adjacent or similar addresses, judging whether the concurrent threads, bandwidth, network topology and access frequency of the individual key device show the same alarms as the assets in its layer, judging whether the inflow growth rate, the distribution ratio of packets of different protocols and the distribution ratio of packets of different sizes of the individual key device show the same changes as the assets with similar traffic rate and total traffic volume, and calculating the security situation value of the individual key device;
forming a local network from several neighboring individual key devices, or from several individual key devices that interact in a service, calling the distributed database again, and, for each key device in the local network, taking its security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inflow growth rate, distribution ratio of packets of different protocols and distribution ratio of packets of different sizes and applying fuzzy processing according to service priority to calculate the security situation value of the local network;
requesting the network topology from a distributed equalization server and, according to the topological relationship of the multiple local networks, calculating the security situation value of the whole network by fuzzy processing;
a situation prediction unit, for importing the security situation values of the individual key device, the local network and the whole network separately into a neural network model in the distributed equalization server, performing deduction with the neural network model to obtain a prediction of attacker sources and attack scope for a coming period of time, and returning the prediction result from the distributed equalization server;
a situation output unit, for sending out the security situation values of the individual key device, the local network and the whole network, together with the prediction results for attacker sources and attack scope, for visual display.
With reference to the second aspect, in a first possible implementation of the second aspect, the situation understanding unit extracting elements from the merged data stream comprises: calling the assessment models, association rules and indicator library of previous historical data, and extracting element information from the corresponding fields of the data stream.
With reference to the second aspect, in a second possible implementation of the second aspect, the preprocessing unit's removing of redundant information from the data and converting of the data format into a unified format according to the type of source are based on MapReduce distributed parallel computing.
With reference to the second aspect, in a third possible implementation of the second aspect, the fuzzy processing calculation of the situation assessment unit is based on a method combining D-S theory with fuzzy sets, and calculates the probability that an attack is supported.
The present invention provides a method and apparatus for situational awareness virtualization. The interfaces that collect data from different information sources are encapsulated so that clients can call them easily. Preprocessing yields a data stream in a unified format; high-frequency itemset elements are extracted from the data stream and high-frequency association rules are generated and passed to situation assessment for quantitative evaluation. By fusing different evaluation systems and applying fuzzy processing to the data elements, the situation values of individual devices and local networks are obtained; combined with the architecture of the whole network, the situation value of the whole system is obtained. The situation values of the different levels are imported into a neural network model for prediction, and the prediction results are finally visualized. The whole network and each individual device are fully assessed, and associations are established between devices and between layers, so that the future state of the system can be predicted scientifically and users are given valuable reference suggestions.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Evidently, a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of the method for situational awareness virtualization of the present invention;
Fig. 2 is an architecture diagram of the apparatus for situational awareness virtualization of the present invention.
Detailed description of the embodiments
Preferred embodiments of the present invention are described in detail below with reference to the drawings, so that the advantages and features of the invention can be more easily understood by those skilled in the art and the scope of protection of the invention is defined more clearly.
Fig. 1 is a flowchart of the method for situational awareness virtualization provided by this application, the method comprising:
virtualizing the interfaces capable of receiving different information sources into a single external data interface that other networks can call easily, wherein the different information sources are independent of one another, cannot discover the interfaces of other information sources, and are each adaptively matched to their corresponding interface; and collecting, through the external data interface, running-state data from sensors, information platforms and detection devices of different origins;
after the collected data is received, removing redundant information from the data, converting the data format into a unified format according to the type of source, splitting the data into corresponding fields, and merging it into a data stream;
extracting elements from the merged data stream, finding the behavior action, accessed object, source address and instantaneous traffic size information contained in the elements, mining high-frequency itemsets from them, generating high-frequency association rules from the information corresponding to the high-frequency itemsets, increasing their corresponding weights, and forming a frequent-pattern tree structure;
according to the frequent-pattern tree structure, calling a distributed database to query the situation information of assets with adjacent or similar addresses, the situation information of assets in the same layer as the accessed object, and the situation information of assets with similar traffic rate and total traffic volume;
judging whether an individual key device has the same security vulnerabilities as the assets with adjacent or similar addresses, judging whether the concurrent threads, bandwidth, network topology and access frequency of the individual key device show the same alarms as the assets in its layer, judging whether the inflow growth rate, the distribution ratio of packets of different protocols and the distribution ratio of packets of different sizes of the individual key device show the same changes as the assets with similar traffic rate and total traffic volume, and calculating the security situation value of the individual key device;
forming a local network from several neighboring individual key devices, or from several individual key devices that interact in a service, calling the distributed database again, and, for each key device in the local network, taking its security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inflow growth rate, distribution ratio of packets of different protocols and distribution ratio of packets of different sizes and applying fuzzy processing according to service priority to calculate the security situation value of the local network;
requesting the network topology from a distributed equalization server and, according to the topological relationship of the multiple local networks, calculating the security situation value of the whole network by fuzzy processing;
importing the security situation values of the individual key device, the local network and the whole network separately into a neural network model in the distributed equalization server, performing deduction with the neural network model to obtain a prediction of attacker sources and attack scope for a coming period of time, and returning the prediction result from the distributed equalization server;
sending out the security situation values of the individual key device, the local network and the whole network, together with the prediction results for attacker sources and attack scope, for visual display.
In some preferred embodiments, extracting elements from the merged data stream comprises: calling the assessment models, association rules and indicator library of previous historical data, and extracting element information from the corresponding fields of the data stream.
In some preferred embodiments, the removing of redundant information from the data and the converting of the data format into a unified format according to the type of source are based on MapReduce distributed parallel computing.
In some preferred embodiments, the fuzzy processing calculation is based on a method combining D-S theory with fuzzy sets, and calculates the probability that an attack is supported.
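One way to combine D-S (Dempster-Shafer) theory with fuzzy sets to obtain the support for an attack on an individual key device, given as an added example that is not part of the patent text. The frame {attack, normal}, the ramp membership function, the reliability discounts and the three sample indicator readings are all constructed assumptions; the patent does not specify them.

```python
from collections import defaultdict
from functools import reduce

ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL  # full frame: "cannot tell"


def ramp(x, lo, hi):
    """Fuzzy membership in 'attack-like': 0 at or below lo, 1 at or above hi."""
    if hi <= lo:
        raise ValueError("hi must be greater than lo")
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def to_mass(mu_attack, reliability):
    """Turn a fuzzy membership into a basic probability assignment.

    The unreliable share (1 - reliability) is left on THETA, i.e. committed
    to neither hypothesis (Shafer discounting).
    """
    if not (0.0 <= mu_attack <= 1.0 and 0.0 <= reliability <= 1.0):
        raise ValueError("membership and reliability must lie in [0, 1]")
    return {
        ATTACK: reliability * mu_attack,
        NORMAL: reliability * (1.0 - mu_attack),
        THETA: 1.0 - reliability,
    }


def combine(m1, m2):
    """Dempster's rule of combination for two mass functions."""
    fused, conflict = defaultdict(float), 0.0
    for a, x in m1.items():
        for b, y in m2.items():
            common = a & b
            if common:
                fused[common] += x * y
            else:
                conflict += x * y  # mass that fell on the empty set
    if conflict >= 1.0 - 1e-12:
        raise ValueError("sources are in total conflict; rule is undefined")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}


def belief(mass, hypothesis):
    """Lower bound: mass committed to subsets of the hypothesis."""
    return sum(v for k, v in mass.items() if k <= hypothesis)


def plausibility(mass, hypothesis):
    """Upper bound: mass not contradicting the hypothesis."""
    return sum(v for k, v in mass.items() if k & hypothesis)


# Constructed readings for one device: (value, lo, hi, reliability).
SAMPLE_EVIDENCE = {
    # share of address-adjacent assets with the same vulnerability
    "shared_vulnerability": (0.8, 0.0, 1.0, 0.9),
    # share of same-layer assets raising the same alarm
    "same_layer_alarm": (0.6, 0.0, 1.0, 0.8),
    # inflow growth factor compared with assets of similar traffic
    "inflow_growth": (2.5, 1.0, 3.0, 0.6),
}


def fuse(evidence):
    """Fuse all indicator readings into one mass function."""
    masses = [to_mass(ramp(x, lo, hi), r) for x, lo, hi, r in evidence.values()]
    return reduce(combine, masses)


if __name__ == "__main__":
    fused = fuse(SAMPLE_EVIDENCE)
    print(f"Bel(attack)={belief(fused, ATTACK):.4f} "
          f"Pl(attack)={plausibility(fused, ATTACK):.4f}")
```

The interval between belief and plausibility is the remaining uncertainty; a situation value derived from it should be treated as a ranking signal, since Dempster's rule assumes the evidence sources are independent.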
Fig. 2 is an architecture diagram of the apparatus for situational awareness virtualization provided by this application, the apparatus comprising:
an external interface unit, for virtualizing the interfaces capable of receiving different information sources into a single external data interface that other networks can call easily, wherein the different information sources are independent of one another, cannot discover the interfaces of other information sources, and are each adaptively matched to their corresponding interface; and for collecting, through the external data interface, running-state data from sensors, information platforms and detection devices of different origins;
a preprocessing unit, for, after the collected data is received, removing redundant information from the data, converting the data format into a unified format according to the type of source, splitting the data into corresponding fields, and merging it into a data stream;
a situation understanding unit, for extracting elements from the merged data stream, finding the behavior action, accessed object, source address and instantaneous traffic size information contained in the elements, mining high-frequency itemsets from them, generating high-frequency association rules from the information corresponding to the high-frequency itemsets, increasing their corresponding weights, and forming a frequent-pattern tree structure;
a situation assessment unit, for calling a distributed database according to the frequent-pattern tree structure to query the situation information of assets with adjacent or similar addresses, the situation information of assets in the same layer as the accessed object, and the situation information of assets with similar traffic rate and total traffic volume; judging whether an individual key device has the same security vulnerabilities as the assets with adjacent or similar addresses, judging whether the concurrent threads, bandwidth, network topology and access frequency of the individual key device show the same alarms as the assets in its layer, judging whether the inflow growth rate, the distribution ratio of packets of different protocols and the distribution ratio of packets of different sizes of the individual key device show the same changes as the assets with similar traffic rate and total traffic volume, and calculating the security situation value of the individual key device;
forming a local network from several neighboring individual key devices, or from several individual key devices that interact in a service, calling the distributed database again, and, for each key device in the local network, taking its security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inflow growth rate, distribution ratio of packets of different protocols and distribution ratio of packets of different sizes and applying fuzzy processing according to service priority to calculate the security situation value of the local network;
requesting the network topology from a distributed equalization server and, according to the topological relationship of the multiple local networks, calculating the security situation value of the whole network by fuzzy processing;
a situation prediction unit, for importing the security situation values of the individual key device, the local network and the whole network separately into a neural network model in the distributed equalization server, performing deduction with the neural network model to obtain a prediction of attacker sources and attack scope for a coming period of time, and returning the prediction result from the distributed equalization server;
a situation output unit, for sending out the security situation values of the individual key device, the local network and the whole network, together with the prediction results for attacker sources and attack scope, for visual display.
In some preferred embodiments, the situation understanding unit extracting elements from the merged data stream comprises: calling the assessment models, association rules and indicator library of previous historical data, and extracting element information from the corresponding fields of the data stream.
In some preferred embodiments, the preprocessing unit's removing of redundant information from the data and converting of the data format into a unified format according to the type of source are based on MapReduce distributed parallel computing.
In some preferred embodiments, the fuzzy processing calculation of the situation assessment unit is based on a method combining D-S theory with fuzzy sets, and calculates the probability that an attack is supported.
In a specific implementation, the present invention also provides a computer storage medium, wherein the computer storage medium may store a program which, when executed, may perform some or all of the steps in the embodiments of the present invention. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
Those skilled in the art can clearly understand that the techniques in the embodiments of the present invention can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product, which can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and which includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention or in certain parts of the embodiments.
For the same or similar parts between the embodiments in this specification, reference may be made to one another. In particular, since the embodiments are substantially similar to the method embodiment, they are described relatively briefly; for related details, refer to the description in the method embodiment.
The embodiments of the invention described above do not limit the scope of protection of the invention.
Claims (8)
1. a kind of method of Situation Awareness virtualization, which is characterized in that the described method includes:
By the interface virtual that can receive different information sources at an outbound data interface, facilitate other network calls, difference letter
Breath is mutually independent between source, will not find the interface in other information source, adaptively correspond to the corresponding interface;By external
Data-interface acquires the running state data of the sensor of separate sources, information platform, detecting devices;
After receiving acquisition data, clear data in redundancy according to the type in source be uniformly by Data Format Transform
Format is divided into corresponding field, is merged into data flow;
Element is extracted from the data flow after merging, finds the behavior act for including in element, access object, source person address, wink
When uninterrupted information, therefrom excavate high frequency project team, high frequency correlation rule generated according to the corresponding information of high frequency project team,
Its corresponding weight is increased, the tree-shaped structure of frequent mode is formed;
According to the tree-shaped structure of the frequent mode, distributed data base is called, inquires the adjacent similar assets situation information in address,
The assets situation information and query flows speed of the affiliated same layer of queried access object, the similar assets situation letter of flow total amount
Breath;
Judge that single key equipment with the presence or absence of the identical security breaches of close assets adjacent with address, judges single key equipment
Concurrent thread, bandwidth, network topology, access frequency whether there is alarm identical with affiliated same layer assets, judge single close
The influx growth rate of button apparatus, different agreement data packet distribution proportion, different size data packet distribution proportion whether there is with
Flow speed, the identical variation of flow total amount similar property, calculate the security postures value of single key equipment;
By several neighbouring single key equipments, or according to several the single key equipments for having service interaction, composition office
Portion's network, calls distributed data base again, by the corresponding security breaches of each key equipment and hair line in localized network
Journey, bandwidth, network topology, access frequency, influx growth rate, different agreement data packet distribution proportion and different size data packet
Distribution proportion introduces the security postures value that Fuzzy Processing calculates localized network according to service priority;
Network topology is requested to distributed equalization server, according to the topological relation of multiple localized networks, Fuzzy Processing meter
Calculate the security postures value of whole network;
The security postures value of single key equipment, localized network and whole network is imported in distributed equalization server respectively
Neural network model is deduced by neural network model, obtains following a period of time about attacker source and firing area
Prediction returns to prediction result by distributed equalization server;
Send out the security posture values of the single key device, the local network and the whole network, together with the prediction result for attacker sources and attack range, for visual display.
2. The method according to claim 1, characterized in that extracting elements from the merged data flow comprises: calling the assessment models, association rules and index library of previous historical data, and extracting element information from the corresponding fields of the data flow.
3. The method according to any one of claims 1-2, characterized in that the clearing of redundant information in the data and the conversion of the data format into a unified format according to the type of source are processed based on MapReduce distributed parallel computing.
4. The method according to any one of claims 1-3, characterized in that the fuzzy processing calculation is based on a method combining D-S theory with fuzzy sets, and calculates the probability that an attack is supported.
5. A device for situation awareness virtualization, characterized in that the device comprises:
An external interface unit, for virtualizing the interfaces that can receive different information sources into one outbound data interface, which makes it convenient for other networks to call; the different information sources are independent of one another and cannot discover the interfaces of other information sources, and each adapts to its own corresponding interface; the operating status data of sensors, information platforms and detection devices from different sources is acquired through the outbound data interface;
A preprocessing unit, for, after receiving the acquired data, clearing redundant information in the data, converting the data format into a unified format according to the type of source, dividing the data into corresponding fields, and merging it into a data flow;
A situation understanding unit, for extracting elements from the merged data flow, finding the behavior actions, accessed objects, originator addresses and instantaneous traffic sizes contained in the elements, mining frequent itemsets from them, generating high-frequency association rules according to the information corresponding to the frequent itemsets, increasing their corresponding weights, and forming the tree structure of the frequent patterns;
A situation assessment unit, for calling the distributed database according to the tree structure of the frequent patterns, querying the situation information of similar assets at adjacent addresses, querying the situation information of assets in the same layer as the accessed object, and querying the situation information of assets with similar traffic speed and total traffic volume; judging whether the single key device has the same security vulnerabilities as the similar assets at adjacent addresses; judging whether the concurrent threads, bandwidth, network topology and access frequency of the single key device show the same alarms as the assets in the same layer; judging whether the inflow growth rate, the distribution ratio of packets of different protocols and the distribution ratio of packets of different sizes of the single key device show the same changes as the assets with similar traffic speed and total traffic volume; and calculating the security posture value of the single key device;
Forming a local network from several neighboring single key devices, or from several single key devices that have service interaction; calling the distributed database again; and, for the security vulnerabilities, concurrent threads, bandwidth, network topology, access frequency, inflow growth rate, distribution ratio of packets of different protocols and distribution ratio of packets of different sizes corresponding to each key device in the local network, introducing fuzzy processing according to service priority to calculate the security posture value of the local network;
Requesting the network topology from the distributed equalization server and, according to the topological relationship of the multiple local networks, calculating the security posture value of the whole network by fuzzy processing;
Tendency Prediction unit divides for respectively importing the security postures value of single key equipment, localized network and whole network
Neural network model in cloth equalization server, is deduced by neural network model, obtains following a period of time about attack
The prediction in person source and firing area returns to prediction result by distributed equalization server;
A situation output unit, for sending out the security posture values of the single key device, the local network and the whole network, together with the prediction result for attacker sources and attack range, for visual display.
6. The device according to claim 5, characterized in that the situation understanding unit extracting elements from the merged data flow comprises: calling the assessment models, association rules and index library of previous historical data, and extracting element information from the corresponding fields of the data flow.
7. The device according to any one of claims 5-6, characterized in that the preprocessing unit's clearing of redundant information in the data and conversion of the data format into a unified format according to the type of source are processed based on MapReduce distributed parallel computing.
8. The device according to any one of claims 5-7, characterized in that the fuzzy processing calculation of the situation assessment unit is based on a method combining D-S theory with fuzzy sets, and calculates the probability that an attack is supported.
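Claims 4 and 8 name D-S (Dempster-Shafer) theory combined with fuzzy sets without giving the computation. The following is an added example, not code from the patent, showing one way such a fusion can be carried out for a single key device; the ramp membership function, the per-reading weight (standing in for service priority), the thresholds and the sample readings are all assumptions.

```python
from itertools import product

ATTACK, NORMAL = frozenset({"attack"}), frozenset({"normal"})
THETA = ATTACK | NORMAL  # frame of discernment; mass on THETA means "undecided"

def ramp(x, lo, hi):
    """Assumed fuzzy membership in 'abnormal': 0 below lo, 1 above hi."""
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))

def to_mass(membership, weight):
    """Turn a fuzzy membership into a basic probability assignment.
    weight (0..1) discounts the evidence (Shafer discounting): the
    untrusted share goes to THETA instead of to either hypothesis."""
    return {ATTACK: weight * membership,
            NORMAL: weight * (1.0 - membership),
            THETA: 1.0 - weight}

def combine(m1, m2):
    """Dempster's rule: multiply masses, keep intersections, renormalise."""
    fused, conflict = {}, 0.0
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + wa * wb
        else:
            conflict += wa * wb  # mass assigned to contradictory hypotheses
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}

def attack_support(readings):
    """readings: iterable of (value, lo, hi, weight). Returns Bel(attack)."""
    fused = {THETA: 1.0}  # vacuous belief, the neutral element of the rule
    for value, lo, hi, weight in readings:
        fused = combine(fused, to_mass(ramp(value, lo, hi), weight))
    return fused.get(ATTACK, 0.0)

# Constructed readings for one key device (values and thresholds are made up).
SAMPLE = [
    (0.60, 0.10, 0.80, 0.9),  # inflow growth rate
    (0.35, 0.20, 0.50, 0.7),  # shift in per-protocol packet distribution
    (1.00, 0.00, 1.00, 0.8),  # same vulnerability as an address-adjacent asset
]

if __name__ == "__main__":
    print(f"Bel(attack) = {attack_support(SAMPLE):.4f}")
```

The second reading is ambiguous on its own (membership 0.5), yet the fused belief is still high because the other two sources agree; two fully certain sources that contradict each other raise an error instead of producing a misleading score.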
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910757775.6A CN110493218B (en) | 2019-08-16 | 2019-08-16 | Situation awareness virtualization method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910757775.6A CN110493218B (en) | 2019-08-16 | 2019-08-16 | Situation awareness virtualization method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110493218A (en) | 2019-11-22 |
CN110493218B (en) | 2022-04-08 |
Family
ID=68549782
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910757775.6A Active CN110493218B (en) | 2019-08-16 | 2019-08-16 | Situation awareness virtualization method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110493218B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111866027A (en) * | 2020-08-10 | 2020-10-30 | 武汉思普崚技术有限公司 | Asset safety assessment method and system based on intelligence analysis |
CN113271321A (en) * | 2021-07-20 | 2021-08-17 | 成都信息工程大学 | Propagation prediction processing method and system based on network abnormal attack |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102263410A (en) * | 2010-05-31 | 2011-11-30 | 河南省电力公司 | Security risk assessment model, assessment method and assessment parameter determining method |
CN102624696A (en) * | 2011-12-27 | 2012-08-01 | 中国航天科工集团第二研究院七〇六所 | Network security situation evaluation method |
WO2016172514A1 (en) * | 2015-04-24 | 2016-10-27 | Siemens Aktiengesellschaft | Improving control system resilience by highly coupling security functions with control |
CN107404400A (en) * | 2017-07-20 | 2017-11-28 | 中国电子科技集团公司第二十九研究所 | A kind of network situation awareness implementation method and device |
CN108494810A (en) * | 2018-06-11 | 2018-09-04 | 中国人民解放军战略支援部队信息工程大学 | Network security situation prediction method, apparatus and system towards attack |
CN108769048A (en) * | 2018-06-08 | 2018-11-06 | 武汉思普崚技术有限公司 | A kind of secure visualization and Situation Awareness plateform system |
2019
- 2019-08-16 CN CN201910757775.6A patent/CN110493218B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102263410A (en) * | 2010-05-31 | 2011-11-30 | 河南省电力公司 | Security risk assessment model, assessment method and assessment parameter determining method |
CN102624696A (en) * | 2011-12-27 | 2012-08-01 | 中国航天科工集团第二研究院七〇六所 | Network security situation evaluation method |
WO2016172514A1 (en) * | 2015-04-24 | 2016-10-27 | Siemens Aktiengesellschaft | Improving control system resilience by highly coupling security functions with control |
CN107404400A (en) * | 2017-07-20 | 2017-11-28 | 中国电子科技集团公司第二十九研究所 | A kind of network situation awareness implementation method and device |
CN108769048A (en) * | 2018-06-08 | 2018-11-06 | 武汉思普崚技术有限公司 | A kind of secure visualization and Situation Awareness plateform system |
CN108494810A (en) * | 2018-06-11 | 2018-09-04 | 中国人民解放军战略支援部队信息工程大学 | Network security situation prediction method, apparatus and system towards attack |
Non-Patent Citations (2)
Title |
---|
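Liu Peng et al.: "Large-scale network security situation awareness and prediction", 《计算机安全》 (Computer Security) * |
Gan Wendao et al.: "Network security situation prediction model based on RAN-RBF neural network", 《计算机科学》 (Computer Science) * |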
Also Published As
Publication number | Publication date |
---|---|
CN110493218B (en) | 2022-04-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10855545B2 (en) | Centralized resource usage visualization service for large-scale network topologies | |
Jamshidi et al. | Autonomic resource provisioning for cloud-based software | |
US9647904B2 (en) | Customer-directed networking limits in distributed systems | |
CN104580349B (en) | Secure cloud administration agent | |
CN110445801A (en) | A kind of Situation Awareness method and system of Internet of Things | |
US20160308734A1 (en) | System and method for sla violation mitigation via multi-level thresholds | |
CN110036599A (en) | The programming interface of network health information | |
CN110460608A (en) | A kind of Situation Awareness method and system comprising association analysis | |
CN110474904A (en) | A kind of Situation Awareness method and system improving prediction | |
CN110493043A (en) | A kind of distribution Situation Awareness call method and device | |
CN109840533A (en) | A kind of applied topology figure recognition methods and device | |
Roy et al. | Micro-safe: Microservices-and deep learning-based safety-as-a-service architecture for 6G-enabled intelligent transportation system | |
CN108833389A (en) | A kind of shared processing method and processing device of information data | |
US20130262189A1 (en) | Analyzing metered cost effects of deployment patterns in a networked computing environment | |
CN110493218A (en) | A kind of method and apparatus of Situation Awareness virtualization | |
Rodrigues et al. | Performance and availability evaluation of an smart hospital architecture | |
CN110471975A (en) | A kind of Internet of Things Situation Awareness call method and device | |
Bai et al. | Resilience-driven quantitative analysis of vehicle platooning service | |
Jararweh et al. | Software Defined based smart grid architecture | |
Jacq et al. | The cyber-MAR project: First results and perspectives on the use of hybrid cyber ranges for port cyber risk assessment | |
CN110493217A (en) | A kind of distributed Situation Awareness method and system | |
CN110493044A (en) | A kind of method and system of quantifiable Situation Awareness | |
CN105608380A (en) | Virtual machine lifecycle-based cloud computation security assessing method | |
Liu et al. | A clusterized firewall framework for cloud computing | |
US9929921B2 (en) | Techniques for workload toxic mapping |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||