CN110830467A - Network suspicious asset identification method based on fuzzy prediction - Google Patents
- Publication number: CN110830467A (application CN201911066715.6A)
- Authority
- CN
- China
- Prior art keywords
- asset
- abnormal
- assets
- representing
- data
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/00 Network architectures or network communication protocols for network security; H04L63/20 for managing network security; network security policies in general
- G06F11/30 Monitoring; G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
- G06N7/02 Computing arrangements based on specific mathematical models using fuzzy logic
- G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
- G06Q10/06393 Score-carding, benchmarking or key performance indicator [KPI] analysis
- G06Q40/125 Finance or payroll
Abstract
The invention belongs to the field of network security and relates to a network suspicious asset identification method based on fuzzy prediction, comprising: step 1, scanning a target network segment, acquiring asset information, open-port information and system version information of the assets, and outputting a detailed parameter list of known assets and unknown assets; step 2, an anomaly monitoring module monitors changes of the indices in the asset list; step 3, calculating the trust value of each asset with a fuzzy prediction trust model from the historical data, real-time data, anomaly counts and anomalous data of the parameters in the asset list obtained in step 2; and step 4, analysing the trust value of the asset and identifying suspicious assets. The invention describes the behaviour of assets as a linear (weighted) score by means of a fuzzy prediction algorithm and reduces the false alarm rate of early warnings.
Description
Technical Field
The invention belongs to the field of network security, and particularly relates to a network suspicious asset identification method based on fuzzy prediction.
Background
In recent years information technology has developed rapidly and has profoundly changed the economy and society, and network security incidents of all kinds have increased with it. The release and enforcement of the Cybersecurity Law, the Multi-Level Protection Scheme (等保, MLPS) 1.0 and 2.0 and other laws and policies also call for stronger network security governance and routine network security inspection. All of this shows that cyberspace security administration at the present stage cannot be delayed.
The important work in improving network management capability is to identify network information assets in detail and completely, then formulate a security strategy that covers all network assets, identify suspicious assets in time, close security holes and ensure the security of internal data. Suspicious asset identification matters because the premise of security management is to find out which devices in the chain carry security risks, so that those devices can be protected. Vulnerabilities of known assets can be identified, and in principle so can those of unknown assets; in practice, however, an unknown asset is not managed and therefore often becomes the attacker's entry point or springboard into the core asset area. Such unknown information assets have become a minefield of network security. Clearly identifying known and unknown assets in time and warning about suspicious devices in time can therefore greatly reduce the occurrence of network security incidents.
Software for suspicious asset identification is diverse on the market. A widely used approach at present is to collect, analyse and visualise the security elements that can cause network security incidents: security data such as network traffic, security logs and security alarms are collected, the security state of the target is analysed, and its development trend is predicted with big-data analysis, machine learning, association analysis and so on. From a practical point of view, however, this approach has the following drawbacks:
(1) Big-data analytics for network security data sources identifies anomalies with rule matching, behaviour detection, pattern recognition and similar techniques. Its early warnings are timely, but if the historical data, historical anomaly counts, current anomalous data and current anomaly counts of the suspicious network assets are not combined in one calculation and analysis, the false alarm rate of early warning rises and the security staff who later handle the incidents are burdened with noise.
(2) It lacks a prediction algorithm that jointly considers historical anomalies, real-time anomalous behaviour, historical anomalous data and real-time anomalous data and turns random attack behaviour into objective mathematical statistics.
Disclosure of Invention
The invention aims to provide a network suspicious asset identification method based on fuzzy prediction which describes asset behaviour as a linear (weighted) score by means of a fuzzy prediction algorithm and reduces the false alarm rate of early warning.
To solve the technical problem, the invention adopts the following technical scheme:
the invention provides a network suspicious asset identification method based on fuzzy prediction, comprising the following steps:
step 1, scanning a target network segment, acquiring asset information, open-port information and system version information of the assets, and outputting a detailed parameter list of known assets and unknown assets;
step 2, an anomaly monitoring module monitors changes of the indices in the asset list;
step 3, calculating the trust value of each asset with a fuzzy prediction trust model from the historical data, real-time data, anomaly counts and anomalous data of the parameters in the asset list obtained in step 2;
and step 4, analysing the trust value of the asset and identifying suspicious assets.
Further, after step 4 the method also comprises: adaptively updating the fuzzy prediction trust model and adjusting the abnormal-parameter standard items.
Further, step 1 is implemented as follows:
according to the preconfigured scanning information, the preset scanning information is matched with the corresponding scanning rule; live assets are detected first, then a full-port scan and a system version scan of the live assets are carried out, and a detailed parameter list of known and unknown assets is output. The list comprises the asset IP, open ports, open services, system version information of the asset, CPU occupancy, memory occupancy, disk occupancy, network uplink and downlink bandwidth, and the access peak in the suspicious time period.
Further, the tool for scanning the assets employs NMAP or MASSCAN.
Further, step 2 is implemented as follows:
the anomaly monitoring module performs centralised threshold monitoring of the CPU occupancy, memory occupancy, disk occupancy, network uplink and downlink bandwidth, and access peak in the suspicious time period of the assets in the asset list.
Further, in step 3, from the historical data and real-time data of the CPU occupancy, memory occupancy, disk occupancy, network uplink/downlink bandwidth and access peak in the suspicious time period obtained in step 2, together with the anomaly counts and anomalous data of intranet scanning behaviour and abnormal open-port behaviour, the trust value is calculated with the fuzzy prediction trust model; the specific steps are:
step 3.1, calculate the fuzzy membership of the asset's abnormal-behaviour index. The parameters are: the number of times the asset performed intranet scanning and the number of times the duration of that behaviour was abnormal, the number of times the asset opened an abnormal port, and the number of abnormal time periods of the asset's uplink/downlink bandwidth. The fuzzy membership formula of the abnormal-behaviour index is as follows:
In the formula, $\tilde{C}$ represents the fuzzy set of asset abnormal-behaviour indicators and $\mu_{\tilde{C}}$ its membership function; $N_j$ is the current asset and $j$ the asset number; $f_1(N_j)$ is the abnormal-behaviour set value of asset $N_j$; $N_C$ is the number of key element items of abnormal behaviour and $c$ their kind; $i$ is a natural number; $a_i$ is the weight coefficient of the anomaly count of the $i$-th element; $c_i$ is the logical value of the $i$-th element, equal to 1 when the monitored anomaly count of asset $N_j$ for that element reaches its threshold and 0 otherwise; $a_i^0$ is the weight coefficient for the case in which the asset's anomaly count exceeds the threshold, with $a_i^0 = a_i$; $c_i^0$ is the logical reference value for the anomaly count of the $i$-th element, with $c_i^0 = 1$;
step 3.2, calculate the fuzzy membership of the asset's abnormal-data index. The parameters are the CPU occupancy, memory occupancy and disk occupancy of the asset: the acquired real-time data are compared with the historical data and, if the error exceeds the allowed threshold range, the performance data of the asset are considered abnormal. The fuzzy membership formula of the abnormal-data index is as follows:
In the formula, $\tilde{D}$ represents the fuzzy set of asset abnormal-data indicators and $\mu_{\tilde{D}}$ its membership function; $N_j$ is the current asset and $j$ the asset number; $f_2(N_j)$ is the abnormal-data set value of asset $N_j$; $n_D$ is the number of items whose actually obtained key element data lie outside the allowed error-threshold range; $N_D$ is the number of key element items of abnormal data and $D$ their kind; $k$ is a natural number; $a_k$ is the weight coefficient of the abnormal data of the $k$-th element; $D_k$ is the actual value of the $k$-th element and $D_k^0$ its normal reference value;
step 3.3, integration of the abnormal fuzzy sets
The abnormal-behaviour index membership of step 3.1 and the abnormal-data index membership of step 3.2 are fused with De Morgan's law to obtain the trust value C of the asset; the formula is as follows:
Further, step 4 specifically comprises: when the trust value of the asset leaves the threshold error range, the asset is judged suspicious.
Compared with the prior art, the invention has the following advantages:
1. The network suspicious asset identification method based on fuzzy prediction jointly considers the historical data, historical anomaly counts, current anomalous data, current anomaly peaks and so on of network assets, converts random attack behaviour into objective mathematical statistics, describes asset behaviour as a linear score by means of a mathematical algorithm, identifies and warns about suspicious assets, and lowers the false alarm rate.
2. By continuously collecting and scanning the behaviour of network assets, an abnormal-behaviour index fuzzy set and an abnormal-data index fuzzy set are generated, and the parameter items and parameter weights of the corresponding fuzzy algorithm models can be adaptively adjusted and updated for different network asset environments.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a fuzzy prediction based network suspicious asset identification method according to an embodiment of the present invention;
fig. 2 is a flowchart of a network suspicious asset identification method based on fuzzy prediction according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
The network assets of the present invention include: server, terminal host, printer, facsimile machine, etc.
Example one
As shown in fig. 1, the method for identifying suspicious network assets based on fuzzy prediction according to this embodiment comprises the following steps:
Step S101, scan the target network segment, acquire asset information, open-port information and system version information of the assets, and output a detailed parameter list of known and unknown assets; specifically:
according to the preconfigured scanning information, the preset scanning information is matched with the corresponding scanning rule; live assets are detected first, then a full-port scan and a system version scan of the live assets are carried out, and a detailed parameter list of known and unknown assets is output. The list comprises the asset IP, open ports, open services, system version information of the asset, CPU occupancy, memory occupancy, disk occupancy, network uplink and downlink bandwidth, and the access peak in the suspicious time period. Common asset scanners include NMAP and MASSCAN.
Step S102, the anomaly monitoring module monitors changes of the indices in the asset list; specifically:
the anomaly monitoring module performs centralised threshold monitoring of the CPU occupancy, memory occupancy, disk occupancy, network uplink and downlink bandwidth, and access peak in the suspicious time period of the assets in the asset list. Because the following steps use the monitored index values and describe the CPU occupancy and related performance of the monitored assets as a linear score, the asset information must be monitored continuously; if the data collection command is issued periodically, one polling round can be sent every 60 seconds.
Step S103, from the historical data and real-time data of the CPU occupancy, memory occupancy, disk occupancy, network uplink/downlink bandwidth and access peak in the suspicious time period (non-working hours) obtained in step S102, together with the anomaly counts and anomalous data of intranet scanning behaviour and abnormal open-port behaviour, calculate the trust value with the fuzzy prediction trust model; specifically:
Step S1031, calculate the fuzzy membership of the asset's abnormal-behaviour index. The parameters are: the number of times the asset performed intranet scanning and the number of times the duration of that behaviour was abnormal, the number of times the asset opened an abnormal port, and the number of abnormal time periods of the asset's uplink/downlink bandwidth. The fuzzy membership formula of the abnormal-behaviour index is as follows:
In the formula, $\tilde{C}$ represents the fuzzy set of asset abnormal-behaviour indicators and $\mu_{\tilde{C}}$ its membership function; $N_j$ is the current asset and $j$ the asset number; $f_1(N_j)$ is the abnormal-behaviour set value of asset $N_j$; $N_C$ is the number of key element items of abnormal behaviour and $c$ their kind; $i$ is a natural number; $a_i$ is the weight coefficient of the anomaly count of the $i$-th element; $c_i$ is the logical value of the $i$-th element, equal to 1 when the monitored anomaly count of asset $N_j$ for that element reaches its threshold and 0 otherwise; $a_i^0$ is the weight coefficient for the case in which the asset's anomaly count exceeds the threshold, with $a_i^0 = a_i$; $c_i^0$ is the logical reference value for the anomaly count of the $i$-th element, with $c_i^0 = 1$;
Step S1032, calculate the fuzzy membership of the asset's abnormal-data index. The parameters are the CPU occupancy, memory occupancy and disk occupancy of the asset: the acquired real-time data are compared with the historical data and, if the error exceeds the allowed threshold range, the performance data of the asset are considered abnormal. The fuzzy membership formula of the abnormal-data index is as follows:
In the formula, $\tilde{D}$ represents the fuzzy set of asset abnormal-data indicators and $\mu_{\tilde{D}}$ its membership function; $N_j$ is the current asset and $j$ the asset number; $f_2(N_j)$ is the abnormal-data set value of asset $N_j$; $n_D$ is the number of items whose actually obtained key element data lie outside the allowed error-threshold range; $N_D$ is the number of key element items of abnormal data and $D$ their kind; $k$ is a natural number; $a_k$ is the weight coefficient of the abnormal data of the $k$-th element; $D_k$ is the actual value of the $k$-th element and $D_k^0$ its normal reference value;
Step S1033, integration of the abnormal fuzzy sets
The abnormal-behaviour index membership of step S1031 and the abnormal-data index membership of step S1032 are fused with De Morgan's law to obtain the trust value C of the asset; the formula is as follows:
Steps S1031 and S1032 yield two values, the abnormal-behaviour index membership and the abnormal-data index membership of the asset. Since an attack is often well concealed, several rounds of monitoring and analysis may be needed before a suspicious-asset warning is issued; combining the two memberships both lowers the false alarm rate and preserves warning speed. The two memberships are therefore integrated with De Morgan's law. Suppose A is the abnormal-behaviour index membership of the asset, initially 1, B the abnormal-data index membership, initially 1, and C the trust value. If A leaves the threshold error range in the 20th monitoring round, A becomes 0 and the abnormal-behaviour fuzzy set is marked as warning at round 20; if B leaves the threshold error range only in the 30th round, B becomes 0 at round 30. The integrated warning starts with the result of the 20th round: a suspicious-asset warning is issued as soon as the first value of C is 0.
Step S104, analyse the trust value of the assets and identify suspicious assets;
when the trust value of an asset leaves the threshold error range, the asset is judged suspicious.
Step S105, adaptive updating of the fuzzy prediction trust model and adjustment of the abnormal-parameter standard items. For example: when security operations staff apply the method, they manually check the current state of the target asset according to the trust value finally calculated by the system and the warning issued. The concrete investigation of whether the asset was attacked and the search for Trojans and backdoors must be completed manually. Suppose a warned host, on inspection, shows no backdoor or suspicious information, but its CPU utilisation has reached 90%, and only recently; if the operations check finds that the system started a necessary program, the weight of the CPU-utilisation parameter should be lowered according to this false alarm. For this adjustment the system front end reserves a parameter-weight configuration interface through which the user sets the weight of each performance index.
For ease of understanding, the following description will be made with reference to a specific example.
Example two
As shown in fig. 2, the method for identifying suspicious network assets based on fuzzy prediction according to this embodiment comprises the following three stages:
First, the stage of obtaining key element index values
Port detection is carried out on the configured network segment; scanners such as Nmap and MASSCAN can be called for IP survival detection and full-port scanning. IPs, open ports and services are identified and matched, and a monitor records the CPU, disk and memory utilisation, network uplink/downlink bandwidth and similar parameters of each identified host. The process data are output in the following format: { <target IP, version information, port information>: <target IP, CPU occupancy, weight coefficient>, <target IP, disk occupancy, weight coefficient>, <target IP, memory occupancy, weight coefficient>, <target IP, uplink bandwidth, weight coefficient>, … }.
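The first stage above (and step S101 of Example one) reduces to parsing the scanner's report into the asset list. The following Python is an added example and not code from the patent: it reads an nmap XML report (the `nmap -oX` format), keeps the hosts reported up together with their open ports, service/product/version strings and best OS match, and splits them into known and unknown assets against an inventory. The report, the inventory and the baseline port sets are constructed for the example. A port that is open on a known asset but absent from its baseline is reported as one "abnormal open port" event, which is what the behaviour index of the trust model counts.

```python
"""Added example: step 1 of the method, parsing an nmap XML report into the asset list."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed nmap -oX output for a /24 scan: two live hosts and one that is down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -p- 192.168.10.0/24">
<host><status state="up"/><address addr="192.168.10.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
</host>
<host><status state="up"/><address addr="192.168.10.77" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="4444"><state state="open"/><service name="krb524"/></port>
</ports>
</host>
<host><status state="down"/><address addr="192.168.10.9" addrtype="ipv4"/></host>
</nmaprun>
"""

# Hypothetical asset inventory: IP -> baseline set of ports expected to be open.
INVENTORY: Dict[str, Set[int]] = {"192.168.10.5": {22, 80}}


@dataclass
class Asset:
    ip: str
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> service label
    os_version: str = "unknown"
    known: bool = False
    new_ports: Set[int] = field(default_factory=set)  # open ports missing from the baseline


def parse_nmap_xml(xml_text: str) -> List[Asset]:
    """Survival detection plus full-port/version scan results: keep hosts reported up,
    their open ports with service/product/version, and the best OS match."""
    assets: List[Asset] = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        asset = Asset(ip=addr.get("addr"))
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the asset's exposure
            svc = port.find("service")
            label = "unknown"
            if svc is not None:
                label = " ".join(v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            asset.open_ports[int(port.get("portid"))] = label
        osmatch = host.find("os/osmatch")
        if osmatch is not None:
            asset.os_version = osmatch.get("name", "unknown")
        assets.append(asset)
    return assets


def classify(assets: List[Asset], inventory: Dict[str, Set[int]]) -> List[Asset]:
    """Split known assets (present in the inventory) from unknown ones and, for known
    assets, record open ports absent from the baseline: each such port is one
    'abnormal open port' event for the behaviour index of the trust model."""
    for asset in assets:
        baseline = inventory.get(asset.ip)
        if baseline is not None:
            asset.known = True
            asset.new_ports = set(asset.open_ports) - baseline
    return assets


def scan_report(xml_text: str = SAMPLE_NMAP_XML, inventory=INVENTORY) -> Dict[str, Asset]:
    """Run the parse + classify pipeline and index the result by IP."""
    return {a.ip: a for a in classify(parse_nmap_xml(xml_text), inventory)}


if __name__ == "__main__":
    for ip, a in scan_report().items():
        kind = "known" if a.known else "UNKNOWN"
        print(f"{ip:15} {kind:8} os={a.os_version!r} ports={sorted(a.open_ports)} new={sorted(a.new_ports)}")
```

The CPU, memory, disk and bandwidth fields of the output record described in the text come from the monitor rather than the scanner; they are joined to these records by IP, and the host 192.168.10.77 with an unexplained listener on 4444/tcp is exactly the unmanaged asset the background section warns about.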
Second, fuzzy algorithm prediction stage
On the basis of obtaining the key elements, taking the elements in the target information data set as the key elements of fuzzy prediction, and setting corresponding safety early warning threshold values according to different weight coefficients distributed by the elements, wherein the elements which are generally larger than the set threshold values are abnormal data, specifically the following steps are carried out:
fuzzy set: in fuzzy set theoryUsually, it is only said to how much an element belongs to a fuzzy set, and it can be characterized by the membership function of the fuzzy set. I.e. assuming that U is the domain of discourse,is a fuzzy subset of U Membership function ofIs defined as U→[0,1]Where a whole universe of discussion objects, i.e. domains, of U belongs to [0,1 ]]In a particular application, X is a particular numerical value, X is a set, and X ∈ X;
determining whether a certain network asset is attacked, respectively detecting two index membership degrees of the asset by a fuzzy prediction algorithm, and respectively using the mapping f1:U→C,f2U → D, U denotes the asset set, C denotes the asset behavior fuzzy set, and D denotes the data fuzzy set.
Suppose thatRepresenting a fuzzy set of asset abnormal behavior indicators,representing a fuzzy set of asset anomaly data indicators, asset NjIndex set value f ofm(Nj) J ═ 1,2,3,4 …; m-1, 2, j represents key element item of the asset, m-1 represents asset behavior, m-2 represents asset data and is subordinate toAre defined as follows:
1. the fuzzy membership formula of the abnormal behavior index of the asset is as follows:
representing a fuzzy set of asset abnormal behavior indicators,to representMembership function of, NjRepresenting the current asset, j representing the asset number, f1(Nj) Representing a current asset NjAbnormal behavior set value of, NCThe number of key element items representing abnormal behaviors, c the types of key element items representing abnormal behaviors, i natural numbers, aiWeight coefficient representing the number of abnormal behaviors of the i-th element, ciLogic value representing the ith element, monitoring the current property NjThe number of abnormality reaches a threshold value or more ciI.e. 1, otherwise 0, ai 0A weight coefficient indicating that the number of anomalies occurring to the asset is more than a threshold value, ai 0And aiEqual, ci 0A logical reference value representing the number of times the element of item i is behaving abnormally, ci 0The value is 1; the key elements of the abnormal behavior are abnormal scanning, abnormal peak value, abnormal port opening and the like.
2. The fuzzy membership formula of the asset's abnormal-data index uses the following quantities: D represents the fuzzy set of asset abnormal-data indicators, and its membership function is evaluated on the current asset; N_j represents the current asset and j the asset number; f_2(N_j) represents the abnormal-data set value of the current asset N_j; n_D is the number of items whose actually acquired key element data lie outside the allowed range of the error threshold; N_D is the number of key element items of abnormal data; D is the kind of key element item of abnormal data; k is a natural number; a_k is the weight coefficient of the abnormal data of the k-th item; D_k is the actual value of the k-th item; D_k^0 is the normal reference value of the k-th item. The key element items of abnormal data comprise the various asset performance indexes.
3. Abnormal fuzzy set integration
The two membership degrees of the asset are integrated by De Morgan's law to obtain the trust value C of the asset.
Third, asset display stage
The suspicious assets obtained from the calculation are displayed by the scanning system, including the total number of assets, a suspicious-asset early-warning display, an asset trust value display and an asset service display; the system also supports updating the key element types, their weight coefficients and the key element thresholds.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Claims (7)
1. A network suspicious asset identification method based on fuzzy prediction is characterized by comprising the following steps:
step 1, scanning a target network segment, acquiring asset information, open port information and asset system version information, and outputting a detailed parameter list of known assets and unknown assets;
step 2, an anomaly monitoring module monitors index changes in the asset list;
step 3, calculating the trust value of the asset with a fuzzy prediction trust model from the historical data and real-time data of the parameters in the asset list acquired in step 2, together with the number of anomalies and the abnormal data;
step 4, analysing the trust value of the asset and identifying suspicious assets.
2. The fuzzy prediction based network suspicious asset identification method according to claim 1, further comprising, after step 4: adaptively updating the fuzzy prediction trust model and adjusting the abnormal parameter standard items.
3. The method for identifying suspicious assets in a network based on fuzzy prediction according to claim 1, wherein the specific implementation process of the step 1 is as follows:
according to the preconfigured scanning information, the preset scanning information is matched with the corresponding scanning rule; live assets are detected first, then a full-port scan and a system version scan of the live assets are carried out, and a detailed parameter list of known assets and unknown assets is output, the detailed parameter list comprising asset IP, open ports, open services, system version information of the asset, CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and the access peak value of the suspicious time period.
4. The method according to claim 3, wherein the tool for scanning assets is NMAP or MASSCAN.
5. The method for identifying suspicious assets in a network based on fuzzy prediction according to claim 3, wherein the step 2 is implemented by the following steps:
the anomaly monitoring module performs centralised threshold monitoring of the CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and access peak value of the suspicious time period for the assets in the asset list.
6. The method for identifying suspicious assets on a network based on fuzzy prediction according to claim 5, wherein in step 3 the trust value of the asset is calculated with the fuzzy prediction trust model from the historical data and real-time data of the CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and access peak value of the suspicious time period of the assets obtained in step 2, together with the number of anomalies and the abnormal data of intranet scanning behaviour and abnormal port opening behaviour; the specific steps are:
step 3.1, calculating the fuzzy membership degree of the asset's abnormal-behaviour index, whose parameter basis is: the occurrence of intranet scanning behaviour by the asset and the number of anomalies in the duration of that behaviour, the number of times the asset opens abnormal ports, and the number of abnormal time periods of the asset's uplink and downlink bandwidth; the fuzzy membership formula of the abnormal-behaviour index uses the following quantities:
C represents the fuzzy set of asset abnormal-behaviour indicators, and its membership function is evaluated on the current asset; N_j represents the current asset,
j denotes the asset number, f_1(N_j) represents the abnormal-behaviour set value of the current asset N_j, N_C the number of key element items of abnormal behaviour, c the kind of key element item of abnormal behaviour, i a natural number, a_i the weight coefficient of the number of abnormal behaviours of the i-th item, c_i the logic value of the i-th item, a_i^0 the weight coefficient for the case where the asset's anomaly count exceeds the threshold, with a_i^0 equal to a_i, and c_i^0 the logical reference value for the number of abnormal behaviours of the i-th item, with c_i^0 equal to 1;
step 3.2, calculating the fuzzy membership degree of the asset's abnormal-data index, whose parameter basis is: the acquired real-time data of the asset's CPU occupancy rate, memory occupancy rate and disk occupancy rate are compared with the historical data, and if the error exceeds the allowed threshold range the asset's performance data are considered abnormal; the fuzzy membership formula of the abnormal-data index uses the following quantities:
D represents the fuzzy set of asset abnormal-data indicators, and its membership function is evaluated on the current asset; N_j represents the current asset, j the asset number, f_2(N_j) the abnormal-data set value of the current asset N_j, n_D the number of items whose actually acquired key element data lie outside the allowed range of the error threshold, N_D the number of key element items of abnormal data, D the kind of key element item of abnormal data, k a natural number, a_k the weight coefficient of the abnormal data of the k-th item, D_k the actual value of the k-th item, and D_k^0 the normal reference value of the k-th item;
step 3.3, abnormal fuzzy set integration:
the abnormal-behaviour index fuzzy membership degree of the asset from step 3.1 and the abnormal-data index fuzzy membership degree of the asset from step 3.2 are fused according to De Morgan's law to calculate the trust value C of the asset.
7. The method for identifying suspicious assets over a network based on fuzzy prediction according to claim 6, wherein step 4 specifically comprises: when the trust value of the asset deviates from the threshold range by more than the allowed error, the asset is judged suspicious.
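The description (abnormal-behaviour membership, abnormal-data membership, De Morgan integration) and claims 6 and 7 above describe one scoring pipeline. The following is an added example by the editor, not code from the patent or its applicant. Because the patent's formulas are not reproduced in this record, the concrete rules below are an assumed reading of the variable definitions: the behaviour membership as the ratio of weighted sums Σa_i·c_i / Σa_i^0·c_i^0 (with a_i^0 = a_i, c_i^0 = 1), the data membership as a weighted, clipped relative deviation over the items outside their error tolerance, De Morgan fusion with Zadeh's max/min operators (trust = 1 − (μ_C ∨ μ_D) = (1 − μ_C) ∧ (1 − μ_D)), and "trust below a threshold" as the suspicious decision rule. All host addresses, readings, weights and thresholds are constructed sample data.

```python
"""Fuzzy-prediction trust scoring of network assets (editor's example).

ASSUMED reading of the patent's variable definitions (formulas not on the page):
  mu_C  = sum(a_i * c_i) / sum(a_i^0 * c_i^0),  a_i^0 = a_i,  c_i^0 = 1
  mu_D  = sum over out-of-tolerance items k of a_k * min(1, |D_k - D_k^0| / D_k^0),
          divided by sum(a_k)
  trust = 1 - (mu_C OR mu_D) = (1 - mu_C) AND (1 - mu_D)   (De Morgan, Zadeh max/min)
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BehaviorIndicator:
    """Key element item of abnormal behaviour (scanning, port opening, peaks)."""
    name: str
    weight: float    # a_i
    count: int       # abnormal occurrences observed in the monitoring window
    threshold: int   # c_i = 1 once count >= threshold, else 0


@dataclass
class DataIndicator:
    """Key element item of abnormal data (CPU, memory, disk occupancy ...)."""
    name: str
    weight: float     # a_k
    actual: float     # D_k, real-time reading
    reference: float  # D_k^0, normal reference derived from historical data
    tolerance: float  # allowed relative error before the item counts as abnormal


def behavior_membership(items: List[BehaviorIndicator]) -> float:
    """mu_C(N_j): weighted share of behaviour items whose count reached its threshold."""
    if not items:
        return 0.0
    triggered = sum(b.weight for b in items if b.count >= b.threshold)  # sum a_i * c_i
    reference = sum(b.weight for b in items)                             # sum a_i^0 * c_i^0
    return triggered / reference


def data_membership(items: List[DataIndicator]) -> float:
    """mu_D(N_j): weighted, clipped relative deviation of the out-of-tolerance items."""
    if not items:
        return 0.0
    total = 0.0
    for d in items:
        if d.reference == 0.0:
            # No meaningful relative error; any non-zero reading is treated as fully abnormal.
            deviation = 0.0 if d.actual == 0.0 else 1.0
        else:
            deviation = abs(d.actual - d.reference) / d.reference
        if deviation > d.tolerance:            # this item is one of the n_D abnormal items
            total += d.weight * min(1.0, deviation)
    return total / sum(d.weight for d in items)


def trust_value(mu_c: float, mu_d: float) -> float:
    """De Morgan fusion: complement of the union of the two abnormal fuzzy sets."""
    return min(1.0 - mu_c, 1.0 - mu_d)


def score_asset(behaviour, data, trust_threshold: float = 0.6) -> Dict[str, object]:
    """Steps 3 and 4: compute both memberships, fuse them, flag low-trust assets."""
    mu_c = behavior_membership(behaviour)
    mu_d = data_membership(data)
    trust = trust_value(mu_c, mu_d)
    return {"mu_c": mu_c, "mu_d": mu_d, "trust": trust,
            "suspicious": trust < trust_threshold}  # ASSUMED decision rule for claim 7


# Constructed sample inventory: hypothetical hosts, readings, weights and thresholds.
SAMPLE_INVENTORY = {
    "10.0.0.5": (
        [BehaviorIndicator("intranet_scan", 0.5, count=3, threshold=2),
         BehaviorIndicator("abnormal_port_open", 0.3, count=0, threshold=1),
         BehaviorIndicator("bandwidth_peak", 0.2, count=1, threshold=2)],
        [DataIndicator("cpu_pct", 0.4, actual=95.0, reference=40.0, tolerance=0.25),
         DataIndicator("mem_pct", 0.3, actual=62.0, reference=60.0, tolerance=0.25),
         DataIndicator("disk_pct", 0.3, actual=70.0, reference=50.0, tolerance=0.25)],
    ),
    "10.0.0.8": (
        [BehaviorIndicator("intranet_scan", 0.5, count=0, threshold=2),
         BehaviorIndicator("abnormal_port_open", 0.3, count=0, threshold=1),
         BehaviorIndicator("bandwidth_peak", 0.2, count=1, threshold=2)],
        [DataIndicator("cpu_pct", 0.4, actual=42.0, reference=40.0, tolerance=0.25),
         DataIndicator("mem_pct", 0.3, actual=58.0, reference=60.0, tolerance=0.25),
         DataIndicator("disk_pct", 0.3, actual=50.0, reference=50.0, tolerance=0.25)],
    ),
}


def score_inventory(inventory=SAMPLE_INVENTORY, trust_threshold: float = 0.6):
    """Score every asset; returns {ip: result} for the asset display stage."""
    return {ip: score_asset(b, d, trust_threshold) for ip, (b, d) in inventory.items()}


if __name__ == "__main__":
    for ip, r in score_inventory().items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{ip}: mu_C={r['mu_c']:.2f} mu_D={r['mu_d']:.2f} trust={r['trust']:.2f} {flag}")
```

With the sample data, 10.0.0.5 trips the intranet-scan count and has CPU and disk readings outside tolerance, giving μ_C = 0.5, μ_D = 0.52 and trust 0.48, so it is flagged; 10.0.0.8 stays at trust 1.0. The weights, thresholds and tolerances are ordinary parameters, which is what the adaptive update of claim 2 would adjust.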
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911066715.6A CN110830467A (en) | 2019-11-04 | 2019-11-04 | Network suspicious asset identification method based on fuzzy prediction |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911066715.6A CN110830467A (en) | 2019-11-04 | 2019-11-04 | Network suspicious asset identification method based on fuzzy prediction |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110830467A true CN110830467A (en) | 2020-02-21 |
Family
ID=69552655
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911066715.6A Pending CN110830467A (en) | 2019-11-04 | 2019-11-04 | Network suspicious asset identification method based on fuzzy prediction |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110830467A (en) |
- 2019-11-04: CN application CN201911066715.6A (CN110830467A), status Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106888194A (en) * | 2015-12-16 | 2017-06-23 | 国家电网公司 | Intelligent grid IT assets security monitoring systems based on distributed scheduling |
CN110213212A (en) * | 2018-05-24 | 2019-09-06 | 腾讯科技(深圳)有限公司 | A kind of classification method and device of equipment |
CN108810034A (en) * | 2018-08-20 | 2018-11-13 | 杭州安恒信息技术股份有限公司 | A kind of safety protecting method of industrial control system information assets |
CN110324310A (en) * | 2019-05-21 | 2019-10-11 | 国家工业信息安全发展研究中心 | Networked asset fingerprint identification method, system and equipment |
Non-Patent Citations (1)
Title |
---|
曹晓梅: "基于模糊预测的无线传感器网络信任模型", 《计算机应用》 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111352761A (en) * | 2020-02-28 | 2020-06-30 | 北京天融信网络安全技术有限公司 | Vehicle detection method and device, storage medium and electronic equipment |
CN111352761B (en) * | 2020-02-28 | 2023-07-04 | 北京天融信网络安全技术有限公司 | Vehicle detection method and device, storage medium and electronic equipment |
CN112118152A (en) * | 2020-09-02 | 2020-12-22 | 紫光云(南京)数字技术有限公司 | Distributed architecture for realizing rapid scanning of network assets |
CN114745128A (en) * | 2022-03-28 | 2022-07-12 | 中国人民解放军战略支援部队信息工程大学 | Trust evaluation method and device for network terminal equipment |
CN115242463A (en) * | 2022-06-30 | 2022-10-25 | 北京华顺信安科技有限公司 | Network asset dynamic change monitoring method and system and computer equipment |
CN115242463B (en) * | 2022-06-30 | 2023-06-09 | 北京华顺信安科技有限公司 | Method, system and computer equipment for monitoring dynamic change of network asset |
CN115909674A (en) * | 2023-02-13 | 2023-04-04 | 成都秦川物联网科技股份有限公司 | Alarm and gas meter linkage method based on intelligent gas and Internet of things system |
US11989007B2 (en) | 2023-02-13 | 2024-05-21 | Chengdu Qinchuan Iot Technology Co., Ltd. | Methods for linkage between alarm based on gas and gas meter and internet of things systems thereof |
CN117724928A (en) * | 2023-12-15 | 2024-03-19 | 谷技数据(武汉)股份公司 | Intelligent operation and maintenance visual monitoring method and system based on big data |
Similar Documents
Publication | Title |
---|---|
CN110830467A (en) | Network suspicious asset identification method based on fuzzy prediction |
CN114584405B (en) | Electric power terminal safety protection method and system |
Xia et al. | An efficient network intrusion detection method based on information theory and genetic algorithm |
CN102098180B (en) | Network security situational awareness method |
JP2019145107A (en) | Cyber threat defense system protecting e-mail network using machine learning model |
CN112804196A (en) | Log data processing method and device |
CN111629006B (en) | Malicious flow updating method fusing deep neural network and hierarchical attention mechanism |
CN112819336A (en) | Power monitoring system network threat-based quantification method and system |
CN111669384B (en) | Malicious flow detection method integrating deep neural network and hierarchical attention mechanism |
CN112491779B (en) | Abnormal behavior detection method and device and electronic equipment |
KR101692982B1 (en) | Automatic access control system of detecting threat using log analysis and automatic feature learning |
CN111669385B (en) | Malicious traffic monitoring system fusing deep neural network and hierarchical attention mechanism |
CN116366374B (en) | Security assessment method, system and medium for power grid network management based on big data |
CN113554330A (en) | Training method and application method of security situation perception model of hydrological information platform |
CN113612625A (en) | Network fault positioning method and device |
CN115021997A (en) | Network intrusion detection system based on machine learning |
CN114172699A (en) | Industrial control network security event correlation analysis method |
CN117478433A (en) | Network and information security dynamic early warning system |
CN117370548A (en) | User behavior risk identification method, device, electronic equipment and medium |
CN116886335A (en) | Data security management system |
Selim et al. | Intrusion detection using multi-stage neural network |
CN115766096A (en) | Network security protection system based on big data |
CN115567241A (en) | Multi-site network perception detection system |
CN117807590B (en) | Information security prediction and monitoring system and method based on artificial intelligence |
CN117376030B (en) | Flow anomaly detection method, device, computer equipment and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200221 |