CN110830467A - Network suspicious asset identification method based on fuzzy prediction - Google Patents


Info

Publication number
CN110830467A
Authority
CN
China
Prior art date
Legal status
Pending
Application number
CN201911066715.6A
Other languages
Chinese (zh)
Inventor
卜佑军
沈何阳
周锟
袁征
陈博
白冰
伊鹏
马海龙
胡宇翔
胡静萍
张桥
Current Assignee
Information Engineering University of PLA Strategic Support Force
Network Communication and Security Zijinshan Laboratory
Original Assignee
Information Engineering University of PLA Strategic Support Force
Network Communication and Security Zijinshan Laboratory
Priority date
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force and Network Communication and Security Zijinshan Laboratory
Priority to CN201911066715.6A
Publication of CN110830467A
Legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 7/00 Computing arrangements based on specific mathematical models
    • G06N 7/02 Computing arrangements based on specific mathematical models using fuzzy logic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 10/00 Administration; Management
    • G06Q 10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 10/00 Administration; Management
    • G06Q 10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q 10/063 Operations research, analysis or management
    • G06Q 10/0639 Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G06Q 10/06393 Score-carding, benchmarking or key performance indicator [KPI] analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q 40/12 Accounting
    • G06Q 40/125 Finance or payroll


Abstract

The invention belongs to the field of network security and particularly relates to a network suspicious asset identification method based on fuzzy prediction, which comprises the following steps: step 1, scan a target network segment, acquire asset information, open port information and asset system version information, and output a detailed parameter list of known assets and unknown assets; step 2, an anomaly monitoring module monitors index changes in the asset list; step 3, calculate the trust value of the asset with a fuzzy prediction trust model from the historical data and real-time data, the anomaly counts and the abnormal data of the parameters in the asset list acquired in step 2; and step 4, analyze the trust value of the asset and identify suspicious assets. The invention depicts the behavior of the assets linearly in the form of a fuzzy prediction algorithm and reduces the false alarm rate of early warning.

Description

Network suspicious asset identification method based on fuzzy prediction
Technical Field
The invention belongs to the field of network security, and particularly relates to a network suspicious asset identification method based on fuzzy prediction.
Background
In recent years, information technology has developed rapidly and has profoundly changed the economy and society, and network security incidents have increased along with it. The release and enforcement of the Network Security Law and of the classified protection standards (MLPS 1.0 and 2.0) also call for stronger network security governance and routine network security inspection. All of this shows that the governance of cyberspace security at the present stage brooks no delay.
Identifying network information assets in detail and completely is the key to improving network management capability; on that basis a security strategy covering all network assets can be formulated, suspicious assets identified in time, security holes blocked and internal data kept secure. Suspicious asset identification matters because the premise of security management is knowing which devices and links carry security risks, so that protection can be applied to them. Since the vulnerabilities of known assets can be identified, the vulnerabilities of unknown assets can also be identified. Often, however, an unknown asset becomes an entry point or springboard for a network attacker precisely because it is unmanaged, and from there the attacker moves into the core asset area. Such unknown information assets have become a minefield of network security. Therefore, if known and unknown assets are clearly identified in time and suspicious equipment is warned about in time, the occurrence of network security incidents can be greatly reduced.
Software for suspicious asset identification is diverse on the market. The widely used approach at present is to acquire, analyze and visualize the security elements that can cause network security incidents: security data such as network traffic, security logs and security alarms are collected, the security state of the target is analyzed, and its development trend is predicted using big data analysis, machine learning, association analysis and the like. From a practical point of view, however, this approach has the following drawbacks:
(1) Big data analysis techniques for network security data sources identify anomalies using rule matching, behavior detection, pattern recognition and other techniques. Such techniques warn quickly, but if the historical data, historical anomaly counts, current abnormal data and current anomaly counts of the suspicious network assets are not combined in a comprehensive calculation and analysis, the false alarm rate of the early warning rises, and security personnel handling the incidents afterwards are burdened with spurious alerts.
(2) These methods lack a prediction algorithm that comprehensively considers historical anomalies, real-time abnormal behavior, historical abnormal data and real-time abnormal data, and that converts random abnormal attack behavior into objective mathematical statistics.
Disclosure of Invention
The invention aims to provide a network suspicious asset identification method based on fuzzy prediction, which depicts asset behavior linearly in the form of a fuzzy prediction algorithm and reduces the false alarm rate of early warning.
In order to solve the technical problems, the invention adopts the following technical scheme:
the invention provides a network suspicious asset identification method based on fuzzy prediction, which comprises the following steps:
step 1, scan a target network segment, acquire asset information, open port information and asset system version information, and output a detailed parameter list of known assets and unknown assets;
step 2, an anomaly monitoring module monitors index changes in the asset list;
step 3, calculate the trust value of the asset with a fuzzy prediction trust model from the historical data and real-time data, the anomaly counts and the abnormal data of the parameters in the asset list acquired in step 2;
and step 4, analyze the trust value of the asset and identify suspicious assets.
Further, after step 4 the method also comprises: adaptively updating the fuzzy prediction trust model and adjusting the abnormal parameter standard items.
Further, step 1 is implemented as follows:
according to the preconfigured scanning information, the preset scanning information is matched with the corresponding scanning rule; live assets are detected first, then full-port scanning and system version scanning of the live assets are carried out, and a detailed parameter list of known and unknown assets is output, comprising asset IP, open ports, open services, system version information of the assets, CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and the access peak value of the suspicious time period.
Further, the tool for scanning the assets is NMAP or MASSCAN.
Further, step 2 is implemented as follows:
the anomaly monitoring module performs centralized threshold monitoring of the CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and suspicious-period access peak value of the assets in the asset list.
Further, in step 3, from the historical and real-time data of the CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and suspicious-period access peak value of the asset obtained in step 2, the anomaly counts and abnormal data of intranet scanning behavior and abnormal port opening behavior are evaluated with the fuzzy prediction trust model; the specific steps are as follows:
step 3.1, calculate the fuzzy membership degree of the asset's abnormal behavior index. The parameters are: the number of times the asset performs intranet scanning and the number of abnormal durations of that behavior, the number of times the asset opens abnormal ports, and the number of abnormal time periods in the asset's uplink and downlink bandwidth. The fuzzy membership formula of the abnormal behavior index is as follows:
Figure BDA0002259601360000031
where the fuzzy set of asset abnormal behavior indicators is denoted by the symbol in the figure,
Figure BDA0002259601360000033
represents the membership function of
Figure BDA0002259601360000034
N_j represents the current asset and j the asset number; f_1(N_j) represents the abnormal behavior set value of the current asset N_j; N_C represents the number of key element items of abnormal behavior, c the kind of key element item of abnormal behavior, and i a natural number; a_i represents the weight coefficient of the number of abnormal behaviors of the i-th element and c_i the logical value of the i-th element; a_i^0 is the weight coefficient for the case where the asset's anomaly count exceeds the threshold, with a_i^0 equal to a_i; c_i^0 is the logical reference value for the number of abnormal behaviors of the i-th element, with c_i^0 = 1;
step 3.2, calculate the fuzzy membership degree of the asset's abnormal data index. The parameters are the abnormal data of the asset's CPU occupancy rate, memory occupancy rate and disk occupancy rate: the acquired real-time data are compared with the historical data, and if the error exceeds the allowable threshold range the asset's performance data are considered abnormal. The fuzzy membership formula of the abnormal data index is as follows:
Figure BDA0002259601360000041
when the deviation in the formula is within the allowable error range, and otherwise;
Figure BDA0002259601360000044
represents the fuzzy set of asset abnormal data indicators, the membership function being that of
Figure BDA0002259601360000046
N_j represents the current asset and j the asset number; f_2(N_j) represents the abnormal data set value of the current asset N_j; n_D represents the number of items whose actually obtained key element data are not within the allowable error threshold range; N_D represents the number of key element items of abnormal data, D the kind of key element item of abnormal data, and k a natural number; a_k represents the weight coefficient of the abnormal data of the k-th element, D_k the actual value of the k-th element, and
Figure BDA0002259601360000047
the normal reference value of the k-th element;
step 3.3, integration of the abnormal fuzzy sets
The fuzzy membership degree of the asset's abnormal behavior index from step 3.1 and the fuzzy membership degree of the asset's abnormal data index from step 3.2 are fused by De Morgan's law to calculate the trust value C of the asset, with the following formula:
Figure BDA0002259601360000048
further, step 4 specifically comprises: when the trust value of the asset falls outside the threshold error range, the asset is judged to be suspicious.
Compared with the prior art, the invention has the following advantages:
1. The network suspicious asset identification method based on fuzzy prediction comprehensively considers the historical data, historical anomaly counts, current abnormal data, current abnormal peak values and the like of network assets, converts random attack behavior into objective mathematical statistics, describes the behavior of the assets linearly by a mathematical algorithm, identifies and warns of suspicious assets, and reduces the false alarm rate.
2. By continuously collecting and scanning the behavior of the network assets, an abnormal behavior index fuzzy set and an abnormal data index fuzzy set are generated, and the parameter items and parameter weights of the corresponding fuzzy algorithm models can be adaptively adjusted and updated for different network asset environments.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a fuzzy prediction based network suspicious asset identification method according to an embodiment of the present invention;
fig. 2 is a flowchart of a network suspicious asset identification method based on fuzzy prediction according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
The network assets of the present invention include: server, terminal host, printer, facsimile machine, etc.
Example one
As shown in fig. 1, the method for identifying suspicious assets in a network based on fuzzy prediction according to the embodiment of the present invention includes the following steps:
Step S101, scan the target network segment, acquire asset information, open port information and asset system version information, and output a detailed parameter list of known assets and unknown assets; this comprises:
according to the preconfigured scanning information, the preset scanning information is matched with the corresponding scanning rule; live assets are detected first, then full-port scanning and system version scanning of the live assets are carried out, and a detailed parameter list of known and unknown assets is output, comprising asset IP, open ports, open services, system version information of the assets, CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and the access peak value of the suspicious time period. Common asset scanners include NMAP and MASSCAN.
Step S102, the anomaly monitoring module monitors index changes in the asset list; this comprises:
the anomaly monitoring module performs centralized threshold monitoring of the CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and suspicious-period access peak value of the assets in the asset list. Because the following steps use the index values of the monitored data and depict the CPU occupancy rate and other performance indicators of the monitored assets linearly, the asset information has to be monitored continuously; for example, a data collection instruction can be issued periodically, one round every 60 seconds.
Step S103, from the historical and real-time data of the CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and access peak value of the suspicious time period (non-working hours) of the assets obtained in step S102, the anomaly counts and abnormal data of intranet scanning behavior and abnormal port opening behavior are evaluated with a fuzzy prediction trust model; this comprises:
Step S1031, calculate the fuzzy membership degree of the asset's abnormal behavior index. The parameters are: the number of times the asset performs intranet scanning and the number of abnormal durations of that behavior, the number of times the asset opens abnormal ports, and the number of abnormal time periods in the asset's uplink and downlink bandwidth. The fuzzy membership formula of the abnormal behavior index is as follows:
Figure BDA0002259601360000072
where the fuzzy set of asset abnormal behavior indicators is denoted by the symbol in the figure,
Figure BDA0002259601360000073
represents the membership function of
Figure BDA0002259601360000074
N_j represents the current asset and j the asset number; f_1(N_j) represents the abnormal behavior set value of the current asset N_j; N_C represents the number of key element items of abnormal behavior, c the kind of key element item of abnormal behavior, and i a natural number; a_i represents the weight coefficient of the number of abnormal behaviors of the i-th element and c_i the logical value of the i-th element; a_i^0 is the weight coefficient for the case where the asset's anomaly count exceeds the threshold, with a_i^0 equal to a_i; c_i^0 is the logical reference value for the number of abnormal behaviors of the i-th element, with c_i^0 = 1;
Step S1032, calculate the fuzzy membership degree of the asset's abnormal data index. The parameters are the abnormal data of the asset's CPU occupancy rate, memory occupancy rate and disk occupancy rate: the acquired real-time data are compared with the historical data, and if the error exceeds the allowable threshold range the asset's performance data are considered abnormal. The fuzzy membership formula of the abnormal data index is as follows:
Figure BDA0002259601360000075
when
Figure BDA0002259601360000076
is within the allowable error range, and otherwise;
Figure BDA0002259601360000077
represents the fuzzy set of asset abnormal data indicators, the membership function being that of
Figure BDA00022596013600000710
N_j represents the current asset and j the asset number; f_2(N_j) represents the abnormal data set value of the current asset N_j; n_D represents the number of items whose actually obtained key element data are not within the allowable error threshold range; N_D represents the number of key element items of abnormal data, D the kind of key element item of abnormal data, and k a natural number; a_k represents the weight coefficient of the abnormal data of the k-th element, D_k the actual value of the k-th element, and
Figure BDA00022596013600000711
the normal reference value of the k-th element;
Step S1033, integration of the abnormal fuzzy sets
The fuzzy membership degree of the asset's abnormal behavior index from step S1031 and the fuzzy membership degree of the asset's abnormal data index from step S1032 are fused by De Morgan's law to calculate the trust value C of the asset, with the following formula:
Figure BDA0002259601360000081
Steps S1031 and S1032 yield two values: the fuzzy membership degree of the asset's abnormal behavior index and the fuzzy membership degree of the asset's abnormal data index. Since an attack is often well concealed, several rounds of monitoring and analysis may be needed before a suspicious warning is issued; this both reduces the false alarm rate and preserves the speed of warning. The two membership degrees are therefore integrated by De Morgan's law. Suppose A denotes the fuzzy membership degree of the abnormal behavior index, with initial value 1; B denotes the fuzzy membership degree of the abnormal data index, with initial value 1; and C denotes the trust value of the asset. If A leaves the threshold error range at the 20th monitoring round, A becomes 0 and the abnormal behavior index fuzzy set of the asset is marked to issue a warning at the 20th round; if B leaves the threshold error range at the 30th round, B becomes 0. The integrated early warning then starts from the result of the 20th round, that is
Figure BDA0002259601360000082
namely, a suspicious warning is issued the first time the value of C is 0.
Step S104, analyze the trust value of the assets and identify suspicious assets;
when the trust value of the asset falls outside the threshold error range, the asset is judged to be suspicious.
Step S105, adaptively update the fuzzy prediction trust model and adjust the abnormal parameter standard items. For example, when security operation and maintenance personnel apply the method, they manually check the actual state of the target asset according to the trust value calculated by the system and the warning; the specific investigation of a compromise and the search for Trojan backdoors have to be completed manually. If, for instance, a host that triggered a warning turns out on inspection to have no backdoor or other suspicious findings, but its CPU utilization reached 90% and did so only recently, and the operations review finds that the system had started a necessary program, then the parameter weight of CPU utilization must be adjusted according to this false alarm, that is, reduced. For such adjustments the front end of the system provides a parameter weight adjustment interface through which the user can configure the parameter weight of each performance index.
For ease of understanding, the following description will be made with reference to a specific example.
Example two
As shown in fig. 2, the method for identifying suspicious assets in a network based on fuzzy prediction according to this embodiment comprises the following three stages:
First, obtaining the key element index values
Port detection is carried out on the configured network segment; scanners such as Nmap and MASSCAN can be called for IP liveness detection and full-port scanning. IPs, open ports and services are identified and matched, and parameters such as the CPU, disk and memory utilization and the network uplink and downlink bandwidth of the identified hosts are collected by a monitor. The process data are output in the following format: { < target IP, version information, port information >: < target IP, CPU occupancy, weight coefficient >, < target IP, disk occupancy, weight coefficient >, < target IP, memory occupancy, weight coefficient >, < target IP, upstream bandwidth, weight coefficient > … … }.
Second, fuzzy algorithm prediction stage
On the basis of the obtained key elements, the elements of the target information data set are taken as the key elements of fuzzy prediction, and corresponding security early warning thresholds are set according to the different weight coefficients assigned to the elements; elements above their set threshold are generally abnormal data. Specifically:
Fuzzy set: in fuzzy set theory one usually speaks only of the degree to which an element belongs to a fuzzy set, which is characterized by the membership function of the fuzzy set. That is, assume U is the domain of discourse and
Figure BDA0002259601360000091
is a fuzzy subset of U,
Figure BDA0002259601360000092
Figure BDA0002259601360000093
the membership function of
Figure BDA0002259601360000094
is defined as
Figure BDA0002259601360000096
U → [0, 1], where U is the whole universe of objects under discussion (the domain) and the values lie in [0, 1]; in a particular application, x is a particular numerical value, X is a set, and x ∈ X;
to determine whether a network asset is under attack, the fuzzy prediction algorithm evaluates two index membership degrees of the asset, using the mappings f_1: U → C and f_2: U → D respectively, where U denotes the asset set, C the asset behavior fuzzy set and D the data fuzzy set.
Figure BDA0002259601360000102
Suppose that
Figure BDA0002259601360000103
represents the fuzzy set of asset abnormal behavior indicators and
Figure BDA0002259601360000104
represents the fuzzy set of asset abnormal data indicators; the index set value of asset N_j is f_m(N_j), j = 1, 2, 3, 4 …; m = 1, 2, where j represents the key element item of the asset, m = 1 represents asset behavior and m = 2 represents asset data, and the membership
Figure BDA0002259601360000105
is defined as follows:
1. The fuzzy membership formula of the abnormal behavior index of the asset is as follows:
Figure BDA0002259601360000106
Figure BDA0002259601360000107
represents the fuzzy set of asset abnormal behavior indicators,
Figure BDA0002259601360000108
represents the membership function of
Figure BDA0002259601360000109
N_j represents the current asset and j the asset number; f_1(N_j) represents the abnormal behavior set value of the current asset N_j; N_C represents the number of key element items of abnormal behavior, c the kind of key element item of abnormal behavior, and i a natural number; a_i represents the weight coefficient of the number of abnormal behaviors of the i-th element; c_i is the logical value of the i-th element: when monitoring of the current asset N_j finds that the anomaly count reaches or exceeds the threshold, c_i = 1, otherwise c_i = 0; a_i^0 is the weight coefficient for the case where the asset's anomaly count exceeds the threshold, with a_i^0 equal to a_i; c_i^0 is the logical reference value for the number of abnormal behaviors of the i-th element, with c_i^0 = 1. The key elements of abnormal behavior include abnormal scanning, abnormal peak values, abnormal port opening and the like.
2. The fuzzy membership formula of the asset's abnormal data index is as follows:
(formula image not reproduced; it takes the first form shown when the quantity in the image lies within the allowable error range, and the second form otherwise)
D represents the fuzzy set of asset abnormal data indicators, and its membership function is the one shown in the image above. N_j represents the current asset, j the asset number, f_2(N_j) the abnormal data set value of the current asset N_j, n_D the number of terms whose actually obtained key element data is not within the allowable range of the error threshold, N_D the number of key element items of abnormal data, D the kind of key element item of abnormal data, k a natural number, a_k the weight coefficient of abnormal data of the k-th element, D_k the actual value of the k-th element, and the k-th element's normal reference value (symbol shown as an image in the original). The key element items of abnormal data comprise the various indexes of asset performance.
3. Abnormal fuzzy set integration
The membership degrees of the asset are integrated using De Morgan's laws to obtain the trust value C of the asset; the formula is as follows:
(formula image not reproduced)
Third, the asset display stage
The suspicious assets obtained from the calculation are displayed by the scanning system. The display covers the total number of assets, suspicious-asset early warnings, asset trust values, asset services and the like, and the system supports updating the key element types, their weight coefficients, the key element thresholds and so on.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (7)

1. A network suspicious asset identification method based on fuzzy prediction is characterized by comprising the following steps:
step 1, scanning a target network segment, acquiring asset information, open port information and asset system version information, and outputting a detailed parameter list of known assets and unknown assets;
step 2, an abnormality monitoring module monitors index changes in the asset list;
step 3, calculating the trust value of the asset by combining a fuzzy prediction trust model with the historical data and real-time data, the number of abnormal occurrences and the abnormal data of the parameters in the asset list acquired in step 2;
step 4, analyzing the trust value of the asset and identifying suspicious assets.
2. The fuzzy prediction based network suspicious asset identification method according to claim 1, further comprising, after step 4: self-adaptively updating the fuzzy prediction trust model and adjusting the abnormal parameter standard items.
3. The method for identifying suspicious assets in a network based on fuzzy prediction according to claim 1, wherein the specific implementation process of the step 1 is as follows:
according to the preconfigured scanning information, matching the preset scanning information with the corresponding scanning rule, first detecting the live assets, then carrying out a full-port scan and a system version scan of the live assets, and outputting a detailed parameter list of known assets and unknown assets, wherein the detailed parameter list comprises asset IP, open ports, open services, system version information of the assets, CPU occupancy rate, memory occupancy rate, disk occupancy rate, uplink and downlink bandwidth of the network and the access peak value of a suspicious time period.
4. The method according to claim 3, wherein the tool for scanning assets is NMAP or MASSCAN.
5. The method for identifying suspicious assets in a network based on fuzzy prediction according to claim 3, wherein the step 2 is implemented by the following steps:
the abnormality monitoring module performs centralized threshold monitoring of the CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and suspicious-period access peak value of the assets in the asset list.
6. The method for identifying suspicious assets on a network based on fuzzy prediction according to claim 5, wherein in step 3 the trust value of the asset is calculated by combining a fuzzy prediction trust model with the historical and real-time data of the CPU occupancy rate, memory occupancy rate, disk occupancy rate, network uplink and downlink bandwidth and suspicious-period access peak value obtained in step 2, together with the number of occurrences and the abnormal data of intranet scanning behaviour and abnormal port opening behaviour; the specific steps are as follows:
step 3.1, calculating the fuzzy membership degree of the asset's abnormal behaviour index, based on the following parameters: the occurrence of intranet scanning behaviour by the asset and the number of times its duration is abnormal, the number of times the asset opens an abnormal port, and the number of abnormal time periods in the asset's uplink and downlink bandwidth; the fuzzy membership formula of the abnormal behaviour index is as follows:
(formula image not reproduced)
C represents the fuzzy set of asset abnormal behaviour indicators, and its membership function is the one shown in the image above; N_j represents the current asset,
j denotes the asset number, f_1(N_j) the abnormal behaviour set value of the current asset N_j, N_C the number of key element items of abnormal behaviour, c the type of key element item of abnormal behaviour, i a natural number, a_i the weight coefficient of the number of abnormal behaviours of the i-th element, c_i the logical value of the i-th element, a_i^0 the weighting factor for the case in which the asset's anomalies occur more often than the threshold (a_i^0 equals a_i), and c_i^0 the logical reference value of the number of times the i-th element behaves abnormally (c_i^0 = 1);
step 3.2, calculating the fuzzy membership degree of the asset's abnormal data index, based on the following parameters: the acquired real-time data of the asset's CPU occupancy rate, memory occupancy rate and disk occupancy rate are compared with the historical data, and if the error exceeds the allowable threshold range the asset's performance data is considered abnormal; the fuzzy membership formula of the abnormal data index is as follows:
(formula image not reproduced; it takes the first form shown when the quantity in the image lies within the allowable error range, and the second form otherwise)
D represents the fuzzy set of asset abnormal data indicators, and its membership function is the one shown in the image above; N_j represents the current asset, j the asset number, f_2(N_j) the abnormal data set value of the current asset N_j, n_D the number of terms whose actually obtained key element data is not within the allowable range of the error threshold, N_D the number of key element items of abnormal data, D the kind of key element item of abnormal data, k a natural number, a_k the weight coefficient of abnormal data of the k-th element, D_k the actual value of the k-th element, and the k-th element's normal reference value (symbol shown as an image in the original);
step 3.3, abnormal fuzzy set integration:
performing De Morgan data fusion of the asset's abnormal behaviour index fuzzy membership degree from step 3.1 and its abnormal data index fuzzy membership degree from step 3.2 to calculate the trust value C of the asset; the formula is as follows:
(formula image not reproduced)
7. The method for identifying suspicious assets over a network based on fuzzy prediction according to claim 6, wherein step 4 specifically comprises: when the trust value of the asset exceeds the error of the threshold range, the asset is judged to be suspicious.
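The two membership computations and the De Morgan integration of step 3 (in the description above and in claims 6 and 7, together with the threshold decision of step 4), as an added example that is not the patent's own code. Because the formula images are not reproduced on this page, the exact forms are assumptions stated in the docstrings: a weighted ratio for each membership degree, standard min/max fuzzy operators for the De Morgan integration, and "trust below threshold" as the suspicious decision; the element names, weights, counts, thresholds and tolerances are constructed sample values.

```python
# Added example, not the patent's code: an assumed reading of its fuzzy-prediction trust model.
from dataclasses import dataclass
from typing import List

@dataclass
class BehaviourElement:
    """Key element item of abnormal behaviour (intranet scan, abnormal port open, ...)."""
    name: str
    weight: float   # a_i: weight coefficient of this element's anomaly count
    count: int      # anomalies observed for the current asset N_j
    threshold: int  # c_i = 1 when count reaches or exceeds this, else 0 (as the text states)

@dataclass
class DataElement:
    """Key element item of abnormal data (CPU, memory, disk occupancy, ...)."""
    name: str
    weight: float     # a_k: weight coefficient of this element's abnormal data
    actual: float     # D_k: real-time value
    reference: float  # normal reference value taken from historical data
    tolerance: float  # allowable absolute error around the reference

def behaviour_membership(elements: List[BehaviourElement]) -> float:
    """Assumed form: sum(a_i * c_i) / sum(a_i^0 * c_i^0), with a_i^0 = a_i and c_i^0 = 1."""
    numerator = sum(e.weight for e in elements if e.count >= e.threshold)
    denominator = sum(e.weight for e in elements)
    return numerator / denominator if denominator else 0.0

def data_membership(elements: List[DataElement]) -> float:
    """Assumed form: weight of the n_D out-of-range elements over the weight of all N_D."""
    out_of_range = [e for e in elements if abs(e.actual - e.reference) > e.tolerance]
    denominator = sum(e.weight for e in elements)
    return sum(e.weight for e in out_of_range) / denominator if denominator else 0.0

def trust_value(mu_behaviour: float, mu_data: float) -> float:
    """De Morgan integration with standard min/max operators (assumed): the asset is abnormal
    if either index says so, so trust = NOT(A OR B) = (NOT A) AND (NOT B) = min(1-mu1, 1-mu2)."""
    return min(1.0 - mu_behaviour, 1.0 - mu_data)

def is_suspicious(trust: float, trust_threshold: float) -> bool:
    """Step 4, assumed reading: flag the asset when its trust value drops below the threshold."""
    return trust < trust_threshold

# Constructed sample for one asset: three intranet scans (threshold 2) and a CPU
# occupancy far outside its historical reference; the other elements are within limits.
SAMPLE_BEHAVIOUR = [
    BehaviourElement("intranet scan", 0.5, count=3, threshold=2),
    BehaviourElement("abnormal port open", 0.25, count=0, threshold=1),
    BehaviourElement("bandwidth peak", 0.25, count=1, threshold=2),
]
SAMPLE_DATA = [
    DataElement("cpu", 0.25, actual=92.0, reference=40.0, tolerance=20.0),
    DataElement("memory", 0.5, actual=55.0, reference=50.0, tolerance=10.0),
    DataElement("disk", 0.25, actual=70.0, reference=68.0, tolerance=5.0),
]

if __name__ == "__main__":
    mu1, mu2 = behaviour_membership(SAMPLE_BEHAVIOUR), data_membership(SAMPLE_DATA)
    c = trust_value(mu1, mu2)
    print(f"mu1={mu1:.2f} mu2={mu2:.2f} trust={c:.2f} suspicious={is_suspicious(c, 0.6)}")
```

With the sample values the behaviour membership is 0.5, the data membership 0.25, and the trust value 0.5, so a trust threshold of 0.6 flags the asset; the threshold, like the weights, is one of the items the description says the system lets an operator update.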

Publications (1)

Publication Number Publication Date
CN110830467A true CN110830467A (en) 2020-02-21



Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106888194A (en) * 2015-12-16 2017-06-23 国家电网公司 Intelligent grid IT assets security monitoring systems based on distributed scheduling
CN108810034A (en) * 2018-08-20 2018-11-13 杭州安恒信息技术股份有限公司 A kind of safety protecting method of industrial control system information assets
CN110213212A (en) * 2018-05-24 2019-09-06 腾讯科技(深圳)有限公司 A kind of classification method and device of equipment
CN110324310A (en) * 2019-05-21 2019-10-11 国家工业信息安全发展研究中心 Networked asset fingerprint identification method, system and equipment


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
曹晓梅: "Wireless sensor network trust model based on fuzzy prediction" (基于模糊预测的无线传感器网络信任模型), 《计算机应用》 (Journal of Computer Applications) *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111352761A (en) * 2020-02-28 2020-06-30 北京天融信网络安全技术有限公司 Vehicle detection method and device, storage medium and electronic equipment
CN111352761B (en) * 2020-02-28 2023-07-04 北京天融信网络安全技术有限公司 Vehicle detection method and device, storage medium and electronic equipment
CN112118152A (en) * 2020-09-02 2020-12-22 紫光云(南京)数字技术有限公司 Distributed architecture for realizing rapid scanning of network assets
CN114745128A (en) * 2022-03-28 2022-07-12 中国人民解放军战略支援部队信息工程大学 Trust evaluation method and device for network terminal equipment
CN115242463A (en) * 2022-06-30 2022-10-25 北京华顺信安科技有限公司 Network asset dynamic change monitoring method and system and computer equipment
CN115242463B (en) * 2022-06-30 2023-06-09 北京华顺信安科技有限公司 Method, system and computer equipment for monitoring dynamic change of network asset
CN115909674A (en) * 2023-02-13 2023-04-04 成都秦川物联网科技股份有限公司 Alarm and gas meter linkage method based on intelligent gas and Internet of things system
US11989007B2 (en) 2023-02-13 2024-05-21 Chengdu Qinchuan Iot Technology Co., Ltd. Methods for linkage between alarm based on gas and gas meter and internet of things systems thereof
CN117724928A (en) * 2023-12-15 2024-03-19 谷技数据(武汉)股份公司 Intelligent operation and maintenance visual monitoring method and system based on big data


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20200221)