CN111818017B - Railway network security prediction method and system and electronic equipment - Google Patents


Publication number
CN111818017B
Authority
CN
China
Prior art keywords
railway network
detection period
future
legal
error
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010531403.4A
Other languages
Chinese (zh)
Other versions
CN111818017A (en)
Inventor
朱广劼
杨轶杰
姚洪磊
司群
周泽岩
付晓丹
卫婧
王张超
李琪
尹虹
陈彤
王云鹏
张德栋
王红伟
冯凯亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Computing Technologies of CARS
Original Assignee
Institute of Computing Technologies of CARS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiment of the invention provides a railway network security prediction method, system and electronic equipment. The method comprises: predicting the number of legal users accessing the railway network in the next detection period according to the number of legal users accessing the railway network in a plurality of historical detection periods; calculating the error between the predicted number of legal users and the actual number of legal users accessing the railway network in that next detection period; and, when the error is larger than a preset error threshold, calculating the probability that a threat exists in the railway network in the next detection period. The embodiment of the invention can predict the future behavior of users according to their existing illegal attack behavior, formulate a new coping strategy, deal in time with the harm and threats brought by security vulnerabilities, and ensure the safe operation of the railway network and a timely response to incidents.

Description

Railway network security prediction method and system and electronic equipment
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a railway network security prediction method, a railway network security prediction system and electronic equipment.
Background
In the network operation, safety is an important factor to be considered, and in the network of the railway system, network attacks on railway transportation, travel service, scheduling and the like are increasingly severe. Over the past few years, the number of cyber-security incidents that have occurred and the number of cyber-security threat events that have been detected have increased. Processing network security accidents and dealing with network threats are always one of the research hotspots of railway scientific research institutions.
Existing protection strategies are divided into active protection and passive protection. Active protection mainly relies on intrusion detection, online behavior auditing and similar strategies, which take unauthorized user access, misuse of user identities and unauthorized behavior by authorized users as the main objects of detection, and which use on-site detection and analysis of the system and the local network to provide corresponding protection strategies. Passive protection mainly relies on strategies such as installing a firewall.
As networks grow in scale and diversity, attacks against the network and threats to system security become more numerous, and in-event defense and post-event recovery cannot effectively deal with the consequences of network security events.
In network security protection, a pre-protection strategy mainly depends on threat information issued by an authority, such as a virus library, a vulnerability library and the like, and in actual network security protection, targeted detection is performed by means of known threat information. In the protection process, according to the characteristics of the network and the actual requirements of the network security, the railway network security adopts a method of updating a vulnerability library and maintaining a vulnerability patch to protect the current network in advance, and the safe operation of the railway network can be guaranteed to a certain extent through periodical vulnerability scanning and periodical patch completion.
However, the information on which such detection relies lags behind to some extent. For the latest threat types and vulnerability types, if the vulnerability library cannot be updated and the vulnerability patches cannot be applied in time, countermeasures such as interception and blocking cannot be taken in time against novel threats during vulnerability scanning.
Disclosure of Invention
In order to overcome, or at least partially solve, the problem that existing illegal attacks are of new types for which current protection measures such as vulnerability libraries cannot be released and updated in time, the embodiment of the invention provides a railway network security prediction method, system and electronic equipment.
According to a first aspect of the embodiments of the present invention, there is provided a method for predicting railway network security, including:
predicting the number of legal users accessing the railway network in the next detection period in the future according to the number of legal users accessing the railway network in a plurality of historical detection period periods;
calculating the error between the predicted legal user number and the actual legal user number of the railway network accessed in the next detection period time period in the future;
and when the error is larger than a preset error threshold value, calculating the probability that the threat exists in the next detection period time period in the future of the railway network.
On the basis of the above technical solutions, the embodiments of the present invention may be further improved as follows.
Optionally, the predicting, according to the number of valid users accessing the railway network in the plurality of historical detection cycle time periods, the number of valid users accessing the railway network in the next detection cycle time period in the future includes:
and predicting the number of legal users accessing the railway network in the next detection period in the future by using the local weighted linear regression algorithm by taking the number of the legal users accessing the railway network in each historical detection period and each detection period as input quantities.
Optionally, the predicting, by using a local weighted linear regression algorithm, the number of legal users accessing the railway network in the next future detection period includes:
giving an optimal weight value to the number of legal users accessing the railway network in each historical detection period;
performing local linear fitting according to the number of legal users accessed to the railway network in each detection period and the corresponding weight value;
and calculating the number of legal users accessed to the railway network in the next detection period according to the curve obtained after the local linear fitting.
Optionally, the assigning an optimal weight value to the number of valid users accessing the railway network in each historical detection period includes:
giving an initial weight value to the number of legal users accessing the railway network in each historical detection period;
according to the number of legal users accessed to the railway network in each detection period and the corresponding initial weight value, performing local linear fitting to obtain a fitting curve, and calculating the square error of the fitting curve;
carrying out weight assignment on the number of legal users accessing the railway network in each historical detection period time period repeatedly, carrying out local linear fitting to obtain a plurality of fitting curves, and calculating the square error of each fitting curve;
and determining a group of weight values corresponding to the minimum square error as the optimal weight value.
Optionally, the assigning an initial weight value to the number of valid users accessing the railway network in each historical detection period includes:
calculating an initial weight value of the number of legal users accessing the railway network in each historical detection period time by adopting a Gaussian kernel function, wherein the expression of the Gaussian kernel function is as follows:
Figure BDA0002535361230000031
where d is the distance between each detection cycle time segment of the history and the next detection cycle time segment in the future, and τ is 50.
Optionally, the calculating an error value between the predicted legal user number and an actual legal user number of the future next detection cycle time period for accessing the railway network includes:
adopting a root mean square error to represent the error between the predicted legal user number and the actual legal user number of the railway network accessed in the next detection period time period in the future;
wherein the root mean square error is expressed as:
Figure BDA0002535361230000041
where m is the number of prediction rounds, $y_i$ is the number of legal users accessing the railway network in the i-th round of prediction, and $y'_i$ is the actual number of users accessing the railway network in the i-th round of prediction.
Optionally, when the error is greater than a preset error threshold, the calculating the probability of the future threat of the railway network includes:
when $|\varepsilon| \geq Tr$, the probability that a threat exists in the railway network in the next detection period time period in the future is
Figure BDA0002535361230000042
where $\varepsilon$ is the error between the predicted number of legal users and the actual number of legal users accessing the railway network in the next detection period time period in the future, Tr is a preset error threshold, and $P_{Tr}$ is the corresponding error probability, which can be calculated from the random property of the standard distribution of errors.
Optionally, when the error is greater than the preset error threshold, the calculating the probability of the future threat of the railway network further includes:
and when the error is smaller than a preset error threshold value, determining that the railway network has no threat in the next future detection period time under the corresponding network safety protection requirement.
According to a second aspect of the embodiments of the present invention, there is provided a railway network security prediction system, including:
the prediction module is used for predicting the number of legal users accessing the railway network in the next detection period in the future according to the number of legal users accessing the railway network in a plurality of historical detection period periods;
the first calculation module is used for calculating the error between the predicted legal user number and the actual legal user number of the railway network accessed in the next detection period time period in the future;
and the second calculation module is used for calculating the probability of the threat of the railway network in the next future detection period time when the error is larger than the preset error threshold.
According to a third aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor calls the program instructions to perform the method for predicting the safety of the railway network provided in any one of the possible implementations of the first aspect.
According to a fourth aspect of the embodiments of the present invention, there is also provided a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the method for predicting railway network security provided in any one of the various possible implementations of the first aspect.
The embodiment of the invention provides a railway network security prediction method and a railway network security prediction system, which can predict future behaviors of a user according to the existing illegal attack behaviors of the user, make a new coping strategy, solve and process hazards and threats brought by security vulnerabilities in time, and ensure the safe operation of a railway network and the timely response to accidents.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic overall flow chart of a railway network security prediction method provided in an embodiment of the present invention;
Fig. 2 is a comparison of three weighting kernel functions;
Fig. 3 is a schematic overall structure diagram of a railway network security prediction system according to an embodiment of the present invention;
Fig. 4 is a schematic view of an overall structure of an electronic device according to an embodiment of the present invention.
Detailed Description
Fig. 1 is a schematic overall flow chart of a railway network security prediction method provided in an embodiment of the present invention, where the method includes:
predicting the number of legal users accessing the railway network in the next detection period in the future according to the number of legal users accessing the railway network in a plurality of historical detection period periods;
calculating the error between the predicted legal user number and the actual legal user number of the railway network accessed in the next detection period time period in the future;
and when the error is larger than a preset error threshold value, calculating the probability that the threat exists in the next detection period time period in the future of the railway network.
It can be understood that, at present, attacks on and threats to the railway network are mainly handled by in-event defense and post-event recovery, but these strategies cannot effectively deal with the consequences of network security events. To improve the capability of dealing with network security threats, the embodiment of the invention provides a railway network security prediction method that can predict network security over a future period of time; specifically, it predicts the number of legal users accessing the railway network in a future period according to the number of legal users that accessed the railway network historically. For example, the number of legal users accessing the railway network in the 1001st 30 s period is predicted from the numbers of legal users accessing the railway network in the 1000 historical 30 s periods.
After the number of legal users accessing the railway network in a future period of time is predicted, the predicted number of the legal users accessing the railway network in the future period of time is compared with the actual number of the legal users accessing the railway network in the period of time, and the error between the two is calculated. If the error is greater than the preset error threshold, it indicates that the railway network may be threatened in the future, and whether the threat will occur or not, further determination is needed.
Therefore, when the error is larger than the preset error threshold, the probability that a threat exists in the railway network in the next detection period is calculated, and corresponding protective measures can then be taken according to that probability.
The embodiment of the invention can predict the future behavior of the user according to the existing illegal attack behavior of the user, make a new coping strategy, solve and process the harm and threat brought by the security vulnerability in time, and ensure the safe operation of the railway network and the timely response to the accident.
As an optional embodiment, predicting the number of valid users accessing the railway network in the next future detection cycle time period according to the number of valid users accessing the railway network in the plurality of historical detection cycle time periods comprises:
and predicting the number of legal users accessing the railway network in the next detection period in the future by using the local weighted linear regression algorithm by taking the number of the legal users accessing the railway network in each historical detection period and each detection period as input quantities.
It can be understood that, in a historical detection period, after a user accesses a railway network, whether the user is a legitimate user can be detected through a firewall by analyzing attacks, threats, security holes and the like faced by the network. For each detection period of the history, the number of legal users accessing the railway network can be counted.
Linear regression prediction has the advantages that its results are easy to understand, its algorithmic complexity is low and it is highly practical; its disadvantage is a poor fit on nonlinear data. To keep the advantages of linear regression while addressing this shortcoming, the way weight values are assigned is analyzed and each data point is given a weight value according to its attributes, which avoids a poor fit such as under-fitting.
The local weighted linear regression is one of linear regressions, and is a linear regression with variable weight values, which is provided on the basis of analyzing the weight value assignment mode of the linear regression. As a method of fitting and analyzing known data, in data prediction and analysis, each point near the point to be predicted is given a certain weight, and a conventional linear regression is performed on the corresponding subset based on the minimum mean square error.
According to the characteristics of the local weighted linear regression algorithm, the method and the device predict the number of legal users accessing the railway network in the next detection period time period by using the algorithm. Specifically, the number of valid users accessing the railway network in each historical detection period time period and each detection period time period is used as an input quantity, that is, each time point and the corresponding number of valid users are used as two-dimensional vectors and input into the local weighted linear regression algorithm, so that the number of valid users accessing the railway network in the next detection period time period can be output.
As an alternative embodiment, the predicting the number of legal users accessing the railway network in the next future detection period by using the local weighted linear regression algorithm includes:
giving an optimal weight value to the number of legal users accessing the railway network in each historical detection period;
performing local linear fitting according to the number of legal users accessed to the railway network in each detection period and the corresponding weight value;
and calculating the number of legal users accessed to the railway network in the next detection period according to the curve obtained after the local linear fitting.
As an optional embodiment, the assigning an optimal weight value to the number of valid users accessing the railway network in each detection cycle time period in the history includes:
giving an initial weight value to the number of legal users accessing the railway network in each historical detection period;
according to the number of legal users accessed to the railway network in each detection period and the corresponding initial weight value, performing local linear fitting to obtain a fitting curve, and calculating the square error of the fitting curve;
carrying out weight assignment on the number of legal users accessing the railway network in each historical detection period time period repeatedly, carrying out local linear fitting to obtain a plurality of fitting curves, and calculating the square error of each fitting curve;
and determining a group of weight values corresponding to the minimum square error as the optimal weight value.
It can be understood that the main idea of using the local weighted linear regression algorithm is to find a group of optimal weight values of the number of legal users accessing the railway network in each detection period of the history, so that according to the number of legal users accessing the railway network in each detection period of the history and the corresponding group of optimal weight values, the square error of the fitted linear curve obtained by fitting is minimum, that is, the fitted linear curve is the optimal curve at this time.
And according to the obtained best fit curve, the number of legal users accessing the railway network in the next detection period can be calculated.
As an alternative embodiment, assigning an initial weight value to the number of legitimate users accessing the railway network in each detection cycle period of the history includes:
calculating an initial weight value of the number of legal users accessing the railway network in each historical detection period time by adopting a Gaussian kernel function, wherein the expression of the Gaussian kernel function is as follows:
Figure BDA0002535361230000091
where d is the distance between each detection cycle time segment of the history and the next detection cycle time segment in the future, and τ is 50.
In order to better understand the idea of predicting the number of legal users accessing the railway network in the next detection period in the future by using the local weighted linear regression algorithm, the local weighted linear regression algorithm is described in detail below.
For a given input vector, the following equation can be derived:
Figure BDA0002535361230000092
where $w = [\omega_1, \omega_2, \ldots, \omega_n]$ and $X = [x_1, x_2, \ldots, x_n]^T$ are the weight value vector and the detection period time periods, respectively, and y is the number of legal users accessing the railway network corresponding to each detection period time period. To obtain appropriate weight coefficients, let $\omega_j$ ($j = 1, 2, \ldots, n$) be the corresponding weight coefficients; the square error can then be obtained as follows:
Figure BDA0002535361230000093
In the formula, $w \in R^n$ is the weight coefficient, $x_i$ denotes the i-th detection cycle period, and $y_i$ denotes the number of legal users accessing the railway network in the i-th detection period time period.
The cost function is defined as:
$J(\omega) = (X\omega - Y)^T (X\omega - Y)$;
Differentiating the above equation with respect to $\omega$ and setting the derivative to 0 gives:
Figure BDA0002535361230000101
the obtained weight coefficient is:
Figure BDA0002535361230000102
Briefly, the idea is to assign a group of initial weight values to the number of legal users accessing the railway network in each detection period, fit a curve based on this group of initial weight values and calculate its square error, and then assign weight values repeatedly until the square error of the fitted curve is minimal, thereby finding a group of optimal weight values.
When a group of initial weight values is assigned to the number of legal users accessing the railway network in each detection period, one of three kernels can be selected to calculate the initial weight values: the mean weighting kernel function (Mean Weighting Function), the tri-cube weighting kernel function (Tri-cube Function) and the Gaussian kernel function (Gaussian Function). The three ways of calculating the weights are explained in detail below:
(1) the mean weight kernel is expressed as follows:
Figure BDA0002535361230000103
In the above formula, d represents the distance between each detection cycle time period and the time period to be predicted, and $d_{max}$ denotes a distance threshold. When the distance between the two is within the range of the distance threshold and when the distance between the two exceeds the distance threshold, the value is considered to be invalid, that is, the weight value is set to 0, and the weight changes markedly at the distance threshold.
(2) The expression of the tri-cube weight kernel is as follows:
Figure BDA0002535361230000111
d and $d_{max}$ in the above formula have the same meaning as d and $d_{max}$ in the mean weight kernel. It can be seen from the expression of the function that when $d = d_{max}$ the maximum weight can be obtained, and as the distance between the two increases the weight gradually decreases until it is 0. Compared with the mean weight kernel, the tri-cube weight kernel changes smoothly; furthermore, the function is continuous and has a second derivative.
(3) The expression of the gaussian kernel is as follows:
Figure BDA0002535361230000112
In the formula, d has the same meaning as above; there is no distance-threshold constraint, but there is the constraint of τ. Given the value of τ, the range over which the weight decreases is determined, and the width of the function is defined as the fast decay region. The weight decays rapidly within a certain range of variation, and the decay rate falls once that range is exceeded. For a given value of τ, the Gaussian kernel function is symmetric and peaks at 0; the weight value decreases gradually as the distance increases, approaching 0 without reaching 0.
Among the three typical weight kernel functions, the mean weight kernel function is simple, easy to implement and relatively intuitive in weight assignment, and can assign weights to the number of legal users accessing the railway network in each detection period clearly and within limits. However, because of the nature of the kernel function, an abrupt change of weight occurs at the distance threshold $d_{max}$; for some sample data this drastic change in the assigned weight reduces prediction accuracy and can even lead to unpredictable behavior because the derivative does not exist. The tri-cube weight function avoids this abrupt change in weight assignment: within the range given for the detection period to be predicted, the assigned weight decreases gradually as the distance between each detection cycle time period and the time period to be predicted increases. This trend reduces its effect on prediction, but there are some disadvantages: the weight also becomes 0 when the distance between each detection cycle period and the period to be predicted is at the distance threshold. Although the weight of the kernel function decreases rapidly as the distance increases, directly assigning a weight of 0 to historical detection periods beyond the distance threshold has a negative effect to some extent in actual prediction. In actual prediction the influence of each historical detection period on the period to be predicted can become arbitrarily small but cannot be 0, so directly assigning a weight of 0 lacks rigor.
The weight assignment of the Gaussian kernel function has better convergence and gradual change among the three. As can be seen from its mathematical expression, once a width constraint coefficient τ is given, the attenuation range of the distance d between the detection period to be predicted and the historical detection periods is determined; as d increases, the weight coefficient decreases rapidly within a certain range, and when d is large the weight is close to 0 but is not 0. The three typical weighting functions are shown in Fig. 2, where τ = 50 and $d_{max} = 100$ are selected so that the three functions contrast clearly with one another.
As can be seen from Fig. 2, the weight assignment of the Gaussian kernel function has better convergence and gradual change among the three methods. Therefore, the embodiment of the present invention uses the Gaussian kernel function to calculate a group of initial weight values for the number of legal users accessing the railway network in each detection period.
As an optional embodiment, in the above embodiment, the number of valid users accessing the railway network within the detection period to be predicted is predicted by using a local weighted linear regression algorithm, and the embodiment of the present invention calculates an error between the predicted number of valid users and the actual number of valid users.
The embodiment of the invention adopts Root Mean Square Root Error (RMSE) to describe the Error between the predicted legal user number and the actual legal user number aiming at the network behavior in the railway network.
Wherein the root mean square error is expressed as:
Figure BDA0002535361230000121
where m is the number of prediction rounds, $y_i$ is the number of legal users accessing the railway network in the i-th round of prediction, and $y'_i$ is the actual number of users accessing the railway network in the i-th round of prediction. According to the central limit theorem and the law of large numbers, given enough data the error between the predicted result and the actual result follows a normal distribution with zero mean. The probability density function of the error can be expressed as:
Figure BDA0002535361230000131
From the above formula, once the probability distribution histogram of the error and the corresponding errors are obtained, the standard deviation σ can be derived, which finally gives the probability distribution of the error.
Suppose that
Figure BDA0002535361230000132
m=-logσ,
Figure BDA0002535361230000133
$y = x^2$. The following linear relationship is then obtained:
l=m+h·y;
For the known errors and the corresponding probability distribution histogram $(x_i, f(x_i))$, the above formula can also be expressed as:
$l_i = m + h \cdot y_i$
where i = 1, 2, …, n. To solve this system of equations, the embodiment of the present invention uses the observation equation method. Written with vectors, the variables in the above formula form a matrix equation; the expression and the vectors it contains are as follows:
V=B·X-L;
where $V = [v_1, v_2, \dots, v_n]^T$
Figure BDA0002535361230000134
Obviously, solving the standard deviation of the prediction error distribution can be converted into an optimization problem, and minimizing the vector V by using the least square method can obtain:
Figure BDA0002535361230000135
σ can be derived from the above formula and m = -log σ.
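The linearized least-squares estimate of σ described above, as an added example that is not code from the patent. Because the formula images are missing from this page, the definitions l = log(√(2π)·f(x)) and h = -1/(2σ²) are assumptions derived from the zero-mean normal density together with m = -log σ (natural logarithm) and y = x²; the error samples are constructed, and `false_alarm_rate` is an added helper for choosing Tr.

```python
import math
import random


def error_histogram(errors, lo, hi, bins):
    """Return (x_i, f(x_i)) pairs: bin centres and empirical density. Empty bins are skipped."""
    width = (hi - lo) / bins
    counts = [0] * bins
    for e in errors:
        if lo <= e < hi:
            counts[min(bins - 1, int((e - lo) / width))] += 1
    n = len(errors)  # normalise by all samples, including those outside [lo, hi)
    return [(lo + (k + 0.5) * width, c / (n * width)) for k, c in enumerate(counts) if c > 0]


def estimate_sigma(points):
    """Fit l = m + h*y by least squares and recover sigma.

    Assumed definitions: y = x^2, l = log(sqrt(2*pi) * f(x)), h = -1/(2*sigma^2).
    This solves the two-unknown normal equations of V = B*X - L in closed form.
    Returns (sigma from m, sigma from h); a large gap between the two means the
    errors are not zero-mean normal and the model should not be trusted.
    """
    if len(points) < 2:
        raise ValueError("need at least two histogram points")
    ys = [x * x for x, _ in points]
    ls = [math.log(math.sqrt(2.0 * math.pi) * f) for _, f in points]
    n = len(points)
    y_bar, l_bar = sum(ys) / n, sum(ls) / n
    syy = sum((y - y_bar) ** 2 for y in ys)
    if syy == 0.0:
        raise ValueError("all points share the same x^2; slope is undefined")
    h = sum((y - y_bar) * (l - l_bar) for y, l in zip(ys, ls)) / syy
    if h >= 0.0:
        raise ValueError("histogram is not bell-shaped (h must be negative)")
    m = l_bar - h * y_bar
    return math.exp(-m), math.sqrt(-1.0 / (2.0 * h))


def false_alarm_rate(tr, sigma):
    """Two-sided tail P(|error| >= tr) of a zero-mean normal with the fitted sigma."""
    return math.erfc(tr / (sigma * math.sqrt(2.0)))


def constructed_errors(n=20000, sigma=4.0, seed=7):
    """Constructed prediction errors (not measured data) for the demonstration."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, sigma) for _ in range(n)]


if __name__ == "__main__":
    pts = error_histogram(constructed_errors(), -12.0, 12.0, 24)
    s_m, s_h = estimate_sigma(pts)
    print(f"sigma from m: {s_m:.3f}, sigma from h: {s_h:.3f}")
    for tr in (4.0, 8.0, 12.0):
        print(f"Tr={tr:4.1f} -> share of benign periods that would alert: {false_alarm_rate(tr, s_m):.4f}")
```

The second return value is a cross-check: the page recovers σ from the intercept m, while the slope h gives an independent estimate of the same quantity.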
As an optional embodiment, when the error between the predicted legal user number and the actual legal user number accessing the railway network in the next detection period does not exceed the set error threshold, it is considered that the network in the detection period to be predicted has no threat under the corresponding network security protection requirement, and the network can be treated by using a conventional security defense measure. The actual legal user number in the detection period time period to be predicted can be used as the historical data of the next subsequent prediction.
When the error between the predicted and the actual number of legal users accessing the railway network in the next detection period exceeds the set error threshold, the network in the detection period to be predicted is considered to be under threat under the corresponding network security protection requirement. The threat data then needs to be analyzed, the probability that the threat exists calculated, and a corresponding defense strategy guided.
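The procedure described up to this point (Gaussian-kernel weighting, locally weighted linear regression, error, threshold decision, and reuse of the actual count as history only when no threat is flagged), as an added example that is not code from the patent. The kernel form exp(-d²/(2τ²)) is the usual Gaussian kernel and is an assumption because the patent's formula image is missing here; the error sign (actual minus predicted), the sample counts, the 10-minute period length and Tr = 20 are also assumptions made for the example.

```python
import math

TAU = 50.0  # width constraint coefficient; the page uses tau = 50


def gaussian_weight(d, tau=TAU):
    # Assumed kernel form exp(-d^2 / (2*tau^2)): shrinks with distance d but is never set to 0.
    return math.exp(-(d * d) / (2.0 * tau * tau))


def lwlr_predict(times, counts, t_query, tau=TAU):
    """Fit a kernel-weighted least-squares line around t_query and evaluate it there."""
    if len(times) != len(counts) or len(times) < 2:
        raise ValueError("need at least two (time, count) samples")
    w = [gaussian_weight(t - t_query, tau) for t in times]
    sw = sum(w)
    if sw == 0.0:
        raise ValueError("history is too far from t_query: every weight underflowed")
    t_bar = sum(wi * t for wi, t in zip(w, times)) / sw
    c_bar = sum(wi * c for wi, c in zip(w, counts)) / sw
    sxx = sum(wi * (t - t_bar) ** 2 for wi, t in zip(w, times))
    sxy = sum(wi * (t - t_bar) * (c - c_bar) for wi, t, c in zip(w, times, counts))
    slope = sxy / sxx if sxx > 0.0 else 0.0
    return c_bar + slope * (t_query - t_bar)


def rmse(errors):
    """Root mean square error over the prediction rounds."""
    return math.sqrt(sum(e * e for e in errors) / len(errors))


def walk_forward(times, counts, tr, min_history=6, tau=TAU):
    """Predict every period from the accepted history before it.

    Returns (rows, flagged_times); each row is (t, predicted, actual, error, alarm).
    A period whose |error| >= tr is flagged and kept out of the history, so an
    anomalous count cannot pull the baseline for later predictions.
    """
    hist_t, hist_c = list(times[:min_history]), list(counts[:min_history])
    rows, flagged = [], []
    for t, actual in zip(times[min_history:], counts[min_history:]):
        predicted = lwlr_predict(hist_t, hist_c, t, tau)
        err = actual - predicted  # assumed sign convention
        alarm = abs(err) >= tr
        rows.append((t, predicted, actual, err, alarm))
        if alarm:
            flagged.append(t)
        else:
            hist_t.append(t)
            hist_c.append(actual)
    return rows, flagged


# Constructed sample: legal-user counts for 24 ten-minute detection periods (time in minutes).
WIGGLE = [0, 2, -1, 1, -2, 0]
SAMPLE_TIMES = [10 * k for k in range(24)]
SAMPLE_COUNTS = [200 + 3 * k + WIGGLE[k % 6] for k in range(24)]
SAMPLE_COUNTS[20] += 60  # constructed anomaly in the period starting at t = 200

if __name__ == "__main__":
    rows, flagged = walk_forward(SAMPLE_TIMES, SAMPLE_COUNTS, tr=20.0)
    for t, predicted, actual, err, alarm in rows:
        mark = "ALERT" if alarm else ""
        print(f"t={t:3d} predicted={predicted:7.2f} actual={actual:4d} error={err:+7.2f} {mark}")
    print("RMSE over accepted periods:", round(rmse([r[3] for r in rows if not r[4]]), 2))
    print("flagged periods:", flagged)
```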
It can be understood that, because the network data behaviors have randomness, in actual operation, aiming at a scenario in which a legal network data transmission behavior and a network attack, a threat and a network vulnerability occur simultaneously, the embodiment of the invention deduces the minimum probability of the existence of the network threat according to the probabilities and the respective numbers of the legal network behavior, the network attack behavior and the potential threat in the network.
In deriving the probability formula for the existence of a network threat, assume that the number of legal users accessing the network is $N_{PU}$, and that each network user in the detection is active with probability $\rho_{pu}$, independently of the others. Let the numbers of network attack behaviors and potential network threats be $N_{PUE}$ and $N_{SU}$ respectively, with active probabilities $\rho_{pue}$ and $\rho_{su}$, again independent of each other.
In the railway network, let ε be the error between the predicted number of legal users and the actual number. According to the law of large numbers, when the error exceeds a specified threshold Tr (Tr ≥ 0), i.e. |ε| ≥ Tr, the probability of a network threat in the detection period to be predicted is
Figure BDA0002535361230000141
where $P_{Tr}$ is the corresponding error probability, which can be calculated from the random nature of the standard distribution of errors.
When | ε | ≧ Tr, the minimum probability of a cyber threat exists is:
$P_{pue\_min} = P_{\varepsilon} \cdot P_{pue1} + P_{\varepsilon} \cdot P_{pue2}$
In the above formula, $P_{pue1}$ represents the minimum detection probability that a network threat exists when the actual error is greater than the preset error threshold, and $P_{pue2}$ represents the minimum probability that a network threat exists when the actual error is less than the negative of the preset error threshold, that is, when the actual value of legal behavior is smaller than the predicted value and the difference is larger than the error threshold Tr.
When the actual number of the valid users is greater than the predicted number and the difference between the two exceeds a preset error threshold value Tr, the minimum probability of the existence of the network threat at this time may be represented as:
Figure BDA0002535361230000151
when the actual number of the valid users is smaller than the predicted number and the difference between the two exceeds the preset error threshold Tr, the minimum probability of the network threat at this time may be represented as:
Figure BDA0002535361230000152
Combining the two formulas, when |ε| ≥ Tr, the minimum probability that a network threat exists in the detection is:
Figure BDA0002535361230000153
As can be seen from the above derivation, when the error between the predicted number of legal users and the actual number of legal users exceeds a specified threshold Tr (Tr ≥ 0), i.e. |ε| ≥ Tr, the probability of a network threat occurring within the detection period to be predicted is
Figure BDA0002535361230000154
Referring to fig. 3, there is provided a railway network security prediction system, including:
the prediction module 31 is configured to predict the number of valid users accessing the railway network in the next detection cycle time period in the future according to the number of valid users accessing the railway network in the plurality of historical detection cycle time periods;
a first calculating module 32, configured to calculate an error between the predicted legal user number and an actual legal user number of the future next detection cycle time period accessing the railway network;
and a second calculating module 33, configured to calculate a probability that the threat exists in the railway network in a next future detection cycle time period when the error is greater than a preset error threshold.
The railway network security prediction system provided by the embodiment of the invention corresponds to the railway network security prediction methods provided by the embodiments, and the relevant technical features of the railway network security prediction system can refer to the relevant technical features of the railway network security prediction methods of the embodiments, and are not described herein again.
Fig. 4 illustrates the physical structure of an electronic device. As shown in Fig. 4, the device may include a processor 410, a communication interface 420, a memory 430 and a communication bus 440, where the processor 410, the communication interface 420 and the memory 430 communicate with one another via the communication bus 440. The processor 410 may call logic instructions in the memory 430 to perform the following method: predicting the number of legal users accessing the railway network in the next future detection period according to the number of legal users accessing the railway network in a plurality of historical detection periods; calculating the error between the predicted number of legal users and the actual number of legal users accessing the railway network in the next future detection period; and, when the error is larger than a preset error threshold, calculating the probability that a threat exists in the railway network in the next future detection period.
In addition, the logic instructions in the memory 430 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The present embodiments provide a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the methods provided by the above method embodiments, for example, including: predicting the number of legal users accessing the railway network in the next detection period in the future according to the number of legal users accessing the railway network in a plurality of historical detection period periods; calculating the error between the predicted legal user number and the actual legal user number of the railway network accessed in the next detection period time period in the future; and when the error is larger than a preset error threshold value, calculating the probability that the threat exists in the next detection period time period in the future of the railway network.
The railway network security prediction method, system and electronic equipment provided by the embodiments of the invention are based on current artificial intelligence strategies and are applied to the railway network security assurance system. On top of detecting network threats and illegal access, they can predict future attacks and threats so that countermeasures are prepared in advance. The method combines detection of illegal access and threats with real-time analysis in network security protection and evaluates the current state of network threats and other security-affecting factors in a real-time and comprehensive way. This is significant for scenarios in which the network environment changes quickly and real-time response and accurate handling are required, and it is highly practical for the comprehensive assurance of railway network security. Using existing threat data, illegal access behavior and other data, the threshold can be analyzed in real time and adjusted to the network environment to meet network security requirements, and the method can be used for dynamic management and control of differing network security requirements in emergencies.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A railway network security prediction method is characterized by comprising the following steps:
predicting the number of legal users accessing the railway network in the next detection period in the future according to the number of legal users accessing the railway network in a plurality of historical detection period periods;
calculating the error between the predicted legal user number and the actual legal user number of the railway network accessed in the next detection period time period in the future;
when the error is larger than a preset error threshold value, calculating the probability that the threat exists in the next detection period time period in the future of the railway network;
the step of predicting the number of legal users accessing the railway network in the next detection period in the future according to the number of legal users accessing the railway network in a plurality of historical detection period periods comprises the following steps:
and predicting the number of legal users accessing the railway network in the next detection period in the future by using the local weighted linear regression algorithm by taking the number of the legal users accessing the railway network in each historical detection period and each detection period as input quantities.
2. The railway network security prediction method of claim 1, wherein the predicting the number of legal users accessing the railway network in the next future detection cycle time period by using a local weighted linear regression algorithm comprises:
giving an optimal weight value to the number of legal users accessing the railway network in each historical detection period;
performing local linear fitting according to the number of legal users accessed to the railway network in each detection period and the corresponding weight value;
and calculating the number of legal users accessed to the railway network in the next detection period according to the curve obtained after the local linear fitting.
3. The railway network security prediction method of claim 2, wherein the step of giving the optimal weight value to the number of legal users accessing the railway network in each detection cycle time period in the history comprises the following steps:
giving an initial weight value to the number of legal users accessing the railway network in each historical detection period;
according to the number of legal users accessed to the railway network in each detection period and the corresponding initial weight value, performing local linear fitting to obtain a fitting curve, and calculating the square error of the fitting curve;
carrying out weight assignment on the number of legal users accessing the railway network in each historical detection period time period repeatedly, carrying out local linear fitting to obtain a plurality of fitting curves, and calculating the square error of each fitting curve;
and determining a group of weight values corresponding to the minimum square error as the optimal weight value.
4. The railway network security prediction method of claim 3, wherein the assigning an initial weight value to the number of legal users accessing the railway network in each detection cycle time period of the history comprises:
calculating an initial weight value of the number of legal users accessing the railway network in each historical detection period time by adopting a Gaussian kernel function, wherein the expression of the Gaussian kernel function is as follows:
Figure FDA0003128316810000021
where d is the distance between each detection cycle time segment of the history and the next detection cycle time segment in the future, and τ is 50.
5. The method of claim 1, wherein calculating an error value between the predicted number of valid users and an actual number of valid users accessing the railway network for the future next detection cycle time period comprises:
adopting a root mean square error to represent the error between the predicted legal user number and the actual legal user number of the railway network accessed in the next detection period time period in the future;
wherein the root mean square error is expressed as:
Figure FDA0003128316810000022
wherein m is the number of prediction rounds, $y_i$ is the number of legal users accessing the railway network in the i-th round of prediction, and $y'_i$ is the actual number of users accessing the railway network in the i-th round of prediction.
6. The railway network security prediction method of claim 1, wherein calculating the probability of the future threat of the railway network when the error is greater than a preset error threshold comprises:
when | epsilon | ≧ Tr, the probability of occurrence of the threat existing in the next detection period time period in the future of the railway network is
Figure FDA0003128316810000031
wherein ε is the error between the predicted number of legal users and the actual number of legal users accessing the railway network in the next future detection period, Tr is a preset error threshold, and $P_{Tr}$ is the corresponding error probability, which can be calculated from the random nature of the standard distribution of errors.
7. The method for predicting the safety of the railway network according to claim 1, wherein the calculating the probability of the threat of the railway network in the future when the error is larger than a preset error threshold value further comprises:
and when the error is smaller than a preset error threshold value, determining that the railway network has no threat in the next future detection period time under the corresponding network safety protection requirement.
8. A railway network security prediction system, comprising:
the prediction module is used for predicting the number of legal users accessing the railway network in the next detection period in the future according to the number of legal users accessing the railway network in a plurality of historical detection period periods;
the first calculation module is used for calculating the error between the predicted legal user number and the actual legal user number of the railway network accessed in the next detection period time period in the future;
the second calculation module is used for calculating the probability of the threat of the railway network in the next detection period time period in the future when the error is larger than a preset error threshold value;
the prediction module is further used for predicting the number of legal users accessing the railway network in the next detection period in the future by using the local weighted linear regression algorithm with each historical detection period time period and the number of legal users accessing the railway network in each detection period time period as input quantities.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program performs the steps of the railway network security prediction method according to any one of claims 1 to 7.
CN202010531403.4A 2020-06-11 2020-06-11 Railway network security prediction method and system and electronic equipment Active CN111818017B (en)

Publications (2)

Publication Number Publication Date
CN111818017A CN111818017A (en) 2020-10-23
CN111818017B true CN111818017B (en) 2021-08-17

Family

ID=72845983

Country Status (1)

Country Link
CN (1) CN111818017B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant