CN111885040A - Distributed network situational awareness method, system, server and node device - Google Patents

Distributed network situational awareness method, system, server and node device

Info

Publication number: CN111885040A
Application number: CN202010694100.4A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Inventors: 胡浩, 刘玉岭, 张玉臣, 汪永伟, 李炳龙, 刘璟, 董书琴
Assignees (current and original): Institute of Information Engineering of CAS; PLA Information Engineering University
Prior art keywords: network, security, data, threat, host

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Managing network security; network security policies in general
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • G06F16/182 Distributed file systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F9/5061 Allocation of resources: partitioning or combining of resources

Abstract

The invention belongs to the field of network security technology and in particular relates to a distributed network situational awareness method, system, server and node device. The method comprises: for the security data sources of the network nodes, performing data fusion with the MapReduce model by calling the HADOOP interface, to obtain the security events of the current time period; assessing the network security situation by quantifying the threat risk of the security events; and, based on the attack stages identified during quantification combined with a network attack graph, predicting the security situation to obtain the attacker's intent. The invention distributes the computation and storage that demand large computing power across the nodes of the HADOOP cluster, uses the cluster's parallel computing and storage capacity for processing, and uses MapReduce for parallel computation. This realizes distributed network security situational awareness over large-scale data, improves the storage scale and timeliness of situational awareness, and strengthens the ability to perceive and defend against covert, coordinated, large-scale and multi-stage attacks such as APT attacks.

Description

Distributed network situational awareness method, system, server and node device

Technical field

The invention belongs to the field of network security technology and in particular relates to a distributed network situational awareness method, system, server and node device.

Background

With the rapid development of information technology, cyberspace faces an increasing number of attacks and threats, and traditional security products are less and less able to meet protection needs. Network security situational awareness, as a new means of protection, recognizes, understands and predicts the security state of a network and its trend in a complex and changing network environment; it helps administrators grasp the network's security status in time and take protective measures against threats before they arise, so that the network security situation is perceived comprehensively, accurately and in real time. Tim Bass of the U.S. Air Force Communications and Information Center first proposed the concept of network situational awareness in 1999 and pointed out that it would become the focus of next-generation network defense research. After more than ten years of development, network security situational awareness has produced many results.

A large body of research has been devoted to network security situational awareness, but it mainly targets single-step, simple attacks, takes network security sensors as its data source and uses hierarchical analysis for awareness. As a result it cannot accurately reflect the large-scale, coordinated, covert and multi-stage characteristics increasingly shown by new APT attacks, ransomware attacks and the like. Identifying potential APT attacks in massive, complex, multi-source heterogeneous security logs and traffic, and mining non-linear attack features, requires the support of server clusters with large-scale computing capacity. The characteristics of APT attacks, together with the complex data processing needed to integrate existing large-scale data networks and multi-node network devices, pose many challenging problems for network security situational awareness and protection.

Summary of the invention

To this end, the invention provides a distributed network situational awareness method, system, server and node device that uses HADOOP to realize distributed network security situational awareness, improves the storage scale and timeliness of situational awareness, and strengthens the ability to perceive and defend against covert, coordinated, large-scale and multi-stage attacks such as APT attacks, so that attack actions are perceived accurately and in time and the security, reliability and stability of the network are protected.

According to the design provided by the invention, a distributed network situational awareness method comprises the following:

for the security data sources of the network nodes, performing data fusion with the MapReduce model by calling the HADOOP interface, to obtain the security events of the current time period;

assessing the network security situation by quantifying the threat risk of the security events; and, based on the attack stages identified during quantification combined with a network attack graph, predicting the security situation to obtain the attacker's intent.

Further, in the distributed network situational awareness method of the invention, the security data sources comprise data from both the attacking and defending sides and network environment data: the attacker data comprises atomic attack action information; the defender data comprises network protection policies and security configuration information; and the network environment data comprises host, server and terminal device information, network connectivity information and network vulnerability scan information.

Further, the security data sources are first preprocessed: filter rules are set to discard irregular records, and the remaining data is formatted with the XML common data model to obtain XML files in a unified format.

Further, the HADOOP interface is called on the data integration server, the clustering of the XML files is computed and stored in HADOOP, the result is returned to the data integration server when clustering finishes, and data fusion is performed on the data integration server to obtain the security events of the current time period.

Further, when quantifying the threat risk of security events, the quantification is divided into a system layer, a host layer and a service layer according to the scale and hierarchy of the network, and a bottom-up, local-first-then-global assessment strategy is adopted according to the organizational structure of the network system.

Further, the bottom-up, local-first-then-global assessment strategy comprises: taking security events as the clue and taking network resource consumption into account, obtaining the threat situation of the services provided by each host, statistically analyzing the severity and number of occurrences of the security events and the network bandwidth occupancy, and assessing the security threat status of each service; comprehensively assessing the security status of each host in the network system; and assessing the security threat situation of the whole LAN system according to the structure of the network system.

Further, the service threat index is obtained from a vector of, for a given time period, the severity of attacks on the service, the number of attacks, the network bandwidth occupancy and the APT attack threat level; the host threat index for the period is obtained from the host's service threat vector, the weight vector of each service among all services of the host, and the service threat indices; and the threat index of the network system's LAN for the period is obtained from the host threat indices and the importance weight of each host in the LAN being assessed.

Further, the invention also provides a distributed network situational awareness system comprising a data integration server, a HADOOP platform and a situational awareness visualization server connected to both, wherein:

the data integration server obtains the security data sources of each node of the network and performs data fusion with the MapReduce model of the HADOOP platform by calling the HADOOP interface, to obtain the security events of the current time period;

the situational awareness visualization server accesses the security data on the data integration server and the HADOOP platform, quantifies the threat risk of the security events, predicts the current situation and presents it graphically.

Beneficial effects of the invention:

The invention establishes a network security situational awareness framework, performs data fusion on the raw security data on the HADOOP platform, and on that basis completes network security situation assessment and prediction. The computation and storage that demand large computing power are distributed across the nodes of the HADOOP cluster and processed with the cluster's parallel computing and storage capacity; by storing files and data in HDFS and performing parallel computation with MapReduce, the invention realizes distributed network security situational awareness over large-scale data, improves the storage scale and timeliness of situational awareness, and strengthens the ability to perceive and defend against covert, coordinated, large-scale and multi-stage attacks such as APT attacks.

Description of drawings:

FIG. 1 is a schematic flowchart of the distributed network situational awareness method in the embodiment;

FIG. 2 is a schematic diagram of the distributed situational awareness framework in the embodiment;

FIG. 3 is a schematic diagram of the HDFS structure used for distributed situation storage in the embodiment;

FIG. 4 is a schematic diagram of the MapReduce framework used for distributed situation processing in the embodiment;

FIG. 5 is a schematic diagram of the working principle of the distributed situational awareness system in the embodiment;

FIG. 6 is a schematic diagram of the framework of the distributed situational awareness system in the embodiment;

FIG. 7 is a schematic diagram of the workflow of the distributed situational awareness system in the embodiment;

FIG. 8 is a schematic diagram of the network topology in the embodiment;

FIG. 9 is a schematic diagram of the visualization of the network security situation in the embodiment;

FIG. 10 is a schematic diagram of the real-time attack scenario display in the embodiment;

FIG. 11 is a schematic diagram of the real-time alarm information display in the embodiment.

Detailed description:

In order to make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and technical solutions.

HADOOP is a framework for distributed parallel computation across large clusters of computers. It can process data volumes at the PB scale and has the advantages of high reliability, efficiency and scalability. Its main components are the distributed storage system HDFS and the distributed computation framework MapReduce. HDFS uses a master/slave structure, is responsible for storing and managing the cluster's data, and offers high data throughput and high fault tolerance. MapReduce is a distributed programming model with two operations, Map and Reduce. An embodiment of the invention, shown in FIG. 1, provides a distributed network situational awareness method comprising the following:

S101. For the security data sources of the network nodes, perform data fusion with the MapReduce model by calling the HADOOP interface, to obtain the security events of the current time period;

S102. Assess the network security situation by quantifying the threat risk of the security events; based on the attack stages identified during quantification combined with a network attack graph, predict the security situation to obtain the attacker's intent.

As shown in FIG. 2, the embodiment combines HADOOP to improve the storage scale and timeliness of network security situational awareness. First a situational awareness system framework is established under the principle of "distributed collection, structured processing". It comprises four parts: data preprocessing, situation awareness, situation display and situation decision. Data preprocessing collects device performance, device logs, traffic information and similar data, cleans and transforms it, and forms the basic situation information database; situation awareness takes the situation assessment database as its object, extracts knowledge from it and uses that knowledge for situation judgement; situation display presents the results of the situation assessment; situation decision is the series of actions the network administrator takes based on the situation conclusions.

HDFS is a master/slave structure comprising one NameNode and several DataNodes; the former manages file access operations and the latter store the data, as shown in FIG. 3. Internally a file is divided into blocks. Normally the file is split into blocks of 64 MB (the Hadoop 1.x default; Hadoop 2.x raised the default block size to 128 MB), and the blocks are spread as widely as possible over multiple DataNodes. The NameNode handles file open, close and rename operations and maintains the mapping from files to blocks and from blocks to DataNodes; the DataNodes serve read/write requests and create, replicate and delete blocks. The MapReduce framework is used to process Internet-scale data: its data processing interface is simple and powerful, it encapsulates distributed parallel computation well, and it is used in fields such as data analysis and machine learning. The core of MapReduce is Map (mapping) and Reduce (reduction): the program to be executed is decomposed into Map and Reduce functions, and each input <key, value> pair is converted into one or a batch of output <key, value> pairs. The data processing flow is shown in FIG. 4, and the detailed workflow is as follows:

Map side:
1. Splitting: the input file is cut into splits, one per map task, and the map tasks execute concurrently on the cluster. The split size is by default the middle value of the maximum split size (Long.MAX_VALUE), the minimum split size (at least 1) and the block size (128 MB by default), i.e. max(minSize, min(maxSize, blockSize)).
2. Task execution: normally the map function is called once per record (line) of the split, and the calls produce a set of <key, value> pairs.
3. Buffering: each map task writes its output to a circular in-memory buffer (100 MB by default); when the buffer reaches its threshold (0.8 of its capacity) it is spilled to disk, and the spill files are merge-sorted.
4. Partitioning: the output of each map task is partitioned, usually into as many partitions as there are reduce tasks; the default rule partitions on a hash of the key. (Hash partitioning is deterministic, not random: equal keys always land in the same partition, which is what guarantees that one reducer sees all values of a key.)
5. Sorting: the data within each partition is sorted by key.
6. Combining: a Combiner function aggregates the sorted output locally before it is sent over the network.
7. Completion: when a map task finishes, its TaskTracker reports completion to the JobTracker, and the reduce tasks periodically query for completed map outputs, which they fetch over HTTP.
8. Copy: data is copied from every map output into the reducer's buffer.
9. Merge sort: all map outputs belonging to one reduce task are merged with a heap-based merge sort, ordered by key.
10. Grouping: records with the same key are grouped into one set K, list(V).

Reduce side:
1. Task execution: the reduce function is called once for each group of values sharing a key;
2. Output: each reduce task writes one output file.

Based on the above method, the embodiment further provides a distributed network situational awareness system, shown in FIG. 5 and FIG. 6, comprising a data integration server, a HADOOP platform and a situational awareness visualization server connected to both, wherein:

the data integration server obtains the security data sources of each node of the network and performs data fusion with the MapReduce model of the HADOOP platform by calling the HADOOP interface, to obtain the security events of the current time period;

the situational awareness visualization server accesses the security data on the data integration server and the HADOOP platform, quantifies the threat risk of the security events, predicts the current situation and presents it graphically.

In the embodiment, further, the security data sources comprise data from both the attacking and defending sides and network environment data: the attacker data comprises atomic attack action information; the defender data comprises network protection policies and security configuration information; and the network environment data comprises host, server and terminal device information, network connectivity information and network vulnerability scan information.

Collecting the security elements that affect the network's security status through the various security sensors deployed in the network, so as to provide data support for the subsequent situation analysis, is the precondition of situational awareness. The collected situation elements, which are massive, redundant and heterogeneous, are preprocessed to provide the base data for situation analysis, and the alarms, logs and system operation and maintenance information are formatted. The main data sources of situation analysis are of three kinds: attacker, defender and environment information. Attacker information is mainly atomic attack actions; defender information is a summary of the network protection policies, security configuration and similar countermeasures; network environment information comprises information on the hosts, servers and terminal devices in the network and connectivity information such as the network topology. Network vulnerability information is collected with the vulnerability scanning tool Scanner, network topology information with a topology analysis tool, and network connectivity information is derived from the firewall configuration.

In the embodiment, further, the security data sources are first preprocessed: filter rules are set to discard irregular records, and the remaining data is formatted with the XML common data model to obtain XML files in a unified format.
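
The preprocessing step above, as an added example that is not code from the patent: two constructed sensor formats (an IDS alert line and a firewall log line) are parsed, the filter rules (field count, timestamp syntax, valid IPv4 endpoints, known sensor type) discard irregular records, and the survivors are serialized with one XML schema. The record formats, the filter rules, the severity assigned to a firewall deny and the XML element names are all assumptions chosen for the demonstration; the patent specifies only that irregular records are filtered out and the rest formatted with an XML common data model.

```python
"""Normalize heterogeneous sensor records into one XML data model.

Added example, not code from the patent. The two record formats, the
filter rules and the XML element names are assumptions made for the
demonstration; the patent only states that irregular records are removed
with filter rules and the rest is formatted with an XML common data model.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample input: an IDS alert, a firewall deny, and two irregular
# records (empty destination, invalid source address) that must be filtered.
RAW_LINES = [
    "ids|2020-07-20T10:00:01|10.0.0.5|192.168.1.10|ssh-bruteforce|3",
    "fw|2020-07-20T10:00:02|10.0.0.5|192.168.1.10|deny|tcp/22",
    "ids|2020-07-20T10:00:03|10.0.0.5||ssh-bruteforce|3",
    "fw|2020-07-20T10:00:04|999.1.1.1|192.168.1.10|deny|tcp/22",
]

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
ISO_TIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")


def parse_record(line):
    """Return the record's common fields as a dict, or None if it is irregular."""
    fields = line.strip().split("|")
    if len(fields) != 6:
        return None                       # filter rule: fixed field count
    sensor, ts, src, dst, name, extra = fields
    if not ISO_TIME.match(ts):
        return None                       # filter rule: well-formed timestamp
    if not (IPV4.match(src) and IPV4.match(dst)):
        return None                       # filter rule: valid IPv4 endpoints
    if sensor == "ids":
        try:
            severity = int(extra)         # IDS line carries its own priority
        except ValueError:
            return None
    elif sensor == "fw":
        severity = 1                      # assumed: a denied connection is low severity
    else:
        return None                       # filter rule: known sensor types only
    return {"sensor": sensor, "time": ts, "src": src, "dst": dst,
            "name": name, "severity": severity, "detail": extra}


def normalize(lines):
    """Apply the filter rules; return (kept_records, dropped_count)."""
    kept = [r for r in (parse_record(l) for l in lines) if r is not None]
    return kept, len(lines) - len(kept)


def to_xml(records):
    """Serialize normalized records with one common XML schema (assumed element names)."""
    root = ET.Element("SecurityData")
    for r in records:
        rec = ET.SubElement(root, "Record", sensor=r["sensor"], time=r["time"])
        for tag in ("src", "dst", "name", "severity", "detail"):
            ET.SubElement(rec, tag).text = str(r[tag])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    kept, dropped = normalize(RAW_LINES)
    print(f"kept {len(kept)} records, dropped {dropped}")
    print(to_xml(kept))
```

The dropped count is worth keeping as an operational metric: a sudden rise in rejected records usually means a sensor changed its log format or is being fed malformed input, not that the network became quieter.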

As shown in Figure 7, to ensure the accuracy and normalization of the raw security data collected by the network security sensors deployed at each node of the network system, data fusion is first performed on the raw security data to generate security events; this process is completed mainly in the data integration server. During data fusion the data is first cleaned: filtering rules are set and non-conforming data (for example, records with missing fields) is discarded, and the data is formatted using the currently common XML public data model. The XML files in the unified format are then clustered. During clustering the algorithm has to handle massive raw data with a very large amount of computation, so to meet the real-time requirement this stage calls the HADOOP interface on the data integration server and completes both the computation and the storage in HADOOP. Research on clustering algorithms in HADOOP is now relatively mature, and good results have been obtained in this system. After clustering, the clustering results are returned to the MySQL database of the data integration server; their volume is greatly reduced compared with the raw alarm data. Finally, data fusion is performed on them; this stage has a relatively small amount of computation, performs its read and write operations directly in the traditional database, and its algorithm is also completed in the data integration server. The result is the set of security events of the current time period. This can be implemented in C, with the clustering algorithm implemented in HADOOP using MapReduce.
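The cleaning and formatting step described above, as an added example that is not the patent's code: raw sensor alerts are checked against filtering rules (missing fields, unparsable addresses, out-of-range ports or severities) and the surviving records are written into one XML document with a fixed layout. The field names, the rule set, the XML element names and the sample alerts are all assumptions made for this illustration.

```python
"""Added example (not the patent's code): clean raw sensor alerts and format
them into a unified XML document, as in the preprocessing step above.
Field names, filtering rules, XML layout and sample data are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

# Fields every alert must carry before it is accepted (assumed rule set).
REQUIRED = ("sensor", "timestamp", "src_ip", "dst_ip", "dst_port",
            "service", "signature", "severity")


def is_valid(alert: dict) -> bool:
    """Filtering rules: reject alerts with a missing or empty field, an
    unparsable IP address, a port outside 1..65535 or a severity outside 1..5."""
    for f in REQUIRED:
        if alert.get(f) in (None, ""):
            return False
    try:
        ipaddress.ip_address(alert["src_ip"])
        ipaddress.ip_address(alert["dst_ip"])
        port = int(alert["dst_port"])
        sev = int(alert["severity"])
    except ValueError:          # malformed address or non-numeric field
        return False
    return 0 < port < 65536 and 1 <= sev <= 5


def to_xml(alerts: list) -> str:
    """Format accepted alerts as one XML document with a fixed schema.
    ElementTree escapes markup characters in field values, so hostile sensor
    input cannot inject elements into the unified file."""
    root = ET.Element("SecurityData")
    for a in alerts:
        ev = ET.SubElement(root, "Alert")
        for f in REQUIRED:
            ET.SubElement(ev, f).text = str(a[f])
    return ET.tostring(root, encoding="unicode")


def preprocess(raw: list) -> tuple:
    """Clean, then format. Returns (xml_text, number_of_discarded_records)."""
    kept = [a for a in raw if is_valid(a)]
    return to_xml(kept), len(raw) - len(kept)


# Constructed sample: four raw alerts from two sensors. The second lacks a
# destination port, the third has a malformed source address, the fourth
# carries markup characters in its signature text.
SAMPLE = [
    {"sensor": "ids-1", "timestamp": "2020-07-17T09:15:02Z", "src_ip": "10.0.0.23",
     "dst_ip": "10.0.1.5", "dst_port": "80", "service": "http",
     "signature": "SQLi attempt", "severity": "4"},
    {"sensor": "ids-1", "timestamp": "2020-07-17T09:15:03Z", "src_ip": "10.0.0.23",
     "dst_ip": "10.0.1.5", "dst_port": "", "service": "http",
     "signature": "SQLi attempt", "severity": "4"},
    {"sensor": "ids-2", "timestamp": "2020-07-17T09:16:40Z", "src_ip": "10.0.0.999",
     "dst_ip": "10.0.1.7", "dst_port": "22", "service": "ssh",
     "signature": "brute force", "severity": "3"},
    {"sensor": "ids-2", "timestamp": "2020-07-17T09:17:01Z", "src_ip": "10.0.0.41",
     "dst_ip": "10.0.1.7", "dst_port": "443", "service": "https",
     "signature": "payload contains <script>", "severity": "2"},
]

if __name__ == "__main__":
    xml_text, dropped = preprocess(SAMPLE)
    print(f"dropped {dropped} record(s)")
    print(xml_text)
```

Two of the four constructed records are discarded by the rules; the record whose signature contains `<script>` is kept, and the markup arrives in the XML as escaped text rather than as an element.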

In this embodiment, further, the threat risk of security events is quantified; according to the scale and hierarchical relationships of the network system, the quantification is divided into a system layer, a host layer and a service layer, and according to the organizational structure of the network system a bottom-up evaluation strategy, local first and then global, is adopted.

Once security events have been obtained by data fusion, the system enters the network security situation assessment stage; this module runs mainly in the situation analysis & visualization server. It accesses the security events in the MySQL database of the data integration server and quantifies the threat risk of the different security events, considering that an actual network system can be decomposed by scale and hierarchy into three layers (system, host and service) and that most attacks target a particular service on a host in the system.

In this embodiment, further, the bottom-up, local-first-then-global evaluation strategy comprises the following: taking security events as clues and combining them with network resource consumption, obtaining the threat situation of the services provided by each host; statistically analysing the severity, number of occurrences and network bandwidth occupancy of the security events to evaluate the security threat status of each service; comprehensively evaluating the security status of each host in the network system; and evaluating the security threat situation of the whole LAN system according to the network system structure.

In this embodiment, further, the service threat index is obtained from the vectors of service attack severity, number of attack occurrences, network bandwidth occupancy and APT attack threat level within a given time period; the host threat index for the given time period is obtained from the host's service security threat vector, the weight vector of each service among all the services of the host, and the service threat indices; and the threat index of the network system LAN for the given time period is obtained from the host threat indices and the importance weights of the hosts in the LAN under evaluation.

The degree of threat that a security event poses to a service is related to the service's normal access volume, the threat intensity and the attack severity. Moreover, the normal access volume of a service differs from one time period to another, so the same attack has a different impact on the service in different periods. Given an analysis time window Δt, the threat index of service S_j at time t is defined by the formula in image RE-GDA0002653395350000051 (not reproduced on this page), where:

(1) The vector in image RE-GDA0002653395350000052 is the normal access volume vector; h is the number of periods into which a day is divided, for example three periods, Δt1 = Night (0:00-8:00), Δt2 = OfficeHour (8:00-18:00) and Δt3 = Evening (18:00-24:00), i.e. image RE-GDA0002653395350000053. The initial values of its elements (image RE-GDA0002653395350000054) are assigned quantitatively by the system administrator according to the normal average access volume F_i (i = 1, …, h) of the protected network system in each period, using 1, 2, 3, 4 and 5 for very low, low, medium, high and very high access volume respectively; the larger the value, the larger the access volume. These values are then normalized to obtain the element values of the vector in image RE-GDA0002653395350000061, i.e. image RE-GDA0002653395350000062.

(2) The vectors in image RE-GDA0002653395350000063 are the attack severity vector and the attack occurrence count vector at time t respectively; their elements (image RE-GDA0002653395350000064) are the severity and the number of occurrences of each kind of attack against service S_j from t to t+Δt in the i-th period, u is the number of attack types within Δt, and the values of u and of these elements (image RE-GDA0002653395350000065) are obtained by statistics over the attack event log database.

(3) The vectors in image RE-GDA0002653395350000066 are the network bandwidth occupancy vector and the APT attack threat level vector respectively; their elements (image RE-GDA0002653395350000067) are the network bandwidth occupancy and the APT attack threat level in each analysis time window of the i-th period, v is the number of analysis time windows in the i-th period, and the coefficient 100 in image RE-GDA0002653395350000068 converts the network bandwidth occupancy into an integer so that the threat of an APT attack can then be evaluated.

(4) The larger the value of the service threat index (image RE-GDA0002653395350000069), the higher the threat level, which should receive the administrator's close attention. Moreover, the point of computing it (image RE-GDA00026533953500000610) is to obtain the security threat values over a continuous period, draw the service-level security situation graph and compare these values, so as to judge the security threat trend of service S_j.

Host level: the threat index of host H_k at time t is given by the formula in image RE-GDA00026533953500000611 (not reproduced on this page), where:

(1) The vector in image RE-GDA00026533953500000612 is the service security threat vector of host H_k at time t; its elements (image RE-GDA00026533953500000613) are the computed security threat indices of the services S_i, and m is the number of services opened on host H_k.

(2) The vector in image RE-GDA00026533953500000614 is the weight vector of each service among all the services opened on the host; its element values are determined by the importance IM_i (i = 1, …, m) of the services provided by host H_k, using 1, 2 and 3 for low, medium and high importance respectively. The importance values IM_i are then normalized to obtain the element values of the vector in image RE-GDA00026533953500000615, i.e. image RE-GDA00026533953500000616.

(3) The larger the value of the host threat index (image RE-GDA00026533953500000617), the higher the threat level of host H_k. Its significance also lies in computing its values (image RE-GDA00026533953500000618) over a continuous period and comparing them, so as to judge the security threat trend of host H_k over that period.

Network (system) level: the threat index of the network system LAN at time t is given by the formula in image RE-GDA00026533953500000619 (not reproduced on this page), where:

(1) The vector in image RE-GDA0002653395350000071 is the security threat vector of the hosts in the network system at time t; its elements (image RE-GDA0002653395350000072) are the computed threat indices of the hosts H_l, and n is the number of hosts in the network system.

(2) The vector in image RE-GDA0002653395350000073 is the weight vector of the importance of each host in the LAN under evaluation; its element values are determined by the status ST_i (i = 1, …, n) of each host in the LAN.

(3) The larger the network system threat index RL, the higher the level of danger. Its significance likewise lies in computing the values of RL over a continuous period and comparing them, so as to judge the security threat trend of the network system over that period.
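The three-level, bottom-up evaluation described above (service, host, network), as an added example that is not the patent's code. The page names the inputs of each level and the properties the indices must have (ordinal grades normalized to weights, a larger index meaning a higher threat, the service index scaled by the normal access volume of the current period, comparison across consecutive windows to read a trend), but its combining formulas sit in images that are not reproduced here. The formulas used below, the host and service names, the grades and the attack counts are therefore assumptions made for this illustration.

```python
"""Added example (not the patent's code): bottom-up threat-index evaluation
service -> host -> network over consecutive analysis windows. The combining
formulas are assumptions matching the properties stated in the text; the
scenario data is constructed."""


def normalize(grades):
    """Ordinal grades (access volume 1..5, importance 1..3, host status) ->
    weights that sum to 1, as the text describes for each weight vector."""
    total = float(sum(grades))
    return [g / total for g in grades]


def service_index(period, access_grades, severity, count, bandwidth, apt_level):
    """Assumed service-level formula.
    period        - index of the current time period (0 Night, 1 OfficeHour, 2 Evening)
    access_grades - administrator's 1..5 normal access volume grade per period
    severity/count - per attack type within the window (u attack types)
    bandwidth/apt_level - per analysis window inside the period (v windows)
    The factor 100 turns bandwidth occupancy into an integer, as the text states."""
    a = normalize(access_grades)[period]
    attack_term = sum(s * c for s, c in zip(severity, count))
    apt_term = sum(int(round(100 * b)) * lvl for b, lvl in zip(bandwidth, apt_level))
    return a * (attack_term + apt_term)


def host_index(service_indices, importance_grades):
    """Host level: service indices weighted by normalized service importance (1..3)."""
    return sum(r * w for r, w in zip(service_indices, normalize(importance_grades)))


def network_index(host_indices, status_grades):
    """Network level: host indices weighted by normalized host status in the LAN."""
    return sum(r * w for r, w in zip(host_indices, normalize(status_grades)))


def evaluate_window(period, access_grades, hosts):
    """hosts: {host: {"status": int, "services": {name: {"importance": int,
    "severity": [...], "count": [...], "bandwidth": [...], "apt_level": [...]}}}}
    Returns (service indices, host indices, network index) for one window."""
    svc, hst = {}, {}
    for hname, h in hosts.items():
        idx, imp = [], []
        for sname, s in h["services"].items():
            r = service_index(period, access_grades, s["severity"], s["count"],
                              s["bandwidth"], s["apt_level"])
            svc[(hname, sname)] = r
            idx.append(r)
            imp.append(s["importance"])
        hst[hname] = host_index(idx, imp)
    names = list(hosts)
    net = network_index([hst[n] for n in names], [hosts[n]["status"] for n in names])
    return svc, hst, net


def trend(values):
    """+1 rising, -1 falling, 0 flat between consecutive windows."""
    return [(v > p) - (v < p) for p, v in zip(values, values[1:])]


# Constructed scenario: a day split into Night/OfficeHour/Evening with access
# grades 1, 5, 3; two consecutive OfficeHour windows; host H1 (status 3) runs
# http (importance 3) and ssh (importance 1); host H2 (status 1) runs smb.
ACCESS = [1, 5, 3]
PERIOD = 1
WINDOW_1 = {
    "H1": {"status": 3, "services": {
        "http": {"importance": 3, "severity": [4, 2], "count": [3, 1], "bandwidth": [0.4], "apt_level": [1]},
        "ssh":  {"importance": 1, "severity": [3],    "count": [2],    "bandwidth": [0.1], "apt_level": [0]}}},
    "H2": {"status": 1, "services": {
        "smb":  {"importance": 2, "severity": [5],    "count": [1],    "bandwidth": [0.2], "apt_level": [2]}}},
}
# Second window: identical except the second http attack type now fires 4 times.
WINDOW_2 = {
    "H1": {"status": 3, "services": {
        "http": {"importance": 3, "severity": [4, 2], "count": [3, 4], "bandwidth": [0.4], "apt_level": [1]},
        "ssh":  {"importance": 1, "severity": [3],    "count": [2],    "bandwidth": [0.1], "apt_level": [0]}}},
    "H2": {"status": 1, "services": {
        "smb":  {"importance": 2, "severity": [5],    "count": [1],    "bandwidth": [0.2], "apt_level": [2]}}},
}


def run():
    """Evaluate both windows; return the network index series and its trend."""
    series = [evaluate_window(PERIOD, ACCESS, w)[2] for w in (WINDOW_1, WINDOW_2)]
    return series, trend(series)


if __name__ == "__main__":
    svc, hst, net = evaluate_window(PERIOD, ACCESS, WINDOW_1)
    print("services:", svc)
    print("hosts:", hst)
    print("network:", net)
    print("network series and trend:", run())
```

With the constructed data the OfficeHour weight is 5/9, so the http service scores 30.0 in the first window and 33.3 in the second; H1 rises from about 23.3 to 25.8 while H2 stays at 25.0, and the network index moves from 23.75 to 25.625, giving a rising trend. The same seven attacks scored in the Night period (weight 1/9) would yield indices one fifth as large, which is the per-period access-volume effect the text describes.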

A network attack graph is generated from the network topology and vulnerability information, and attack behaviour is predicted according to the attack stages identified during quantification, combined with the generated attack graph. The network security situation is then predicted, and the attack intent is identified from the situation prediction result. The above attack graph generation and behaviour prediction can be completed in the situation analysis & visualization server, and the situation behaviour prediction algorithm can be implemented on HADOOP using MapReduce.

To further verify the effectiveness of the technical solution of the present invention, a simulation test was carried out on a platform built as follows:

A HADOOP platform of 5 nodes was built, with 1 master node and 4 slave nodes. The platform is based on the Ubuntu operating system, with HADOOP version 2.0.2. The data acquisition module, written in C, transmits the data generated by the sensors to the server over a Socket. Situation understanding uses C and Map/Reduce parallel code interleaved. The underlying programs of the situation assessment and prediction module are developed in C, the visualization part is developed with Eclipse, and the system runs on Windows 7. For data management, depending on the data scale, the traditional MySQL database and HDFS are used in combination, with the data that needs large amounts of storage and computation kept on HDFS. The topology and connectivity of the monitored network are constructed; the interface is shown in Figure 8. Situation assessment and prediction are performed, giving the situation graph shown in Figure 9, which includes the situation changes of each host as well as the situation of the overall network. The attack scenario reconstruction graph obtained by analysis is shown in Figure 10, from which the attacker's intrusion path can be clearly seen. Real-time alerting for network security events is shown in Figure 11, which contains the security events occurring in real time.

The platform built above displays the trend of network situation changes clearly and intuitively, further verifying that the technical solution of the present invention can realize distributed network security situation awareness for large-scale data and can optimize the storage scale and timeliness of network security situation awareness, so as to improve the ability to perceive and defend against covert, coordinated, large-scale and multi-stage attacks such as APT attacks.

Unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the present invention.

Based on the above system, an embodiment of the present invention further provides a server, comprising: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the above system.

Based on the above system, an embodiment of the present invention further provides a computer-readable node device on which a computer program is stored, wherein the program, when executed by a processor, implements the above system.

The implementation principle and technical effects of the device provided by the embodiment of the present invention are the same as those of the foregoing system embodiment; for brevity, where the device embodiment does not mention something, reference may be made to the corresponding content of the foregoing system embodiment.

Those skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working process of the system and device described above, reference may be made to the corresponding process in the foregoing system embodiment, which is not repeated here.

In all examples shown and described here, any specific value should be interpreted as merely illustrative and not as a limitation; other examples of the exemplary embodiments may therefore have different values.

It should be noted that like reference numerals and letters denote like items in the following figures; once an item is defined in one figure, it need not be further defined or explained in subsequent figures.

The flowcharts and block diagrams in the figures show the architecture, functions and operation of possible implementations of systems, devices and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code containing one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two consecutive blocks may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.

In the several embodiments provided in this application, it should be understood that the disclosed systems and devices may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of units is only a division by logical function, and there may be other ways of dividing them in actual implementation; for another example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some communication interfaces, devices or units, and may be electrical, mechanical or in other forms.

In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.

If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a non-volatile processor-executable computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the system described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc.

Finally, it should be noted that the above embodiments are merely specific implementations of the present invention, used to illustrate the technical solution of the present invention rather than to limit it, and the scope of protection of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that any person skilled in the art can still, within the technical scope disclosed by the present invention, modify the technical solutions described in the foregoing embodiments, readily conceive of changes, or make equivalent substitutions for some of the technical features; such modifications, changes or substitutions do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (10)

1. A distributed network situation awareness method, characterized by comprising:
for a network node security data source, performing data fusion by calling a HADOOP interface and using the MapReduce model to obtain the security events of the current time period;
performing network security situation assessment by quantifying the threat risk of the security events; and predicting the security situation according to the attack stages identified in the quantification process, combined with a network attack graph, to obtain the attack intent.
2. The distributed network situation awareness method according to claim 1, wherein the security data source includes data of both the attacking and defending parties and network environment data, wherein the attacking party data includes atomic attack action information; the defending party data includes the network protection strategy and security configuration information; and the network environment data includes information on hosts, servers and terminal equipment, network connectivity information and network vulnerability scanning information.
3. The distributed network situation awareness method according to claim 1 or 2, wherein the security data source is first preprocessed: filtering rules are set, non-conforming data is discarded, and data formatting is performed through an XML public data model to obtain XML files in a unified format.
4. The distributed network situation awareness method according to claim 3, wherein the HADOOP interface is called on the data integration server, the computation and storage for clustering the XML files are completed in HADOOP, the result is transmitted back to the data integration server after clustering is completed, and data fusion is performed in the data integration server to obtain the security events of the current time period.
5. The distributed network situation awareness method according to claim 1, wherein the security event threat risk is quantified, the quantification being divided into a system layer, a host layer and a service layer according to the scale and hierarchical relationships of the network system; and according to the organizational structure of the network system, a bottom-up evaluation strategy, local first and then global, is adopted.
6. The distributed network situation awareness method according to claim 5, wherein the bottom-up, local-first-then-global evaluation strategy comprises: taking security events as clues and combining them with network resource consumption, obtaining the threat situation of the services provided by each host, statistically analysing the severity, number of occurrences and network bandwidth occupancy of the security events, and evaluating the security threat status of each service; comprehensively evaluating the security status of each host in the network system; and evaluating the security threat situation of the whole local area network system according to the network system structure.
7. The distributed network situation awareness method according to claim 5, wherein a service threat index is obtained from the service attack severity, the number of attack occurrences, the network bandwidth occupancy and the APT attack threat level vector within a given time period; a host threat index for the given time period is obtained from the service security threat vector of the host, the weight vector of each service among all the services of the host, and the service threat indices; and the threat index of the network system local area network for the given time period is obtained from the host threat indices and the importance weights of the hosts in the local area network to be evaluated.
8. A distributed network situation awareness system, comprising: a data integration server, a HADOOP platform, and a situation awareness visualization server connected to the data integration server and the HADOOP platform, wherein
the data integration server is used to acquire the security data source of each node of the network and, by calling the HADOOP interface and using the MapReduce model in the HADOOP platform, to perform data fusion and obtain the security events of the current time period; and
the situation awareness visualization server is used to call the security data on the data integration server and the HADOOP platform, quantify the threat risk of the security events, predict the current situation and display it graphically.
9. A server, comprising: a memory, and one or more processors coupled to the memory, the processors being configured to execute the method of any one of claims 1-7 based on instructions stored in the memory.
10. A computer-readable node device having stored thereon a computer program for execution by a processor, the computer program being adapted to perform the method of any one of claims 1 to 7.
CN202010694100.4A 2020-07-17 2020-07-17 Distributed network situation perception method, system, server and node equipment Pending CN111885040A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010694100.4A CN111885040A (en) 2020-07-17 2020-07-17 Distributed network situation perception method, system, server and node equipment


Publications (1)

Publication Number Publication Date
CN111885040A true CN111885040A (en) 2020-11-03

Family

ID=73154979



Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112380514A (en) * 2020-11-13 2021-02-19 支付宝(杭州)信息技术有限公司 Biological identification security situation prediction method and device and electronic equipment
CN112528223A (en) * 2020-12-11 2021-03-19 中国空间技术研究院 Distributed situation perception consistency method and device
CN112685459A (en) * 2020-11-16 2021-04-20 中国南方电网有限责任公司 Attack source feature identification method based on K-means clustering algorithm
CN112769825A (en) * 2021-01-07 2021-05-07 深圳市永达电子信息股份有限公司 Network security guarantee method, system and computer storage medium
CN112764852A (en) * 2021-01-18 2021-05-07 深圳供电局有限公司 Operation and maintenance safety monitoring method and system for intelligent wave recording master station and computer readable storage medium
CN113642002A (en) * 2021-07-28 2021-11-12 上海纽盾科技股份有限公司 Rapid positioning situation perception method and system for cloud data security events
CN113746832A (en) * 2021-09-02 2021-12-03 华中科技大学 Multi-method mixed distributed APT malicious traffic detection and defense system and method
CN113949554A (en) * 2021-10-13 2022-01-18 东南大学 A high-speed transmission method for global situational awareness data in distributed network
CN114598534A (en) * 2022-03-14 2022-06-07 葛晓磊 Big data-based equipment detection early warning system
CN114745286A (en) * 2022-04-13 2022-07-12 电信科学技术第五研究所有限公司 Intelligent network situation perception system facing dynamic network based on knowledge graph technology
CN114915491A (en) * 2022-06-20 2022-08-16 北京猎鹰安全科技有限公司 Method and device for evaluating security state of network terminal and storage medium
CN115277249A (en) * 2022-09-22 2022-11-01 山东省计算中心(国家超级计算济南中心) A Network Security Situational Awareness Method for Multi-layer Heterogeneous Network Collaboration
CN116132311A (en) * 2023-02-17 2023-05-16 成都工业职业技术学院 Network security situation awareness method based on time sequence
CN116436666A (en) * 2023-04-11 2023-07-14 山东省计算中心(国家超级计算济南中心) A Security Situational Awareness Method for Distributed Heterogeneous Networks
CN117014224A (en) * 2023-09-12 2023-11-07 联通(广东)产业互联网有限公司 Network attack defense method and system based on Gaussian process regression
CN117130566A (en) * 2023-10-27 2023-11-28 睿至科技集团有限公司 Distributed storage method and storage platform
CN117375982A (en) * 2023-11-07 2024-01-09 广州融服信息技术有限公司 Network situation safety monitoring system
CN118590314A (en) * 2024-08-02 2024-09-03 网思科技集团有限公司 Artificial intelligence-based network threat detection method, system and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102098180A (en) * 2011-02-17 2011-06-15 华北电力大学 Network security situational awareness method
CN108494810A (en) * 2018-06-11 2018-09-04 中国人民解放军战略支援部队信息工程大学 Network security situation prediction method, apparatus and system towards attack


Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
刘宇等: "一种松耦合网络安全态势感知模型", 《计算机工程》 *
刘玉岭,冯登国,连一峰,陈恺,吴迪: ""基于时空维度分析的网络安全态势预测方法"", 《计算机研究与发展》 *
王代远等: "基于攻击模式识别的高校网络安全态势评估方法", 《广西教育》 *
管磊等: "基于大数据的网络安全态势感知技术研究", 《信息网络安全》 *
陈秀真,郑庆华,管晓宏,林晨光: ""层次化网络安全威胁态势量化评估方法"", 《软件学报》 *

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112380514B (en) * 2020-11-13 2022-11-22 支付宝(杭州)信息技术有限公司 Biological identification security situation prediction method and device and electronic equipment
CN112380514A (en) * 2020-11-13 2021-02-19 支付宝(杭州)信息技术有限公司 Biological identification security situation prediction method and device and electronic equipment
CN112685459A (en) * 2020-11-16 2021-04-20 中国南方电网有限责任公司 Attack source feature identification method based on K-means clustering algorithm
CN112528223A (en) * 2020-12-11 2021-03-19 中国空间技术研究院 Distributed situation perception consistency method and device
CN112528223B (en) * 2020-12-11 2024-05-31 中国空间技术研究院 Distributed situational awareness consistent method and device
CN112769825A (en) * 2021-01-07 2021-05-07 深圳市永达电子信息股份有限公司 Network security guarantee method, system and computer storage medium
CN112769825B (en) * 2021-01-07 2023-02-21 深圳市永达电子信息股份有限公司 Network security guarantee method, system and computer storage medium
CN112764852A (en) * 2021-01-18 2021-05-07 深圳供电局有限公司 Operation and maintenance safety monitoring method and system for intelligent wave recording master station and computer readable storage medium
CN113642002A (en) * 2021-07-28 2021-11-12 上海纽盾科技股份有限公司 Rapid positioning situation perception method and system for cloud data security events
CN113642002B (en) * 2021-07-28 2024-02-02 上海纽盾科技股份有限公司 Rapid positioning situation awareness method and system for cloud data security event
CN113746832A (en) * 2021-09-02 2021-12-03 华中科技大学 Multi-method mixed distributed APT malicious traffic detection and defense system and method
CN113746832B (en) * 2021-09-02 2022-04-29 华中科技大学 Multi-method mixed distributed APT malicious traffic detection and defense system and method
CN113949554A (en) * 2021-10-13 2022-01-18 东南大学 A high-speed transmission method for global situational awareness data in distributed network
CN113949554B (en) * 2021-10-13 2024-02-02 东南大学 High-speed transmission method for global situation awareness data of distributed network
CN114598534B (en) * 2022-03-14 2024-03-19 郑州市数字政通信息技术有限公司 Equipment detection early warning system based on big data
CN114598534A (en) * 2022-03-14 2022-06-07 葛晓磊 Big data-based equipment detection early warning system
CN114745286B (en) * 2022-04-13 2023-11-21 电信科学技术第五研究所有限公司 Intelligent network situation awareness system oriented to dynamic network based on knowledge graph technology
CN114745286A (en) * 2022-04-13 2022-07-12 电信科学技术第五研究所有限公司 Intelligent network situation perception system facing dynamic network based on knowledge graph technology
CN114915491B (en) * 2022-06-20 2023-12-26 北京猎鹰安全科技有限公司 Evaluation method, device and storage medium for network terminal security state
CN114915491A (en) * 2022-06-20 2022-08-16 北京猎鹰安全科技有限公司 Method and device for evaluating security state of network terminal and storage medium
CN115277249B (en) * 2022-09-22 2022-12-20 山东省计算中心(国家超级计算济南中心) Network security situation perception method based on cooperation of multi-layer heterogeneous network
CN115277249A (en) * 2022-09-22 2022-11-01 山东省计算中心(国家超级计算济南中心) A Network Security Situational Awareness Method for Multi-layer Heterogeneous Network Collaboration
CN116132311A (en) * 2023-02-17 2023-05-16 成都工业职业技术学院 Network security situation awareness method based on time sequence
CN116132311B (en) * 2023-02-17 2023-11-21 成都工业职业技术学院 Network security situation awareness method based on time sequence
CN116436666B (en) * 2023-04-11 2024-01-26 山东省计算中心(国家超级计算济南中心) A security situation awareness method for distributed heterogeneous networks
CN116436666A (en) * 2023-04-11 2023-07-14 山东省计算中心(国家超级计算济南中心) A Security Situational Awareness Method for Distributed Heterogeneous Networks
CN117014224B (en) * 2023-09-12 2024-01-30 联通(广东)产业互联网有限公司 Network attack defense method and system based on Gaussian process regression
CN117014224A (en) * 2023-09-12 2023-11-07 联通(广东)产业互联网有限公司 Network attack defense method and system based on Gaussian process regression
CN117130566A (en) * 2023-10-27 2023-11-28 睿至科技集团有限公司 Distributed storage method and storage platform
CN117375982A (en) * 2023-11-07 2024-01-09 广州融服信息技术有限公司 Network situation safety monitoring system
CN117375982B (en) * 2023-11-07 2024-03-15 广州融服信息技术有限公司 Network situation safety monitoring system
CN118590314A (en) * 2024-08-02 2024-09-03 网思科技集团有限公司 Artificial intelligence-based network threat detection method, system and medium
CN118590314B (en) * 2024-08-02 2024-10-11 网思科技集团有限公司 Artificial intelligence-based network threat detection method, system and medium

Similar Documents

Publication Publication Date Title
CN111885040A (en) Distributed network situation perception method, system, server and node equipment
US12047396B2 (en) System and method for monitoring security attack chains
CN108270785B (en) A distributed security event correlation analysis method based on knowledge graph
US10108411B2 (en) Systems and methods of constructing a network topology
CN106778253A (en) Threat context aware information security Initiative Defense model based on big data
Puthal et al. A secure big data stream analytics framework for disaster management on the cloud
CN107294764A (en) Intelligent supervision method and intelligent monitoring system
WO2017080161A1 (en) Alarm information processing method and device in cloud computing
CN115987544A (en) Network security threat prediction method and system based on threat intelligence
Du Application of information communication network security management and control based on big data technology
Chen et al. Intrusion detection system in cloud computing environment
CN116366673A (en) Data analysis and sharing method oriented to management of power grid information machine room
KR102592868B1 (en) Methods and electronic devices for analyzing cybersecurity threats to organizations
CN118646754A (en) Urban heterogeneous data control and access system and method based on edge computing
Arass et al. Data life cycle: towards a reference architecture
KR101878291B1 (en) Big data management system and management method thereof
US20230231862A1 (en) Method, apparatus, electronic device, and medium for detecting abnormality in network
CN113132351B (en) Method and system for abnormal detection of internal state of mimic router system based on graph convolutional network
CN116318907A (en) Method and system for analyzing computer network situation based on big data and neural network
Zhang et al. A security monitoring method based on autonomic computing for the cloud platform
Pavlikov et al. Architecture and security tools in distributed information systems with Big Data
WO2021055964A1 (en) System and method for crowd-sourced refinement of natural phenomenon for risk management and contract validation
Xia et al. Research on hidden danger risk perception technology based on big data
CN118713927B (en) An information security asset cyberspace mapping system
Geng et al. Robustness of complex networks considering load and cascading failure under edge-removal attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20201103)