CN111917747A - Campus network security situation awareness system and method - Google Patents


Info

Publication number
CN111917747A
Authority
CN
China
Legal status
Pending
Application number
CN202010691108.5A
Other languages
Chinese (zh)
Inventor
陈星原
方迪恺
丁华东
郑森洪
Current Assignee
CERNET Corp
University of Shanghai for Science and Technology
Original Assignee
CERNET Corp
University of Shanghai for Science and Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention relates to a campus network security situation perception system and method. The system comprises an index acquisition module, a situation perception module and a situation prediction module which are connected in sequence. The index acquisition module acquires the index parameters that influence campus network security; the situation perception module generates the corresponding network security situation from the collected index parameters, where its classification and rating unit classifies and rates the collected index parameters to obtain an index layering result and its fusion unit fuses the index layering result upward step by step to generate the network security situation; and the situation prediction module solves for the network security situation result changing over time from the network security situation data sequence. Compared with the prior art, the method can highlight key influence index parameters by establishing the influence index grading model, can obtain the network security situation accurately and objectively by combining the generalization capability of the Bayesian network, and can ensure the safe operation of the campus network.

Description

Campus network security situation awareness system and method
Technical Field
The invention relates to the technical field of network information security, in particular to a campus network security situation awareness system and method.
Background
As the internet has become more widespread with the development of computer technology, network environments have also become increasingly risky and challenging from a security standpoint. To prevent or avoid such events as far as possible, network users need to be familiar with their current working network environment at all times, perceive the current network security situation, and take corresponding precautions or make plans, so as to reduce risk and property loss to the greatest extent. Research on network security situation perception is therefore of great significance. Network Security Situation Awareness (NSSA) is a novel security technology that aims to learn the security situation of a network in advance, so as to assist decision makers and reduce the probability of asset-loss events through awareness of the security situation.
The campus network is currently transitioning from a traditional closed internal network to an intelligent campus network. On the one hand this provides more convenient network services for campus users; at the same time it brings more potential safety hazards, such as campus credit, network attacks from the internal network and the external network, and the cooperative handling of security events. It is therefore necessary to perform security situation awareness on the campus network to ensure its safe operation. In current research on network security situation perception there are security situation perception models built on neural networks, which use the neural network to find the nonlinear mapping relation of the network situation value and then apply a machine learning algorithm to optimize the parameters of the perceived security situation information. However, neural network algorithms mainly rely on the empirical risk minimization principle, which easily leads to a decline in generalization ability; the model structure is difficult to determine; when the number of learning samples is limited, the learning-process error easily converges to a local minimum and learning precision is hard to guarantee; and when the number of learning samples is large, the algorithm easily falls into the curse of dimensionality and generalization performance is relatively poor.
In addition, most current research focuses on constructing a basic situation awareness model; analysis of the indexes that influence the network situation is weak, the differing influence of each index on the network security situation is not considered, and the accuracy and objectivity of the subsequent situation awareness result cannot be guaranteed.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a campus network security situation perception system and method which predict the campus network security situation effectively, accurately and objectively by establishing a basic situation perception model and a hierarchical influence index model and performing model fusion based on a Bayesian method.
The purpose of the invention can be realized by the following technical scheme: a campus network security situation awareness system comprises an index acquisition module, a situation awareness module and a situation prediction module which are sequentially connected, wherein the index acquisition module is used for acquiring index parameters influencing the campus network security;
the situation perception module generates and obtains a corresponding network security situation according to the collected index parameters;
and the situation prediction module is used for solving to obtain a network security situation result changing along with time according to the network security situation data sequence.
Furthermore, the index acquisition module comprises a network element information acquisition unit, a flow information acquisition unit, an alarm information acquisition unit, a vulnerability information acquisition unit and a configuration information acquisition unit, wherein the network element information acquisition unit is used for acquiring the number of hosts, the version of an operating system and the index parameters of the open ports of the hosts;
the traffic information acquisition unit is used for acquiring bandwidth utilization rate, distribution and change rate of data packets, total amount and change rate of data streams, protocol type, data stream proportion and data source IP distribution index parameters;
the alarm information acquisition unit is used for acquiring virus attack, Trojan attack, DOS attack, worm attack, attack occurrence frequency and security log information index parameters;
the vulnerability information acquisition unit is used for acquiring network vulnerabilities, host vulnerabilities, software vulnerabilities and equipment vulnerability index parameters;
the configuration information acquisition unit is used for acquiring network topology structure, safety software installation condition and safety equipment condition index parameters.
Furthermore, the situation perception module comprises a classification and rating unit and a fusion unit which are sequentially connected, the classification and rating unit is connected with the index acquisition module, the fusion unit is also connected with the situation prediction module, and the classification and rating unit is used for classifying and rating a plurality of acquired index parameters to obtain an index layering result;
and the fusion unit is used for performing upward fusion processing on the index layering result step by step so as to generate and obtain a network security situation.
A campus network security situation awareness method comprises the following steps:
s1, the index acquisition module acquires index parameters affecting campus network security and transmits the acquired index parameters to the situation awareness module;
s2, classifying and grading the acquired index parameters by the situation perception module according to the influence index grading model to obtain index grading results;
s3, based on the Bayesian network, the situation perception module carries out upward fusion processing step by step on the index layering result to generate a network security situation;
s4, the situation prediction module collects the network security situation and the corresponding time data from the situation perception module, and establishes a relational expression of the network security situation and the time in a curve fitting mode to obtain a network security situation result changing along with the time.
Further, the hierarchical model of influence indicators in step S2 includes a first-level layer, a second-level layer and a third-level layer from bottom to top, where the indicator parameters in the first-level layer include network topology, security software installation condition, the number of hosts, operating system version, bandwidth utilization rate, distribution and change rate of data packets, total amount and change rate of data streams, protocol type, data stream proportion, data source IP distribution, and attack occurrence frequency;
the index parameters in the second-level layer comprise security equipment condition, host open ports, security log information, DOS attacks, worm attacks, network vulnerabilities and equipment vulnerabilities;
the index parameters in the third-level layer comprise Trojan attacks, software vulnerabilities, virus attacks and host vulnerabilities.
Further, the step S2 specifically includes the following steps:
s21, acquiring continuous data from the acquired index parameter data set D to form a continuous data set G, and forming a discrete data set M by the rest data;
s22, carrying out discretization preprocessing operation on the continuous data set G by adopting a probability density function to obtain a discrete data set G';
s23, reconstructing the discrete data sets G 'and M to form a new data set D';
and S24, layering the index parameters in the data set D' according to the influence index hierarchical model to obtain an index layering result.
Further, the probability density function in step S22 is specifically:
Figure BDA0002589402750000031
where $\mu_{c,i}$ and $\sigma^2_{c,i}$ are the mean and variance of the values of the $i$-th index in layer $c$, $x_i$ is the $i$-th index parameter, and $p(x_i \mid c)$ is the probability that $x_i$ occurs in layer $c$.
Further, the step S3 specifically includes the following steps:
s31, constructing an initial Bayesian network by taking data of each layer in the index layering result as the node attribute of the Bayesian network;
and S32, correcting the initial Bayesian network by a method of calculating posterior probability, and fusing data of a first level in the index layering result step by step upwards until a network security situation is generated.
Further, the specific process of generating the network security situation in step S32 is: acquire the first-level layer situation index and the intermediate-layer situation factor at the current moment and calculate the top-level security situation from them, which is the generated network security situation.
Further, the first-level layer situation index is:
Figure BDA0002589402750000041
$VS_k = \{VS_1 = 0,\ VS_2 = 1,\ \dots,\ VS_k = k-1\}$
where $R_x$ is the first-level layer situation index, $n$ is the number of index parameters in the first-level layer, $m$ is the number of discretization intervals, and $PS_k$ is the probability that a first-level index parameter takes the value $VS_k$; if a continuous index parameter is discretized into $m$ different intervals $S_k$ ($k = 1, 2, \dots, m$), the value corresponding to each discrete interval is $VS_k$.
The intermediate-layer situation factor covers the second-level and third-level index parameters and is specifically:
Figure BDA0002589402750000042
where $R_y$ is the intermediate-layer situation factor, and affinity_Value is the influence factor of the first-level index parameter corresponding to a second-level or third-level index parameter;
the top layer security situation is as follows:
Figure BDA0002589402750000043
the three-level index parameters include four, so that j takes the value of 1,2,3,4, thetajIs the conditional probability value of the j index parameter of the three levels.
Compared with the prior art, the invention has the following advantages:
the invention classifies and grades index parameters capable of influencing network security situation, establishes a hierarchical model structure with a multi-level architecture, then performs stepwise upward fusion on indexes by using a Bayesian method until the indexes successfully reach the topmost layer, performs situation assessment on the current network security situation through the finally obtained influence indexes, generates corresponding network situation values, considers a plurality of influence indexes more comprehensively, highlights the effect of key influence indexes, combines the generalization performance of a Bayesian network, can accurately and objectively obtain the network security situation, is beneficial to accurately predicting the network security situation subsequently, and effectively ensures the safe operation of a campus network.
The invention uses a processing method for grading different influence indexes, namely, the indexes with smaller influence degree are assigned with lower grade, and the indexes with larger influence degree are assigned with higher grade. In view of layering, the indexes with lower levels can be placed at lower levels, and the indexes with higher levels can be placed at higher levels, so that the important influence indexes can be more emphasized when the model is subjected to fusion processing, and the network security situation can be better reflected.
Drawings
FIG. 1 is a schematic diagram of the system of the present invention;
FIG. 2 is a schematic flow diagram of the process of the present invention;
FIG. 3 is a diagram illustrating a hierarchical model structure of an influence indicator;
FIG. 4 is a diagram of an embodiment of a campus network security situation awareness system architecture;
FIG. 5 is a schematic diagram of a system use case in an embodiment;
The notation in the figures is: 1, index acquisition module; 101, network element information acquisition unit; 102, traffic information acquisition unit; 103, alarm information acquisition unit; 104, vulnerability information acquisition unit; 105, configuration information acquisition unit; 2, situation perception module; 201, classification and rating unit; 202, fusion unit; 3, situation prediction module.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments.
Examples
As shown in fig. 1, a campus network security situation awareness system includes an index acquisition module 1, a situation awareness module 2, and a situation prediction module 3, which are connected in sequence, where the index acquisition module 1 is configured to acquire index parameters affecting campus network security, the index acquisition module 1 includes a network element information acquisition unit 101, a traffic information acquisition unit 102, an alarm information acquisition unit 103, a vulnerability information acquisition unit 104, and a configuration information acquisition unit 105, and the network element information acquisition unit 101 is configured to acquire the number of hosts, the version of an operating system, and the index parameters of a host open port;
the traffic information collecting unit 102 is configured to collect a bandwidth utilization rate, a distribution and a change rate of data packets, a total amount and a change rate of data streams, a protocol type, a data stream proportion, and a data source IP distribution index parameter;
the alarm information acquisition unit 103 is used for acquiring virus attack, Trojan horse attack, DOS attack, worm attack, attack occurrence frequency and security log information index parameters;
the vulnerability information acquisition unit 104 is used for acquiring network vulnerabilities, host vulnerabilities, software vulnerabilities and equipment vulnerability index parameters;
the configuration information acquisition unit 105 is used for acquiring a network topology structure, a security software installation condition and a security equipment condition index parameter;
the situation awareness module 2 generates and obtains a corresponding network security situation according to the collected index parameters, the situation awareness module 2 comprises a classification rating unit 201 and a fusion unit 202 which are sequentially connected, the classification rating unit 201 is connected with the index collection module 1, and the classification rating unit 201 is used for classifying and rating the collected index parameters to obtain an index layering result;
the fusion unit 202 is connected with the situation prediction module 3, and the fusion unit 202 is configured to perform gradual upward fusion processing on the index layering result to generate and obtain a network security situation;
and the situation prediction module 3 is used for solving to obtain a network security situation result changing along with time according to the network security situation data sequence.
The system is applied to practice, and the specific method flow is shown in fig. 2, and comprises the following steps:
s1, the index acquisition module 1 acquires index parameters affecting campus network security and transmits the acquired index parameters to the situation awareness module 2;
s2, classifying and grading the collected index parameters according to an influence index grading model, and obtaining an index grading result by the situation perception module 2, wherein the influence index grading model is shown in FIG. 3 and comprises a first-level layer, a second-level layer and a third-level layer from bottom to top, and the index parameters in the first-level layer comprise a network topology structure, a security software installation condition, the number of hosts, an operating system version, a bandwidth utilization rate, the distribution and change rate of data packets, the total amount and change rate of data streams, a protocol type, a data stream proportion, data source IP distribution and attack occurrence frequency;
the index parameters in the second-level layer comprise security equipment condition, host open ports, security log information, DOS attacks, worm attacks, network vulnerabilities and equipment vulnerabilities;
the index parameters in the third-level layer comprise Trojan attacks, software vulnerabilities, virus attacks and host vulnerabilities;
specifically, when classification and rating are performed, continuous data are obtained from an acquired index parameter data set D to form a continuous data set G, and the rest data form a discrete data set M;
then the probability density function is adopted:
Figure BDA0002589402750000061
where $\mu_{c,i}$ and $\sigma^2_{c,i}$ are the mean and variance of the values of the $i$-th index in layer $c$, $x_i$ is the $i$-th index parameter, and $p(x_i \mid c)$ is the probability that $x_i$ occurs in layer $c$; discretization preprocessing is carried out on the continuous data set G based on this probability density function to obtain the discrete data set G';
then reconstructing the discrete data sets G 'and M to form a new data set D';
finally, according to the influence index grading model, the index parameters in the data set D' are layered to obtain an index layering result;
s3, based on the Bayesian network, the situation awareness module 2 performs gradual upward fusion processing on the index layering result to generate and obtain a network security situation:
firstly, constructing an initial Bayesian network by taking data of each layer in an index layering result as a node attribute of the Bayesian network;
then, correcting the initial Bayesian network by calculating posterior probabilities, and fusing the data of the first-level layer in the index layering result upward step by step until the network security situation is generated; to generate the network security situation, the first-level layer situation index and the intermediate-layer situation factor at the current moment are obtained and the top-level security situation is calculated from them, which is the generated network security situation;
the first level situation indexes are as follows:
Figure BDA0002589402750000071
$VS_k = \{VS_1 = 0,\ VS_2 = 1,\ \dots,\ VS_k = k-1\}$
where $R_x$ is the first-level layer situation index, $n$ is the number of index parameters in the first-level layer, $m$ is the number of discretization intervals, and $PS_k$ is the probability that a first-level index parameter takes the value $VS_k$; if a continuous index parameter is discretized into $m$ different intervals $S_k$ ($k = 1, 2, \dots, m$), the value corresponding to each discrete interval is $VS_k$;
The intermediate-layer situation factor covers the second-level and third-level index parameters and is specifically:
Figure BDA0002589402750000072
where $R_y$ is the intermediate-layer situation factor, and affinity_Value is the influence factor of the first-level index parameter corresponding to a second-level or third-level index parameter;
the top layer security situation is as follows:
Figure BDA0002589402750000073
the three-level index parameters include four, so that j takes the value of 1,2,3,4, thetajThe conditional probability value of the jth index parameter of the third-level layer;
s4, the situation prediction module 3 collects the network security situation and the corresponding time data from the situation perception module, and establishes a relational expression between the network security situation and the time in a curve fitting mode to obtain a network security situation result changing along with the time.
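As an added illustration (not code from the patent or its assignees), the following Python sketches steps S2 to S4 end to end: class-conditional discretization of continuous first-level indexes into m intervals with VS_k = k-1 and empirical P(S_k), a probability-weighted first-level index, affinity_Value and theta_j weighted upward fusion to a top-level situation, and a least-squares trend line for prediction. The patent's equations survive only as images on this page, so the Gaussian form of p(x_i|c), the equal-count initialization of the m classes and every combination rule below are assumptions, and the sample readings are constructed.

```python
import math
from collections import Counter

# Constructed sample readings of two first-level indexes over nine time points
# (not measured data). Bandwidth utilisation is a fraction; attack frequency
# is a count per interval.
SAMPLE_BANDWIDTH_UTIL = [0.12, 0.15, 0.11, 0.45, 0.52, 0.48, 0.91, 0.88, 0.95]
SAMPLE_ATTACK_FREQ = [1, 0, 2, 8, 9, 7, 25, 30, 27]


def gaussian_pdf(x, mean, var):
    """p(x_i | c): density of x under the layer-c Gaussian with mean mu_{c,i}
    and variance sigma^2_{c,i}. The Gaussian form is an assumption; the page
    only says 'probability density function' with a mean and variance."""
    var = max(var, 1e-9)  # guard against a zero-variance class
    return math.exp(-(x - mean) ** 2 / (2 * var)) / math.sqrt(2 * math.pi * var)


def fit_layers(values, m):
    """Estimate (mu_{c,i}, sigma^2_{c,i}) for each of m interval classes c by
    splitting the sorted values into m equal-count groups (assumed init)."""
    s = sorted(values)
    n = len(s)
    params = []
    for c in range(m):
        chunk = s[c * n // m:(c + 1) * n // m] or [s[-1]]
        mean = sum(chunk) / len(chunk)
        var = sum((v - mean) ** 2 for v in chunk) / len(chunk)
        params.append((mean, var))
    return params


def discretise(values, m):
    """Step S22: assign each continuous x_i to the interval S_k whose density
    p(x_i|c) is highest. Returns VS_k = k-1, i.e. labels 0..m-1."""
    params = fit_layers(values, m)
    labels = []
    for x in values:
        k = max(range(m), key=lambda c: gaussian_pdf(x, *params[c]))
        labels.append(k)
    return labels


def interval_probabilities(labels, m):
    """P(S_k): empirical probability of each discretised interval."""
    counts = Counter(labels)
    return [counts.get(k, 0) / len(labels) for k in range(m)]


def first_level_index(discrete_series, m):
    """R_x over the n first-level parameters: mean of the expected interval
    value sum_k P(S_k) * VS_k, scaled to [0, 1]. Assumed combination rule."""
    total = 0.0
    for labels in discrete_series:
        probs = interval_probabilities(labels, m)
        total += sum(p * k for k, p in enumerate(probs)) / (m - 1)
    return total / len(discrete_series)


def top_level_situation(r_x, affinity_values, thetas):
    """Upward fusion (assumed rule): R_y = affinity_Value * R_x for each of the
    four third-level parameters, then a theta_j-weighted combination."""
    assert len(thetas) == 4 and len(affinity_values) == 4
    r_y = [a * r_x for a in affinity_values]  # intermediate-layer factors
    return sum(t * r for t, r in zip(thetas, r_y)) / sum(thetas)


def fit_trend(times, situations):
    """Step S4: least-squares line situation = a * t + b, so that the
    situation at a later time can be read off the fitted curve."""
    n = len(times)
    mt, ms = sum(times) / n, sum(situations) / n
    sxx = sum((t - mt) ** 2 for t in times)
    sxy = sum((t - mt) * (s - ms) for t, s in zip(times, situations))
    a = sxy / sxx
    return a, ms - a * mt


if __name__ == "__main__":
    m = 3
    series = [discretise(SAMPLE_BANDWIDTH_UTIL, m),
              discretise(SAMPLE_ATTACK_FREQ, m)]
    r_x = first_level_index(series, m)
    # Hypothetical affinity_Value and theta_j values for the four third-level
    # parameters (Trojan, software vulnerability, virus, host vulnerability).
    top = top_level_situation(r_x, [0.8, 1.0, 1.2, 0.6], [1, 2, 3, 4])
    slope, intercept = fit_trend([0, 1, 2, 3], [0.2, 0.4, 0.6, 0.8])
    print("labels:", series)
    print("R_x = %.3f, top-level situation = %.3f" % (r_x, top))
    print("trend: situation = %.2f * t + %.2f" % (slope, intercept))
```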
The system and method are built as a B/S architecture based on the flash framework, using a design with separate front end and back end. Specifically, it is divided into a display layer, a logic layer and a data layer, distributed as shown in FIG. 4:
The logic layer consists of all functional modules and is responsible for analyzing and processing data; it mainly comprises a traffic detection module, an index acquisition module, a situation perception module, a situation prediction module and a user management module. Some modules must handle user-related HTTP requests to execute specific operations, passing the user's request to the background database model to obtain complete data information. It should be noted that in this embodiment a traffic detection module and a user management module are added. The main function of traffic detection is to obtain, in real time through Wireshark, the traffic information passing through the current network system environment, including the source IP of the traffic, the access mode, the access frequency and so on; after the traffic data is analyzed and disassembled, the final result can be displayed on a front-end page for the system administrator's reference;
The user management module is mainly used to identify who logs in to the system, mainly system administrators, common users and visitors, and is implemented mainly with HTML5 + Bootstrap.
The data layer is mainly composed of data models, and the data models encapsulate corresponding data types and provide data model support for the logic layer, wherein the data models comprise a flow data model, a data source model, a situation index model and a user data model.
The database uses MySQL as the background database to implement data storage. MySQL is one of the currently popular relational database management systems and is widely used in web application development. A relational database stores data in separate tables rather than in one large warehouse, which improves query speed and flexibility and, to a certain extent, fault tolerance.
A specific example is schematically shown in fig. 5, wherein a general user, a guest and a system administrator respectively have the following responsibilities:
(1) system administrator
The system administrator has the highest authority in the system and must regularly perform the related configuration work to keep the system running smoothly. A system administrator usually needs a certain amount of network security knowledge and sometimes needs a degree of training to qualify for the role: for example, when the system is at risk of network attack, the administrator must react in time and deploy the relevant plan; when the system has run for a long time and is at risk of downtime, the administrator must respond in time and adjust the running power of the system so that it continues to operate normally. In addition, the system administrator configures the permissions of the related users and, for malicious users, imposes access limits to control their access frequency. Because the system administrator has the highest authority, the role's main functions cover important matters such as system configuration, user management configuration and system use configuration.
(2) General users
Common users have ordinary authority in the system. So that the security situation perception system can be used well for network risk prevention, the main functions designed for them are the basic functions of user login, user registration, user information modification, viewing the network security situation and so on. Common users do not need extensive network security knowledge to use the network security situation awareness system smoothly; familiarity with the functional modules of the system is enough, and a user with some basic network security knowledge will identify and understand the content presented by the system better. Common users satisfy their need to perceive the security situation of the network environment through daily login, and their identities must be verified at login.
(3) Visitor
The visitor role is designed for anonymous users, since anonymous access is likely when the security situation awareness system is deployed on an external network. A visitor generally has no permissions and can only access the main pages of the network security situation awareness system to browse. In addition, special attention must be paid to malicious anonymous visitors: malicious access traffic can be detected through the traffic analysis module so that such traffic is identified and filtered.

Claims (10)

1. A campus network security situation awareness system is characterized by comprising an index acquisition module (1), a situation awareness module (2) and a situation prediction module (3) which are sequentially connected, wherein the index acquisition module (1) is used for acquiring index parameters influencing the campus network security;
the situation perception module (2) generates and obtains a corresponding network security situation according to the collected index parameters;
and the situation prediction module (3) is used for solving, from the network security situation data sequence, a network security situation result that changes over time.
2. The campus network security situation awareness system according to claim 1, wherein the index acquisition module (1) includes a network element information acquisition unit (101), a traffic information acquisition unit (102), an alarm information acquisition unit (103), a vulnerability information acquisition unit (104), and a configuration information acquisition unit (105), and the network element information acquisition unit (101) is configured to acquire the number of hosts, the operating system version, and the host open port index parameters;
the traffic information acquisition unit (102) is used for acquiring bandwidth utilization rate, distribution and change rate of data packets, total amount and change rate of data streams, protocol type, data stream proportion and data source IP distribution index parameters;
the alarm information acquisition unit (103) is used for acquiring virus attack, Trojan horse attack, DOS attack, worm attack, attack occurrence frequency and security log information index parameters;
the vulnerability information acquisition unit (104) is used for acquiring network vulnerabilities, host vulnerabilities, software vulnerabilities and equipment vulnerability index parameters;
the configuration information acquisition unit (105) is used for acquiring network topology, security software installation status and security equipment status index parameters.
3. The campus network security situation awareness system according to claim 1, wherein the situation awareness module (2) comprises a classification rating unit (201) and a fusion unit (202) connected in sequence, the classification rating unit (201) is connected to the index collection module (1), the fusion unit (202) is further connected to the situation prediction module (3), and the classification rating unit (201) is configured to classify and rate the collected multiple index parameters to obtain an index layering result;
and the fusion unit (202) is used for performing upward fusion processing on the index layering result step by step to generate and obtain a network security situation.
4. A campus network security situation awareness method using the system of claim 1, comprising the steps of:
S1, the index acquisition module (1) acquires index parameters affecting campus network security and transmits the acquired index parameters to the situation awareness module (2);
S2, the situation awareness module (2) classifies and grades the collected index parameters according to the influence index hierarchical model to obtain an index layering result;
S3, based on a Bayesian network, the situation awareness module (2) fuses the index layering result upward step by step to generate a network security situation;
S4, the situation prediction module (3) collects the network security situation and the corresponding time data from the situation awareness module (2) and establishes a relational expression between the network security situation and time by curve fitting, thereby obtaining a network security situation result that changes over time.
5. The campus network security situation awareness method according to claim 4, wherein the influence index hierarchical model in step S2 includes a first level layer, a second level layer, and a third level layer from bottom to top, and index parameters in the first level layer include network topology, security software installation, number of hosts, operating system version, bandwidth usage, distribution and change rate of packets, total amount and change rate of data streams, protocol type, data stream ratio, data source IP distribution, and attack occurrence frequency;
the index parameters in the secondary layer comprise security equipment conditions, host open ports, security log information, DOS attacks, worm attacks, network vulnerabilities and equipment vulnerabilities;
index parameters in the three-level layer comprise Trojan attack, software vulnerability, virus attack and host computer vulnerability.
6. The campus network security situation awareness method according to claim 5, wherein the step S2 specifically comprises the following steps:
S21, extracting the continuous data from the acquired index parameter data set D to form a continuous data set G, the remaining data forming a discrete data set M;
S22, performing a discretization preprocessing operation on the continuous data set G using a probability density function to obtain a discrete data set G';
S23, reconstructing the discrete data sets G' and M to form a new data set D';
S24, layering the index parameters in the data set D' according to the influence index hierarchical model to obtain an index layering result.
7. The method as claimed in claim 6, wherein the probability density function in step S22 is specifically:
Figure FDA0002589402740000031
wherein $\mu_{c,i}$ and Figure FDA0002589402740000032 are the mean and variance of the values of the $i$th index of layer $c$, $x_i$ is the $i$th index parameter, and $p(x_i \mid c)$ is the probability value of $x_i$ occurring at layer $c$.
8. The campus network security situation awareness method according to claim 6, wherein the step S3 specifically comprises the following steps:
S31, constructing an initial Bayesian network by taking the data of each layer in the index layering result as the node attributes of the Bayesian network;
S32, correcting the initial Bayesian network by calculating posterior probabilities, and fusing the data of the first level in the index layering result upward step by step until a network security situation is generated.
9. The campus network security situation awareness method according to claim 8, wherein the specific process of generating the network security situation in step S32 is as follows: acquiring the first-level layer situation index and the intermediate layer situation factor at the current moment to calculate the top-layer security situation, which is the generated network security situation.
10. The campus network security situation awareness method of claim 9, wherein the first-level layer situation index is:
Figure FDA0002589402740000033
$$VS_k = \{VS_1 = 0,\ VS_2 = 1,\ \ldots,\ VS_k = k-1\}$$
wherein $R_x$ is the first-level layer situation index, $n$ is the number of all index parameters of the first-level layer, $m$ is the number of all discretization intervals, and $PS_k$ is the probability that a first-level index parameter takes the value $VS_k$; if a continuous index parameter is discretized into $m$ different intervals $S_k$ ($k = 1, 2, \ldots, m$), the value corresponding to each discrete interval is $VS_k$.
The intermediate layer situation factor comprises the second-level layer index parameters and the third-level layer index parameters, and is specifically:
Figure FDA0002589402740000034
wherein $R_y$ is the intermediate layer situation factor, and $\mathrm{affinity\_Value}$ is the influence factor of the first-level index parameters corresponding to the second-level and third-level index parameters;
the top-layer security situation is:
Figure FDA0002589402740000035
the third-level index parameters are four in number, so $j$ takes the values $1, 2, 3, 4$, and $\theta_j$ is the conditional probability value of the $j$th third-level index parameter.
CN202010691108.5A 2020-07-17 2020-07-17 Campus network security situation awareness system and method Pending CN111917747A (en)

Publications (1)

Publication Number Publication Date
CN111917747A true CN111917747A (en) 2020-11-10

Family

ID=73281278


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201110