CN111953660A - Multi-source heterogeneous security data hierarchical aggregation management system - Google Patents
- Publication number: CN111953660A (application number CN202010710949.6A)
- Authority: CN (China)
- Prior art keywords
- data
- security
- aggregation
- module
- management system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention discloses a multi-source heterogeneous security data hierarchical aggregation management system comprising: a data integration module, which collects security monitoring data as raw data; a data processing module, which standardizes the integrated raw data, converting it into standard data according to data type; a data aggregation module, which processes the standard data to form three types of output, namely statistical results, security events and security knowledge; and a data fusion module, which associates the security events output by the data aggregation module with the multi-source data and selects data top-down for aggregation, so as to output security knowledge or security decisions, i.e. to realize the data security situation. The invention provides basic support for security event analysis, security situation awareness and the like, and forms low-volume, high-value security events or security knowledge for higher-level security analysis through operations such as conversion, de-duplication, merging and association.
Description
Technical Field
The invention relates to a multi-source heterogeneous security data hierarchical aggregation management system, and belongs to the technical field of data management.
Background
With the continued spread of networks, network scale keeps growing, intrusion attacks are becoming larger in scale, more complex and more intelligent, the threats to networks are multiplying, and the losses caused by attacks are growing as well. In response, defense-in-depth systems built from a series of security devices such as intrusion detection, firewalls and anti-virus systems have been established, but new problems have arisen: intrusion detection systems have high false-positive and false-negative rates, and as security systems keep growing, the volume of alarm information and logs grows by orders of magnitude, so that a security administrator faced with a flood of information can hardly understand the system's security threat status or take effective response measures in time. Under these circumstances, effective multi-source heterogeneous security information analysis and processing technology is the intended subject of research.
Disclosure of Invention
The technical problem to be solved by the invention is to overcome the defects of the prior art and provide a multi-source heterogeneous security data hierarchical aggregation management system, so as to provide basic support for further security event analysis, security situation awareness and the like.
The invention specifically adopts the following technical scheme to solve the technical problems:
a multi-source heterogeneous security data hierarchical aggregation management system, comprising:
a data integration module, for collecting security monitoring data as raw data;
a data processing module, for standardizing the integrated raw data and converting it into standard data according to data type;
a data aggregation module, for processing the standard data to form three types of output, namely statistical results, security events and security knowledge;
and a data fusion module, for associating the security events output by the data aggregation module with the multi-source data and selecting data top-down for aggregation, so as to output security knowledge or security decisions, i.e. to realize the data security situation.
Further, as a preferred technical solution of the present invention: the security monitoring data comprises security alarm log data, network log data and system log data.
Further, as a preferred technical solution of the present invention: the security monitoring data comes from the power Internet of Things.
Further, as a preferred technical solution of the present invention: the data types are classified into security alarm log standard data, network log standard data and system log standard data.
Further, as a preferred technical solution of the present invention: the data aggregation module performs data processing on the standard data, including data statistics, event aggregation and knowledge aggregation operations.
Further, as a preferred technical solution of the present invention: the data fusion module forms security knowledge or security decisions for network security situation awareness, network and system security anomaly detection, and network and system attack modeling.
By adopting the above technical scheme, the invention produces the following technical effects:
multi-source data association and security event aggregation start from a specific analysis purpose, and specific data are selected top-down for association and aggregation, providing strong data support for the generation of security decisions.
The invention summarizes the advantages and disadvantages of the prior art and of framework design according to the characteristics of security data, aims to study the multi-source heterogeneous security data hierarchical aggregation framework in depth, designs a theoretical guiding framework for data processing in the field of security analysis, and provides basic support for further security event analysis, security situation awareness and the like. Through operations such as conversion, de-duplication, merging and association, low-volume, high-value security events or security knowledge are formed for use in higher-level security analysis.
Drawings
Fig. 1 is a schematic diagram of the working principle of the system.
Fig. 2 is a schematic diagram of the research architecture of the system.
Fig. 3 is a schematic diagram of the layered architecture of the power Internet of Things used by the system.
Fig. 4 is a schematic diagram of the relationship between security data aggregation and other domains in the system.
Detailed Description
The following describes embodiments of the present invention with reference to the drawings.
The invention designs a multi-source heterogeneous security data hierarchical aggregation management system whose working principle is shown in Fig. 1; the system specifically comprises the following components:
a data integration module, for collecting security monitoring data as raw data;
a data processing module, for standardizing the integrated raw data and converting it into standard data according to data type;
a data aggregation module, for processing the standard data to form three types of output, namely statistical results, security events and security knowledge;
and a data fusion module, for associating the security events output by the data aggregation module with the multi-source data and selecting data top-down for aggregation, so as to output security knowledge or security decisions, i.e. to realize the data security situation.
Here, integration of the raw data is the collection of security monitoring data, which consists of security alarm log data, network log data and system log data.
Raw data normalization refers to standardizing the security monitoring data collected in the integration step, i.e. converting it into standard data according to data type; the data types are classified into security alarm log standard data, network log standard data and system log standard data.
The data aggregation module aggregates homologous (same-source) data within the standard data, processing the security alarm log standard data, the network log standard data and the system log standard data separately; the processing comprises data statistics, event aggregation and knowledge aggregation operations and forms three types of output, namely statistical results, security events and security knowledge; the security events are of two types: access events and alarm events.
The raw data integration in the data integration module and the homologous data aggregation in the data aggregation module perform basic, bottom-up processing of the data, and their results can be shared by several upper-level processing modules.
In the data fusion module, multi-source data association is oriented towards different scenarios and different targets and performs association analysis on the security events, forming alarm security events with clear meaning and rich expressiveness;
homologous data aggregation, i.e. security event aggregation, is oriented towards security situation awareness: it evaluates the security events to form situation description information that serves situation assessment and prediction. Associating the security data with the multi-source data means associating the security events with the multi-source data, since the security data here are the security events. Multi-source data association and security event aggregation start from a specific analysis purpose, and specific data are selected top-down for association and aggregation, providing strong data support for the generation of security decisions.
The design of the system summarizes the advantages and disadvantages of the prior art and of framework design according to the characteristics of security data, aims to study a multi-source heterogeneous security data hierarchical aggregation framework in depth, designs a theoretical guiding framework for data processing in the field of security analysis, and provides basic support for further security event analysis, security situation awareness and the like.
Further, the multi-source heterogeneous security data hierarchical aggregation framework on which the system can be based is shown in Fig. 2. It plays a supporting role for other security fields: anomaly detection needs more basic data, particularly unlabeled log data, so in the hierarchical management system that data is obtained from components at the lower levels of the framework, while attack modeling and security situation awareness need higher-level security information; the final output of security knowledge or security decisions is thereby formed and the data security situation realized.
In the invention, data aggregation builds on general data aggregation technology and security data aggregation technology and, combined with the specific application environment and its data sources, concentrates on an attribute-based homologous aggregation model and an aggregation model for multi-source security data. Security data aggregation in the invention is an information aggregation process: the high-volume, low-value alarms and logs produced by one or more security devices are converted, de-duplicated, merged, associated and so on to form low-volume, high-value security events or security knowledge for higher-level security analysis.
With reference to Fig. 3, in the present invention the raw data comes from the power Internet of Things. The power Internet of Things is an application of the Internet of Things in the smart grid, divided into a four-layer architecture of a sensing layer, a network (transmission) layer, a platform (data) layer and an application layer. The raw data specifically comes from the terminal sensing nodes of the sensing layer, which cover all links, all equipment and even all elements of power generation, transmission, distribution, storage and use in the power system. The result of security data aggregation is used for network security situation awareness, network and system security anomaly detection, and network and system attack modeling.
As shown in Fig. 3, basic theoretical and applied research on the power Internet of Things started in China over a decade ago; the power Internet of Things is an application of the Internet of Things in the smart grid and mainly comprises a four-layer architecture of a sensing layer, a network (transmission) layer, a platform (data) layer and an application layer.
The terminal sensing nodes of the sensing layer are large in number and collect comprehensive data, covering the links, equipment and elements of power transmission, distribution, storage and use in the power system. In current practice, security data aggregation is mainly used for network security situation awareness.
To deal with the increasingly prominent network security problem, research on intrusion detection systems and other network security products has in recent years gradually shifted from improving the efficiency and accuracy of security event alarms towards security event correlation analysis, so as to provide more comprehensive overall control of the network security situation. How to correlate low-level alarms and network security events into information useful to network security administrators has become a major focus of network security research. The process by which data generates information, and information in turn generates knowledge, mainly involves two conversion processes: on the one hand, the conversion from data to information, which mainly uses data aggregation techniques to turn the basic data collected from information systems into an organized and meaningful information base that facilitates further analysis; on the other hand, the conversion from information to knowledge, which mainly uses multi-source information association and aggregation techniques to turn the raw information produced by machines into effective global knowledge that decision makers can more easily understand and grasp, so that managers can make better decisions.
As shown in Fig. 1, a specific research architecture for multi-source heterogeneous security information analysis and processing technology is provided; building on general data aggregation technology and security data aggregation technology, and combined with the specific application environment and its data sources, it focuses on an attribute-based homologous aggregation model and an aggregation model for multi-source security data.
As shown in Fig. 2, in the system of the invention, security data aggregation rests on three parts: a security data aggregation model, general data aggregation technology and an alarm data aggregation method. The architectural framework design for security data aggregation comprises three parts: security data classification, a multi-source security data aggregation framework, and an IDMEF-based unified interface design. Core technical research on security data aggregation comprises two parts: homologous data aggregation and multi-source data aggregation.
As shown in Fig. 4, security data aggregation in the invention relates to three parts: situation awareness, attack modeling and anomaly detection. Security data aggregation is mainly used in the fields of network security situation awareness, network and system security anomaly detection, network and system attack modeling and the like.
Therefore, from the perspective of data flow, the main processing flow of the system's multi-source heterogeneous security data hierarchical aggregation framework is divided into four stages: raw data integration, homologous data aggregation, multi-source data association and security information aggregation. The framework supports other security fields: anomaly detection usually needs more basic data, particularly unlabeled log data, and therefore obtains its data mainly from the lower-level components of the framework, while attack modeling and security situation awareness need higher-level security information, from which the final security knowledge or security decisions are formed.
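The four-stage flow just summarized (raw data integration, homologous aggregation, multi-source association, security information aggregation), together with the three data types and the two security event types named in the detailed description, can be made concrete in code. The following is an added example and not the patent's own implementation: the standard record schema, the field names, the asset map and every log line are constructed for illustration, and the correlation goal used in the fusion stage ("did the attack the IDS alarmed on succeed?") is one possible top-down analysis purpose, not one the patent prescribes.

```python
# Added example, not the patent's own code: one pass through the four stages described
# above. The record schema, field names, asset map and every log line are constructed.
import re
from collections import Counter, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stage 1, integration: raw monitoring data of the three types the text names.
RAW_ALARM_LOG = [  # constructed IDS alarm log
    "2020-07-22T10:00:01 IDS alert sid=2001 sev=high src=10.0.0.5 dst=10.0.1.20 msg=SSH brute force",
    "2020-07-22T10:00:03 IDS alert sid=2001 sev=high src=10.0.0.5 dst=10.0.1.20 msg=SSH brute force",
    "2020-07-22T10:00:04 IDS alert sid=2001 sev=high src=10.0.0.5 dst=10.0.1.20 msg=SSH brute force",
    "2020-07-22T10:05:00 IDS alert sid=3010 sev=low src=10.0.0.9 dst=10.0.1.21 msg=ICMP sweep",
]
RAW_NET_LOG = [  # constructed firewall/flow log
    "2020-07-22 10:00:02 10.0.0.5:51234 -> 10.0.1.20:22 TCP ACCEPT",
    "2020-07-22 10:00:05 10.0.0.5:51240 -> 10.0.1.20:22 TCP ACCEPT",
    "2020-07-22 10:01:00 10.0.0.7:40000 -> 10.0.1.30:443 TCP ACCEPT",
]
RAW_SYS_LOG = [  # constructed syslog: no year, hostname instead of IP
    "Jul 22 10:00:02 host20 sshd[910]: Failed password for admin from 10.0.0.5 port 51234 ssh2",
    "Jul 22 10:00:06 host20 sshd[911]: Accepted password for admin from 10.0.0.5 port 51240 ssh2",
]
HOST_TO_IP = {"host20": "10.0.1.20"}  # constructed asset map, needed to join syslog with the rest

# Stage 2, normalization: every source becomes the same standard record.
# kind is "alarm" | "network" | "system" (the three standard data types);
# action is a signature id, a connection verdict or a login outcome.
StdRecord = namedtuple("StdRecord", "kind ts src dst action severity detail")
ALARM_RE = re.compile(r"^(\S+) IDS alert sid=(\d+) sev=(\w+) src=(\S+) dst=(\S+) msg=(.*)$")
NET_RE = re.compile(r"^(\S+ \S+) (\S+):\d+ -> (\S+):(\d+) (\w+) (\w+)$")
SYS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+) port \d+")

def normalize(kind, line, year=2020):
    """Parse one raw line of the given type into a StdRecord; None if it does not parse."""
    if kind == "alarm" and (m := ALARM_RE.match(line)):
        ts, sid, sev, src, dst, msg = m.groups()
        return StdRecord(kind, datetime.fromisoformat(ts), src, dst, "sid:" + sid, sev, msg)
    if kind == "network" and (m := NET_RE.match(line)):
        ts, src, dst, dport, proto, verdict = m.groups()
        return StdRecord(kind, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, verdict, "info", f"{proto}/{dport}")
    if kind == "system" and (m := SYS_RE.match(line)):
        ts, host, outcome, user, src = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")  # syslog has no year
        return StdRecord(kind, when, src, HOST_TO_IP.get(host, host), outcome.lower(), "info", f"user={user}")
    return None

def normalize_all():
    batches = [("alarm", RAW_ALARM_LOG), ("network", RAW_NET_LOG), ("system", RAW_SYS_LOG)]
    return [r for kind, lines in batches for line in lines if (r := normalize(kind, line))]

# Stage 3, homologous aggregation: counting results and security events.
@dataclass
class SecurityEvent:
    etype: str      # "alarm" or "access": the two security event types the text names
    key: tuple
    count: int
    first: datetime
    last: datetime
    detail: str

def statistics(records):  # counting results: volume per data type, alarms per severity
    return {"by_kind": Counter(r.kind for r in records),
            "alarms_by_severity": Counter(r.severity for r in records if r.kind == "alarm")}

def aggregate_events(records, window=timedelta(minutes=5)):
    """Collapse repeated homologous records (same key, within `window` of the previous one)
    into one event with a count and a time span: the de-duplication and merging step."""
    open_events, out = {}, []
    for r in sorted(records, key=lambda x: x.ts):
        if r.kind == "alarm":
            key = ("alarm", r.action, r.src, r.dst)
        elif r.kind == "network" and r.action == "ACCEPT":
            key = ("access", r.src, r.dst, r.detail)
        else:
            continue  # system-log records are kept for correlation, not aggregated here
        ev = open_events.get(key)
        if ev and r.ts - ev.last <= window:
            ev.count, ev.last = ev.count + 1, r.ts
        else:
            ev = SecurityEvent(key[0], key, 1, r.ts, r.ts, r.detail)
            open_events[key] = ev
            out.append(ev)
    return out

def fuse(events, records, grace=timedelta(minutes=1)):
    """Stage 4, multi-source association driven by one goal chosen top-down ("did the attack
    the IDS alarmed on succeed?"): join each alarm event with system-log logins from the same
    source to the same target inside the alarm's time span, yielding security knowledge."""
    logins = [r for r in records if r.kind == "system" and r.action == "accepted"]
    knowledge = []
    for ev in (e for e in events if e.etype == "alarm"):
        _, sid, src, dst = ev.key
        proof = [r for r in logins if r.src == src and r.dst == dst and ev.first <= r.ts <= ev.last + grace]
        knowledge.append({"src": src, "dst": dst, "alarm": sid, "alarm_count": ev.count,
                          "verdict": "likely compromised" if proof else "attempt only",
                          "evidence": proof[0].detail if proof else None})
    return knowledge

if __name__ == "__main__":
    recs = normalize_all()
    for item in fuse(aggregate_events(recs), recs):
        print(item)
```

Two design points are worth noting. The normalization stage is where heterogeneity is actually absorbed: the syslog source carries no year and names the target by hostname, so without the (constructed) asset map the system-log records could never be joined with the alarm and network records, and the later stages would silently miss the successful login. And the aggregation stage is lossy by design: three identical IDS alarms become one event with a count and a time span, which is exactly the "low-volume, high-value" conversion the text describes, while the system-log records are deliberately left unaggregated so that the fusion stage can use them as evidence.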
Specific embodiments of the present invention have been described above in detail. It should be understood that numerous modifications and variations could be devised by those skilled in the art in light of the present teachings without departing from the inventive concepts. Therefore, the technical solutions available to those skilled in the art through logic analysis, reasoning and limited experiments based on the prior art according to the concept of the present invention should be within the scope of protection defined by the claims.
Claims (6)
1. A multi-source heterogeneous security data hierarchical aggregation management system, comprising:
a data integration module, for collecting security monitoring data as raw data;
a data processing module, for standardizing the integrated raw data and converting it into standard data according to data type;
a data aggregation module, for processing the standard data to form three types of output, namely statistical results, security events and security knowledge;
and a data fusion module, for associating the security events output by the data aggregation module with the multi-source data and selecting data top-down for aggregation, so as to output security knowledge or security decisions, i.e. to realize the data security situation.
2. The multi-source heterogeneous security data hierarchical aggregation management system according to claim 1, wherein: the security monitoring data comprises security alarm log data, network log data and system log data.
3. The multi-source heterogeneous security data hierarchical aggregation management system according to claim 1, wherein: the security monitoring data comes from the power Internet of Things.
4. The multi-source heterogeneous security data hierarchical aggregation management system according to claim 1, wherein: the data types are classified into security alarm log standard data, network log standard data and system log standard data.
5. The multi-source heterogeneous security data hierarchical aggregation management system according to claim 1, wherein: the data aggregation module performs data processing on the standard data, including data statistics, event aggregation and knowledge aggregation operations.
6. The multi-source heterogeneous security data hierarchical aggregation management system according to claim 1, wherein: the data fusion module forms security knowledge or security decisions for network security situation awareness, network and system security anomaly detection, and network and system attack modeling.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010710949.6A CN111953660A (en) | 2020-07-22 | 2020-07-22 | Multi-source heterogeneous security data hierarchical aggregation management system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111953660A (en) | 2020-11-17 |
Family
ID=73341032
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010710949.6A Pending CN111953660A (en) | 2020-07-22 | 2020-07-22 | Multi-source heterogeneous security data hierarchical aggregation management system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111953660A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104852927A (en) * | 2015-06-01 | 2015-08-19 | 国家电网公司 | Safety comprehensive management system based on multi-source heterogeneous information |
CN109873785A (en) * | 2017-12-01 | 2019-06-11 | 广州明领基因科技有限公司 | Multi-source heterogeneous secure data acquisition system based on semantic Agent |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20201117 |