CN112838956B - User-oriented network space resource analysis method and equipment

Info

Publication number: CN112838956B
Authority: CN (China)
Application number: CN202110124432.3A
Other languages: Chinese (zh)
Other versions: CN112838956A
Legal status: Active
Inventors: 司成祥, 王梦禹, 王亿芳, 侯美佳, 樊峰峰, 陈朴, 杨亚南, 李海峰
Current assignee: National Computer Network and Information Security Management Center; Beijing Topsec Network Security Technology Co Ltd
Original assignee: National Computer Network and Information Security Management Center; Beijing Topsec Network Security Technology Co Ltd
Events: application filed by National Computer Network and Information Security Management Center and Beijing Topsec Network Security Technology Co Ltd; priority to CN202110124432.3A; publication of CN112838956A; application granted; publication of CN112838956B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design


Abstract

The invention discloses a user-oriented network space resource analysis method and equipment, wherein the user-oriented network space resource analysis method comprises the following steps: acquiring network flow; extracting network space resource information from network traffic to represent the state, attribute and relationship of each layer of network space resources and cross-layer resources; wherein the network space resource information includes resource information extracted for a physical layer, a logical layer, and a cognitive layer of the network space, and resource information extracted for a specific asset and/or a specific user. The invention is based on network flow monitoring and analysis, and takes the network user as an access point under the condition of not consuming a large amount of resources to accurately analyze the network space resources so as to solve the problem that the network space entity resources and the network user information can not be effectively analyzed and correlated at present.

Description

User-oriented network space resource analysis method and equipment
Technical Field
The invention relates to the field of network security, in particular to a user-oriented network space resource analysis method and device.
Background
In the related art, research on cyberspace resources mainly focuses on the detection, fusion analysis and mapping of cyberspace resources and their attributes, that is, the technical side of cyberspace resource mapping. Cyberspace resource information is acquired mainly by probing, and the analysis of cyberspace resources mainly concerns geographic position and classified distribution statistics. Cyberspace resources serve as basic cyberspace data and have great application value for the security analysis and protection of cyberspace. In recent years, network situation awareness in cyberspace security has also been treated as an application of cyberspace mapping built on cyberspace resource information, with security analysis and prediction performed from macroscopic aspects such as geographic position and classified distribution statistics. However, situational awareness over large areas of cyberspace resources is not suited to the security analysis of key resources such as specific assets or users. Cyberspace entity resources and network user information cannot be effectively correlated. Moreover, existing cyberspace resource analysis methods are mostly based on hierarchical relationship descriptions and cannot show cross-layer relations among network resources. Meanwhile, the network security evaluation index is single, so the security of the whole network and of specific assets or users cannot be comprehensively evaluated.
Disclosure of Invention
The embodiment of the invention provides a user-oriented network space resource analysis method and equipment, which are used for at least solving the problem that the correlation between network space entity resources and network user information cannot be effectively analyzed in the prior art.
The user-oriented network space resource analysis method provided by the embodiment of the invention comprises the following steps:
acquiring network flow;
extracting network space resource information from the network flow to represent the state, attribute and relationship of each layer of network space resources and cross-layer resources;
wherein the cyberspace resource information includes resource information extracted for a physical layer, a logical layer, and a cognitive layer of the cyberspace, and resource information extracted for a specific asset and/or a specific user.
According to some embodiments of the invention, the obtaining network traffic comprises:
actively acquiring network traffic; and/or
passively acquiring network traffic.
According to some embodiments of the invention, the extracting network space resource information from the network traffic to characterize the state, the attribute and the relationship of each layer resource and cross-layer resource of the network space comprises:
based on the network flow, acquiring network space resource information through a constructed regular expression;
and establishing a network space resource information label based on the preprocessing characteristics extracted from the regular expression so as to represent the state, the attribute and the relationship of each layer of resource and cross-layer resource of the network space.
According to some embodiments of the invention, the extracting network space resource information from the network traffic comprises:
extracting the user account and the IP information of the user account from the network flow, extracting the association of the network space resource information of the user account, extracting the association of other account information related to the user account on the network space resource, and extracting the association of the network space resource information of other accounts.
According to some embodiments of the invention, the method further comprises:
classifying and storing the network space resource information, wherein the stored classifications comprise at least one of the following: switching devices, access devices, virtual services, virtual content and virtual persons;
and updating the stored content according to the change of the IP where the user account is located.
According to some embodiments of the invention, the method further comprises:
based on the network space resource information, comprehensively evaluating the security of the whole network space and of the specific assets and/or specific users by adopting multi-aspect indicators;
and visualizing the evaluation result, and performing network security early warning and response aiming at the evaluation result.
According to some embodiments of the invention, the multi-aspect indicator comprises at least one of the following indicators: user, control, management, IP address, traffic, data packets, objective network, local network, host, service, network attack, and vulnerability.
According to some embodiments of the invention, visualizing the evaluation result comprises:
for a specific asset and/or a specific user, regarding a plurality of accounts that generate network communication at the same time on the same network space resource as accounts of the same user, and establishing a user account group;
when two or more of the same accounts exist in a plurality of user account groups, merging those user account groups;
taking the user account group as a keyword, and extracting the network space resource information associated with each account;
establishing a time axis, calculating the geographic position of the related network space resources, and displaying the usage and location of the user's entity resources in the network space;
when a certain account in the user account group has not generated application traffic on an IP for a certain time, deleting the association between that account and the IP and the corresponding network space resource;
the user account, the network space resource, the physical space position and the time axis are thereby integrated and visualized in a unified manner.
The user-oriented network space resource analysis equipment provided by the embodiment of the invention comprises the following components: a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program when executed by the processor implementing the steps of the user-oriented network space resource analysis method as described above.
According to the computer readable storage medium of the embodiment of the present invention, the computer readable storage medium stores an implementation program of information transfer, and the program when executed by a processor implements the steps of the user-oriented network space resource analysis method as described above.
By adopting the embodiment of the invention, the network space resources are accurately analyzed by taking the network users as the access points on the basis of network flow monitoring and analysis under the condition of not consuming a large amount of resources, so that the problem that the network space entity resources and the network user information can not be effectively analyzed and correlated at present is solved.
The above description is only an overview of the technical solutions of the present invention, and the present invention can be implemented in accordance with the content of the description so as to make the technical means of the present invention more clearly understood, and the above and other objects, features, and advantages of the present invention will be more clearly understood.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. In the drawings:
FIG. 1 is a flow chart of a user-oriented cyberspace resource analysis method in an embodiment of the present invention;
FIG. 2 is a flow chart of a user-oriented cyberspace resource analysis method in an embodiment of the present invention;
FIG. 3 is a user-oriented network space resource analysis device architecture diagram in an embodiment of the present invention;
FIG. 4 is a user-oriented network space resource analysis system architecture diagram in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The network space resource refers to the sum of the various elements such as carriers, information and subjects in a network space; it includes not only the physical resources of the communication infrastructure, the IP network, overlay networks, application support systems and other internet infrastructure, but also the information content carried on those physical resources, the virtual resources of users, and the like. The network space may be divided into a physical layer, a logical layer and a cognitive layer. The physical layer comprises the spatial position information of entities and the connection relations among entities that exist in the physical world; it can be directly observed and is easy to perceive. The logical layer is a complex network formed by logical topology, service flows and user operations; it cannot be directly observed and must be perceived by means of tools. The cognitive layer, as the externalization of the objective spirit of the network space, carries the ideological superstructure; it cannot be directly observed and can only be inferred from its external products.
Situation awareness is the ability to dynamically and holistically perceive security risks on the basis of the environment; it improves the capabilities of discovering, identifying, understanding, analyzing, responding to and handling security threats from a global perspective on the basis of security big data, and ultimately lands in security capabilities for decision and action. Network situation awareness (CSA) aims to acquire, understand and display the security elements that can cause network situation changes in a large-scale network environment and to predict their near-term development trends, so as to support decision and action. Situation awareness technology can actively collect dynamic network situation information and analyze and predict it to help managers make accurate defense and rapid decisions, and it is suited to present-day ultra-large-scale network management. A situation awareness system has the capability to continuously monitor the security of a network space and can discover various attack threats and anomalies in time; it has the capability of threat investigation, analysis and visualization, and can quickly judge the influence range, attack path, purpose and means related to a threat, thereby supporting effective security decision and response; and a security early warning mechanism can be established to improve risk control, emergency response and overall security protection. Network situation awareness identifies the behaviors of the various activities in the network, carries out intention understanding and influence evaluation from a macroscopic perspective, and further provides reasonable decision support; it is significant for improving the monitoring and emergency response capabilities of the network and for predicting the development trend of network security.
An embodiment of a first aspect of the present invention provides a user-oriented network space resource analysis method, as shown in fig. 1, including:
s1, acquiring network flow;
s2, extracting network space resource information from the network flow to represent the state, the attribute and the relationship of each layer of network space resources and cross-layer resources;
wherein the cyberspace resource information includes resource information extracted for a physical layer, a logical layer, and a cognitive layer of the cyberspace, and resource information extracted for a specific asset and/or a specific user.
By adopting the embodiment of the invention, the network space resources are accurately analyzed by taking the network users as the access points on the basis of network flow monitoring and analysis under the condition of not consuming a large amount of resources, so that the problem that the network space entity resources and the network user information can not be effectively analyzed and correlated at present is solved.
On the basis of the above-described embodiment, modified embodiments are further proposed, and it is to be noted here that, in order to make the description brief, only the differences from the above-described embodiment are described in each modified embodiment.
According to some embodiments of the invention, the obtaining network traffic comprises:
actively acquiring network traffic; and/or
passively acquiring network traffic.
According to some embodiments of the present invention, the extracting network space resource information from the network traffic to characterize the state, the attribute and the relationship of each layer resource and cross-layer resource of the network space includes:
based on the network flow, acquiring network space resource information through a constructed regular expression;
and establishing a network space resource information label based on the preprocessing characteristics extracted from the regular expression so as to represent the state, the attribute and the relationship of each layer of resource and cross-layer resource of the network space.
According to some embodiments of the invention, the extracting network space resource information from the network traffic comprises:
extracting the user account and the IP information of the user account from the network flow, extracting the association of the network space resource information of the user account, extracting the association of other account information related to the user account on the network space resource, and extracting the association of the network space resource information of the other account.
According to some embodiments of the invention, the method further comprises:
classifying and storing the network space resource information, wherein the stored classifications comprise at least one of the following: switching devices, access devices, virtual services, virtual content and virtual persons;
and updating the stored content according to the change of the IP where the user account is located.
According to some embodiments of the invention, the method further comprises:
based on the network space resource information, comprehensively evaluating the security of the whole network space and of the specific assets and/or specific users by adopting multi-aspect indicators;
and visualizing the evaluation result, and performing network security early warning and response aiming at the evaluation result.
According to some embodiments of the invention, the multi-aspect indicator comprises at least one of the following indicators: user, control, management, IP address, traffic, data packets, objective network, local network, host, service, network attack, and vulnerability.
According to some embodiments of the invention, visualizing the evaluation result comprises:
for a specific asset and/or a specific user, regarding a plurality of accounts that generate network communication at the same time on the same network space resource as accounts of the same user, and establishing a user account group;
when two or more of the same accounts exist in a plurality of user account groups, merging those user account groups;
taking the user account group as a keyword, and extracting the network space resource information associated with each account;
establishing a time axis, calculating the geographic position of the related network space resources, and displaying the usage and location of the user's entity resources in the network space;
when a certain account in the user account group no longer generates application traffic on an IP for a certain time, deleting the association between that account and the IP and the corresponding network space resource;
the user account, the network space resource, the physical space position and the time axis are thereby integrated and visualized in a unified manner.
It will be appreciated by those skilled in the art that the steps of the present invention described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of computing devices, and may alternatively be implemented as program code executable by a computing device, so that the steps shown and described may be stored in a memory device and executed by a computing device, in some cases in a different order than that shown or described herein, or may be made into separate integrated circuit modules, or a plurality of them may be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on this understanding, the technical solutions of the present invention may be embodied in the form of software products, which essentially or partially contribute to the prior art.
The user-oriented network space resource analysis method according to the embodiment of the present invention is described in detail with reference to fig. 2 as a specific embodiment. It is to be understood that the following description is illustrative only and is not intended to be in any way limiting. All similar structures and similar variations thereof adopted by the invention are intended to fall within the scope of the invention.
As shown in fig. 2, the method for analyzing user-oriented cyberspace resources according to the embodiment of the present invention includes:
Step 101, acquiring network traffic in an active and passive mode; specifically, the method comprises the following steps:
passive traffic acquisition is used as a normalization means, such as bypass acquisition of network traffic, and is used for acquiring information of equipment, networks, users and the like so as to analyze network space resources and monitor the security state of the network space;
when network space resources need to be deeply analyzed or network security response is carried out aiming at threats, an active flow obtaining mode is adopted, such as actively sending request data packets and the like, so as to mine network data and deal with security problems;
reference may be made to active probing and passive listening within the network security domain.
Step 102, analyzing network information based on the acquired traffic, and representing the states, attributes and relationships among the resources of each hierarchy of the network space and among cross-layer network resources; specifically, the method comprises the following steps:
extracting network space resource information aiming at a physical layer, a logic layer and a cognitive layer of a network space, particularly extracting information of key resources such as specific assets or users and the like, wherein the extracting comprises extracting and recording user accounts and IP information of the user accounts, the associated extraction of the network space resource information of the user accounts, the associated extraction of other account information on the network space resources and the associated extraction of the network space resource information of other accounts from network flow;
carrying out rule configuration in a formatted file mode (such as an XML format), further uniformly analyzing and converting rule definitions into regular expressions, and simultaneously extracting appropriate feature strings as preprocessing features;
the feature string is part of a rule that is used to extract cyber-space resource information from network traffic. Different characteristics extracted by different rules correspond to different resource information labels, and different resource information has different attributes and can represent information, states and even relations of different resources;
based on the extracted features, network space resource information labels are established, and states, attributes and relationships among resources of each hierarchy of the network space and among cross-layer network resources are represented in the forms of maps and the like.
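The rule pipeline of step 102 (XML rule configuration, conversion to regular expressions, feature strings as a preprocessing filter, and resource information labels joined into cross-layer relations) as an added example; this is not the patent's own code, and the rule names, labels, record format and sample traffic are all constructed for illustration.

```python
"""Rule-driven extraction of cyberspace resource labels (step 102).

Added example, not the patent's own code: rules are configured in an XML file,
converted into compiled regular expressions, and each rule carries a feature
string used as a cheap pre-filter before its regex runs. Rule names, labels,
record format and sample traffic are all constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed rule file: label = resource information label, layer = which
# network-space layer it describes, feature = preprocessing feature string that
# must occur in a record before the rule's regex is tried.
RULES_XML = r"""<rules>
  <rule label="virtual_service.web" layer="logical" feature="Host:">
    <pattern><![CDATA[^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):80 HTTP .*Host: (?P<host>[\w.-]+)]]></pattern>
  </rule>
  <rule label="virtual_person.account" layer="cognitive" feature="uid=">
    <pattern><![CDATA[^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):\d+ HTTP .*uid=(?P<account>\w+)]]></pattern>
  </rule>
  <rule label="virtual_service.dns" layer="logical" feature="DNS Q">
    <pattern><![CDATA[^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):53 DNS Q (?P<qname>[\w.-]+)]]></pattern>
  </rule>
</rules>"""

# Constructed traffic records, one flow summary per line:
# "<ts> <src> -> <dst>:<port> <proto> <payload>". The last line matches no rule.
TRAFFIC = [
    "2021-01-29T10:00:01 10.0.0.5 -> 203.0.113.10:80 HTTP GET /login Host: mail.example.test Cookie: uid=alice",
    "2021-01-29T10:00:02 10.0.0.5 -> 198.51.100.53:53 DNS Q cdn.example.test",
    "2021-01-29T10:00:03 10.0.0.7 -> 203.0.113.20:80 HTTP GET /feed Host: news.example.test Cookie: uid=bob",
    "2021-01-29T10:00:04 10.0.0.5 -> 203.0.113.10:80 HTTP POST /send Host: mail.example.test Cookie: uid=alice",
    "2021-01-29T10:00:05 10.0.0.9 -> 203.0.113.30:443 TLS ClientHello",
]


def load_rules(xml_text):
    """Parse the XML rule file and compile each rule's pattern once."""
    rules = []
    for node in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "label": node.get("label"),
            "layer": node.get("layer"),
            "feature": node.get("feature"),
            "regex": re.compile(node.findtext("pattern")),
        })
    return rules


def extract(records, rules):
    """One labelled entry per (record, rule) hit; the feature string gates the regex."""
    entries = []
    for rec in records:
        for rule in rules:
            if rule["feature"] not in rec:   # preprocessing feature: cheap substring test
                continue
            m = rule["regex"].search(rec)
            if m:
                entries.append({"label": rule["label"], "layer": rule["layer"], **m.groupdict()})
    return entries


def build_relations(entries):
    """Cross-layer relations: account (cognitive layer) -> IP it was seen from and
    -> services it used (logical layer), joined on the record both labels came from."""
    by_record = defaultdict(list)
    for e in entries:
        by_record[(e["ts"], e["src"])].append(e)
    ips, services = defaultdict(set), defaultdict(set)
    for (_, src), group in by_record.items():
        hosts = {e["host"] for e in group if "host" in e}
        for acct in (e["account"] for e in group if "account" in e):
            ips[acct].add(src)
            services[acct] |= hosts
    return {a: {"ips": sorted(ips[a]), "services": sorted(services[a])} for a in ips}
```

Calling `build_relations(extract(TRAFFIC, load_rules(RULES_XML)))` yields, for each account, the IPs it was located at and the virtual services it used.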
Step 103, storing the network information, and updating the stored content according to the result of the network information analysis; specifically, the method comprises the following steps:
based on the states, attributes and relationships among resources of each hierarchy of a network space and among cross-layer network resources, switching equipment such as a switch, a router, wifi and a base station, access equipment such as an internet of things/industrial control, virtual services such as a DNS/CDN and a website/mail, virtual contents such as chatting/communication and text/video, particularly virtual people such as various network accounts, and the like are classified and stored for subsequent accurate analysis;
and simultaneously, updating the stored content by using the network flow acquisition and network information analysis results along with the change of the IP of the user account.
Step 104, comprehensively evaluating the security of the whole network and of key resources such as specific assets or users against multi-aspect indicators, based on the analyzed and stored network information; specifically, the method comprises the following steps:
based on the analyzed and stored network information, evaluating the security state of a physical layer, a logic layer and a cognitive layer of a network space and cross-layer resources, and perceiving the situation of the whole network;
evaluating the safety state of key resources such as specific assets or users from a plurality of aspects such as user accounts, IP information of the user accounts, network space resource information of the user accounts and the like;
the security of the whole network and specific assets or key resources such as users and the like is comprehensively evaluated according to indexes of multiple aspects such as users, control, management, IP addresses, flow, data packets, objective networks, local networks, hosts, services, network attacks, vulnerabilities and the like.
According to the evaluation method in step 104, the security of the whole network space resource and of key resources such as specific assets or users is evaluated from bottom to top and from local to whole. For example: taking information such as attack alarms, scanning results and network traffic as raw data, the vulnerability condition of the services provided by each host system is discovered, and on that basis the security condition of each service is evaluated. The security condition of each key device in the network system is then comprehensively evaluated, the security situations of a plurality of local area networks are evaluated according to the network system structure, and finally the security situation of the whole macro network is comprehensively analyzed and counted. When displaying, the security condition of key resources such as specific assets or users can be displayed hierarchically according to the organization structure of the network system; further, the evaluation result and the logical relations of the network space resources are comprehensively evaluated, and the security condition of the whole network space resource is displayed.
Step 105, visually displaying the whole network space resource and key resources such as specific assets or users; specifically, the method comprises the following steps:
based on the results of network information analysis and network security evaluation, methods such as network security situation maps and the like are adopted to display the whole network space resources and specific assets or key resources such as users and the like so as to know the future change trend of the network and discover the network security threat;
for a specific asset or user, a plurality of accounts that generate network communication at the same time on the same network space resource can be regarded as accounts of the same user, and a user account group is established; when two or more of the same accounts exist in a plurality of user account groups, those user account groups are merged; taking the user account group as a keyword, the network space resource information associated with each account is extracted; a time axis is established, the geographic position of the related network space resources is calculated, and the usage and location of the user's entity resources in the network space are displayed; when a certain account in the user account group has not generated application traffic on an IP for a certain time, the association between that account and the IP and the corresponding network space resource is deleted; information such as the user account, the network space resource, the physical space position and the time axis is thereby integrated and visualized in a unified manner.
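The account grouping, group merging, per-group resource extraction and idle-association expiry of step 105 (also described in the summary above) as an added example; this is not the patent's own code. It assumes a constructed set of observations, a constructed 60-second "same time" window, a constructed 10-minute idle timeout, and takes the "same network space resource" to be the source endpoint (IP) the accounts communicated from; geolocation of resources is left out because it needs external geo data.

```python
"""Account grouping, merging and association expiry (step 105).

Added example, not the patent's own code. Observations, the 60 s grouping
window, the 10 min idle timeout and the account/IP/service values are all
constructed; "same network space resource" is taken to be the source endpoint.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)   # fixed reference so window buckets do not depend on local time


@dataclass(frozen=True)
class Obs:
    ts: datetime     # time of the application traffic
    account: str     # user account seen in the traffic (virtual person)
    ip: str          # IP the account was located at (entity resource)
    resource: str    # virtual service the account used


def parse_ts(s):
    return datetime.fromisoformat(s)


# Constructed observations: a1..a3 share 10.0.0.5 at 10:00, a2..a4 share 10.0.0.7
# at 10:05, a4 and a5 share 10.0.0.9 at 10:10, a6 is alone on 10.0.0.11.
OBS = [
    Obs(parse_ts("2021-01-29T10:00:05"), "a1", "10.0.0.5", "mail.example.test"),
    Obs(parse_ts("2021-01-29T10:00:20"), "a2", "10.0.0.5", "chat.example.test"),
    Obs(parse_ts("2021-01-29T10:00:40"), "a3", "10.0.0.5", "news.example.test"),
    Obs(parse_ts("2021-01-29T10:05:10"), "a2", "10.0.0.7", "chat.example.test"),
    Obs(parse_ts("2021-01-29T10:05:15"), "a3", "10.0.0.7", "news.example.test"),
    Obs(parse_ts("2021-01-29T10:05:30"), "a4", "10.0.0.7", "video.example.test"),
    Obs(parse_ts("2021-01-29T10:10:05"), "a4", "10.0.0.9", "video.example.test"),
    Obs(parse_ts("2021-01-29T10:10:30"), "a5", "10.0.0.9", "forum.example.test"),
    Obs(parse_ts("2021-01-29T10:12:00"), "a6", "10.0.0.11", "mail.example.test"),
]


def initial_groups(obs, window=timedelta(seconds=60)):
    """Accounts communicating from the same IP within one window form a user account group."""
    buckets = defaultdict(set)
    for o in obs:
        buckets[(o.ip, (o.ts - EPOCH) // window)].add(o.account)
    return list({frozenset(s) for s in buckets.values()})


def merge_groups(groups, min_shared=2):
    """Merge any two groups sharing at least min_shared accounts, until none remain."""
    groups = list(groups)
    changed = True
    while changed:
        changed = False
        for i in range(len(groups)):
            for j in range(i + 1, len(groups)):
                if len(groups[i] & groups[j]) >= min_shared:
                    groups[i] = groups[i] | groups[j]
                    del groups[j]
                    changed = True
                    break
            if changed:
                break
    return groups


def last_seen(obs):
    """Most recent application traffic for each (account, ip, resource) association."""
    seen = {}
    for o in obs:
        key = (o.account, o.ip, o.resource)
        if key not in seen or o.ts > seen[key]:
            seen[key] = o.ts
    return seen


def expire(seen, now, timeout=timedelta(minutes=10)):
    """Delete associations whose account produced no traffic on that IP within the timeout."""
    return {k: t for k, t in seen.items() if now - t <= timeout}


def user_profile(group, seen):
    """Group as keyword: IPs, resources and a time axis for each member account."""
    profile = {}
    for (acct, ip, res), t in sorted(seen.items(), key=lambda kv: kv[1]):
        if acct in group:
            p = profile.setdefault(acct, {"ips": set(), "resources": set(), "timeline": []})
            p["ips"].add(ip)
            p["resources"].add(res)
            p["timeline"].append((t.isoformat(), ip, res))
    return profile


def run_example(now=parse_ts("2021-01-29T10:20:00")):
    """Run the whole step on OBS as of `now` and return the unified result."""
    groups = merge_groups(initial_groups(OBS))
    live = expire(last_seen(OBS), now)
    return {
        "groups": sorted(tuple(sorted(g)) for g in groups),
        "live_associations": sorted(live),
        "profiles": {tuple(sorted(g)): user_profile(g, live) for g in groups},
    }
```

`run_example()` shows a4 bridging two groups that stay separate because they share only one account, and only the associations active after 10:10 surviving the idle timeout.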
Step 106, performing network security early warning and response according to the network security evaluation result; specifically, the method comprises the following steps:
aiming at the result of network security evaluation, automatically discovering security threat in the network, reporting information such as account information and IP addresses, carrying out security early warning, and displaying early warning information in real time based on the result of network space resource visualization;
meanwhile, the extraction and analysis strength of specific network information is increased by an active flow acquisition mode, and network security threats are dealt with by methods such as intrusion tracking and vulnerability repair.
It should be explained here that a specific asset refers to a specific kind of asset with specific attributes, such as a mobile-end asset or an IP asset; a specific user refers to a user of a specific type or of focused attention, such as a user with potential security risks; and cross-layer resources refer to resources of the same type that may span different hierarchies of the network space. For example, a hardware device has both location attributes (physical layer) and logical topological relations with other devices (logical layer); a network user has location attributes (physical layer), user operations (logical layer) and ideological forms (cognitive layer).
The technical scheme of the invention has the following beneficial effects:
1. the analysis of the resources of the whole network space and of key resources such as specific assets or users is considered at the same time, and the security of the whole network and of those key resources is comprehensively evaluated;
2. the proposed network space resource analysis method can represent the state, attribute and relationship among the resources of each layer of the network space and among the resources of the cross-layer network;
3. the analysis method and the visual display method can effectively integrate and uniformly visualize information such as user accounts, network space resources, physical space positions, time axes and the like;
4. the security of network and user resources is comprehensively evaluated according to indicators of multiple aspects, such as users, control, management, IP addresses, traffic, data packets, objective networks, local networks, hosts, services, network attacks and vulnerabilities.
It should be noted that the above-mentioned embodiments are only preferred embodiments of the present invention, and are not intended to limit the present invention, and those skilled in the art will appreciate that various modifications and variations can be made in the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
A second embodiment of the present invention provides a user-oriented network space resource analysis device 1000, as shown in fig. 3, including: a memory 1010, a processor 1020 and a computer program stored on the memory 1010 and executable on the processor 1020, the computer program, when executed by the processor 1020, implementing the steps of the user-oriented network space resource analysis method as described in the first aspect of the embodiments.
By adopting the embodiment of the invention, network space resources are accurately analyzed, with network users as the entry point, on the basis of network traffic monitoring and analysis and without consuming a large amount of resources, thereby solving the current problem that the correlation between network space entity resources and network user information cannot be effectively analyzed.
In an embodiment of the third aspect of the present invention, a computer-readable storage medium is provided, where an implementation program of information transmission is stored, and when the program is executed by a processor, the program implements the steps of the user-oriented network space resource analysis method described in the embodiment of the first aspect.
It should be noted that the computer-readable storage medium in this embodiment includes, but is not limited to: ROM, RAM, magnetic or optical disks, and the like. The device that executes the program can be a mobile phone, a computer, a server, an air conditioner, or a network device.
By adopting the embodiment of the invention, network space resources are accurately analyzed, with network users as the entry point, on the basis of network traffic monitoring and analysis and without consuming a large amount of resources, thereby solving the current problem that network space entity resources and network user information cannot be effectively analyzed and correlated.
An embodiment of a fourth aspect of the present invention provides a user-oriented network space resource analysis system, including:
the network flow acquisition module is used for acquiring network flow;
the network information analysis module is used for extracting network space resource information from the network flow so as to represent the state, the attribute and the relationship of each layer of resource and cross-layer resource of a network space;
wherein the cyber space resource information includes resource information extracted for a physical layer, a logical layer, and a cognitive layer of a cyber space, and resource information extracted for a specific asset and/or a specific user.
By adopting the embodiment of the invention, network space resources are accurately analyzed, with network users as the entry point, on the basis of network traffic monitoring and analysis and without consuming a large amount of resources, thereby solving the current problem that network space entity resources and network user information cannot be effectively analyzed and correlated.
On the basis of the above-described embodiment, various modified embodiments are further proposed, and it is to be noted herein that, in order to make the description brief, only the differences from the above-described embodiment are described in the various modified embodiments.
According to some embodiments of the invention, the network traffic acquisition module is configured to:
actively acquire network traffic; and/or
passively acquire network traffic.
According to some embodiments of the invention, the network information analysis module is configured to:
based on the network flow, acquiring network space resource information through a constructed regular expression;
and establishing a network space resource information label based on the preprocessing characteristics extracted from the regular expression so as to represent the state, the attribute and the relationship of each layer of resource and cross-layer resource of the network space.
According to some embodiments of the invention, the network information analysis module is configured to:
extracting the user account and the IP information of the user account from the network flow, extracting the association of the network space resource information of the user account, extracting the association of other account information related to the user account on the network space resource, and extracting the association of the network space resource information of other accounts.
According to some embodiments of the invention, the system further comprises:
the network information storage module is used for classifying and storing the network space resource information, and the stored classes comprise at least one of the following: switching devices, access devices, virtual services, virtual content, and virtual persons;
and updating the stored content according to the change of the IP where the user account is located.
According to some embodiments of the invention, the system further comprises:
the network security evaluation module is used for comprehensively evaluating the security of the whole network space, specific assets and/or specific users by adopting multi-aspect indexes based on the network space resource information;
and the network space resource visualization module is used for visualizing the evaluation result and carrying out network security early warning and response aiming at the evaluation result.
According to some embodiments of the invention, the multi-aspect indicator comprises at least one of the following indicators: user, control, management, IP address, traffic, data packets, objective network, local network, host, service, network attack, and vulnerability.
According to some embodiments of the invention, the cyberspace resource visualization module is configured to:
for a specific asset and/or a specific user, treat a plurality of accounts that generate network communication at the same time on the same network space resource as accounts of the same user, and establish a user account group;
when two or more same accounts exist in a plurality of user account groups, merging the user account groups;
taking a user account group as a keyword, and extracting network space resource information associated with each account;
establishing a time axis, calculating the geographic position of related network space resources, and displaying the use condition and the position condition of the entity resources of the user in the network space;
when a certain account in the user account group does not generate application flow on an IP for a certain time, deleting the association between the account and the IP and the corresponding network space resource;
the user account, the network space resource, the physical space position and the time axis are effectively integrated and are uniformly visualized.
The user-oriented cyberspace resource analysis system according to an embodiment of the present invention is described in detail with reference to fig. 4 as a specific embodiment. It is to be understood that the following description is illustrative only and is not intended to be in any way limiting. All similar structures and similar variations thereof adopted by the invention are intended to fall within the scope of the invention.
As shown in fig. 4, the user-oriented cyberspace resource analysis system according to the embodiment of the present invention includes:
the network traffic obtaining module 201:
this module has the functions of passive traffic acquisition and active traffic acquisition; passive traffic acquisition serves as the routine means of acquiring information on devices, networks, users and so on, in order to analyze network space resources and monitor the network space security state; when network space resources need to be analyzed in depth, or a network security response to a threat is required, active traffic acquisition is adopted to mine network data and deal with the security problem; the module provides data and information to the network information analysis module 202;
the network information analysis module 202:
acquiring data and information from the network traffic acquisition module 201, and providing data and information to the network information storage module 203, the network security evaluation module 204 and the network space resource visualization module 205; the main functions include: extracting network space resource information for the physical layer, logical layer and cognitive layer of the network space, in particular extracting information on key resources such as specific assets or users, which comprises extracting and recording user accounts and the IP information of those accounts from the network traffic, the association extraction of the network space resource information of the user accounts, the association extraction of other account information on the network space resources, and the association extraction of the network space resource information of those other accounts; further, rules are configured in a formatted file (such as XML), the rule definitions are parsed and uniformly converted into regular expressions, and suitable feature strings are extracted at the same time to serve as preprocessing features; network space resource information labels are established on the basis of the extracted features, and the states, attributes and relationships among the resources of each hierarchy of the network space and among cross-layer network resources are represented in the form of a map or similar structure;
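The rule pipeline described above (a formatted rule file, conversion of rule definitions to regular expressions, feature strings used as cheap preprocessing filters, and labels that tie a layer-specific resource to an IP) can be made concrete. The following Python is an added worked example written for this page; it is not code from the patent or its applicants. The XML element and attribute names, the record format and the sample traffic lines are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Constructed rule file. The patent only says rules are configured in a formatted
# file such as XML and converted to regular expressions; the element and attribute
# names below (rule/feature/pattern, layer, category, resource) are assumptions.
RULES_XML = """
<rules>
  <rule name="dns_query" layer="logical" category="virtual_service" resource="dns">
    <feature>DNS_QUERY</feature>
    <pattern><![CDATA[DNS_QUERY qname=(?P<value>[A-Za-z0-9.-]+)]]></pattern>
  </rule>
  <rule name="http_host" layer="logical" category="virtual_service" resource="website">
    <feature>Host:</feature>
    <pattern><![CDATA[Host: (?P<value>[A-Za-z0-9.-]+)]]></pattern>
  </rule>
  <rule name="login_account" layer="cognitive" category="virtual_person" resource="account">
    <feature>login user=</feature>
    <pattern><![CDATA[login user=(?P<value>[A-Za-z0-9_@.-]+)]]></pattern>
  </rule>
</rules>
"""

# Constructed traffic records: "<time> <src ip> -> <dst ip> <decoded payload>".
SAMPLE_LINES = [
    "2021-01-29T10:00:01 10.0.0.5 -> 10.0.0.53 DNS_QUERY qname=mail.example.test",
    "2021-01-29T10:00:02 10.0.0.5 -> 198.51.100.7 HTTP GET / Host: mail.example.test",
    "2021-01-29T10:00:03 10.0.0.5 -> 198.51.100.7 HTTP POST /login user=alice@example.test",
    "2021-01-29T10:00:04 10.0.0.9 -> 198.51.100.7 HTTP GET /img Host: cdn.example.test",
    "malformed record that no rule should match",
]


@dataclass(frozen=True)
class Rule:
    name: str
    layer: str        # physical / logical / cognitive layer the label belongs to
    category: str
    resource: str
    feature: str      # literal "preprocessing feature": cheap pre-filter for the regex
    pattern: re.Pattern


@dataclass(frozen=True)
class ResourceLabel:
    src_ip: str
    layer: str
    category: str
    resource: str
    value: str


def load_rules(xml_text: str) -> list:
    """Parse the XML rule definitions and compile each pattern once."""
    rules = []
    for el in ET.fromstring(xml_text).findall("rule"):
        rules.append(Rule(el.get("name"), el.get("layer"), el.get("category"),
                          el.get("resource"), el.findtext("feature"),
                          re.compile(el.findtext("pattern"))))
    return rules


# Record header: timestamp, source IP, arrow, destination, then the payload.
LINE_HEAD = re.compile(r"^\S+ (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> \S+ (?P<payload>.*)$")


def extract_labels(lines, rules) -> list:
    """Turn raw records into resource labels keyed by the source IP."""
    labels = []
    for line in lines:
        head = LINE_HEAD.match(line)
        if head is None:
            continue  # unparseable record: skip rather than guess
        payload = head.group("payload")
        for rule in rules:
            if rule.feature not in payload:
                continue  # feature-string pre-filter; the regex runs only on candidates
            m = rule.pattern.search(payload)
            if m:
                labels.append(ResourceLabel(head.group("src"), rule.layer, rule.category,
                                            rule.resource, m.group("value")))
    return labels


def relations_by_ip(labels) -> dict:
    """Cross-layer view: every (layer, resource, value) observed from one IP."""
    rel = defaultdict(set)
    for lab in labels:
        rel[lab.src_ip].add((lab.layer, lab.resource, lab.value))
    return {ip: sorted(items) for ip, items in rel.items()}


if __name__ == "__main__":
    for ip, items in relations_by_ip(extract_labels(SAMPLE_LINES, load_rules(RULES_XML))).items():
        print(ip, items)
```

The literal feature check before each regex is what makes a large rule set affordable on live traffic: most records fail the substring test and never reach the regular expression. The per-IP relation table is the raw material for the "map" the text mentions, since one IP already links a logical-layer service to a cognitive-layer account.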
the network information storage module 203:
acquiring data and information from the network information analysis module 202 and providing data and information to the network security evaluation module 204; the main functions include: based on the states, attributes and relationships among the resources of each layer of the network space and among cross-layer network resources, classifying and storing switching devices such as switches, routers, Wi-Fi and base stations, access devices such as IoT and industrial control devices, virtual services such as DNS (domain name system)/CDN (content distribution network) and websites/mail, virtual content such as chat/communication and text/video, and in particular virtual persons such as the various network accounts, for subsequent accurate analysis; meanwhile, as the IP of a user account changes, the stored content is updated with the results of network traffic acquisition and network information analysis;
the network security evaluation module 204:
acquiring data and information from the network information analysis module 202 and the network information storage module 203, and providing data and information to the network space resource visualization module 205 and the network security early warning and response module 206; the main functions include: based on the analyzed and stored network information, evaluating the security state of the physical layer, logical layer and cognitive layer of the network space and of cross-layer resources, and sensing the situation of the whole network; further, evaluating the security state of key resources such as specific assets or users from several aspects, such as the user accounts, the IP information of the user accounts and the network space resource information of the user accounts; in this way the security of the whole network and of key resources such as specific assets or users is comprehensively evaluated according to indicators of multiple aspects, such as users, control, management, IP addresses, traffic, data packets, objective networks, local networks, hosts, services, network attacks and vulnerabilities;
the cyber space resource visualization module 205:
acquiring data and information from the network information analysis module 202 and the network security evaluation module 204, and acquiring network security state early warning and response information from the network security early warning and response module 206; the main functions include: based on the results of network information analysis and network security evaluation, displaying the resources of the whole network space and key resources such as specific assets or users by methods such as a network security situation map, so as to grasp the future trend of the network and discover network security threats; for a specific asset or user, treating a plurality of accounts that generate network communication at the same time on the same network space resource as accounts of the same user and establishing a user account group; merging user account groups when two or more identical accounts exist in them; taking a user account group as the key and extracting the network space resource information associated with each account; establishing a time axis, calculating the geographic position of the related network space resources, and displaying the usage and location of the user's entity resources in the network space; when an account in a user account group has generated no application traffic on an IP for a certain time, deleting the association between the account and that IP and the corresponding network space resource; information such as user accounts, network space resources, physical space positions and time axes is thus effectively integrated and uniformly visualized;
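The account-grouping, group-merging, association and expiry steps of the visualization module (also listed in the fourth-aspect system embodiment above), as an added worked example in Python. It is not code from the patent or its assignees. It interprets "the same network space resource" as the same client IP and service, uses a 5-minute grouping window and a 30-minute idle threshold, and replaces geolocation with a constructed IP-range table; all of these are assumptions of the example, not values the patent gives.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed application-traffic records: "<time> <account> <client ip> <service>".
# Grouping key (assumption): accounts that reach the same service from the same client
# IP within one time window are treated as accounts of the same user.
SAMPLE_LINES = [
    "2021-01-29T10:00:05 alice 10.0.1.20 mail.example.test",
    "2021-01-29T10:00:40 alice_mobile 10.0.1.20 mail.example.test",
    "2021-01-29T10:01:10 alice 10.0.1.20 chat.example.test",
    "2021-01-29T10:01:50 alice_mobile 10.0.1.20 chat.example.test",
    "2021-01-29T10:02:00 bob 10.0.1.31 mail.example.test",
    "2021-01-29T10:02:30 bob 10.0.1.31 video.example.test",
    "2021-01-29T10:30:00 alice_mobile 10.0.2.8 chat.example.test",
    "2021-01-29T10:30:30 a_work 10.0.2.8 chat.example.test",
    "2021-01-29T10:31:00 alice 10.0.2.8 chat.example.test",
    "2021-01-29T10:40:00 carol 10.0.2.8 chat.example.test",
]
# Constructed IP-range to physical-location table standing in for geolocation.
GEO_TABLE = {"10.0.1.0/24": "Site A", "10.0.2.0/24": "Site B"}
EPOCH = datetime(1970, 1, 1)
NOW = datetime(2021, 1, 29, 10, 45)  # constructed evaluation time for the expiry step


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    ip: str
    resource: str


def parse_events(lines):
    events = []
    for line in lines:
        ts, account, ip, resource = line.split()
        events.append(Event(datetime.fromisoformat(ts), account, ip, resource))
    return events


def initial_groups(events, window):
    """Accounts seen on the same (ip, service) within one time window form a group."""
    buckets = defaultdict(set)
    for e in events:
        slot = int((e.ts - EPOCH).total_seconds() // window.total_seconds())
        buckets[(e.ip, e.resource, slot)].add(e.account)
    return [frozenset(s) for s in buckets.values() if len(s) > 1]


def merge_groups(groups, min_shared=2):
    """Merge groups sharing at least min_shared identical accounts; repeat until stable."""
    changed = True
    while changed:
        changed = False
        merged = []
        for g in groups:
            for i, h in enumerate(merged):
                if len(g & h) >= min_shared:
                    merged[i] = g | h
                    changed = True
                    break
            else:
                merged.append(g)
        groups = merged
    return sorted(groups, key=sorted)


def build_groups(events, window=timedelta(minutes=5)):
    """Merged multi-account groups first, then a singleton group per leftover account."""
    groups = merge_groups(initial_groups(events, window))
    covered = set().union(*groups)
    for e in events:
        if e.account not in covered:
            groups.append(frozenset([e.account]))
            covered.add(e.account)
    return groups


def associations(events):
    """account -> {(ip, service): time of the last application traffic seen}."""
    last = defaultdict(dict)
    for e in events:
        key = (e.ip, e.resource)
        if e.ts > last[e.account].get(key, EPOCH):
            last[e.account][key] = e.ts
    return last


def expire(assoc, now, idle=timedelta(minutes=30)):
    """Drop account/IP/service links with no application traffic for `idle` or longer."""
    return {acct: {k: t for k, t in links.items() if now - t < idle}
            for acct, links in assoc.items()}


def locate(ip):
    for net, place in GEO_TABLE.items():
        if ip_address(ip) in ip_network(net):
            return place
    return "unknown"


def group_view(group, assoc):
    """Integrated view of one user account group: accounts, services, locations."""
    links = [k for acct in group for k in assoc.get(acct, {})]
    return {"accounts": sorted(group),
            "resources": sorted({res for _, res in links}),
            "locations": sorted({locate(ip) for ip, _ in links})}
```

With the sample records, `alice` and `alice_mobile` are grouped in the first window, and the later `{alice_mobile, a_work, alice}` window shares two accounts with that group and is merged into it, while `a_work` alone would not have been enough. `bob` and `carol` stay in singleton groups. Running `expire` at 10:45 with a 30-minute threshold removes all of `bob`'s links and leaves the merged group attached only to Site B, which is the behaviour the deletion step describes.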
the network security pre-warning and response module 206:
acquiring data and information from the network security evaluation module 204, and providing network security state early warning and response information to the network space resource visualization module 205; the main functions include: for the result of the network security evaluation, automatically discovering security threats in the network, reporting information such as account information and IP addresses, issuing security early warnings, and displaying the early-warning information in real time on the basis of the network space resource visualization result; meanwhile, increasing the depth of extraction and analysis of specific network information through active traffic acquisition, and dealing with network security threats by methods such as intrusion tracing and vulnerability repair.
The technical scheme of the invention has the following beneficial effects:
1. the analysis of the resources of the whole network space and of key resources such as specific assets or users is considered at the same time, and the security of the whole network and of those key resources is comprehensively evaluated;
2. the proposed network space resource analysis method can represent the state, attribute and relationship among the resources of each layer of the network space and among the resources of the cross-layer network;
3. the analysis method and the visual display method can effectively integrate and uniformly visualize information such as user accounts, network space resources, physical space positions, time axes and the like;
4. the security of network and user resources is comprehensively evaluated according to indicators of multiple aspects, such as users, control, management, IP addresses, traffic, data packets, objective networks, local networks, hosts, services, network attacks and vulnerabilities.
In the description herein, although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. The particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. For example, in the claims, any of the claimed embodiments may be used in any combination.
In addition, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of another like element in a process, method, article, or apparatus that comprises the element. Any reference signs placed between parentheses shall not be construed as limiting the claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.

Claims (8)

1. A user-oriented network space resource analysis method is characterized by comprising the following steps:
acquiring network flow;
extracting network space resource information from the network flow to represent the state, attribute and relationship of each layer of network space resources and cross-layer resources;
wherein the cyber space resource information includes resource information extracted for a physical layer, a logical layer, and a cognitive layer of a cyber space, and resource information extracted for a specific asset and/or a specific user;
based on the network space resource information, comprehensively evaluating the safety of the whole network space and the specific assets and/or specific users by adopting multi-aspect indexes;
visualizing the evaluation result, and performing network security early warning and response aiming at the evaluation result;
wherein visualizing the evaluation result comprises:
for a specific asset and/or a specific user, treating a plurality of accounts that generate network communication at the same time on the same network space resource as accounts of the same user, and establishing a user account group;
when two or more same accounts exist in a plurality of user account groups, merging the user account groups;
taking a user account group as a keyword, and extracting network space resource information associated with each account;
establishing a time axis, calculating the geographic position of related network space resources, and displaying the use condition and the position condition of the entity resources of the user in the network space;
when a certain account in the user account group does not generate application flow on an IP for a certain time, deleting the association between the account and the IP and the corresponding network space resource;
the user account, the network space resource, the physical space position and the time axis are effectively integrated and are uniformly visualized.
2. The method of claim 1, wherein the obtaining network traffic comprises:
actively acquiring network traffic; and/or
passively acquiring network traffic.
3. The method of claim 1, wherein extracting cyberspace resource information from the network traffic to characterize the state, attributes and relationships of cyberspace layer resources and cross-layer resources comprises:
based on the network flow, network space resource information is obtained through a constructed regular expression;
and establishing a network space resource information label based on the preprocessing characteristics extracted from the regular expression so as to represent the state, the attribute and the relationship of each layer of resource and cross-layer resource of the network space.
4. The method of claim 1, wherein said extracting network space resource information from said network traffic comprises:
extracting the user account and the IP information of the user account from the network flow, extracting the association of the network space resource information of the user account, extracting the association of other account information related to the user account on the network space resource, and extracting the association of the network space resource information of the other account.
5. The method of claim 1, further comprising:
classifying and storing the network space resource information, wherein the stored classification comprises at least one of the following: switching devices, access devices, virtual services, virtual content, and virtual persons;
and updating the stored content according to the change of the IP where the user account is located.
6. The method of claim 1, wherein the multi-aspect indicators include at least one of: user, control, management, IP address, traffic, data packets, objective network, local network, host, service, network attack, and vulnerability.
7. A user-oriented cyberspace resource analysis device, comprising: memory, processor and computer program stored on the memory and executable on the processor, the computer program when executed by the processor implementing the steps of the user-oriented cyberspace resource analysis method according to any of claims 1 to 6.
8. A computer-readable storage medium, on which an information transfer implementing program is stored, which, when executed by a processor, implements the steps of the user-oriented network space resource analysis method according to any one of claims 1 to 6.
CN202110124432.3A 2021-01-29 2021-01-29 User-oriented network space resource analysis method and equipment Active CN112838956B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110124432.3A CN112838956B (en) 2021-01-29 2021-01-29 User-oriented network space resource analysis method and equipment

Publications (2)

Publication Number Publication Date
CN112838956A CN112838956A (en) 2021-05-25
CN112838956B true CN112838956B (en) 2022-10-21

Family

ID=75932566

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205243B (en) * 2021-12-10 2024-03-01 中国电子科技集团公司第十五研究所 Logic topology hierarchical layout method for comprehensive hierarchical partition

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101436967A (en) * 2008-12-23 2009-05-20 北京邮电大学 Method and system for evaluating network safety situation
CN104753946A (en) * 2015-04-01 2015-07-01 浪潮电子信息产业股份有限公司 Security analysis framework based on network traffic metadata
CN108900541A (en) * 2018-08-10 2018-11-27 哈尔滨工业大学(威海) One kind being directed to cloud data center SDN Security Situation Awareness Systems and method
CN109728934A (en) * 2018-12-03 2019-05-07 清华大学 Cyberspace cartographic model creation method and device

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US11282017B2 (en) * 2015-07-11 2022-03-22 RiskRecon Inc. Systems and methods for monitoring information security effectiveness

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant