CN112887268B - Network security guarantee method and system based on comprehensive detection and identification - Google Patents


Info

Publication number: CN112887268B
Authority: CN (China)
Application number: CN202110021876.4A
Other languages: Chinese (zh)
Other versions: CN112887268A (en)
Legal status: Active
Prior art keywords: security, safety, management, service, identification
Inventors: 戚建淮, 郑伟范, 唐娟, 刘建辉, 周杰, 彭华
Current assignee: Shenzhen Y&D Electronics Information Co Ltd
Original assignee: Shenzhen Y&D Electronics Information Co Ltd
Events: application filed by Shenzhen Y&D Electronics Information Co Ltd; priority to CN202110021876.4A; publication of CN112887268A; application granted; publication of CN112887268B; legal status active; anticipated expiration

Classifications

    • H: ELECTRICITY
        • H04: ELECTRIC COMMUNICATION TECHNIQUE
            • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L 41/14: Network analysis or design
                        • H04L 41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
                • H04L 43/00: Arrangements for monitoring or testing data switching networks
                    • H04L 43/10: Active monitoring, e.g. heartbeat, ping or trace-route
                • H04L 63/00: Network architectures or network communication protocols for network security
                    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
                    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
                    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G: PHYSICS
        • G06: COMPUTING; CALCULATING OR COUNTING
            • G06F: ELECTRIC DIGITAL DATA PROCESSING
                • G06F 18/00: Pattern recognition
                    • G06F 18/20: Analysing
                        • G06F 18/23: Clustering techniques
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
                • Y02D 30/00: Reducing energy consumption in communication networks
                    • Y02D 30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to a network security guarantee method based on comprehensive detection and identification, comprising the following steps: S1, deploying each security component and a security management and control platform that manages each security component; S2, each security component actively collects the service information of its service object and reports its own operation log and the collected service information to the security management and control platform; and S3, the security management and control platform comprehensively analyzes the collected service information and processes it according to preset rules, so as to generate a security policy and issue it to the security components, which instantiate the received security policy and thereby comprehensively detect and identify the service object. The network security guarantee method and system based on comprehensive detection and identification can meet the requirements of concurrency, real-time performance and comprehensive identification across the OSI seven-layer model.

Description

Network security guarantee method and system based on comprehensive detection and identification
Technical Field
The invention relates to the technical field of network information security, in particular to a network security guarantee method and system based on comprehensive detection and identification.
Background
At present, in a heterogeneous network communication environment, the composition of the national railway ticketing system is increasingly complex. During peak periods such as the Spring Festival travel rush and public holidays, the railway ticketing system faces highly concurrent access from different users; meanwhile, according to the existing requirements, the time for selling a single ticket is generally no more than 4 seconds, so the system must have extremely high real-time performance; furthermore, railway ticketing requires real-name registration and offers a plurality of convenient ticketing channels such as the internet, so the railway ticketing system is also confronted with increasingly severe network security threats.
For a large-scale service system such as the national railway ticketing system, security technologies such as vulnerability scanning, firewalls and intrusion detection are generally adopted to identify and detect attacks on the network from the outside. However, the content identified and detected by the existing identification and detection systems is relatively narrow: each only covers a certain layer of the Open System Interconnection Reference Model (OSI) and cannot completely cover the OSI seven-layer architecture. Therefore, it is difficult to perform comprehensive detection and identification in a real, large and complex business system, and an overall, comprehensive and in-depth security guarantee capability cannot be provided.
Therefore, the network security guarantee methods in the prior art generally have the following defects:
(1) the different functions and devices of the existing network security identification and detection systems act relatively independently of one another, so information islands are often formed, a substantial security protection capability is difficult to build, and the security protection requirements of complex services cannot be met;
(2) the existing network security identification and detection systems mostly adopt a single detection and identification means and lack a technical system that completely covers the OSI seven-layer model;
(3) with the development of informatization, application systems continue to grow larger and more complex, which places extremely high computational performance requirements on event identification, detection and so on in a security guarantee system, and current security systems have little capability for comprehensive identification and detection.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide, in view of the above defects in the prior art, a network security guarantee method and system based on comprehensive detection and identification that can satisfy the requirements of concurrency and real-time performance and comprehensively identify the OSI seven-layer model.
The technical solution adopted by the invention to solve the technical problem is as follows: a network security guarantee method based on comprehensive detection and identification is constructed, comprising the following steps:
S1, deploying each security component and a security management and control platform that manages each security component;
S2, each security component actively collects the service information of its service object and reports its own operation log and the collected service information to the security management and control platform;
and S3, the security management and control platform comprehensively analyzes the collected service information and processes it according to preset rules, so as to generate a security policy and send it to the security components, which instantiate the received security policy and thereby comprehensively detect and identify the service object.
In the network security guarantee method based on comprehensive detection and identification, step S3 further includes:
S31, the security management and control platform parses the service information and carries out a clustering operation on the parsed protocol frames;
S32, establishing a service identification feature library, configuring a black-and-white list of the service identification feature library based on CIA requirements and targets to create a security service model, and issuing the security service model as the security policy to the security components;
and S33, the security component instantiates the received security policy and maps and matches the black-and-white list content of the managed business object based on the normal business operation workflow across the OSI seven layers.
In the network security guarantee method based on comprehensive detection and identification, step S31 further includes:
S311, the security management and control platform parses the service information covering each OSI layer to obtain protocol frames;
S312, preprocessing the protocol frames, and selecting a suitable splitting granularity for feature extraction according to the Zipf distribution and the Kard parameter value of the protocol frames;
S313, labelling the protocol frames based on the extracted feature set;
and S314, selecting the number of cluster categories and a clustering algorithm, performing the clustering operation on the unknown protocol frames and outputting the clustering result.
In the network security guarantee method based on comprehensive detection and identification of the present invention, in step S314 the number of cluster categories is selected automatically through the Dunn index and a cost function, and the clustering algorithm includes the K-means algorithm, the EM algorithm and the DBSCAN algorithm.
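To make steps S311 to S314 concrete, here is an added example (it is not code from the patent or from Shenzhen Y&D Electronics): constructed sample frames are split into byte n-grams at a fixed granularity, clustered with a deterministic K-means, and the number of clusters is chosen by the Dunn index. The frames, the granularity n = 2, the candidate range 2..4 and the farthest-point seeding are all assumptions; the patent's Zipf-distribution and Kard-parameter granularity selection, its cost function, and the EM and DBSCAN alternatives are not reproduced.

```python
"""Added example: n-gram features, K-means and Dunn-index cluster-count selection.
Standard library only; frames and parameters are constructed assumptions."""
import math
from collections import Counter
from itertools import combinations

# Constructed sample frames: three families, only one byte varies within a family.
FRAMES = [
    b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n",   # family 0: HTTP-style text
    b"GET /index.html HTTP/1.1\r\nHost: b\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: c\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: d\r\n\r\n",
    bytes([0xAA, 0x55, 0x02, 0x10, 0x00, 0x08, 0x00, 0x00, 0x20, 0x00, 0x04, 0x01]),  # family 1: binary
    bytes([0xAA, 0x55, 0x02, 0x10, 0x00, 0x08, 0x00, 0x00, 0x20, 0x00, 0x04, 0x02]),
    bytes([0xAA, 0x55, 0x02, 0x10, 0x00, 0x08, 0x00, 0x00, 0x20, 0x00, 0x04, 0x03]),
    bytes([0xAA, 0x55, 0x02, 0x10, 0x00, 0x08, 0x00, 0x00, 0x20, 0x00, 0x04, 0x04]),
    b"USER kimberly1\r\n",                             # family 2: text command
    b"USER kimberly2\r\n",
    b"USER kimberly3\r\n",
    b"USER kimberly4\r\n",
]


def ngram_features(frame, n=2):
    """Split a frame into byte n-grams (n = splitting granularity) and count them."""
    return Counter(frame[i:i + n] for i in range(len(frame) - n + 1))


def distance(u, v):
    """Euclidean distance between two sparse count vectors."""
    keys = set(u) | set(v)
    return math.sqrt(sum((u.get(key, 0) - v.get(key, 0)) ** 2 for key in keys))


def centroid(vectors):
    """Mean of sparse count vectors."""
    total = Counter()
    for vec in vectors:
        total.update(vec)
    return {key: value / len(vectors) for key, value in total.items()}


def kmeans(vectors, k, max_iter=50):
    """K-means with deterministic farthest-point seeding; returns one label per vector."""
    seeds = [0]
    while len(seeds) < k:
        seeds.append(max(range(len(vectors)),
                         key=lambda i: min(distance(vectors[i], vectors[s]) for s in seeds)))
    cents = [dict(vectors[s]) for s in seeds]
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: distance(vec, cents[j])) for vec in vectors]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [vec for vec, lab in zip(vectors, labels) if lab == j]
            if members:  # an empty cluster keeps its previous centroid
                cents[j] = centroid(members)
    return labels


def dunn_index(vectors, labels):
    """Smallest single-linkage distance between clusters / largest cluster diameter."""
    groups = {}
    for vec, lab in zip(vectors, labels):
        groups.setdefault(lab, []).append(vec)
    groups = list(groups.values())
    if len(groups) < 2:
        return 0.0
    diameter = max((distance(a, b) for g in groups for a, b in combinations(g, 2)), default=0.0)
    separation = min(distance(a, b) for g, h in combinations(groups, 2) for a in g for b in h)
    return separation / diameter if diameter > 0 else float("inf")


def choose_cluster_count(vectors, candidates=range(2, 5)):
    """Try each candidate k and keep the one with the highest Dunn index."""
    scores = {k: dunn_index(vectors, kmeans(vectors, k)) for k in candidates}
    best = max(scores, key=scores.get)
    return best, kmeans(vectors, best), scores


def cluster_frames(frames=FRAMES, n=2):
    """Feature extraction at granularity n followed by cluster-count selection."""
    return choose_cluster_count([ngram_features(f, n) for f in frames])


if __name__ == "__main__":
    k, labels, scores = cluster_frames()
    print("chosen k:", k, {kk: round(s, 2) for kk, s in scores.items()})
    for frame, lab in zip(FRAMES, labels):
        print(lab, frame[:24])
```

With these frames the Dunn index peaks at k = 3 (the three constructed families); k = 2 merges the two short families and k = 4 splits one family, and both score lower because the ratio of separation to diameter drops.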
In the network security guarantee method based on comprehensive detection and identification of the present invention, step S32 further includes:
S321, establishing a service identification feature library, which contains the service information of the OSI seven layers and the corresponding relations among them;
S322, forming a security baseline according to the service state machine and workflow of normal service;
S323, configuring a black-and-white list of the service identification feature library based on CIA requirements and targets to create a security service model, wherein the white list is the service operations allowed at each of the OSI seven layers;
and S324, issuing the security service model as the security policy to the security components.
In the network security guarantee method based on comprehensive detection and identification of the present invention, in step S33, when mapping and matching are performed, a two-level search mechanism is adopted: first-level search matching over the major classes of the OSI seven layers is performed, and then search matching over the minor classes within each layer.
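As an added illustration of S32 and S33 (not the patent's code), the following Python models the two-level feature library search, OSI layer first and minor class second, with blacklist precedence, and adds a workflow baseline check in the style of S322 so that a whitelisted operation arriving out of order is flagged rather than allowed. Every layer, minor class, operation and transition is a constructed assumption, and the ticketing operations are placeholders.

```python
"""Added example: two-level white/black-list matching plus a workflow baseline.
All layers, classes, operations and transitions are constructed assumptions."""

# Constructed service identification feature library (assumption):
# first level = OSI layer, second level = minor class inside that layer.
FEATURE_LIBRARY = {
    "L3_network": {
        "routing": {"allow": {"icmp_echo", "ospf_hello"}, "deny": {"source_route"}},
    },
    "L4_transport": {
        "tcp": {"allow": {"connect:443", "connect:8443"}, "deny": {"connect:23"}},
    },
    "L7_application": {
        "ticketing": {"allow": {"login", "query_ticket", "book_ticket", "logout"},
                      "deny": {"bulk_export"}},
    },
}

# Constructed workflow baseline (assumption): which layer-7 operation may follow
# which, i.e. the normal service state machine. The state is the last accepted operation.
BASELINE_TRANSITIONS = {
    "start":        {"login"},
    "login":        {"query_ticket", "logout"},
    "query_ticket": {"query_ticket", "book_ticket", "logout"},
    "book_ticket":  {"query_ticket", "logout"},
    "logout":       set(),
}


def match_lists(layer, minor_class, operation):
    """Two-level search: locate the layer, then the minor class, then test the lists.
    The blacklist wins over the whitelist; an operation on neither list is 'unknown'
    so it can be queued for analysis instead of being silently allowed."""
    classes = FEATURE_LIBRARY.get(layer)
    if classes is None:
        return "unknown_layer"
    lists = classes.get(minor_class)
    if lists is None:
        return "unknown_class"
    if operation in lists["deny"]:
        return "deny"
    if operation in lists["allow"]:
        return "allow"
    return "unknown"


def check_workflow(operations):
    """Walk layer-7 operations through the baseline state machine.
    Returns the index of the first operation that breaks the workflow, or -1."""
    state = "start"
    for i, op in enumerate(operations):
        if op not in BASELINE_TRANSITIONS.get(state, set()):
            return i
        state = op
    return -1


def evaluate_session(events):
    """events: list of (layer, minor_class, operation). Returns one verdict per event.
    A whitelisted layer-7 operation that violates the baseline is 'out_of_baseline'."""
    verdicts = []
    state = "start"
    for layer, minor_class, op in events:
        verdict = match_lists(layer, minor_class, op)
        if verdict == "allow" and layer == "L7_application":
            if op in BASELINE_TRANSITIONS.get(state, set()):
                state = op
            else:
                verdict = "out_of_baseline"
        verdicts.append(verdict)
    return verdicts


# Constructed sample session: book_ticket before login is whitelisted at layer 7
# but violates the workflow baseline; connect:23 and bulk_export are blacklisted.
SAMPLE_SESSION = [
    ("L4_transport", "tcp", "connect:443"),
    ("L7_application", "ticketing", "book_ticket"),
    ("L7_application", "ticketing", "login"),
    ("L7_application", "ticketing", "query_ticket"),
    ("L7_application", "ticketing", "bulk_export"),
    ("L4_transport", "tcp", "connect:23"),
    ("L7_application", "ticketing", "refund"),
    ("L2_datalink", "arp", "reply"),
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_SESSION, evaluate_session(SAMPLE_SESSION)):
        print(f"{verdict:16} {event}")
```

The design point is that the two lookups narrow the search space before any set membership test, and that "not on either list" is kept distinct from "allowed" so unknown operations feed back into the clustering and analysis stages rather than passing silently.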
In the network security guarantee method based on comprehensive detection and identification, step S2 further includes:
S21, each security component actively acquires the service information in real time according to a polling mechanism or a configured acquisition cycle, caches and encrypts its operation log and the acquired service information, and reports them to the security management and control platform in real time.
In the network security guarantee method based on comprehensive detection and identification, the security components comprise a network controller, a core controller, a host security agent module and a firewall; the security management and control platform comprises a security management module, a security monitoring and auditing module, a configuration management module, a situation awareness module, a continuous security evolution module and a dedicated security management control communication component; the security components and the security management and control platform communicate through a security communication module.
Another technical solution adopted by the present invention to solve the technical problem is to construct a network security guarantee system based on comprehensive detection and identification, comprising a plurality of security components, a security management and control platform that manages each of the security components, and a security communication module through which the security components and the platform communicate; a computer program is stored on the security management and control platform and, when executed by a processor on the platform, implements the network security guarantee method based on comprehensive detection and identification.
In the network security guarantee system based on comprehensive detection and identification, the security components comprise a network controller, a core controller, a host security agent module and a firewall; the security management and control platform comprises a security management module, a security monitoring and auditing module, a configuration management module, a situation awareness module, a continuous security evolution module and a dedicated security management control communication component.
The network security guarantee method and system based on comprehensive detection and identification can meet the requirements of concurrency, real-time performance and comprehensive identification across the OSI seven-layer model.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a flowchart of a first preferred embodiment of the network security guarantee method based on comprehensive detection and identification of the present invention;
FIG. 2 is a flowchart of the detection and identification steps of the preferred embodiment of the network security guarantee method based on comprehensive detection and identification of the present invention;
FIG. 3 is a model diagram of the operating mechanism of the clustering algorithm of the preferred embodiment of the network security guarantee method based on comprehensive detection and identification of the present invention;
FIG. 4 is a schematic block diagram of the brain-like computing system of a preferred embodiment of the network security guarantee method based on comprehensive detection and identification of the present invention;
FIG. 5 is a schematic structural diagram of a preferred embodiment of the network security guarantee system based on comprehensive detection and identification of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention is based on a proprietary security management control protocol and a security communication system, and adopts a distributed management and control mode: each security component is deployed in a distributed manner, collects the service information it manages and reports it in a unified way to the security management and control platform of the security management center, which performs centralized management, comprehensive analysis and decision making on the various collected service information and processes it according to preset rules. The security management and control platform parses the received service information; because the collected service information covers every OSI layer, clustering and pattern recognition operations must be carried out on the parsed protocol frames. After the service information has been clustered, a service identification feature library is established and a security baseline is formed according to the service state machine and workflow; then a brain-like computing system provides strong computing and two-level search capability, and a closed-loop system for automated, intelligent and comprehensive security detection and identification is formed by the white-list and black-list mechanism together with Map-Matching mapping and table-function matching techniques.
Fig. 1 is a flowchart of a first preferred embodiment of the network security guarantee method based on comprehensive detection and identification of the present invention. As shown in Fig. 1, in step S1, each security component and the security management and control platform managing each security component are deployed. In a preferred embodiment of the present invention, the security components may include, for example, a network controller, a core controller, a host security agent module, a firewall and the like. The firewall may further include a manageable firewall, a manageable application firewall (cloud) and the like.
Preferably, the network controller may be configured to monitor the configuration, port state, traffic and operating state of the network devices and compare them against the security baseline configuration of those devices, sending a security event if the comparison is inconsistent; to monitor terminal access to the network in real time, block access by unauthenticated terminals and generate alarm reports; and to prevent illegal inline connections.
The core controller is responsible for security monitoring and auditing of the core service domain and of access to the database, covering security conditions such as user operation records, service applications and monitored processes. Preferably, the core controller captures the data packets of the entire network through bypass monitoring with a monitoring system for protocol analysis, including the TDS protocol that some large database systems such as Sybase use to transmit data. By parsing the interaction data between users and the database server, it records the operations of all users on the core database in different time periods and provides detailed information for subsequent data recovery and for locating illegal operations.
The host controller may adopt a centralized-plus-distributed management idea: the security management and control platform performs centralized management, while the host controller receives the security policy from the platform, instantiates it according to the managed host type and thereby achieves decentralized control of the host. It monitors the users, configuration files, processes, services and interfaces of the host, compares them against the host's security baseline configuration, and sends a security event if the comparison is inconsistent.
The manageable firewall has the functions of zone partitioning, boundary protection and access control; it can be used to form a security barrier between the internal network and the untrusted outside world according to the security rules set by the system administrator. Through a secure and efficient kernel it implements complete security settings and transmission control and prevents potential intrusion damage. The manageable firewall can integrate security technologies such as content filtering, intrusion protection, anti-virus, VPN, flow control, user management and role authentication, and comprehensively supports functions such as QoS, High Availability (HA) and log auditing. It implements intrusion detection and virus protection, helps the user grasp the information security situation of the whole network in real time, and performs early warning and emergency handling of outbreaks of network information security events in time.
The manageable application firewall (cloud) further adds functions such as intrusion detection, an anti-virus engine, application identification and control, and web application protection on top of the firewall, and supports cloud deployment to form a firewall cloud.
The host security agent module is used for authenticating and authorizing the identity of host users, acquiring state, reporting data and the like.
The security management and control platform mainly provides basic security services such as cryptographic services based on a PKI system; it is supported by the strong computing power of a brain-like computing system, adopts the PDRR and PDCA models to achieve adaptive comprehensive detection, analysis, identification, response and management control, and has automated and intelligent security detection and identification capabilities. Accordingly, the security management and control platform mainly comprises a security management module, a security monitoring and auditing module, a configuration management module, a situation awareness module and a continuous security evolution module.
Preferably, the security management module has functions such as label management, authorization management, security domain management, security baseline management, policy management, monitoring management and response management.
The configuration management module performs unified, centralized configuration and management of the managed and controlled objects (security components, network equipment and the like) and has functions such as user management, asset management, topology management and upgrade management. Preferably, when the network security guarantee method based on comprehensive detection and identification of the present invention is applied to a railway ticketing system, it mainly provides the end user with a visual graphical interface and an intuitive way to manage and monitor the operating condition of the railway ticketing security system, and provides a security management and system management operation interface in which the user configures and manages the security components, for example by issuing firewall (cloud) rules and firewall (cloud) black-and-white lists. The configuration management module can further support automatic scanning of the system, discover the security components running online and monitor the state of the security component nodes; it provides user management, performs identity authentication and authorization against an identity card, authorizes users as high-level administrators, maintains a topology graph for the permission management system, can initialize the central and regional centers, and creates security component nodes in the topology graph.
The security monitoring and auditing module has functions such as security event monitoring, security state monitoring and compliance checking, security audit policy management and risk management. It can be used to perform security auditing and risk analysis on the operating condition of each security component, and to carry out accountability auditing and emergency recovery for the components.
The situation awareness module provides awareness of asset security, risk, attack and threat situations. It collects the various data reported by the security components (network controller, core controller and host controller) together with the threat data generated, processed, transmitted or stored by third parties; performs data fusion, data cleaning, data mining, feature extraction, dynamic response and prediction, and machine learning over the full-factor information of the physical, network, system and application layers of the ISO/OSI architecture; learns, models and analyzes the data automatically to form rules; and uses those rules for network situation assessment, network threat assessment and network situation prediction over cyberspace, so that its security situation becomes visible, known, manageable, controllable, traceable and capable of early warning. The result is a multi-level, multi-angle, multi-granularity, complete and detailed security situation awareness platform built on people, data, machines and objects as resource objects, together with their space-time range, incidence relations and other elements.
The continuous security evolution module has the functions of security orchestration, handling and recovery. It is used to orchestrate security applications, flexibly invoke the corresponding security policy according to the attacker's behavior, and thus prepare the security response capability quickly, stably and consistently; and to configure, control and manage the resources and operation of the system, including user identities, system resource configuration, system loading and start-up, exception handling during system operation, and backup and recovery of data and equipment.
As business systems become large and complex, the unknown risks faced by the network keep increasing, and a brain-like computing system is required to provide strong computing support for comprehensive, real-time risk assessment across the OSI seven-layer model. Furthermore, because of the number of working processes and flow states in the service system and the complexity of their transitions, achieving real-time detection and filtering without interfering with the system's services requires the support of a large computing-power platform. Therefore, in the preferred embodiment, the security management and control platform includes a brain-like computing module, which adopts a parallel-computing hypercube architecture integrating computing, storage and communication. Its basic parallel brain-neuron computing unit is implemented on a stable Hopfield neural network structure without self-feedback; supported by a customized operating system, an SDN fully switched network and a big-data elastic storage network, it forms a fully meshed, decentralized advanced computing system with supercomputing capability, supports elastic expansion of computing nodes and resources, and is easy to deploy and install. It provides the large computing power needed to construct an operation tree by analyzing and matching the operation-sequence state record traces of massive numbers of users. The PKI system provides the cryptographic services, security authentication and other functions required by the security system, based on the national cryptographic algorithms.
In a further preferred embodiment of the invention, the security management and control platform may further comprise a dedicated security management control (YD-SOMN) communication component. This component provides the data exchange and conversion standards between the security management and control platform and each security component based on a proprietary security protocol, and supports distributed automatic security collaborative linkage control.
The security components and the security management and control platform communicate through a security communication module. The security communication module can serve as a boundary device of the network and is used to perform transparent encryption and decryption of data in the network automatically, providing key generation, security management, and packet encryption and decryption services. It offers multiple encryption algorithms and signs and encrypts data, so that the confidentiality, authenticity and non-repudiation of the transmitted data are guaranteed; it completes the integrity of the trusted-path setup, ensuring the security of both the transmission path and the transmitted content, supports the national cryptographic standards, and, combined with the background service, forms a complete system applicable to various secure communication scenarios.
In a preferred embodiment of the present invention, the deploying of the security management and control platform includes deploying the security management and control platform in a security management center, performing centralized management and control on the distributed deployed security components by the security management and control platform, performing comprehensive analysis and processing on the service information reported by the security components, and issuing a security policy in a unified manner.
In a preferred embodiment of the present invention, deploying the security components includes deploying, in a distributed manner within the managed service object system and according to the importance of the service and the security guarantee requirements and targets, the various security components that the security management and control platform can manage and control; the different security components detect the service objects they manage and report the collected service information to the security management and control platform. In a preferred embodiment of the present invention, the security components may include, for example, a network management controller, a core management controller, a host security agent module, a firewall, and the like. The firewall may further include a manageable firewall, a manageable application firewall (cloud), and the like.
In step S2, each security component actively collects the service information of its service objects and reports its own operation log together with the collected service information to the security management and control platform.
In a preferred embodiment of the present invention, each security component collects service information in real time, either by polling or on a configured collection cycle, caches and encrypts its operation log and the collected service information, and reports them to the security management and control platform in real time.
In a further preferred embodiment of the present invention, the distributed manageable security components actively detect and collect, in real time, service information on the managed service objects such as network switches, routers, service computing environment hosts, servers and databases, according to a polling mechanism or the collection cycle and instructions configured by the security management and control platform. The service information includes, but is not limited to, the operating system, logs, software and hardware configuration, vulnerabilities, security labels, state, performance, user role authority, operations, application workflow, service chain and attack chain of the network security protection system. Because different security components detect different information, the service information they collect differs. For example, the host security agent module mainly detects identity and authority information of host users; the firewall mainly detects access control information such as network area boundaries and security labels; the host management controller mainly detects host users, configuration files, processes, services, interfaces, performance, vulnerabilities and state; the core management controller mainly detects user operations and service application information of the database; the network management controller mainly detects users, configuration, ports and traffic of the network equipment; and the firewall cloud additionally detects intrusion and virus information. The detected and collected service information therefore covers all seven OSI layers.
The security component caches the collected service information, encrypts it through the security communication module and reports it to the security management and control platform in real time, so that the confidentiality, authenticity and non-repudiation of the transmitted data are guaranteed.
In step S3, the security management and control platform comprehensively analyses the collected service information and processes it according to preset rules, generates a security policy and issues it to the security components; each security component instantiates the received security policy and thereby performs comprehensive detection and identification of its service objects. Fig. 2 is a flowchart of the detection and identification steps of the preferred embodiment of the network security guarantee method based on comprehensive detection and identification of the present invention.
As shown in Fig. 2, in step S31 the security management and control platform parses the service information and performs a clustering operation on the parsed protocol frames. In a preferred embodiment of the present invention, the security management and control platform parses the service information covering each OSI layer to obtain protocol frames; preprocesses the protocol frames and selects a suitable splitting granularity for feature extraction according to the Zipf distribution and the Jaccard parameter value of the protocol frames; marks the protocol frames based on the extracted feature set; and selects the number of cluster classes and a clustering algorithm to cluster the unknown protocol frames and output a clustering result. Preferably, the number of cluster classes is selected automatically by the Dunn index and a cost function, and the clustering algorithms include the K-means algorithm, the EM algorithm and the DBSCAN algorithm.
Specifically, Fig. 3 is a model diagram of the operating mechanism of the clustering algorithm according to a preferred embodiment of the network security guarantee method based on comprehensive detection and identification of the present invention. In the preferred embodiment of the present invention, the security management and control platform parses the received service information. Since the collected service information covers each OSI layer, the parsed protocol frames must be clustered. The clustering operation proceeds as follows:
1) Feature extraction: the obtained protocol frames are first preprocessed, removing protocol data frames whose format is abnormal or disordered and frames that contain only a data part; a suitable splitting granularity for feature extraction is then selected according to the Zipf distribution of the protocol frames and the Jaccard parameter value.
2) Feature marking: a clustering algorithm mainly clusters according to the distance between data items, the similarity among items of the same kind and the difference between items of different kinds. To represent the sample data in a computable form, each sample is transformed into a feature vector: for the resulting feature set, if a feature appears in the protocol frame the corresponding position is marked TRUE, otherwise FALSE.
3) Clustering algorithm: the number of cluster classes is selected automatically by the Dunn index and the cost-function elbow method; a suitable algorithm is then selected to cluster the unknown protocol frames.
4) Clustering result: the clustering result is output.
The clustering algorithms adopted include the K-means algorithm, the EM (expectation maximization) algorithm, the DBSCAN (density-based spatial clustering of applications with noise) algorithm, and the like. Preferably, the different protocol types are clustered with a clustering algorithm in three steps: data preprocessing, parameter setting and clustering operation. Data preprocessing mainly means extracting the features of the sample data before clustering and then choosing a modelling method and algorithm that make the sample data computable while simplifying the calculation as much as possible. Parameter setting mainly refers to the parameters of the algorithm, such as the choice of seed values for the EM algorithm and the number of clusters, which can be selected automatically by a program. Clustering operation mainly refers to the choice of clustering algorithm: different clustering algorithms are run, their results are compared and analysed under the parameter settings of the second step, and the best clustering effect is chosen; this requires the powerful parallel computing capability of the brain-like computing system.
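As an added illustration of the S31 pipeline described above (not code from the patent), the following Python builds boolean n-gram feature vectors for constructed sample frames, clusters them with a medoid variant of K-means under Jaccard distance, and picks the number of classes by the Dunn index. The two-byte splitting granularity and the minimum-length filter standing in for abnormal-frame removal are assumptions; the page derives the granularity from the Zipf and Jaccard statistics of the frames.

```python
from itertools import combinations

# Constructed sample frames (not from the patent): four frames of a text protocol,
# four frames of a framed binary protocol sharing a header, and one too-short frame.
SAMPLE_FRAMES = [
    b"GET /index HTTP/1.1\r\nHost: a\r\n\r\n",
    b"GET /login HTTP/1.1\r\nHost: b\r\n\r\n",
    b"POST /api HTTP/1.1\r\nHost: c\r\n\r\n",
    b"GET /img HTTP/1.1\r\nHost: d\r\n\r\n",
    b"\x7e\x01\x00\x10\x00\x02\xaa\xbb\x7e",
    b"\x7e\x01\x00\x10\x00\x02\x11\x22\x7e",
    b"\x7e\x01\x00\x10\x00\x03\x55\x66\x7e",
    b"\x7e\x01\x00\x10\x00\x03\x99\x00\x7e",
    b"\xff",  # malformed frame, dropped by preprocessing
]

MIN_FRAME_LEN = 4  # assumed threshold: shorter frames cannot carry a header


def preprocess(frames, min_len=MIN_FRAME_LEN):
    """Drop abnormal frames (here: frames too short to hold a protocol header)."""
    return [f for f in frames if len(f) >= min_len]


def ngrams(frame, n):
    """Split a frame at byte granularity n (the page's 'splitting granularity')."""
    return {frame[i:i + n] for i in range(len(frame) - n + 1)}


def feature_vectors(frames, n):
    """Boolean marking: position j of a vector is True when feature j occurs in the frame."""
    grams = [ngrams(f, n) for f in frames]
    features = sorted(set().union(*grams))
    vectors = [[feat in g for feat in features] for g in grams]
    return features, vectors


def jaccard_distance(u, v):
    """1 - |A and B| / |A or B| over the TRUE positions of two boolean vectors."""
    inter = sum(1 for a, b in zip(u, v) if a and b)
    union = sum(1 for a, b in zip(u, v) if a or b)
    return 1.0 if union == 0 else 1.0 - inter / union


def kmedoids(dist, k, max_iter=50):
    """K-means-style partitioning around medoids (boolean Jaccard space has no mean).
    dist is a full distance matrix; medoids are seeded farthest-first from point 0."""
    n = len(dist)
    medoids = [0]
    while len(medoids) < k:
        medoids.append(max(range(n), key=lambda i: min(dist[i][m] for m in medoids)))
    labels = [0] * n
    for _ in range(max_iter):
        labels = [min(range(k), key=lambda c: dist[i][medoids[c]]) for i in range(n)]
        updated = []
        for c in range(k):
            members = [i for i in range(n) if labels[i] == c] or [medoids[c]]
            updated.append(min(members, key=lambda m: sum(dist[m][j] for j in members)))
        if updated == medoids:
            break
        medoids = updated
    return labels


def dunn_index(dist, labels):
    """Smallest inter-cluster distance divided by the largest intra-cluster diameter."""
    groups = {}
    for i, c in enumerate(labels):
        groups.setdefault(c, []).append(i)
    groups = list(groups.values())
    if len(groups) < 2:
        return 0.0
    diameter = max((dist[i][j] for g in groups for i, j in combinations(g, 2)), default=0.0)
    separation = min(dist[i][j] for a, b in combinations(groups, 2) for i in a for j in b)
    return float("inf") if diameter == 0 else separation / diameter


def cluster_frames(frames, n=2, k_max=4):
    """Run the S31 pipeline and keep the class count with the best Dunn index."""
    kept = preprocess(frames)
    _, vectors = feature_vectors(kept, n)
    dist = [[jaccard_distance(u, v) for v in vectors] for u in vectors]
    best = None
    for k in range(2, min(k_max, len(kept) - 1) + 1):
        labels = kmedoids(dist, k)
        score = dunn_index(dist, labels)
        if best is None or score > best["dunn"]:
            best = {"k": k, "dunn": score, "labels": labels, "frames": kept}
    return best


if __name__ == "__main__":
    result = cluster_frames(SAMPLE_FRAMES)
    for frame, label in zip(result["frames"], result["labels"]):
        print(label, frame[:12])
```

On the sample, the text-protocol and binary-protocol frames share no byte pairs, so k = 2 wins with a Dunn index of 1.5 and any finer split scores lower.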
Fig. 4 is a schematic block diagram of the brain-like computing system of the preferred embodiment of the network security guarantee method based on comprehensive detection and identification of the present invention. As shown in Fig. 4, the brain-like computing system implements a basic parallel brain-like neuron computing unit on a stable Hopfield neural network structure without self-feedback, and implements a fully-meshed, decentralized advanced computing system with the support of a customized operating system, an SDN fully-switched network and a big-data elastic storage network. It integrates various learning algorithms, mainly a brain-like deep learning algorithm, a brain-like broad learning algorithm, a brain-like reinforcement learning algorithm, a brain-like transfer learning algorithm, a brain-like symbolic learning algorithm, a brain-like comprehensive learning algorithm, and the like. The system combines artificial intelligence with a brain-like learning framework; it can fully apply human knowledge, such as descriptive knowledge about decision problems, procedural knowledge about the decision process and reasoning knowledge for solving problems, and helps solve complex decision problems through logical reasoning. For a problem to be solved, the system searches the knowledge base according to a reasoning strategy, using rules, data and control, to obtain the answer. The data mart module serves the requirements of a specific department or user, stores data in multidimensional form and generates a data cube oriented to decision analysis, which includes the defined dimensions, the indicators to be calculated, the dimension levels and so on. The data warehouse stores the various data used in inference and decision-making.
In step S32, a service identification feature library is established, a black and white list of the library is configured based on the CIA requirements and targets to create a secure service model, and the secure service model is issued to the security components as the security policy. In the preferred embodiment of the invention, the service identification feature library contains the OSI seven-layer service information and its correspondences; a security baseline is formed from the service state machine and workflow of normal services; the black and white list of the service identification feature library is configured based on the CIA requirements and targets to create the secure service model, where the white list is the service operations allowed at each of the seven OSI layers; and the secure service model is issued to the security components as the security policy. In a further preferred embodiment of the present invention, the white list includes, but is not limited to, secure network behaviour, host behaviour and the like, and the secure service model built from it is issued to the security components as the security policy.
In step S33, the security component instantiates the received security policy and maps and matches the black and white list content against the managed service objects based on the normal service operation workflow of the seven OSI layers. When mapping and matching, a two-level search mechanism is used: a first-level search matches the major class (the OSI layer), and a second-level search then matches the minor class within that layer. Because the two-level search runs in parallel and efficiently, security events can be comprehensively detected and identified at high speed.
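To illustrate the two-level search of step S33 against the white list and workflow baseline of step S32, here is an added Python example that is not part of the patent; the secure service model, black list, verdict names and sample events are all constructed.

```python
# Constructed secure service model (not the patent's data). First level: OSI layer (major
# class); second level: service class within the layer. Each entry holds the white list of
# allowed operations and the security baseline as allowed (previous, next) workflow steps.
SECURE_SERVICE_MODEL = {
    4: {"tcp": {"allowed": {"syn", "established", "fin"},
                "workflow": {("init", "syn"), ("syn", "established"), ("established", "fin")}}},
    7: {"db": {"allowed": {"login", "select", "update", "logout"},
               "workflow": {("init", "login"), ("login", "select"), ("login", "update"),
                            ("select", "select"), ("select", "update"), ("update", "select"),
                            ("update", "update"), ("select", "logout"), ("update", "logout")}}},
}
# Explicit black list entries: (layer, class, operation).
BLACKLIST = {(7, "db", "drop"), (4, "tcp", "syn-flood")}

# Constructed service information as a security component would report it:
# (session id, OSI layer, service class, observed operation).
SAMPLE_EVENTS = [
    ("s1", 7, "db", "login"),
    ("s1", 7, "db", "select"),
    ("s1", 7, "db", "logout"),
    ("s2", 7, "db", "select"),      # query with no preceding login
    ("s2", 7, "db", "drop"),        # black-listed operation
    ("s3", 4, "tcp", "syn"),
    ("s3", 4, "tcp", "established"),
    ("s3", 4, "tcp", "rst"),        # not on the white list
    ("s4", 2, "arp", "reply"),      # layer with no configured baseline
]


def match_event(model, blacklist, state, event):
    """Two-level search: the OSI layer first, then the class within that layer; then
    check the white list and the workflow baseline. Returns a verdict string."""
    session, layer, svc_class, op = event
    if (layer, svc_class, op) in blacklist:
        return "blacklisted"
    layer_model = model.get(layer)              # first-level search: major class
    if layer_model is None:
        return "no-baseline"
    class_model = layer_model.get(svc_class)    # second-level search: minor class
    if class_model is None:
        return "no-baseline"
    if op not in class_model["allowed"]:
        return "not-whitelisted"
    key = (session, layer, svc_class)
    previous = state.get(key, "init")
    state[key] = op                             # advance the per-session state machine
    if (previous, op) not in class_model["workflow"]:
        return "workflow-deviation"
    return "allowed"


def detect(model, blacklist, events):
    """Instantiate the policy over an event stream; return the non-allowed events."""
    state = {}
    verdicts = [(event, match_event(model, blacklist, state, event)) for event in events]
    return [(event, verdict) for event, verdict in verdicts if verdict != "allowed"]


if __name__ == "__main__":
    for event, verdict in detect(SECURE_SERVICE_MODEL, BLACKLIST, SAMPLE_EVENTS):
        print(verdict, event)
```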
The network security guarantee method based on comprehensive detection and identification has the following beneficial effects. (1) The detection components are uniformly controlled, interconnected and coordinated: the security management and control platform performs comprehensive identification and detection and exercises overall linkage control and information collection over the security components, which ensures the overall protection capability of network security and also solves the problems of the relative independence of different functions and devices and of missed security information. (2) The various detection components together form overall identification and detection across the OSI layers: a feature library is constructed from the black and white list of the service identification feature library configured by the CIA requirements and targets, and the black and white list content is mapped and matched against the managed service objects, forming a multi-means comprehensive identification and detection system that covers all seven OSI layers. (3) Great computing power is provided to support comprehensive identification and detection across the seven OSI layers: various brain-like learning algorithms are integrated on the brain-like computing system, meeting the huge computing power requirement of comprehensive identification across the seven OSI layers in today's large-scale, complex application systems.
Fig. 5 is a schematic block diagram of a first preferred embodiment of the network security guarantee system based on comprehensive detection and identification of the present invention. As shown in Fig. 5, the network security guarantee system based on comprehensive detection and identification includes a plurality of security components 100 and a security management and control platform 200 that manages each security component 100. The security component 100 includes a network management controller 110, a core management controller 120, a host management controller 130, a host security agent module 140 and a firewall 150. The security management and control platform 200 comprises a security management module 210, a security monitoring and auditing module 220, a configuration management module 230, a situation awareness module 240, a persistent security evolution module 250, a dedicated security management control communication component 260 and a brain-like computing module 270. Preferably, the security components 100 and the security management and control platform 200 communicate via a security communication module. The security management and control platform 200 stores a computer program which, when executed by a processor on the platform, implements the network security guarantee method based on comprehensive detection and identification.
The invention adopts a distributed management concept and a proprietary security management control protocol. Based on a PKI system and a brain-like computing system, and under the central management of the security management and control platform, it receives the information reported by the distributed security components (network management controller, host management controller, core management controller, host security agent, firewall, security communication module and the like), generates a security management and control policy through security analysis and processing, and issues the policy to the security components for automatic execution, thereby handling and blocking security events and reducing their risk to an acceptable level. This achieves distributed deployment, centralized management and control, and automated, intelligent security management and control, and meets the requirement of highly reliable, efficient and continuous secure operation of complex business systems.
Those skilled in the art will recognize that the network security guarantee system based on comprehensive detection and identification can be constructed from the teaching of the network security guarantee method based on comprehensive detection and identification shown in Figs. 1-4. Based on the teaching of the present invention, those skilled in the art can implement the system, and it is not described again here.
The network security guarantee system based on comprehensive detection and identification has the following beneficial effects. (1) The detection components are uniformly controlled, interconnected and coordinated: the security management and control platform performs comprehensive identification and detection and exercises overall linkage control and information collection over the security components, which ensures the overall protection capability of network security and also solves the problems of the relative independence of different functions and devices and of missed security information. (2) The various detection components together form overall identification and detection across the OSI layers: a feature library is constructed from the black and white list of the service identification feature library configured by the CIA requirements and targets, and the black and white list content is mapped and matched against the managed service objects, forming a multi-means comprehensive identification and detection system that covers all seven OSI layers. (3) Great computing power is provided to support comprehensive identification and detection across the seven OSI layers: various brain-like learning algorithms are integrated on the brain-like computing system, meeting the huge computing power requirement of comprehensive identification across the seven OSI layers in today's large-scale, complex application systems.
Accordingly, the present invention can be realized in hardware, software, or a combination of hardware and software. The present invention can be realized in a centralized fashion in at least one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods of the present invention is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
The present invention may also be implemented by a computer program product, comprising all the features enabling the implementation of the methods of the invention, when loaded in a computer system. The computer program in this document refers to: any expression, in any programming language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to other languages, codes or symbols; b) reproduced in a different format.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from its scope. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (7)

1. A network security guarantee method based on comprehensive detection and identification, characterized by comprising the following steps:
S1, deploying security components and a security management and control platform that manages each security component, wherein the security components comprise a network management controller, a core management controller, a host security agent module and a firewall;
S2, each security component actively collecting the service information of its service objects and reporting its own operation log and the collected service information to the security management and control platform;
S3, the security management and control platform comprehensively analysing the collected service information and processing it according to preset rules, so as to generate a security policy and issue it to the security components, so that each security component instantiates the received security policy and comprehensively detects and identifies the service objects;
wherein step S3 further includes:
S31, the security management and control platform parsing the service information and clustering the parsed protocol frames;
S32, establishing a service identification feature library, configuring a black and white list of the service identification feature library based on CIA requirements and targets to create a secure service model, and issuing the secure service model to the security components as the security policy;
S33, the security component instantiating the received security policy and mapping and matching the black and white list content against the managed service objects based on the normal service operation workflow of the seven OSI layers;
and wherein step S31 further includes:
S311, the security management and control platform parsing the service information covering each OSI layer to obtain protocol frames;
S312, preprocessing the protocol frames and selecting a suitable splitting granularity for feature extraction according to the Zipf distribution and the Jaccard parameter value of the protocol frames;
S313, marking the protocol frames based on the extracted feature set;
S314, selecting the number of cluster classes and a clustering algorithm to cluster the unknown protocol frames and output a clustering result, wherein in step S314 the number of cluster classes is selected automatically by the Dunn index and a cost function, and the clustering algorithm comprises the K-means algorithm, the EM algorithm and the DBSCAN algorithm.
2. The network security guarantee method based on comprehensive detection and identification according to claim 1, wherein step S32 further comprises:
S321, establishing a service identification feature library, wherein the service identification feature library comprises the OSI seven-layer service information and its correspondences;
S322, forming a security baseline from the service state machine and workflow of normal services;
S323, configuring a black and white list of the service identification feature library based on CIA requirements and targets to create a secure service model, wherein the white list is the service operations allowed at each of the seven OSI layers;
S324, issuing the secure service model to the security components as the security policy.
3. The network security guarantee method based on comprehensive detection and identification according to claim 2, wherein in step S33, when mapping and matching are performed, a two-level search mechanism is adopted: a first-level search matches the major classes (the seven OSI layers), and a second-level search then matches the minor classes within each layer.
4. The network security guarantee method based on comprehensive detection and identification according to any one of claims 1 to 3, wherein step S2 further comprises:
S21, each security component actively collecting the service information in real time according to a polling mechanism or a configured collection cycle, caching and encrypting its operation log and the collected service information, and reporting the encrypted operation log and collected service information to the security management and control platform in real time.
5. The network security guarantee method based on comprehensive detection and identification according to claim 4, wherein the security management and control platform comprises a security management module, a security monitoring and auditing module, a configuration management module, a situation awareness module, a persistent security evolution module and a dedicated security management control communication component; and the security components and the security management and control platform communicate through a security communication module.
6. A network security guarantee system based on comprehensive detection and identification, characterized by comprising a plurality of security components, a security management and control platform that manages each security component, and a security communication module, wherein the security components and the security management and control platform communicate through the security communication module; and the security management and control platform stores a computer program which, when executed by a processor on the security management and control platform, implements the network security guarantee method based on comprehensive detection and identification according to any one of claims 1 to 5.
7. The network security guarantee system based on comprehensive detection and identification according to claim 6, wherein the security components comprise a network management controller, a core management controller, a host security agent module and a firewall; and the security management and control platform comprises a security management module, a security monitoring and auditing module, a configuration management module, a situation awareness module, a persistent security evolution module and a dedicated security management control communication component.
Application CN202110021876.4A (priority date 2021-01-07, filing date 2021-01-07): Network security guarantee method and system based on comprehensive detection and identification. Status: Active.

Publications: CN112887268A, published 2021-06-01; CN112887268B (granted), published 2022-07-12.