CN113271318A - Network threat perception system and method - Google Patents


Info

Publication number
CN113271318A
Authority
CN
China
Prior art keywords
threat
attack
network
unit
sensing
Prior art date
Legal status
Granted
Application number
CN202110811260.7A
Other languages
Chinese (zh)
Other versions
CN113271318B (en)
Inventor
李凤华
冷斯远
房梁
李子孚
张玲翠
谢应科
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN202110811260.7A
Publication of CN113271318A
Application granted
Publication of CN113271318B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques

Abstract

The invention provides a network threat perception system and method. The system comprises a feature collector, a threat detector, an attack classifier and an attack responder. The feature collector collects data and sends it to the threat detector and the attack classifier; the threat detector senses and detects the network environment in real time, generates a threat alarm notification or a normal notification, and sends it to the feature collector and the attack classifier in real time; the attack classifier determines a classification result with a preset neural network model based on the threat alarm notification and the collected data, and sends a classification result mapping table to the attack responder; and the attack responder calls a preset response strategy according to the classification result mapping table to respond. The four devices are deployed at suitable points in the network, and efficient defense against network attacks is achieved through multipoint cooperation and a full-period closed-loop security defense process, improving the overall security of the protected target network.

Description

Network threat perception system and method
Technical Field
The invention relates to the technical field of information security, in particular to a network threat perception system and a network threat perception method.
Background
With the rapid development of computer technology, network threats of many kinds are increasing. In recent years, attackers launching targeted cyber threat events have increasingly used hybrid network attacks, i.e., several different types of network attack are launched against the target simultaneously within a single threat event. Hybrid network attacks have become a main trend in cyber threat events, which brings greater challenges to defensive work such as detection and response.
Compared with a single network attack, a hybrid network attack contains several attack types with different principles. Traditional distributed threat detection methods focus on raising the detection success rate and detection speed when a threat occurs, but pay no attention to the specific attack categories within the threat event; when facing a hybrid attack they lack a normalized detection method covering the various attacks, so detection efficiency and accuracy are relatively low. From the perspective of detection algorithms, different attacks have different characteristics in their network traffic, and those characteristics are distributed differently, so the detection methods for the individual attacks cannot simply be stacked and applied to detecting the hybrid attack: on one hand this consumes more computing resources, and on the other hand the accuracy of a detection algorithm suited to a specific attack type drops greatly when it is used on a hybrid attack.
Meanwhile, because traditional threat detection methods neglect attack categories, a critical classification step between attack detection and response is missing. The response measures generated by an intrusion response system, such as blocking, tracing and repairing, differ from attack to attack, so once an accurate attack category cannot be obtained, important information is lacking for quickly and accurately generating the response strategy in the next step, the closed loop of network attack defense is broken, and hybrid network attacks cannot be defended against effectively.
Disclosure of Invention
To address the problems in the prior art, embodiments of the invention provide a network threat perception system and a network threat perception method.
In a first aspect, an embodiment of the present invention provides a network threat perception system, including:
a feature collector, a threat detector, an attack classifier and an attack responder; wherein:
the feature collector is used for receiving, in real time, a threat alarm notification or a normal notification sent by the threat detector, and for sending collected data to the threat detector and the attack classifier;
the threat detector is used for sensing and detecting the network environment in real time according to the collected data received from the feature collector, generating a threat alarm notification or a normal notification according to the sensing and detection result, and sending that notification to the feature collector and the attack classifier in real time;
the attack classifier is used for receiving the threat alarm notification sent by the threat detector and the collected data sent by the feature collector, determining a classification result with a preset neural network model based on the threat alarm notification and the collected data, and sending a classification result mapping table to the attack responder;
and the attack responder is used for receiving the classification result mapping table sent by the attack classifier and calling a preset response strategy according to the classification result mapping table to respond.
Further, the threat detector is configured to:
when an attack is sensed, send the feature collector an instruction to increase fine-grained sensing of feature information.
Further, the feature collector includes a high-dimensional feature data acquisition unit, a lightweight profile (portrait) data acquisition unit, an alarm receiving unit and a collected data reporting unit; wherein:
the collected data reporting unit is used for receiving, in real time, a threat alarm notification or a normal notification sent by the threat detector;
the high-dimensional feature data acquisition unit is used for receiving the threat alarm notification from the collected data reporting unit and outputting high-dimensional feature data to the alarm receiving unit;
the lightweight profile data acquisition unit is used for receiving the normal notification from the collected data reporting unit and outputting lightweight profile data to the alarm receiving unit;
and the alarm receiving unit is used for sending the collected data to the threat detector and the attack classifier.
Further, the threat detector includes a first data receiving unit, a network threat sensing and detecting unit, an alarm generating and issuing unit and an attack classification point dynamic selection unit; wherein:
the first data receiving unit is used for receiving the collected data from the feature collector;
the network threat sensing and detecting unit is used for sensing and detecting the network environment in real time and sending the detection result;
the alarm generating and issuing unit is used for sending the threat alarm notification or the normal notification to the feature collector and the attack classifier;
and the attack classification point dynamic selection unit is used for sending a request to select an attack classifier to the attack classifier.
Further, the attack classifier includes a second data receiving unit, a feature processing unit, an attack classification unit and a classification result packaging and issuing unit; wherein:
the second data receiving unit is configured to receive the threat alarm notification sent by the threat detector and the collected data sent by the feature collector;
the feature processing unit is used for generating and outputting a feature matrix;
the attack classification unit is used for carrying out attack classification and outputting a network attack type;
and the classification result packaging and issuing unit is used for receiving the network attack type and sending a classification result mapping table to the attack responder.
Further, the attack responder includes a threat intelligence sharing unit and a self-response unit; wherein:
the self-response unit is used for receiving the classification result mapping table sent by the attack classifier and calling a preset response strategy according to the classification result mapping table to respond;
and the threat intelligence sharing unit is used for receiving the classification result mapping table and the response result completed by the self-response unit, and generating threat intelligence.
In a second aspect, an embodiment of the present invention provides a sensing method for the network threat perception system, including:
cooperatively sensing the network threat using the feature collector and the threat detector, or cooperatively sensing the network threat using the threat detector;
determining whether to send a threat alarm notification or a normal notification based on the result of the cooperative sensing;
if the notification sent is a threat alarm notification, starting the attack classifier and determining a classification result;
and calling a preset response strategy to respond, based on the classification result mapping table corresponding to the classification result.
Further, the method also includes:
generating threat intelligence after the response is completed.
In a third aspect, an embodiment of the present invention further provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the steps of the sensing method of the network threat perception system according to the second aspect.
In a fourth aspect, the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the sensing method of the network threat perception system according to the second aspect.
In summary, the network threat perception system and method provided by the embodiments of the invention consist of a feature collector, a threat detector, an attack classifier and an attack responder: the feature collector receives, in real time, the threat alarm notification or normal notification sent by the threat detector and sends collected data to the threat detector and the attack classifier; the threat detector senses and detects the network environment in real time according to the collected data from the feature collector, generates a threat alarm notification or a normal notification according to the result, and sends it in real time to the feature collector and the attack classifier; the attack classifier receives the threat alarm notification from the threat detector and the collected data from the feature collector, determines a classification result with a preset neural network model, and sends a classification result mapping table to the attack responder; and the attack responder receives the mapping table and calls a preset response strategy according to it. The four devices are deployed at suitable points in the network, and efficient defense against network attacks is achieved through multipoint cooperation and a full-period closed-loop security defense process, improving the overall security of the protected target network.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a network threat perception system according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network threat perception system according to another embodiment of the present invention;
fig. 3 is a schematic flowchart of a sensing method of the network threat perception system according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a sensing method of the network threat perception system according to another embodiment of the present invention;
fig. 5 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. The cyber threat awareness system provided by the present invention will be explained and illustrated in detail by specific embodiments.
Fig. 1 is a schematic structural diagram of a network threat perception system according to an embodiment of the present invention. As shown in fig. 1, the system includes a feature collector, a threat detector, an attack classifier and an attack responder; wherein:
the feature collector is used for receiving, in real time, a threat alarm notification or a normal notification sent by the threat detector, and for sending collected data to the threat detector and the attack classifier;
the threat detector is used for sensing and detecting the network environment in real time according to the collected data received from the feature collector, generating a threat alarm notification or a normal notification according to the sensing and detection result, and sending that notification to the feature collector and the attack classifier in real time;
the attack classifier is used for receiving the threat alarm notification sent by the threat detector and the collected data sent by the feature collector, determining a classification result with a preset neural network model based on the threat alarm notification and the collected data, and sending a classification result mapping table to the attack responder;
and the attack responder is used for receiving the classification result mapping table sent by the attack classifier and calling a preset response strategy according to the classification result mapping table to respond.
In this embodiment, note that the network attack detection system based on multipoint cooperation is designed for the hybrid network attacks that are currently widespread. The system comprises a collection component (the feature collector), a detection component (the threat detector), a classification component (the attack classifier) and a response component (the attack responder). The four types of component (or device) are deployed at suitable points in the network; lightweight network security situation features are collected in real time and analysed in a normalized way on the basis of information entropy theory, to quickly judge whether a threat event is occurring in the current network; when a threat occurs, the granularity of situation feature collection is refined and the current network threat is accurately classified by a neural network based attack classification model (the preset neural network model); the classification result (the classification result mapping table) can be provided to the response component (the attack responder) and/or to other security systems, and the identified types of network attack are responded to effectively (a preset response strategy is called according to the classification result mapping table). The embodiment thus achieves efficient defense against single or hybrid network attacks through multipoint cooperation and a full-period (detection, response, reporting and so on) closed-loop security defense process, and improves the overall security of the protected target network.
To aid understanding, the following examples further illustrate the invention, which is not limited to them.
For example, see fig. 2:
the network threat perception system of this embodiment provides, for security targets such as servers, enterprise networks and clouds facing various hybrid network attacks, safeguards such as reasonable placement of detection points, timely threat discovery, dynamic starting of classification points and accurate attack classification. The embodiment can rapidly discover a hybrid network attack against a security target in a large-scale network and accurately determine the attack categories it contains; at the same time the system has attack response capability, closes the security protection loop, and can also provide an interface for communicating with other intrusion response systems, giving good compatibility.
As shown in fig. 2, the system includes a feature collector, a threat detector, an attack classifier and an attack responder.
(1) The feature collector provides an interface compatible with various collection methods, and the component can comprise four working units. The high-dimensional feature data acquisition unit and the lightweight profile data acquisition unit provide two different collection modes; the alarm receiving unit takes the threat alarm notification or normal notification received in real time from the threat detector as input and switches between the collection modes; and the collected data reporting unit takes the feature data corresponding to the current collection mode as output and reports it to the threat detector and the attack classifier. Under normal conditions (i.e. when a normal notification is received), the feature collector gathers coarse-grained profile information on the node's network data flow and host state, such as data flow rate and CPU occupancy, and sends it to the threat detector. When the threat detector senses an attack (and sends a threat alarm notification carrying an instruction to increase fine-grained sensing of feature information), the feature collector is required to increase its fine-grained sensing, collecting, for example, data stream connection states and process states.
(2) The threat detector provides an interface compatible with various threat detection methods and models, and the device can comprise four working units. The data receiving unit (the first data receiving unit) obtains the collected data sensed in real time (such as profile data) from the feature collector as the device input. The alarm generating and issuing unit generates a threat alarm notification or a normal notification as output. The network threat sensing and detecting unit senses and detects the network environment in real time and judges whether the network data flow and host state of the current node are normal. The attack classification point dynamic selection unit judges, when a network threat exists, whether the attack classifier needs to be requested to start.
(3) The attack classifier provides an interface compatible with various attack classification methods, and the device can comprise four working units. The data receiving unit (the second data receiving unit) takes as input the threat alarm notification or normal notification generated by the threat detector and the collected data (e.g. feature data) reported by the feature collector. The classification result packaging and issuing unit generates a 'network flow to attack category' classification result mapping table as output and sends it to the attack responder. The feature processing unit performs feature engineering on the raw collected data reported by the feature collector to produce a feature matrix as the input of the attack classification unit. The attack classification unit runs a neural network classification model (the preset neural network model) on the feature matrix produced by the feature processing unit, performs multi-class classification on the real-time traffic, and identifies the network attack types contained in the current traffic.
(4) The attack responder provides an interface compatible with various response methods, and the device can comprise two working units. The self-response unit takes the classification result mapping table from the attack classifier as input and performs the supported response operations at the node where it is deployed. The threat intelligence sharing unit combines the classification result and the responder's own response status into threat intelligence, which is provided to external response entities so that the threat event can be handled in a coordinated way.
In the actual workflow, shown in fig. 4, each feature collector collects coarse- or fine-grained feature information in real time according to the state of the network. The system allows the threat detector and the attack classifier to be deployed on the same node as two different working modes, or either to be deployed alone as the node's only working mode. Threat detectors are deployed at each key node of the network, according to the actual network topology, to detect attacks in real time. When one threat detector detects an attack, several key threat detectors are selected according to the real-time network environment and the actual threat situation and switch on the attack classification mode, taking the role of attack classifiers; they classify the attacks in the threat event cooperatively, confirm the complete set of attacks contained in the threat event, and generate a network flow to attack category mapping table, which the attack responder receives and acts on.
Dynamic selection of the attack classifiers has two advantages: on one hand, the attack flows present on different links are not identical, so attack classification at a single node is incomplete and may miss some attacks; on the other hand, not every link is attacked, and switching on all attack classifiers wastes resources.
1) Detection framework (network threat perception system) initialization and component (device) deployment
After the protected target object is determined, the security requirements must be specified further and the set of network nodes on which each component of the threat detection framework (the network threat perception system) needs to be deployed must be determined, as shown in step 1 of the flowchart in fig. 4. The security requirements include, but are not limited to: the specific types of network threat and attack for which the framework must provide rapid detection and accurate classification; the amount of basic computing, storage and other resources available to the actual deployment; the response operations and capabilities the framework must realize itself; and the external response entities with which the framework must share threat intelligence. Finally, the deployment positions of the feature collector, threat detector, attack classifier and attack responder are confirmed from the security requirements together with the topology of the network in which the protected target is located.
(1) The feature collector can collect traffic and host features in all directions; it is the bottom-level sensing component of the whole framework, occupies few node resources, and is generally deployed at all nodes in the network.
(2) The threat detector and the attack classifier are usually deployed at the same node and are the computing and decision core of the framework. They detect the network environment in real time and, during attack classification, receive high-dimensional features for computation, occupying large amounts of computing, storage and communication resources. Therefore, on the basis of a near-source selection rule and a minimum full-coverage detection point set selection rule, the minimum defense resources are used while the detection effect is guaranteed, and attacks can be found in time as close to the attack source as possible.
(3) The deployment position of the attack responder depends on the response operations to be realized: when data flow blocking is needed it can be deployed on a must-pass node of the attack flow; when operations such as bug fixing, malware scanning and removal, and software updates are needed it can be deployed on the protected target host and key defense nodes; and when firewall policy control, routing policy control, gateway policy control and similar operations are needed it can be deployed on the corresponding third-party device node.
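The placement step above names a minimum full-coverage rule and a near-source rule without giving an algorithm. The following is an added illustration, not code from the patent: it assumes the network survey yields the set of attack paths from each entry point to the protected target, reads "minimum full coverage" as the smallest set of interior nodes that every path crosses, and uses mean hop distance from the entry point as the near-source tie-break. Topology and node names are constructed.

```python
from itertools import combinations

# Constructed topology: each attack path runs from an entry point outside the protected
# network (first element) to the protected target (last element). Node names are made up.
ATTACK_PATHS = [
    ["inet-a", "edge-r1", "core", "dist-1", "srv"],
    ["inet-b", "edge-r2", "core", "dist-1", "srv"],
    ["vpn", "vpn-gw", "core", "dist-1", "srv"],
    ["partner", "ext-gw", "dist-2", "srv"],      # bypasses the core
]


def interior(path):
    """Candidate detection nodes: everything between the entry point and the target."""
    return path[1:-1]


def covers(nodes, paths):
    """True when every attack path passes through at least one chosen node."""
    return all(any(n in interior(p) for n in nodes) for p in paths)


def mean_hops_from_source(node, paths):
    """Near-source measure (assumption): average hop count from the entry point,
    taken over the paths the node lies on."""
    hops = [p.index(node) for p in paths if node in interior(p)]
    return sum(hops) / len(hops)


def select_detection_points(paths):
    """Minimum full-coverage rule first (smallest hitting set over the paths), then the
    near-source rule as tie-break among the smallest sets. Exhaustive search, so it is
    meant for the small candidate set a topology survey yields, not for large graphs."""
    cands = sorted({n for p in paths for n in interior(p)})
    for k in range(1, len(cands) + 1):
        valid = [set(c) for c in combinations(cands, k) if covers(c, paths)]
        if valid:
            return min(valid, key=lambda s: (sum(mean_hops_from_source(n, paths) for n in s),
                                             sorted(s)))
    return set()


def must_pass_nodes(paths):
    """Nodes every attack path crosses after its entry point: candidates for a blocking responder."""
    return set.intersection(*[set(p[1:]) for p in paths])


def deployment_plan(paths):
    """Apply the placement guidance of the page to the topology."""
    internal = {n for p in paths for n in p[1:]}
    detection = select_detection_points(paths)
    return {
        "collectors": internal,                  # feature collectors on every internal node
        "detectors_and_classifiers": detection,  # co-located at the selected detection points
        "responders": must_pass_nodes(paths),    # blocking responder on must-pass nodes
    }
```

On the constructed topology no single interior node covers all four paths, and among the two-node covers {core, ext-gw} wins the near-source tie-break over {dist-1, ext-gw} and {core, dist-2}.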
2) Cooperative network threat sensing
As shown in steps 2 and 3 of the flowchart in fig. 4, in a normal network environment the feature collector collects lightweight profile feature data of each network node in real time and reports it to the threat detector. Lightweight profile feature data means real-time coarse-grained statistics of network traffic and host state that do not describe any particular data stream or detailed host metric; it includes, but is not limited to: network data ingress and egress rates, ingress and egress data volume, the number of source and destination IPs of the network data streams, the number of source and destination ports, the number of active host processes and the number of established host network connections. The threat detector receives this feature data and runs a threat detection algorithm to quickly analyse whether a threat event exists in the current network. To guarantee a quick response to threat events in a real environment, the threat detector's detection algorithm usually takes only a small amount of profile state data as input, so the feature collector only needs to report the corresponding coarse-grained data.
When a threat detector finds that a threat event exists in the current network, it immediately generates a threat alarm and sends it to the feature collectors and the other threat detectors; if the threat detector judges that the current network environment is normal, it sends a normal notification to the feature collector periodically.
3) Network attack collaborative classification
As shown in step 4 of the flowchart in fig. 4, a threat detector that detects a network threat event immediately sends a threat alarm to all other threat detectors. Based on a designed election method, a number of nodes are dynamically and quickly selected among the threat detectors in real time to form an attack classification point set, and all nodes in the set start the attack classifier working mode. At the same time, the feature collectors corresponding to these attack classifiers change their acquisition mode: they acquire fine-grained feature data of their nodes in real time and report it to the attack classifier. Fine-grained feature data are high-dimensional system features that describe network data streams and host state in detail, including but not limited to: the number of network data flows in each TCP state; the average, maximum, minimum and median packet size of network data flows; the average, maximum, minimum and median idle time of network data flows; the average, maximum, minimum and median packet interval of network data flows; the active time of each process on the host; the establishment time of each network connection on the host; and the like.
The attack classifier runs a neural-network-based classification algorithm: it receives the fine-grained high-dimensional feature data, classifies the current network threats, determines the specific attack category (or the normal category) to which each data stream belongs, and generates a "network flow-attack category" mapping table. In this embodiment, a <source IP, destination IP, source port, destination port> quintuple is preferably used as the unique identifier of a network data stream; the quintuple identifier is used as the key and the category of the data stream as the value to generate the mapping table (i.e., the classification result mapping table), which is then sent to each attack responder.
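The two acquisition modes described in 2) and 3) above, written out as an added example that is not part of the patent: a feature collector that reports coarse-grained portrait statistics until a threat alarm switches it to per-flow fine-grained features, and a threshold detector standing in for the unspecified detection algorithm. The packet record format, the thresholds, the sample traffic and the use of the protocol as a fifth element of the flow key are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class Packet:
    """One packet observed at the monitored node (constructed record format, an assumption)."""
    ts: float       # seconds since the start of the collection window
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    size: int       # bytes
    ingress: bool   # True if the packet enters the node, False if it leaves


def flow_key(p: Packet):
    """Flow identifier: the patent lists <src IP, dst IP, src port, dst port>; protocol is added here."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)


def lightweight_portrait(packets, window_s: float) -> dict:
    """Coarse-grained portrait of the node over one window: rates, volumes and distinct counts."""
    ingress_bytes = sum(p.size for p in packets if p.ingress)
    egress_bytes = sum(p.size for p in packets if not p.ingress)
    return {
        "ingress_bytes": ingress_bytes,
        "egress_bytes": egress_bytes,
        "ingress_rate_bps": ingress_bytes / window_s,
        "egress_rate_bps": egress_bytes / window_s,
        "src_ip_count": len({p.src_ip for p in packets}),
        "dst_ip_count": len({p.dst_ip for p in packets}),
        "src_port_count": len({p.src_port for p in packets}),
        "dst_port_count": len({p.dst_port for p in packets}),
    }


def fine_grained_features(packets) -> dict:
    """Per-flow high-dimensional features: packet size and inter-packet interval statistics.
    Per-state TCP counts and host process/connection timing from the patent's list are omitted,
    because they need TCP flag tracking and host telemetry that a packet list does not carry."""
    flows = {}
    for p in packets:
        flows.setdefault(flow_key(p), []).append(p)
    features = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.ts)
        sizes = [p.size for p in pkts]
        gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])] or [0.0]
        features[key] = {
            "pkt_count": len(pkts),
            "size_mean": mean(sizes), "size_max": max(sizes),
            "size_min": min(sizes), "size_median": median(sizes),
            "gap_mean": mean(gaps), "gap_max": max(gaps),
            "gap_min": min(gaps), "gap_median": median(gaps),
        }
    return features


class FeatureCollector:
    """Reports light-weight portrait data in normal mode and switches to fine-grained
    (high-dimensional) reporting when the threat detector sends a threat alarm."""

    def __init__(self, window_s: float):
        self.window_s = window_s
        self.mode = "light"

    def on_notification(self, kind: str) -> None:
        if kind == "threat_alarm":
            self.mode = "fine"
        elif kind == "normal":
            self.mode = "light"
        else:
            raise ValueError(f"unknown notification {kind!r}")

    def report(self, packets):
        """Returns (mode, data) as it would be sent to the threat detector or attack classifier."""
        if self.mode == "light":
            return "light", lightweight_portrait(packets, self.window_s)
        return "fine", fine_grained_features(packets)


class ThreatDetector:
    """Fast check over portrait data only. The patent does not fix the detection algorithm;
    the fan-out thresholds below are assumptions chosen for the constructed sample."""

    def __init__(self, max_dst_ports: int = 50, max_src_ips: int = 100):
        self.max_dst_ports = max_dst_ports
        self.max_src_ips = max_src_ips

    def inspect(self, portrait: dict) -> str:
        if portrait["dst_port_count"] > self.max_dst_ports or portrait["src_ip_count"] > self.max_src_ips:
            return "threat_alarm"
        return "normal"


def sample_packets():
    """Constructed traffic: three ordinary HTTPS flows plus one host touching 60 distinct ports."""
    pkts = []
    for i in range(3):
        for k in range(4):
            pkts.append(Packet(i + 0.25 * k, f"10.0.0.{i + 1}", "10.0.1.5", 40000 + i, 443, "tcp", 600 + 100 * k, True))
    for n in range(60):
        pkts.append(Packet(2.0 + 0.01 * n, "10.0.0.9", "10.0.1.5", 51000, 1 + n, "tcp", 60, True))
    return pkts
```

Feeding `sample_packets()` through `FeatureCollector(3.0).report` yields a portrait with 61 distinct destination ports, which the detector turns into a threat alarm; passing that alarm to `on_notification` makes the next report fine-grained.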
4) Cyber threat collaborative response
As shown in steps 5 and 6 of the flowchart in fig. 4, an attack responder deployed in the network receives the "network flow-attack category" mapping table (the classification result mapping table) as the main basis for its threat response, which is performed in real time and can be divided into two steps:
(1) Cyber threat self-response. The attack responder has its own threat response capability and responds to the threat according to the mapping table and its own protection capability, which mainly means a certain degree of control over the node on which it is deployed, including but not limited to: blocking threat data streams, host security protection (malware detection and removal, bug fixing, software updating, etc.), and third-party device policy optimization (firewalls, gateways, routers, etc.).
(2) Threat intelligence sharing. In general, a hybrid network threat has many sources and is difficult to guard against, so the detection framework (i.e., the cyber threat perception system) designed in this embodiment must not only resolve and defend against the network threat quickly, but must also cooperate with other external response bodies in the network to block the attack at its source and eliminate the threat. Based on this idea, the attack responder shares threat intelligence with external response bodies. The threat intelligence includes the "network flow-attack category" mapping table, the response operations executed by the node, and the like; the external response bodies include network operators, regulatory bodies, open servers, and the like.
In this embodiment:
1) For hybrid network attacks, rapid discovery, accurate classification and effective response are realized cooperatively.
2) The deployment mode in the network, such as how the threat detector deployment node set is generated, is determined according to information such as security requirements, network topology and defense resources.
3) Based on coarse-grained portrait information such as network traffic and host state, the security of the network is computed and analyzed in real time, so that whether the current network is under a hybrid network attack can be judged quickly.
4) When the network is threatened, the attack classification point set is selected according to information such as the real-time traffic and security resources of each threat detection point.
5) The current network data flows are classified according to fine-grained feature information such as network data flow and host state, and the specific category of each network data flow is determined.
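The mapping table keyed by the flow quintuple and the two response steps above, as an added example that is not part of the patent: the table is built from classifier outputs, the responder applies a preset per-category strategy only for operations within its own control scope (cf. the deployment rules for the attack responder), and the threat intelligence it shares carries the table plus the operations it executed. The attack categories, the strategy table, the capability names and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass, asdict

FlowKey = tuple  # (src_ip, dst_ip, src_port, dst_port, proto); protocol added as an assumption


def build_mapping_table(classified) -> dict:
    """Build the "network flow-attack category" table: key = quintuple, value = category.
    When several classification points label the same flow, an attack label overrides
    "normal" (an assumption; the patent does not specify conflict handling)."""
    table = {}
    for key, category in classified:
        previous = table.get(key)
        if previous is None or previous == "normal":
            table[key] = category
    return table


@dataclass
class ResponseAction:
    flow: FlowKey
    category: str
    operation: str   # "block_flow" | "host_protect" | "device_policy" | "none"
    outcome: str     # "executed" | "deferred" | "unmapped"
    detail: str = ""


class AttackResponder:
    """Self-response limited to the node's own control capability, plus intelligence sharing."""

    # Preset response strategy (assumed): attack category -> response operation
    STRATEGY = {
        "ddos": "block_flow",
        "port_scan": "block_flow",
        "malware_c2": "host_protect",
        "web_exploit": "device_policy",
    }

    def __init__(self, node_id: str, capabilities: set):
        self.node_id = node_id
        self.capabilities = capabilities          # operations this deployment node can perform
        self.handlers = {
            "block_flow": self._block_flow,       # must-pass node of the attack flow
            "host_protect": self._host_protect,   # protection target host / key defense node
            "device_policy": self._device_policy, # third-party device (firewall, gateway, router)
        }

    def _block_flow(self, flow: FlowKey) -> str:
        src, dst, sport, dport, proto = flow
        return f"drop {proto} {src}:{sport} -> {dst}:{dport}"

    def _host_protect(self, flow: FlowKey) -> str:
        return f"malware scan, patch and update on host {flow[1]}"

    def _device_policy(self, flow: FlowKey) -> str:
        return f"push deny rule for {flow[0]} to perimeter device"

    def respond(self, table: dict) -> list:
        """Step (1): act on every non-normal flow; defer operations outside this node's scope."""
        actions = []
        for flow, category in table.items():
            if category == "normal":
                continue
            operation = self.STRATEGY.get(category)
            if operation is None:
                actions.append(ResponseAction(flow, category, "none", "unmapped"))
            elif operation not in self.capabilities:
                actions.append(ResponseAction(flow, category, operation, "deferred",
                                              "outside this node's control scope"))
            else:
                actions.append(ResponseAction(flow, category, operation, "executed",
                                              self.handlers[operation](flow)))
        return actions

    def threat_intelligence(self, table: dict, actions: list) -> dict:
        """Step (2): what is shared with external response bodies."""
        return {
            "node": self.node_id,
            "flow_categories": [{"flow": list(k), "category": v}
                                for k, v in table.items() if v != "normal"],
            "responses": [asdict(a) for a in actions],
        }


def sample_classifications():
    """Constructed outputs of two classification points; flows f1 and f2 are seen by both."""
    f1 = ("10.0.0.9", "10.0.1.5", 51000, 22, "tcp")
    f2 = ("10.0.0.3", "10.0.1.5", 40001, 443, "tcp")
    f3 = ("198.51.100.7", "10.0.1.8", 44321, 8080, "tcp")
    return [(f1, "port_scan"), (f2, "normal"), (f3, "web_exploit"), (f2, "normal"), (f1, "normal")]
```

A responder deployed on a flow-blocking node (capability `block_flow` only) executes the block for the scanning flow and defers the device-policy operation, which a responder on the third-party device node would carry out instead.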
The network threat perception system provided by the embodiment of the invention has the following advantages:
1. When facing a hybrid attack, a complete closed-loop security protection process of rapid discovery (threat detector), accurate classification (attack classifier) and rapid response (attack responder) is provided; the degree of modularization and the compatibility are high, and the process can be adapted to various schemes for threat detection, attack classification, attack response, detection point selection, dynamic activation of classification points, and the like.
2. The embodiment of the invention can design a threat detection point deployment scheme that provides a minimum set of detection points, which covers the security target network under the condition of limited defense resources and achieves the maximum security protection effect.
3. Whether a hybrid network threat exists in the current network is detected quickly and in real time; compared with existing schemes, the method depends less on computing and storage resources and can efficiently detect the occurrence of a hybrid network threat event.
4. The attack classification point dynamic selection scheme provided by the embodiment of the invention can select the most appropriate set of classification points to achieve the best classification effect while saving computing and storage resources when an attack occurs.
5. When an attack occurs, each node can accurately classify the current network data streams; the classification model requires a short training time and achieves a good classification effect.
On the basis of the above embodiment, in this embodiment, the threat detector is configured to:
when an attack is sensed, send an instruction to the feature collector to increase fine-grained sensing of the feature information.
According to the above technical scheme, the network threat sensing system provided by the embodiment of the invention sends the instruction for increasing fine-grained sensing of the feature information to the feature collector, so that the feature collector switches its working mode and outputs the light-weight portrait data.
On the basis of the above embodiment, in this embodiment, the feature collector includes: the system comprises a high-dimensional characteristic data acquisition unit, a light-weight portrait data acquisition unit, an alarm receiving unit and an acquired data reporting unit; wherein:
the collected data reporting unit is used for receiving, in real time, the threat alarm notification or the normal notification sent by the threat detector;
the high-dimensional feature data acquisition unit is used for receiving the threat alarm notification from the collected data reporting unit and outputting high-dimensional feature data to the alarm receiving unit;
the light-weight portrait data acquisition unit is used for receiving the normal notification from the collected data reporting unit and outputting light-weight portrait data to the alarm receiving unit;
the alarm receiving unit is used for sending the collected data to the threat detector and the attack classifier.
According to the above technical scheme, the network threat sensing system provided by the embodiment of the invention completes data acquisition through the feature collector, which provides two working modes based on the high-dimensional feature data acquisition unit and the light-weight portrait data acquisition unit; this helps the threat detector to discover network attacks quickly and helps the attack classifier to classify quickly.
On the basis of the above embodiment, in the present embodiment, the threat detector includes: the system comprises a first data receiving unit, a network threat sensing and detecting unit, an alarm generating and issuing unit and an attack classification point dynamic selecting unit; wherein:
the first data receiving unit is used for receiving the collected data from the feature collector;
the network threat sensing and detecting unit is used for sensing and detecting the network environment in real time and sending a detection result;
the alarm generating and issuing unit is used for sending the threat alarm notification or the normal notification to the feature collector and the attack classifier;
the attack classification point dynamic selection unit is used for sending a request for selecting an attack classifier to the attack classifier.
As can be seen from the above technical solutions, the network threat sensing system provided in the embodiment of the present invention can dynamically select an attack classifier during attack classification through the alarm generation and issuing unit, which has the following advantages: on the one hand, the attack flows present on different links are not identical, so attack classification at a single node is not comprehensive and some attacks may be missed; on the other hand, not all links will be attacked, so turning on all attack classifiers wastes resources.
On the basis of the foregoing embodiment, in this embodiment, the attack classifier includes: the system comprises a second data receiving unit, a feature processing unit, an attack classification unit and a classification result packaging and issuing unit; wherein:
the second data receiving unit is configured to receive the threat alarm notification sent by the threat detector, and receive the collected data sent by the feature collector;
the characteristic processing unit is used for generating and outputting a characteristic matrix;
the attack classification unit is used for carrying out attack classification and outputting a network attack type;
the classification result packaging and issuing unit is used for receiving the network attack type and sending the classification result mapping table to the attack responder.
According to the above technical scheme, the network threat sensing system provided by the embodiment of the invention realizes efficient defense against network attacks through multipoint cooperation and a full-cycle closed-loop security defense process in the network, so that the overall security of the security protection target network is improved.
On the basis of the foregoing embodiment, in this embodiment, the attack classifier includes: threat intelligence sharing unit and self-response unit; wherein:
the self-response unit is used for receiving the classification result mapping table sent by the attack classifier and calling a preset response strategy according to the classification result mapping table to respond;
the threat intelligence sharing unit is used for receiving the classification result mapping table and the response result completed by the self-response unit and generating threat intelligence.
According to the above technical scheme, the network threat sensing system provided by the embodiment of the invention can share threat intelligence and complete its own response through the threat intelligence sharing unit and the self-response unit, thereby providing a complete security protection closed loop.
Fig. 3 is a schematic flowchart of a sensing method of a cyber-threat sensing system according to an embodiment of the present invention, and as shown in fig. 3, the method includes:
step 101: sensing network threats cooperatively using the feature collector and the threat detector, or cooperatively among the threat detectors.
Step 102: determining whether to send a threat alarm notification or a normal notification based on the result of the cooperative network threat sensing.
Step 103: if the sent notification is a threat alarm notification, starting the attack classifier and determining a classification result.
Step 104: calling a preset response strategy to respond based on the classification result mapping table corresponding to the classification result.
In this embodiment, it should be noted that sensing network threats cooperatively using the feature collector and the threat detector refers to longitudinal cooperation between the feature collector and the threat detector; for example, several feature collectors deployed at different nodes in the network collect light-weight network portrait data in real time and send it to the threat detector, which aggregates and analyzes the data and senses the network threat situation. Cooperative sensing among threat detectors refers to cooperation between the threat detectors themselves; for example, if several threat detectors are deployed at each key node of the network where the security protection target is located, the communication links of the security protection target are covered from all directions, and network threats that may come from different directions are sensed in real time.
Preferably, the attack classifiers also classify cooperatively; for example, several attack classifiers are deployed at each key node of the network where the security protection target is located. After the threat detector generates an alarm, because the network threat traffic may be present on several communication links, some of the attack classifiers need to be started to classify the threat traffic cooperatively; a single attack classifier working alone may not be able to learn all attacks (because some attack traffic does not pass through its node), so several attack classifiers working in concert allow the attack categories to be identified comprehensively.
On the basis of the above embodiment, in this embodiment, the method further includes:
after the response is completed, threat intelligence is generated.
The sensing method of the cyber-threat sensing system provided by the embodiment of the present invention can be executed by the cyber-threat sensing system of the above embodiment; its technical principle and beneficial effects are similar, reference may be made to the above embodiment, and details are not repeated here.
Based on the same inventive concept, an embodiment of the present invention provides an electronic device; referring to fig. 5, the electronic device specifically includes: a processor 301, a communication interface 303, a memory 302, and a communication bus 304.
The processor 301, the communication interface 303 and the memory 302 communicate with each other through the communication bus 304; the communication interface 303 is used for information transmission between related devices such as modeling software, an intelligent manufacturing equipment module library and the like; the processor 301 is used for calling the computer program in the memory 302, and executing the computer program implements the method provided by the above method embodiments, for example the following steps: sensing network threats cooperatively using the feature collector and the threat detector, or cooperatively among the threat detectors; determining whether to send a threat alarm notification or a normal notification based on the result of the cooperative network threat sensing; if the sent notification is a threat alarm notification, starting the attack classifier and determining a classification result; and calling a preset response strategy to respond based on the classification result mapping table corresponding to the classification result.
Based on the same inventive concept, another embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the program performs the methods provided by the above method embodiments, for example: sensing network threats cooperatively using the feature collector and the threat detector, or cooperatively among the threat detectors; determining whether to send a threat alarm notification or a normal notification based on the result of the cooperative network threat sensing; if the sent notification is a threat alarm notification, starting the attack classifier and determining a classification result; and calling a preset response strategy to respond based on the classification result mapping table corresponding to the classification result.
The above-described system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods of the various embodiments or some parts of the embodiments.
In addition, in the present invention, terms such as "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Moreover, in the present invention, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Furthermore, in the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A cyber-threat awareness system, comprising: the system comprises a feature collector, a threat detector, an attack classifier and an attack responder; wherein:
the feature collector is used for receiving, in real time, a threat alarm notification or a normal notification sent by the threat detector and sending collected data to the threat detector and the attack classifier;
the threat detector is used for sensing and detecting the network environment in real time according to the collected data received from the feature collector, generating a threat alarm notification or a normal notification according to the sensing and detection result, and sending the threat alarm notification or the normal notification to the feature collector and the attack classifier in real time;
the attack classifier is used for receiving the threat alarm notification sent by the threat detector and receiving the collected data sent by the feature collector; determining a classification result by using a preset neural network model based on the threat alarm notification and the collected data, and sending a classification result mapping table to the attack responder;
the attack responder is used for receiving the classification result mapping table sent by the attack classifier and calling a preset response strategy according to the classification result mapping table to respond.
2. The cyber-threat awareness system according to claim 1, wherein the threat detector is configured to:
when an attack is sensed, send an instruction to the feature collector to increase fine-grained sensing of the feature information.
3. The cyber-threat awareness system according to claim 1, wherein the feature collector comprises: the system comprises a high-dimensional characteristic data acquisition unit, a light-weight portrait data acquisition unit, an alarm receiving unit and an acquired data reporting unit; wherein:
the collected data reporting unit is used for receiving, in real time, the threat alarm notification or the normal notification sent by the threat detector;
the high-dimensional feature data acquisition unit is used for receiving the threat alarm notification from the collected data reporting unit and outputting high-dimensional feature data to the alarm receiving unit;
the light-weight portrait data acquisition unit is used for receiving the normal notification from the collected data reporting unit and outputting light-weight portrait data to the alarm receiving unit;
the alarm receiving unit is used for sending the collected data to the threat detector and the attack classifier.
4. The cyber-threat awareness system according to claim 1, wherein the threat detector comprises: the system comprises a first data receiving unit, a network threat sensing and detecting unit, an alarm generating and issuing unit and an attack classification point dynamic selecting unit; wherein:
the first data receiving unit is used for receiving the collected data from the feature collector;
the network threat sensing and detecting unit is used for sensing and detecting the network environment in real time and sending a detection result;
the alarm generating and issuing unit is used for sending the threat alarm notification or the normal notification to the feature collector and the attack classifier;
the attack classification point dynamic selection unit is used for sending a request for selecting an attack classifier to the attack classifier.
5. The cyber-threat awareness system according to claim 1, wherein the attack classifier comprises: the system comprises a second data receiving unit, a feature processing unit, an attack classification unit and a classification result packaging and issuing unit; wherein:
the second data receiving unit is configured to receive the threat alarm notification sent by the threat detector, and receive the collected data sent by the feature collector;
the characteristic processing unit is used for generating and outputting a characteristic matrix;
the attack classification unit is used for carrying out attack classification and outputting a network attack type;
the classification result packaging and issuing unit is used for receiving the network attack type and sending the classification result mapping table to the attack responder.
6. The cyber-threat awareness system according to claim 1, wherein the attack classifier comprises: threat intelligence sharing unit and self-response unit; wherein:
the self-response unit is used for receiving the classification result mapping table sent by the attack classifier and calling a preset response strategy according to the classification result mapping table to respond;
the threat intelligence sharing unit is used for receiving the classification result mapping table and the response result completed by the self-response unit and generating threat intelligence.
7. A method for sensing by a cyber-threat sensing system according to any one of claims 1 to 6, comprising:
sensing network threats cooperatively using the feature collector and the threat detector, or cooperatively among the threat detectors;
determining whether to send a threat alarm notification or a normal notification based on the result of the cooperative network threat sensing;
if the sent notification is a threat alarm notification, starting the attack classifier and determining a classification result;
calling a preset response strategy to respond based on the classification result mapping table corresponding to the classification result.
8. The perception method according to claim 7, further comprising:
after the response is completed, threat intelligence is generated.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the method of sensing of the cyber-threat sensing system of claim 7 or 8.
10. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the method of sensing of the cyber-threat sensing system of claim 7 or 8.
CN202110811260.7A 2021-07-19 2021-07-19 Network threat perception system and method Active CN113271318B (en)
Publications (2)

Publication Number Publication Date
CN113271318A true CN113271318A (en) 2021-08-17
CN113271318B CN113271318B (en) 2021-09-21
Peng et al. ADVICE: Towards adaptive scheduling for data collection and DDoS detection in SDN
Dinh et al. Dynamic economic-denial-of-sustainability (EDoS) detection in SDN-based cloud
Fenil et al. Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches
Das et al. Flood control: Tcp-syn flood detection for software-defined networks using openflow port statistics
Aslam et al. Machine learning based SDN-enabled distributed denial-of-services attacks detection and mitigation system for Internet of Things
TW202017337A (en) Method and system for backbone network flow anomaly detection
CN114978604A (en) Security gateway system for software defined service perception
Cao et al. A cross-plane cooperative DDoS detection and defense mechanism in software-defined networking
Lussi et al. A lightweight fog-based internal intrusion detection system for smart environments

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant