CN113472754A - Security protection configuration method based on network security big data and network security system

Info

Publication number: CN113472754A
Authority: CN (China)
Prior art keywords: protection, rule, target, network security, information
Prior art date:
Legal status: Withdrawn
Application number: CN202110667149.5A
Other languages: Chinese (zh)
Inventor: 丁祥云
Current Assignee: Individual
Original Assignee: Individual
Priority date:
Filing date:
Publication date:
Events: application filed by Individual; priority to CN202110667149.5A; publication of CN113472754A; legal status withdrawn (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiments of the disclosure provide a security configuration method based on network security big data and a network security system. Protection rule matching is performed on a first predicted network security protection rule against a plurality of second predicted network security protection rules to obtain target protection rule information corresponding to each second predicted network security protection rule, from which a target protection rule key field and target linkage protection rule information are obtained; this realizes deep mining of the target protection rule key field and ensures the integrity of the target linkage protection rule information. Therefore, when the target mining network security protection rule corresponding to the first predicted network security protection rule is determined, the mined protection rule key field can be taken into account as fully as possible, so that the correlation between the target mining network security protection rule and the mined protection rule key field is ensured and the precision and efficiency of subsequent protection rule configuration are improved.

Description

Security protection configuration method based on network security big data and network security system
Technical Field
The present disclosure relates to the field of network security technologies, and in an exemplary embodiment, to a security protection configuration method based on network security big data and a network security system.
Background
While the economy develops rapidly and science and technology improve continuously, the network has become an indispensable component of current social production and daily life, bringing great convenience to users. At the same time, network systems also suffer from security threats, which adversely affect people's normal use of them. Especially in the big data era, a large amount of important information is stored in network systems, and once a network system has a security problem, great loss is caused.
Based on this, in the related art, for some network security protection cloud services of major concern, a user is required to perform data analysis on the network security big data of those services, to learn their security portrait, and further to learn their security operation condition so as to perform targeted protection rule configuration and/or update. However, in the related art, the configuration accuracy and efficiency of the protection rules are limited because the user performs individual analysis and arrangement with a data analysis tool.
Disclosure of Invention
In order to overcome at least the above disadvantages in the prior art, an object of the present disclosure is to provide a security configuration method based on network security big data and a network security system.
In a first aspect, the present disclosure provides a security protection configuration method based on network security big data, which is applied to a network security system, where the network security system is in communication connection with a plurality of network security monitoring terminals, and the method includes:
screening, from a security portrait collection for a network security protection cloud service, a target security portrait meeting preset portrait characteristics, and obtaining a first predicted network security protection rule based on the target security portrait;
performing protection rule matching on the first predicted network security protection rule by using a plurality of second predicted network security protection rules related to the network security protection cloud service and obtained in advance, to obtain target protection rule information corresponding to each of the plurality of second predicted network security protection rules;
obtaining a target protection rule key field and target linkage protection rule information based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules and on mining network security protection rules with preset rule attributes corresponding to each of the plurality of second predicted network security protection rules;
and obtaining a target mining network security protection rule corresponding to the first predicted network security protection rule based on the target protection rule key field and the target linkage protection rule information.
In a second aspect, an embodiment of the present disclosure further provides a network security big data-based security configuration system, where the network security big data-based security configuration system includes a network security system and a plurality of network security monitoring terminals communicatively connected to the network security system;
the network security system is configured to:
screening, from a security portrait collection for a network security protection cloud service, a target security portrait meeting preset portrait characteristics, and obtaining a first predicted network security protection rule based on the target security portrait;
performing protection rule matching on the first predicted network security protection rule by using a plurality of second predicted network security protection rules related to the network security protection cloud service and obtained in advance, to obtain target protection rule information corresponding to each of the plurality of second predicted network security protection rules;
obtaining a target protection rule key field and target linkage protection rule information based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules and on mining network security protection rules with preset rule attributes corresponding to each of the plurality of second predicted network security protection rules;
and obtaining a target mining network security protection rule corresponding to the first predicted network security protection rule based on the target protection rule key field and the target linkage protection rule information.
In any of the above aspects, in the embodiments provided by the present disclosure, protection rule matching can be performed on the first predicted network security protection rule based on a plurality of second predicted network security protection rules to obtain target protection rule information corresponding to each second predicted network security protection rule, so that a target protection rule key field and target linkage protection rule information can be obtained through the mining network security protection rule having a preset rule attribute that corresponds to the target protection rule information and to each second predicted network security protection rule, thereby implementing deep mining of the target protection rule key field and ensuring the integrity of the target linkage protection rule information. Therefore, when the target mining network security protection rule corresponding to the first predicted network security protection rule is determined, the mined protection rule key field can be taken into account as fully as possible, so that the correlation between the target mining network security protection rule and the mined protection rule key field is ensured, and the precision and efficiency of subsequent protection rule configuration are improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present disclosure and therefore should not be considered as limiting the scope; those skilled in the art can obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a schematic application scenario diagram of a security configuration system based on network security big data according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a security configuration method based on network security big data according to an embodiment of the present disclosure;
fig. 3 is a functional module schematic diagram of a security configuration device based on network security big data according to an embodiment of the present disclosure;
fig. 4 is a schematic block diagram of a network security system for implementing the above-described network security big data-based security protection configuration method according to an embodiment of the present disclosure.
Detailed Description
The following describes in detail aspects of embodiments of the present disclosure with reference to the drawings attached hereto.
In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular system structures, interfaces, techniques, etc. in order to provide a thorough understanding of the particular embodiments of the disclosure.
In the field of network security analysis, the security portrait is an ordered portrait sequence depicting a security service user's overall knowledge of a certain network security protection cloud service; it helps the security service user quickly learn about the service and reduces the time cost of initially studying a large number of network security behavior events. Current techniques for generating security portraits often rely on manual extraction, which is time consuming and inefficient.
Some terms of the embodiments of the present disclosure are explained below so that those skilled in the art can more clearly understand the aspects of the embodiments described below.
Security portrait: an ordered portrait sequence for understanding the overall security operation condition of a network security cloud service. A network security cloud service (such as a file transmission security cloud service or an audio/video interaction security cloud service) is usually accompanied by network security behavior events at large data scale. The security portrait is the key situation information, extracted from the redundant network security behavior event information, that can describe the network security cloud service. With the method for generating the security portrait in the embodiment of the disclosure, a security portrait set, i.e. an ordered set of security portraits, for the network security protection cloud service can be generated quickly and accurately.
Security portrait classification network: an artificial intelligence network, presented in an embodiment of the present disclosure, for generating an ordered set of security portraits.
Fig. 1 is an explanatory diagram of a security configuration system 10 based on network security big data according to an embodiment of the present disclosure. The network security big data based security protection configuration system 10 may include a network security system 100 and a network security monitoring terminal 200 communicatively connected to the network security system 100. The network security big data based security protection configuration system 10 shown in fig. 1 is only one possible example, and in other possible embodiments, the network security big data based security protection configuration system 10 may also include only at least some of the components shown in fig. 1 or may also include other components.
In this embodiment, the network security system 100 and the network security monitoring terminal 200 in the security configuration system 10 based on the network security big data may cooperatively perform the security configuration method based on the network security big data described in the following method embodiment, and for the specific steps of the network security system 100 and the network security monitoring terminal 200, reference may be made to the detailed description of the following method embodiment.
To solve the technical problem in the foregoing background, fig. 2 is a schematic flow chart of a security configuration method based on network security big data according to an embodiment of the present disclosure, where the security configuration method based on network security big data according to the embodiment may be executed by the network security system 100 shown in fig. 1, and the security configuration method based on network security big data is described in detail below.
Step S110: according to a security portrait collection for a network security protection cloud service, a target security portrait meeting preset portrait characteristics is screened from the security portrait collection, and a first predicted network security protection rule is obtained based on the target security portrait.
For example, the target security portrait may correspond to the protection rules of a plurality of security protection policies, and the first predicted network security protection rule indicates how the protection rules for the target security portrait are to be configured.
In one embodiment, "screening, from a security portrait collection for a network security protection cloud service, a target security portrait meeting preset portrait characteristics, and obtaining a first predicted network security protection rule based on the target security portrait" in the foregoing step may include: acquiring a target security portrait corresponding to an initial network security protection rule; and performing overall security protection rule identification on the initial network security protection rule included in the target security portrait to obtain the first predicted network security protection rule.
For example, the initial network security protection rule may be a pre-existing network security protection rule that records the protection rule distribution of the target security portrait, including but not limited to the protection rule distribution amount, distribution type, distribution period, and distribution object. Performing overall security protection rule identification on the initial network security protection rule can be understood as continuous and uninterrupted security protection rule identification of that rule.
Step S120: protection rule matching is performed on the first predicted network security protection rule by using a plurality of second predicted network security protection rules related to the network security protection cloud service and obtained in advance, to obtain target protection rule information corresponding to each of the plurality of second predicted network security protection rules.
For example, the second predicted network security protection rule is different from the first predicted network security protection rule, and the configuration service node of the second predicted network security protection rule may be before the configuration service node of the first predicted network security protection rule or after the configuration service node of the first predicted network security protection rule. The protection rule matching is used for extracting target protection rule information corresponding to a plurality of second prediction network safety protection rules from the first prediction network safety protection rules.
In an embodiment, "performing protection rule matching on the first predicted network security protection rule by using a plurality of second predicted network security protection rules related to the network security protection cloud service, which are obtained in advance, to obtain target protection rule information corresponding to each of the plurality of second predicted network security protection rules" described in the above step may include: performing protection rule distribution reference on the plurality of second predicted network security protection rules and the first predicted network security protection rule to obtain target protection rule information corresponding to each of the plurality of second predicted network security protection rules.
For example, protection rule distribution reference may be understood as querying and counting the flow direction of the configured protection rules, so that complete collection of the configured protection rules is ensured; the protection rules that carry associations between the plurality of second predicted network security protection rules and the first predicted network security protection rule can then be determined from the configured protection rules, so that target protection rule information corresponding to each of the plurality of second predicted network security protection rules is obtained accurately and completely.
In one embodiment, the plurality of second predicted network security protection rules may be obtained in advance in the following manner: acquiring a plurality of groups of sample security portraits corresponding to sample network security protection rules; and, for each group of sample security portraits in the plurality of groups, performing overall security protection rule identification on the sample network security protection rules included in that group to obtain the second predicted network security protection rule corresponding to that group.
For further explanation of "acquiring a plurality of groups of sample security portraits corresponding to sample network security protection rules; and, for each group of sample security portraits in the plurality of groups, performing overall security protection rule identification on the sample network security protection rules included in that group to obtain the second predicted network security protection rule corresponding to that group", reference may be made to the above explanation of "acquiring a target security portrait corresponding to an initial network security protection rule; and performing overall security protection rule identification on the initial network security protection rule included in the target security portrait to obtain the first predicted network security protection rule", which is not repeated here.
Step S130, obtaining a target protection rule key field and target linkage protection rule information based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules and the mining network security protection rule having the preset rule attribute corresponding to each of the plurality of second predicted network security protection rules.
For example, the preset rule attribute is used to distinguish different protection rules, such as an audio/video stream protection rule, a fund flow protection rule, a privacy action flow protection rule, or a document service flow protection rule. The mining network security protection rule represents a delayed or hidden network security protection rule corresponding to the second predicted network security protection rule, and has higher mining value than the second predicted network security protection rule. Further, the target protection rule key field may be used to characterize the field condition of a protection rule, such as the field condition of an audio/video stream protection rule, a fund flow protection rule, a privacy action stream protection rule, or a document service stream protection rule. In addition, the target linkage protection rule information represents the protection rule information for which an association exists in time sequence between the first predicted network security protection rule and the second predicted network security protection rule and which is in a real-time updating state.
In one embodiment, the target protection rule key field may include at least one of: a target protection rule attack identification field, a target protection rule attack library call field, and a target protection rule attack update field. Further, the protection rule key fields corresponding to each of the plurality of mining network security protection rules include at least one of: the protection rule attack update field, the protection rule attack identification field, and the protection rule attack library call field corresponding to each group of configured protection rules among the plurality of groups of configured protection rules of the mining network security protection rule. The protection rule attack identification field, the protection rule attack library call field, and the protection rule attack update field correspond to different protection rule operation behaviors. On this basis, the target protection rule key field can be determined under different conditions. In practice, the target protection rule key field can be obtained by, but is not limited to, the following three implementations.
In a first implementation, if the target protection rule key field includes a target protection rule attack identification field, obtaining the target protection rule key field based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules and the mining network security protection rule having the preset rule attribute corresponding to each of the plurality of second predicted network security protection rules includes: based on the target protection rule information corresponding to each of the second predicted network security protection rules, performing attack identification field detection on the protection rule attack identification fields corresponding to each of the mining network security protection rules to obtain the target protection rule attack identification field.
In the first embodiment, when the target protection rule key field includes the target protection rule attack identification field, attack identification field detection may be performed on the protection rule attack identification fields corresponding to the plurality of mining network security protection rules, and validity of the protection rule attack identification field can be ensured by the attack identification field detection, so as to ensure security and validity of the obtained target protection rule attack identification field. For example, the attack identification field detection may be one or more of signature detection, identity detection, or digital certificate detection, and may also be other detection methods. It can be understood that the target protection rule attack identification fields are protection rule attack identification fields corresponding to the mining network security protection rules respectively detected by the attack identification fields.
In a second implementation, if the target protection rule key field includes a target protection rule attack library call field, obtaining the target protection rule key field based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules and the mining network security protection rule with the preset rule attribute corresponding to each of the plurality of second predicted network security protection rules includes: based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules, performing attack library call field detection on the protection rule attack library call fields corresponding to each of the plurality of mining network security protection rules to obtain the target protection rule attack library call field.
In a third implementation, if the target protection rule key field includes a target protection rule attack update field, obtaining the target protection rule key field based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules and the mining network security protection rule with the preset rule attribute corresponding to each of the plurality of second predicted network security protection rules includes: updating the protection rule attack update fields corresponding to the plurality of mining network security protection rules into rule update fields, and performing rule object identification processing on the rule update fields to obtain rule update fields carrying rule object labels; and, based on the target protection rule information corresponding to each of the second predicted network security protection rules, performing field screening on the rule update fields carrying rule object labels corresponding to each of the mining network security protection rules to obtain the target protection rule attack update field.
In the third implementation, because the target protection rule key field includes the target protection rule attack update field, and that field involves larger-scale modification and adjustment of the protection rule, the protection rule attack update fields corresponding to each of the plurality of mining network security protection rules need to be updated into rule update fields when the target protection rule key field is obtained, so as to ensure consistency with the previous protection rule attack update fields. Rule object identification processing can then be performed on the rule update field to obtain a rule update field carrying a rule object label. For example, the rule object label is used to distinguish rule objects and may be a name or a number, and a rule update field carrying a rule object label can be used to trace back the rule object or library object. Therefore, based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules, the rule update fields carrying rule object labels corresponding to each of the plurality of mining network security protection rules can be field-screened to obtain the target protection rule attack update field; that is, the rule update field carrying the rule object label is taken into account, which facilitates effective trace-back of the rule object or library object in subsequent attack update behavior.
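One concrete way to read the three key-field checks described above (signature detection of the attack identification field, detection of the attack library call field, and object-labelling plus screening of the attack update field) is as an integrity gate that every mining rule record must pass before its fields feed the target rule. The Python below is an added illustration written for this page, not code from the patent or its inventor; the HMAC signature, the library allowlist, the `attribute` key used for screening, and all sample rule records are assumptions chosen only to make the idea runnable.

```python
"""Illustrative key-field gate for protection-rule records (added example; hypothetical design)."""
from __future__ import annotations
import hashlib
import hmac
import json

# Assumed publisher key for signature detection. In a real deployment it comes
# from a key store, never from the rule record being checked.
PUBLISHER_KEY = b"constructed-demo-key"

# Assumed allowlist of attack-library names a rule is permitted to call.
KNOWN_ATTACK_LIBRARIES = {"sig-lib-http", "sig-lib-dns"}


def canonical(rule: dict) -> bytes:
    """Canonical JSON over every field except the signature itself."""
    body = {k: v for k, v in rule.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_rule(rule: dict, key: bytes = PUBLISHER_KEY) -> dict:
    """Attach an HMAC-SHA256 signature; this stands in for the 'attack identification field'."""
    signed = dict(rule)
    signed["signature"] = hmac.new(key, canonical(rule), hashlib.sha256).hexdigest()
    return signed


def identification_field_ok(rule: dict, key: bytes = PUBLISHER_KEY) -> bool:
    """Attack identification field detection: constant-time check of the record's signature."""
    expected = hmac.new(key, canonical(rule), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rule.get("signature", ""))


def library_call_field_ok(rule: dict) -> bool:
    """Attack library call field detection: the called library must be a known one."""
    return rule.get("attack_library") in KNOWN_ATTACK_LIBRARIES


def tag_update_fields(rule: dict) -> list:
    """Rule object identification: each update entry gets a rule_object label for trace-back."""
    return [dict(u, rule_object=f"{rule['rule_id']}#{i}")
            for i, u in enumerate(rule.get("updates", []))]


def screen_updates(tagged: list, target_info: dict) -> list:
    """Field screening: keep only updates whose attribute matches the target rule information."""
    return [u for u in tagged if u.get("attribute") == target_info.get("attribute")]


def extract_key_fields(rules: list, target_info: dict) -> dict:
    """Run the three checks over every mining rule record and collect the target key fields."""
    result = {"identification": [], "library_calls": [], "updates": [], "rejected": {}}
    for rule in rules:
        rid = rule["rule_id"]
        if not identification_field_ok(rule):
            result["rejected"][rid] = "identification field failed signature check"
            continue
        if not library_call_field_ok(rule):
            result["rejected"][rid] = "attack library call field not in allowlist"
            continue
        result["identification"].append(rid)
        result["library_calls"].append(rule["attack_library"])
        result["updates"].extend(screen_updates(tag_update_fields(rule), target_info))
    return result


def build_sample_rules() -> list:
    """Constructed sample records (not data from the patent): one valid, one tampered, one unknown library."""
    good = sign_rule({
        "rule_id": "R-100",
        "attack_library": "sig-lib-http",
        "updates": [
            {"attribute": "document-flow", "change": "tighten path allowlist"},
            {"attribute": "fund-flow", "change": "raise amount threshold"},
        ],
    })
    tampered = sign_rule({
        "rule_id": "R-101",
        "attack_library": "sig-lib-dns",
        "updates": [{"attribute": "document-flow", "change": "disable logging"}],
    })
    tampered["updates"][0]["change"] = "disable all checks"  # modified after signing
    unknown_lib = sign_rule({"rule_id": "R-102", "attack_library": "unlisted-lib", "updates": []})
    return [good, tampered, unknown_lib]


if __name__ == "__main__":
    print(json.dumps(extract_key_fields(build_sample_rules(), {"attribute": "document-flow"}), indent=2))
```

The order of the checks matters: the signature is verified before any other field is read, so a record with a forged library name or update list is rejected without its contents ever influencing the target rule, and the `rule_object` label attached to each surviving update is what later allows the rule object to be traced back as the third implementation describes.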
In one embodiment, the mining network security protection rule may include: the linkage protection rule information of the defense scene attribute of the mining network security protection rule relative to the past defense scene attribute of a past mining network security protection rule obtained in advance. For example, the defense scene attribute may be understood as the defense category information of a defense scene (e.g. the defense category during online shopping, or the defense category while browsing private data). On this basis, obtaining the target linkage protection rule information based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules and the mining network security protection rule with the preset rule attribute corresponding to each of the plurality of second predicted network security protection rules, as described above, can be realized as follows: obtaining the target linkage protection rule information of the target defense scene attribute of the target mining network security protection rule relative to the past defense scene attribute, based on the target protection rule information corresponding to each of the second predicted network security protection rules and the linkage protection rule information included in each of the mining network security protection rules.
For example, protection rule information integration may be performed on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules and the linkage protection rule information included in each of the plurality of mining network security protection rules, so as to screen out to-be-processed protection rule information with a higher degree of correlation; the target linkage protection rule information of the target defense scene attribute of the target mining network security protection rule relative to the past defense scene attribute is then determined from the to-be-processed protection rule information. Because the target linkage protection rule information is associated with the target defense scene attribute of the target mining network security protection rule, that attribute can subsequently be determined through the target linkage protection rule information, which further ensures a close match of the real-time protection rule distribution field subsequently generated for the target mining network security protection rule.
In other possible embodiments, the step of "obtaining the target linkage protection rule information of the target defense scene attribute of the target mining network security protection rule relative to the past defense scene attribute based on target protection rule information corresponding to the plurality of second prediction network security protection rules respectively and linkage protection rule information included in the plurality of mining network security protection rules respectively" may include the following: performing network attack simulation updating test on target protection rule information respectively corresponding to the plurality of second prediction network security protection rules; and updating the tested target protection rule information and the linkage protection rule information respectively included in the mined network security protection rule based on the network attack simulation to obtain the target linkage protection rule information.
For example, performing a network attack simulation update test on the target protection rule information corresponding to each of the plurality of second prediction network security protection rules may be understood as performing denoising on the target protection rule information corresponding to each of the plurality of second prediction network security protection rules, so that when performing protection rule information integration on the target protection rule information after the network attack simulation update test and the linkage protection rule information included in each of the mining network security protection rules, the influence of noise information may be reduced as much as possible.
In some other embodiments, mining network security protection rules with preset rule attributes corresponding to the plurality of second predicted network security protection rules may be obtained by: acquiring a unit mining network security protection rule with preset rule attributes corresponding to each second prediction network security protection rule in the plurality of second prediction network security protection rules; acquiring linkage protection rule information of the excavation network safety protection rule corresponding to each second prediction network safety protection rule relative to past excavation network safety protection rules based on a plurality of groups of preset linkage protection rule information relative to the past excavation network safety protection rules; updating the unit defense scene attribute in the unit mining network safety protection rule by using the linkage protection rule information, and acquiring the mining network safety protection rule of each second prediction network safety protection rule based on the updated unit defense scene attribute and the unit protection rule key field of the unit mining network safety protection rule.
For example, the element mining network security protection rules may be obtained by time division. And the multiple groups of preset linkage protection rule information relative to the past mining network safety protection rules can be understood as the preset linkage protection rule information associated with the past mining network safety protection rules. Therefore, the linkage protection rule information of the excavation network safety protection rule corresponding to each second prediction network safety protection rule relative to the past excavation network safety protection rule can be obtained based on the multiple groups of preset linkage protection rule information relative to the past excavation network safety protection rule. And the mining network safety protection rule corresponding to each second prediction network safety protection rule can be understood as protection rule information in which association exists between the mining network safety protection rule corresponding to each second prediction network safety protection rule and the past mining network safety protection rule relative to the linkage protection rule information of the past mining network safety protection rule. By the design, the linkage protection rule information can be utilized to update the unit defense scene attribute in the unit mining network safety protection rule in a time layer manner, so that the accuracy of the updated unit defense scene attribute is ensured. 
And further combining the key fields of the unit protection rules before and after updating to obtain the mining network safety protection rule of each second prediction network safety protection rule, so that the influence of the time sequence deviation on the mining network safety protection rule of each second prediction network safety protection rule can be considered, and the credibility of the mining network safety protection rule of each second prediction network safety protection rule on the time sequence is ensured.
Step S140, obtaining a target mining network safety protection rule corresponding to the first prediction network safety protection rule based on the target protection rule key field and the target linkage protection rule information.
In this embodiment, the target protection rule key field and the target linkage protection rule information can be obtained through the target protection rule information and the mining network security protection rule with the preset rule attribute corresponding to each second predicted network security protection rule, so that the deep mining of the target protection rule key field is realized, and the integrity of the target linkage protection rule information is ensured. Therefore, when the target excavation network safety protection rule corresponding to the first prediction network safety protection rule is determined, the key field of the excavated protection rule can be considered as much as possible, so that the correlation between the target excavation network safety protection rule and the key field of the excavated protection rule is ensured, and the configuration precision and efficiency of the subsequent protection rule are improved.
In one embodiment, the step of obtaining the target mining network security protection rule corresponding to the first predicted network security protection rule based on the target protection rule key field and the target linkage protection rule information may be implemented by the following implementation manners: based on the target protection rule key field and scene attribute correlation information between the past protection rule key field and past defense scene attributes in the past mining network safety protection rule, carrying out field classification processing on the past defense scene attributes to obtain unit defense scene attributes; based on the target linkage protection rule information, performing association processing on the unit defense scene attribute to obtain a target defense scene attribute; and generating the target mining network safety protection rule based on the target protection rule key field and the target defense scene attribute.
For example, first scene attribute correlation information between the target protection rule key field and past defense scene attributes and second scene attribute correlation information between the past protection rule key field and the past defense scene attributes in the past mining network security protection rules may be determined. The scene attribute correlation information may be implemented by a pre-trained correlation identification model (such as a neural network model), so that the past defense scene attributes may be subjected to field classification processing according to correlation identification items in the first scene attribute correlation information and the second scene attribute correlation information to obtain the unit defense scene attributes. For example, the past defense scene attributes may be split according to the correlation identification items, and then different fields obtained by splitting may be classified to obtain the unit defense scene attributes. That is, the element defense scene attributes are part of the past defense scene attributes. Therefore, the unit defense scene attributes can be associated and processed by combining target linkage protection rule information to obtain target defense scene attributes, and the target defense scene attributes have strong association, so that the continuity of the protection fields and the depth of the protection fields can be comprehensively considered in the process of generating the target excavation network safety protection rules through the target protection rule key fields and the target defense scene attributes, the correlation between the target excavation network safety protection rules and the excavated protection rule key fields is ensured, and the configuration precision and efficiency of subsequent protection rules are improved.
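The linkage, denoising and field-classification steps above (from the linkage protection rule information through step S140) are stated abstractly in this disclosure. The following Python example is added here and is not part of the patent; it gives one concrete reading of those steps under assumptions of its own: a protection rule is a dict of key fields (match conditions such as destination port, URI and method) plus a '|'-joined defense scene attribute; the linkage protection rule information is a table from defense category to the key fields it has been observed with; the "network attack simulation update test" is implemented as support-based denoising; and a fixed lookup stands in for the pre-trained correlation identification model. All names and sample data (SECOND_PREDICTED_RULE_INFO, LINKAGE_INFO, PAST_RULE, derive_target_rule and its helpers) are constructed for illustration.

```python
"""Added example (not from the patent): one concrete reading of the linkage
and S140 steps. Every structure below is an assumption made for illustration."""
from collections import Counter

# Constructed target protection rule information for three second predicted
# rules: the key fields each rule matched on.
SECOND_PREDICTED_RULE_INFO = [
    {"dst_port": "443", "uri": "/checkout", "method": "POST", "ua": "curl/7.0"},
    {"dst_port": "443", "uri": "/checkout", "method": "POST"},
    {"dst_port": "443", "uri": "/checkout", "method": "GET", "hdr": "X-Debug"},
]

# Constructed linkage protection rule information: defense category ->
# key fields it is linked with in the mined rules.
LINKAGE_INFO = {
    "online_shopping": {"dst_port", "uri", "method"},
    "private_data": {"uri", "cookie"},
    "admin_console": {"hdr", "method"},
}

# Constructed past mining rule with a composite past defense scene attribute.
PAST_RULE = {
    "key_fields": {"dst_port": "443", "uri": "/checkout"},
    "scene": "online_shopping|private_data|admin_console",
}


def denoise(rule_infos, min_support):
    """Keep (field, value) pairs present in at least `min_support` rule infos.
    This is the interpretation of the 'network attack simulation update test'
    as noise removal: one-off fields such as a single User-Agent are dropped."""
    counts = Counter(pair for info in rule_infos for pair in info.items())
    return {f: v for (f, v), n in counts.items() if n >= min_support}


def integrate(key_fields, linkage_info, threshold):
    """Target linkage info: score each defense category by the share of its
    linked fields that survive in the denoised key fields."""
    present = set(key_fields)
    scores = {}
    for scene, fields in linkage_info.items():
        score = len(fields & present) / len(fields)
        if score >= threshold:
            scores[scene] = round(score, 2)
    return scores


def classify_past_scene(past_rule, target_key_fields, linkage_info):
    """Field classification: split the past scene attribute on '|' and keep the
    unit categories whose linked fields overlap with both the past and the
    target key fields (a lookup standing in for the correlation model)."""
    shared = set(past_rule["key_fields"]) & set(target_key_fields)
    return [s for s in past_rule["scene"].split("|")
            if linkage_info.get(s, set()) & shared]


def associate(unit_scenes, target_linkage):
    """Association processing: choose the unit category with the strongest
    linkage score (ties broken by name so the result is deterministic)."""
    ranked = sorted(unit_scenes, key=lambda s: (-target_linkage.get(s, 0.0), s))
    return ranked[0] if ranked else None


def derive_target_rule(rule_infos, linkage_info, past_rule,
                       min_support=2, threshold=0.5):
    """Full pipeline: denoise -> integrate -> classify -> associate -> generate."""
    key_fields = denoise(rule_infos, min_support)
    target_linkage = integrate(key_fields, linkage_info, threshold)
    unit_scenes = classify_past_scene(past_rule, key_fields, linkage_info)
    scene = associate(unit_scenes, target_linkage)
    return {"key_fields": key_fields, "scene": scene, "linkage": target_linkage}


if __name__ == "__main__":
    print(derive_target_rule(SECOND_PREDICTED_RULE_INFO, LINKAGE_INFO, PAST_RULE))
```

With the constructed data the one-off `ua` and `hdr` fields are removed as noise, `online_shopping` scores highest in the target linkage information, `admin_console` is excluded from the unit defense scene attribute because none of its linked fields are shared with the past key fields, and the generated target rule carries the three surviving key fields with `online_shopping` as its target defense scene attribute.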
In summary, the security protection configuration method and server based on network security big data provided in the embodiments of the present disclosure can perform protection rule matching of the first predicted network security protection rule against the plurality of second predicted network security protection rules to obtain the target protection rule information corresponding to each second predicted network security protection rule; the target protection rule key field and the target linkage protection rule information are then obtained through that target protection rule information and the mining network security protection rule with the preset rule attribute corresponding to each second predicted network security protection rule, so that deep mining of the target protection rule key field is achieved and the integrity of the target linkage protection rule information is ensured. Therefore, when the target mining network security protection rule corresponding to the first predicted network security protection rule is determined, the mined protection rule key field can be taken into account as fully as possible, which ensures the correlation between the target mining network security protection rule and the mined protection rule key field and improves the precision and efficiency of the subsequent protection rule configuration.
For example, in some alternative embodiments, the method may further include: issuing a target configuration protection rule to the network security monitoring terminal according to the target mining network security protection rule; after the target configuration protection rule is issued, determining, through the protection behavior trajectory information in different candidate protection operation records, the associated protection event corresponding to the protection behavior trajectory information; determining, based on the associated protection event corresponding to the protection behavior trajectory information, the trajectory timing information corresponding to the protection behavior trajectory information, and performing threat situation analysis on the protection behavior trajectory information accordingly to obtain threat situation information; and generating target protection behavior trajectory information according to the protection behavior trajectory information and its corresponding trajectory timing information and threat situation information, where the target protection behavior trajectory information is used for security performance analysis of the target configuration protection rule.
It can be understood that, after the target configuration protection rule is issued, the network security monitoring terminal can perform the related protection rule configuration based on it; the network security system can then analyze the candidate protection operation records of the network security monitoring terminal to determine target protection behavior trajectory information that the terminal can use, which facilitates the security performance analysis of the target configuration protection rule at the terminal.
In view of the above, the steps of determining the associated protection event, determining the trajectory timing information and threat situation information, and generating the target protection behavior trajectory information used for the security performance analysis of the target configuration protection rule may be implemented by the following embodiments.
Step S210: determining, through the protection behavior trajectory information in different candidate protection operation records, the associated protection event corresponding to the protection behavior trajectory information.
Step S220: determining, based on the associated protection event corresponding to the protection behavior trajectory information, the trajectory timing information corresponding to the protection behavior trajectory information, and performing threat situation analysis on the protection behavior trajectory information to obtain threat situation information.
Step S230: generating target protection behavior trajectory information according to the protection behavior trajectory information and its corresponding trajectory timing information and threat situation information, where the target protection behavior trajectory information is used for security performance analysis of the target configuration protection rule.
It can be understood that steps S210 to S230 are performed by a network security system communicating with a network security monitoring terminal, where the data processing capability of the terminal is weaker and that of the system is stronger. The target protection behavior trajectory information used for the security performance analysis of the target configuration protection rule is therefore generated by the network security system, and its data size can be reduced as far as possible while its correlation with the analyzed security performance is preserved, so that when it is issued to the network security monitoring terminal, the terminal can still perform an accurate security performance analysis of the target configuration protection rule with it.
On this basis, the method may further include step S240: sending the target protection behavior trajectory information to the network security monitoring terminal, and instructing the terminal to determine the currently analyzed security performance according to the target protection behavior trajectory information and to perform cloud service network security protection output according to the analyzed security performance.
Generally speaking, the analyzed security performance can be obtained by big data mining of the target protection behavior trajectory information; because the data scale of the target protection behavior trajectory information is small and its data features are highly recognizable, the analyzed security performance can be mined rapidly by the network security monitoring terminal at the front end, and the related cloud service network security protection output can be performed according to it. The mining of the analyzed security performance is thereby moved down from the cloud to the business end, which realizes distributed processing of that mining and improves its efficiency.
Some alternative embodiments are described below; they should be understood as examples and not as technical features essential to implementing the present solution. The following embodiments can be combined adaptively with the above embodiments to form a new and fully implementable technical solution, provided the technical solutions do not conflict.
For step S210, which determines the associated protection event corresponding to the protection behavior trajectory information, the network security system in this embodiment may obtain the candidate protection operation record from the data communication record of the network security monitoring terminal, where the candidate protection operation record may be log information available for presentation. The protection behavior trajectory information in step S210 represents the record data corresponding to the protection operations executed by the network security monitoring terminal, such as the execution process information of a service node (protection blocking, release, and a further secondary confirmation process). On this basis, the associated protection event can be understood as a protection-related record that is correlated with the protection behavior trajectory information at the rule-update layer; it records the changes of the behavior trajectory data in time order.
For step S210, in an embodiment, determining the associated protection event corresponding to the protection behavior trajectory information through the protection behavior trajectory information in different candidate protection operation records may be implemented as follows: determining, according to first protection behavior trajectory information in a first candidate protection operation record, the associated protection event corresponding to the first protection behavior trajectory information as an initial protection event, where the first candidate protection operation record includes at least one group of protection behavior trajectory information; and determining, according to a second candidate protection operation record, the associated protection event corresponding to the second candidate protection operation record as a target protection event, where the second candidate protection operation record is used to represent trajectory element information and/or trajectory element reference information of the target protection behavior trajectory information.
In one embodiment, the first candidate protection operation record and the second candidate protection operation record represent different content: the first emphasizes protection behavior trajectory information, and the second emphasizes the trajectory element information and/or trajectory element reference information of the target protection behavior trajectory information. The trajectory element information can be understood as a tendency in the privacy behavior stream interaction service, and the trajectory element reference information as a tendency of the protection operation behavior.
Therefore, through the first and second candidate protection operation records, the associated protection event corresponding to the first protection behavior trajectory information can be determined as the initial protection event and the associated protection event corresponding to the second candidate protection operation record as the target protection event. This classifies the associated protection events corresponding to the two records and avoids mutual influence between them.
In some examples, the first candidate protection operation record includes a plurality of different groups of first protection behavior trajectory information belonging to the same access source. On this basis, determining the associated protection event corresponding to the first protection behavior trajectory information as the initial protection event may include: determining, for each group of first protection behavior trajectory information in the first candidate protection operation record, the associated protection event corresponding to that group as the initial protection event corresponding to that first protection behavior trajectory information.
For example, in other possible embodiments, determining, according to the second candidate protection operation record, the associated protection event corresponding to it as the target protection event may be implemented as follows: when the second candidate protection operation record includes a target protection source object, determining the associated protection event according to the target protection source object as the target protection event; or when the second candidate protection operation record is second protection behavior trajectory information, determining the associated protection event according to the second protection behavior trajectory information as the target protection event, where the second protection behavior trajectory information is not identical to the first protection behavior trajectory information.
In other possible embodiments, the target protection source object is used to characterize the protection source object corresponding to the more frequent digital service.
In other possible embodiments, if the second candidate protection operation record is second protection behavior trajectory information that is not identical to the first protection behavior trajectory information, the associated protection event may be determined according to the second protection behavior trajectory information, so that the target protection event is effectively distinguished from the initial protection event, which facilitates the subsequent generation of the target protection behavior trajectory information.
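Step S210 as described above, worked through on constructed data. The Python below is an added example and not part of the patent; it assumes that candidate protection operation records are key=value log lines of the kind a monitoring terminal might emit, that a group of protection behavior trajectory information is the time-ordered entries of one access source on one protected service, and that an "associated protection event" is the ordered list of action changes (block, second confirmation, release) with the seconds between them. The log lines, the function names (parse_record, initial_events, target_events, target_protection_source) and the reading of "target protection source object" as the most frequent service are all assumptions made for illustration.

```python
"""Added example (not from the patent): one reading of step S210 over
constructed protection logs. All record formats and names are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines standing in for candidate protection operation records.
RECORD_LINES = """\
2024-05-01T10:00:01Z src=10.0.0.5 svc=payment action=block rule=R17
2024-05-01T10:00:03Z src=10.0.0.5 svc=payment action=second_confirm rule=R17
2024-05-01T10:00:07Z src=10.0.0.5 svc=payment action=release rule=R17
2024-05-01T10:01:00Z src=10.0.0.5 svc=login action=block rule=R22
2024-05-01T10:01:05Z src=10.0.0.5 svc=login action=block rule=R22
2024-05-01T10:02:00Z src=10.0.0.9 svc=payment action=block rule=R17
2024-05-01T10:02:30Z src=10.0.0.9 svc=payment action=release rule=R17
2024-05-01T10:03:00Z src=10.0.0.9 svc=search action=release rule=R05
"""


def parse_record(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    entries = []
    for line in text.splitlines():
        ts, *kv = line.split()
        entry = dict(p.split("=", 1) for p in kv)
        entry["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        entries.append(entry)
    return entries


def trajectories(entries):
    """Protection behavior trajectory information: entries grouped by
    (access source, protected service), each group in time order."""
    groups = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        groups[(e["src"], e["svc"])].append(e)
    return groups


def associated_event(traj):
    """Change of the trajectory data in time order: (from, to, seconds)."""
    return [(prev["action"], cur["action"],
             int((cur["ts"] - prev["ts"]).total_seconds()))
            for prev, cur in zip(traj, traj[1:])]


def initial_events(entries, src):
    """First candidate record: all trajectory groups of one access source;
    each group yields its own initial protection event (keyed by service)."""
    return {svc: associated_event(t)
            for (s, svc), t in trajectories(entries).items() if s == src}


def target_protection_source(entries):
    """Target protection source object: the most frequent protected service."""
    return Counter(e["svc"] for e in entries).most_common(1)[0][0]


def target_events(entries, src):
    """Second candidate record: trajectories on the target protection source
    object that are not identical to the first record (other sources),
    each yielding a target protection event keyed by access source."""
    svc = target_protection_source(entries)
    return {s: associated_event(t)
            for (s, v), t in trajectories(entries).items()
            if v == svc and s != src}


if __name__ == "__main__":
    entries = parse_record(RECORD_LINES)
    print("initial:", initial_events(entries, "10.0.0.5"))
    print("target:", target_events(entries, "10.0.0.5"))
```

On the constructed lines, the first candidate record for access source 10.0.0.5 contains two groups (payment and login), each giving its own initial protection event, while the second candidate record is built from the most frequent service (payment) on other sources, so the target protection event never coincides with an initial one.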
For step S220, in some embodiments, determining the trajectory timing information corresponding to the protection behavior trajectory information based on its associated protection event, and performing threat situation analysis accordingly, may be implemented as follows: determining the trajectory timing information corresponding to the first protection behavior trajectory information according to the initial protection event and the target protection event, and performing threat situation analysis on the first protection behavior trajectory information according to that trajectory timing information to obtain the threat situation information corresponding to the first protection behavior trajectory information.
In some embodiments, feature extraction may be performed on the initial protection event and the target protection event respectively to obtain protection event features, which are then combined with the timing feature of the first protection behavior trajectory information to determine its trajectory timing information. Generally speaking, the trajectory timing information may correspond to the protection source object, so that its data scale can be reduced while it still accurately represents the meaning of the protection behavior trajectory information; on this basis, performing threat situation analysis on the first protection behavior trajectory information through the trajectory timing information likewise reduces the data scale of the threat situation information while it still accurately represents the threat situation.
For step S230, the target protection behavior trajectory information is to be used by the network security monitoring terminal, so to keep it concise the protection behavior trajectory information and its corresponding trajectory timing information and threat situation information must be analyzed and processed as a whole. For this reason, generating the target protection behavior trajectory information according to the protection behavior trajectory information and its corresponding trajectory timing information and threat situation information may include: obtaining, through a machine decision network, trajectory anomaly tag information and frequent intelligence attribute information corresponding to the first protection behavior trajectory information according to the first protection behavior trajectory information and its corresponding trajectory timing information and threat situation information; and generating the target protection behavior trajectory information according to the first protection behavior trajectory information and its corresponding trajectory timing information, trajectory anomaly tag information and frequent intelligence attribute information.
For example, the machine decision network can be obtained by pre-training and is used to identify and extract the trajectory anomaly tag information and the frequent intelligence attribute information. The trajectory anomaly tag information represents the access intention of the access source; the frequent intelligence attribute information may be expressed as graph data and records the time-sequence distribution, scene distribution and access source object distribution of different frequent protection behaviors. The target protection behavior trajectory information can therefore be generated accurately by combining the first protection behavior trajectory information with its corresponding trajectory timing information, trajectory anomaly tag information and frequent intelligence attribute information, while remaining concise enough for use by the network security monitoring terminal.
In some other embodiments, generating the target protection behavior trajectory information according to the first protection behavior trajectory information and its corresponding trajectory timing information, trajectory anomaly tag information and frequent intelligence attribute information may include: performing timing feature optimization on the trajectory timing information corresponding to the first protection behavior trajectory information according to its trajectory anomaly tag information, to obtain timing feature content corresponding to the first protection behavior trajectory information; performing threat situation analysis on the first protection behavior trajectory information according to that timing feature content, to obtain target threat situation information corresponding to the first protection behavior trajectory information; and generating the target protection behavior trajectory information according to the target threat situation information and the frequent intelligence attribute information corresponding to the first protection behavior trajectory information.
For example, the trajectory anomaly tag information corresponding to the first protection behavior trajectory information may characterize the change of the trajectory anomaly features of that trajectory information. Timing feature optimization of the trajectory timing information can therefore be performed with the trajectory anomaly tag information, and the timing feature content corresponding to the first protection behavior trajectory information can be obtained accurately. On this basis, threat situation analysis of the first protection behavior trajectory information through that timing feature content ensures that the resulting target threat situation information matches the latest timing features. The target protection behavior trajectory information is then generated from the target threat situation information and the frequent intelligence attribute information so that it can be issued to the network security monitoring terminal for use.
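Steps S220 and S230 above, from the initial and target protection events through to the compact target protection behavior trajectory information, carried out on constructed data. This Python is an added example and not the patent's own method: it assumes an associated protection event is a list of (action_from, action_to, seconds) transitions, that the first protection behavior trajectory information is a list of records with hour, scene, access source and action, that anomaly_tag() is a hand-written stand-in for the pre-trained machine decision network, and that the frequent intelligence attribute information is a small counted graph. INITIAL_EVENT, TARGET_EVENT, FIRST_TRAJECTORY, the scoring weights and every function name are assumptions made for illustration.

```python
"""Added example (not from the patent): one concrete reading of steps S220
and S230. Event shapes, weights and the tagging rules are all assumptions."""
from collections import Counter

# Constructed initial protection event for access source 10.0.0.5 (login
# scene): three blocks in quick succession, then a release 40 s later.
INITIAL_EVENT = [("block", "block", 3), ("block", "block", 2), ("block", "release", 40)]

# Constructed target protection event on the target protection source object
# (the more frequent service); it serves as the timing reference.
TARGET_EVENT = [("block", "second_confirm", 20), ("second_confirm", "release", 60)]

# Constructed first protection behavior trajectory information (raw records).
FIRST_TRAJECTORY = [
    {"hour": 10, "scene": "login", "src": "10.0.0.5", "action": "block"},
    {"hour": 10, "scene": "login", "src": "10.0.0.5", "action": "block"},
    {"hour": 10, "scene": "login", "src": "10.0.0.5", "action": "block"},
    {"hour": 11, "scene": "login", "src": "10.0.0.5", "action": "release"},
]


def event_features(event):
    """Feature extraction over one associated protection event."""
    gaps = [g for _, _, g in event]
    outcomes = [t for _, t, _ in event]
    n = len(event) or 1
    return {"steps": len(event), "mean_gap": sum(gaps) / n,
            "block_ratio": outcomes.count("block") / n}


def trajectory_timing(initial_event, target_event):
    """S220: trajectory timing information of the first trajectory, expressed
    relative to the target protection event (speed_ratio > 1 means the
    initial event moved faster than the reference)."""
    ini, tgt = event_features(initial_event), event_features(target_event)
    speed = tgt["mean_gap"] / ini["mean_gap"] if ini["mean_gap"] else 0.0
    return {"gaps": [g for _, _, g in initial_event],
            "block_ratio": ini["block_ratio"], "speed_ratio": round(speed, 2)}


def anomaly_tag(event, timing):
    """Stand-in for the machine decision network: label the access intention."""
    quick_reblocks = sum(1 for f, t, g in event if f == t == "block" and g < 10)
    if quick_reblocks >= 2:
        return "repeated_block_probe"
    if timing["speed_ratio"] > 2 and any(t == "release" for _, t, _ in event):
        return "fast_release"
    return "normal"


def timing_feature_content(timing, tag):
    """Timing feature optimization: weight the timing features by the tag."""
    weight = 1.5 if tag == "repeated_block_probe" else 1.0
    return {"short_gaps": sum(1 for g in timing["gaps"] if g < 10),
            "block_ratio": timing["block_ratio"], "weight": weight}


def threat_situation(content):
    """Target threat situation information as a bounded score in [0, 1]."""
    raw = content["weight"] * (0.3 * content["block_ratio"] + 0.15 * content["short_gaps"])
    return round(min(1.0, raw), 2)


def frequent_attribute(trajectory):
    """Frequent intelligence attribute information as a small counted graph:
    node degrees by hour, scene, source and action, plus edge counts over
    (source, scene, hour)."""
    return {"by_hour": dict(Counter(r["hour"] for r in trajectory)),
            "by_scene": dict(Counter(r["scene"] for r in trajectory)),
            "by_source": dict(Counter(r["src"] for r in trajectory)),
            "by_action": dict(Counter(r["action"] for r in trajectory)),
            "edges": dict(Counter(f'{r["src"]}|{r["scene"]}|{r["hour"]}'
                                  for r in trajectory))}


def build_target_trajectory(src, initial_event, target_event, trajectory):
    """S230: the compact target protection behavior trajectory information
    that would be issued to the monitoring terminal."""
    timing = trajectory_timing(initial_event, target_event)
    tag = anomaly_tag(initial_event, timing)
    threat = threat_situation(timing_feature_content(timing, tag))
    return {"src": src, "tag": tag, "threat": threat,
            "timing": timing, "freq": frequent_attribute(trajectory)}


if __name__ == "__main__":
    print(build_target_trajectory("10.0.0.5", INITIAL_EVENT, TARGET_EVENT, FIRST_TRAJECTORY))
```

The output keeps only derived quantities (tag, score, gap list, distribution counts) rather than the raw records, which is the sense in which the disclosure expects the target protection behavior trajectory information to be small enough for a weak terminal; in a real deployment the weights and tagging rules would come from the trained decision network rather than the constants used here.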
For example, in some examples, on the basis of steps S210 to S230, the method may further include: performing threat strengthening field identification on the target protection behavior trajectory information through an access source field identification network, to obtain the threat strengthening field information output by that network. The network security system can call a pre-trained access source field identification network to perform the threat strengthening field identification on the target protection behavior trajectory information, where the threat strengthening field information may include a general threat strengthening field and a mining threat strengthening field.
In some other embodiments, the second candidate protection operation record may include a plurality of groups of target protection source objects in a protection behavior order, or a plurality of groups of second protection behavior trajectory information in a protection behavior order, where the protection behavior order may be understood as the order of existence time. On this basis, determining, according to the second candidate protection operation record, the associated protection event corresponding to it as the target protection event may include: when the second candidate protection operation record includes a plurality of groups of target protection source objects in the protection behavior order, determining, for each group of target protection source objects in that order, the associated protection event corresponding to the target protection source object as the target protection event corresponding to that target protection source object; and when the second candidate protection operation record includes a plurality of groups of second protection behavior trajectory information in the protection behavior order, determining, for each group of second protection behavior trajectory information in that order, the associated protection event corresponding to the second protection behavior trajectory information as the target protection event corresponding to that second protection behavior trajectory information.
It can be understood that, when the associated protection events corresponding to the second candidate protection operation record are determined according to the plurality of groups of target protection source objects or of second protection behavior trajectory information in the protection behavior order, the associated protection events corresponding to the target protection source objects and those corresponding to the second protection behavior trajectory information remain distinguishable, which allows different associated protection event analyses to be performed in a targeted manner later and avoids mutual influence between them.
Where the second candidate protection operation record includes a plurality of groups of target protection source objects or of second protection behavior trajectory information in the protection behavior order, the following step may be performed for each target protection event in that order: determining the trajectory timing information corresponding to the first protection behavior trajectory information according to the initial protection event and that target protection event. For a further implementation of this determination, reference may be made to the foregoing embodiment; it is not repeated here.
Where the second candidate protection operation record includes a plurality of groups of target protection source objects or of second protection behavior trajectory information in the protection behavior order, the method may further include: generating a time-sequence-related trajectory data set according to the protection behavior order of the target protection events and the target protection behavior trajectory information generated on the basis of each target protection event. The time-sequence-related trajectory data set can be understood as a series of continuous protection behavior trajectory information with a time-sequence characteristic, so that it can be used to analyze the dynamic persistence of the access source. On this basis, the network security system can also receive a call instruction for the time-sequence-related trajectory data set and call that data set according to the instruction, so that the dynamic persistence of the access source is analyzed on the basis of it.
For example, in some alternative embodiments, what is described in the above-mentioned step "generating the target threat situation information and the frequency intelligence attribute information according to the target threat situation information and the frequency intelligence attribute information corresponding to the first protective behavior trace information" may be implemented by the following steps S310 to S340.
Step S310, obtaining the intelligence matching information of the attack example to be identified and the execution information of each example through the intelligence attribute information of the target threat situation information and the threat intelligence information of the frequent intelligence attribute information.
For example, the intelligence attribute information of the target threat situation information is used for distinguishing intelligence blocks in the target threat situation information, different intelligence attribute information corresponds to different threat situation information tendencies, the threat intelligence information of the frequent intelligence attribute information is used for distinguishing intelligence blocks in the frequent intelligence attribute information, and different threat intelligence information corresponds to different service event categories. Therefore, the intelligence attribute information of the target threat situation information and the threat intelligence information of the frequent intelligence attribute information can be comprehensively considered, so that the intelligence matching information of the attack example to be identified and the execution information of each example can be completely obtained.
In addition, the attack instance to be identified may be extracted from the first safeguard behavior track information, or may be extracted from safeguard behavior track information associated with the first safeguard behavior track information. Further, the intelligence matching information is used for recording intelligence matching conditions of the attack instance to be identified, and the instance execution information is used for recording access source behavior information of the attack instance to be identified, such as actual access attack behavior data (with a larger value) or procedural access attack data (with a smaller value).
Step S320, on the premise that the attack example to be identified contains the dynamic intelligence attribute based on the intelligence matching information, based on the example execution information and the intelligence expansion amount information under the dynamic intelligence attribute of the access source behavior event of the first protection behavior track information, determining the correlation degree between the example execution information under the static intelligence attribute of the attack example to be identified and the example execution information under the dynamic intelligence attribute of the attack example to be identified; and collecting target instance execution information similar to the instance execution information under the dynamic intelligence attribute of the attack instance to be identified in the instance execution information under the static intelligence attribute of the attack instance to be identified under the corresponding dynamic intelligence attribute.
For example, the dynamic intelligence attribute corresponds to actual access attack behavior data (with a greater mining value), the static intelligence attribute corresponds to flow access attack data (with a lesser mining value), and the intelligence augmentation information is used to characterize the intelligence data size of the instance execution information. In this way, the optimization and adjustment of the dynamic intelligence attribute and the instance execution information under the static intelligence attribute can be realized by determining the correlation degree between the instance execution information under the static intelligence attribute of the attack instance to be identified and the instance execution information under the dynamic intelligence attribute of the attack instance to be identified, so that the condition of the prior misclassification is improved.
Step S330, under the premise that the current static intelligence attribute of the attack example to be identified contains a plurality of example execution information, based on the example execution information and the intelligence expansion amount information under the dynamic intelligence attribute of the access source behavior event of the first protection behavior track information, determining the correlation degree between the example execution information under the current static intelligence attribute of the attack example to be identified, and classifying the example execution information under the current static intelligence attribute based on the correlation degree between the example execution information; and setting a dynamic behavior description value for each type of instance execution information obtained by the classification based on the instance execution information and the intelligence expansion amount information of the access source behavior event of the first protection behavior track information under the dynamic intelligence attribute, and collecting the instance execution information of each type under the dynamic intelligence attribute represented by the dynamic behavior description value.
And step S340, generating the target protection behavior track information according to the instance execution information under the dynamic intelligence attribute.
Therefore, the track time sequence information can be acquired by determining the associated protection event of the protection behavior track information, the data volume scale of time sequence characteristics can be effectively reduced, the threat situation information can be quickly analyzed to obtain the threat situation information, and the target protection behavior track information used for carrying out the safety performance analysis of the target configuration protection rule is generated by combining the protection behavior track information, the track time sequence information and the threat situation information. The track time sequence information and the threat situation information have the advantages of high discrimination and small data measurement model, so that the data volume scale of the target protection behavior track information can be reduced as much as possible on the premise of ensuring the correlation with the analyzed safety performance, and the network safety monitoring terminal with weaker data processing capability can also analyze the safety performance of the target configuration protection rule through the target protection behavior track information.
In an embodiment, regarding step S110, the present disclosure provides a method for processing a security representation based on network security big data, which may specifically include the following steps.
Step A110, obtaining network security big data aiming at the network security protection cloud service, wherein the network security big data comprises at least two network security behavior events.
The network security big data comprises a plurality of network security behavior events, wherein the network security behavior events can be from different network service objects, but are all network security behavior events aiming at the same network security protection cloud service.
The network security protection cloud service in the embodiment of the present disclosure mainly refers to a network security protection cloud service, and the network security protection cloud service may refer to software or services that have been developed and operated or that have been developed but are to be operated, such as a file transmission security cloud service, an audio/video interaction security cloud service, and the like.
Step A120, obtaining behavior transition probabilities between each network security behavior event in the network security big data and the network security protection cloud service.
Step A130, according to the behavior transition probability corresponding to each network security behavior event and the security behavior description component of each network security behavior event, performing order arrangement on each network security behavior event to obtain a corresponding network security behavior event set.
Step A140, a group of security image sets for the network security protection cloud service is generated based on the network security behavior event set, and each security image set comprises at least two marked security images.
The behavior transition probability can also be understood as a behavior correlation confidence coefficient, which represents a degree of correlation between the network security behavior event and the network security protection cloud service, and generally, the generated network security behavior event may further include a large number of noise features, and the more the noise features are, the smaller the behavior transition probability between the network security behavior event and the network security protection cloud service is.
In one embodiment, the network security behavior events can be clustered into a plurality of network security behavior event clusters according to the behavior transition probability between each network security behavior event and the network security protection cloud service and the security behavior description component of each network security behavior event, so that the network timing characteristics of each network security behavior event in the same network security behavior event cluster are similar, and the behavior transition probabilities between the network security behavior events and the network security protection cloud service are also similar. Therefore, after the network security behavior event clusters are obtained through clustering, the network security behavior event clusters are orderly sorted, the network security behavior events in the network security behavior event clusters are orderly sorted respectively to obtain a network security behavior event set, and the ordered target security portrait is generated based on the ordered network security behavior event set.
In the embodiment of the present disclosure, if the network security big data is clustered into multiple network security behavior event clusters, then, when generating the labeled security portrait based on the network security behavior event set, one network security behavior event cluster may correspondingly generate one target security portrait, multiple network security behavior event clusters may correspondingly generate one target security portrait, or one network security behavior event cluster may correspondingly generate multiple target security portraits. In practical applications, if there are many network security behavior events in the network security big data, the generated security portrait set generally contains several target security portraits, so generally a plurality of network security behavior events are clustered together and correspondingly generate one target security portrait.
In one embodiment, when clustering each network security behavior event, a clustering method is mainly adopted, and the specific process is as follows: respectively performing weight fusion on the security behavior description components of each network security behavior event according to the behavior transition probability corresponding to each network security behavior event to obtain the fusion security behavior description components of each network security behavior event; clustering each network security behavior event according to the fused security behavior description component of each network security behavior event to obtain at least two network security behavior event clusters.
Because the behavior transition probability is also called as the behavior correlation confidence coefficient, the security behavior description component of the network security behavior event is subjected to weight fusion based on the behavior transition probability, and the significance information of the network security behavior event and the network security protection cloud service can be calculated, so that the goal of reducing noise of a large number of network security behavior events is achieved, the significance network security behavior event is favorably selected, and the irrelevant network security behavior event is weakened.
In one embodiment, the step of performing order sorting among the network security behavior event clusters, and performing order sorting on each network security behavior event in each network security behavior event cluster to obtain a group of network security behavior event sets includes:
according to the number of the network safety behavior events contained in each network safety behavior event cluster, performing order arrangement on each network safety behavior event cluster; and aiming at each network security behavior event cluster, respectively executing the following steps: and according to the security behavior description component of each network security behavior event in the network security behavior event cluster and the behavior matching parameter of the network security behavior event in the network security behavior event cluster center, carrying out order arrangement on each network security behavior event in the network security behavior event cluster. Finally, after the sequence arrangement is carried out among the network safety behavior event clusters and the sequence arrangement is also carried out among the network safety behavior events in the network safety behavior event clusters, a network safety behavior event set is generated on the basis of the information arranged according to the sequence between the network safety behavior event clusters and the sequence arrangement information of the network safety behavior events in the network safety behavior event clusters.
For example, suppose a total of 4 network security behavior event clusters are obtained, k = 4, denoted T1, T2, T3 and T4, where T1 contains 3 network security behavior events, T2 contains 5, T3 contains 7 and T4 contains 3. The network security behavior event clusters are then sorted according to the number of network security behavior events in each cluster; assuming that a cluster with more network security behavior events is placed earlier, sorting in descending order of the number of network security behavior events gives the following order: T3, T2, T1 and T4 (or T3, T2, T4 and T1). Since T1 and T4 contain the same number of network security behavior events, these two clusters may be sorted in a random order, or further sorted by combining other indexes, such as the total elements of the network security behavior events, which is not limited herein.
In the embodiment of the present disclosure, the order arrangement of the network security behavior events within each network security behavior event cluster may be performed after the order arrangement between the network security behavior event clusters, before it, or at the same time, which is not specifically limited herein. For example, for each network security behavior event cluster, when sorting the network security behavior events in that cluster, the security behavior description component of each network security behavior event in the cluster and the behavior matching parameter of the network security behavior event with respect to the cluster center are mainly used: the higher the behavior matching parameter, the earlier the network security behavior event is placed in the sequence, and the lower the behavior matching parameter, the later it is placed.
Assume that the finally obtained network security behavior event set is as follows: [QT3,1, …, QT3,7, QT2,1, …, QT2,5, QT1,1, …, QT1,3, QT4,1, …, QT4,3].
Here, QT3,1 denotes the network security behavior event ranked first within cluster T3 and QT3,7 the network security behavior event ranked last within cluster T3; in terms of the behavior matching parameter with respect to T3, QT3,1 is the highest and QT3,7 the lowest, and so on for the other clusters. Finally, an ordered set of security portraits may be generated based on the set of network security behavior events.
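The clustering and ordering procedure described above (weight fusion of each event's description component by its behavior transition probability, K-Means clustering, clusters sorted by event count, events within a cluster sorted by distance to the cluster center, as also detailed later for the clustering sequence sorting network layer), carried out in Python on constructed sample data. This is an added example, not code from the patent; the event vectors, transition probabilities, initial K-Means centers and the tie-break by cluster index are assumptions.

```python
"""Cluster-and-order network security behavior events (added example).

Implements the procedure described on the page:
  1. weight-fuse each event's security behavior description component with
     its behavior transition probability (behavior correlation confidence);
  2. cluster the fused components with K-Means into k clusters;
  3. sort clusters by the number of events they contain (largest first);
  4. sort events inside a cluster by distance to the cluster center
     (nearest first), which stands in for the behavior matching parameter;
  5. emit the ordered event set labelled QTc,r (cluster c, rank r).
All feature vectors and probabilities are constructed sample values.
"""
from __future__ import annotations

import math
from typing import Dict, List, Sequence, Tuple

Vector = Tuple[float, ...]


def fuse(component: Sequence[float], transition_probability: float) -> Vector:
    """Weight fusion: scale the description component by the transition
    probability, so weakly related (noisy) events shrink toward the origin."""
    return tuple(transition_probability * x for x in component)


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _mean(vectors: List[Vector]) -> Vector:
    dims = len(vectors[0])
    return tuple(sum(v[i] for v in vectors) / len(vectors) for i in range(dims))


def kmeans(vectors: List[Vector], initial_centres: List[Vector],
           max_iters: int = 100) -> Tuple[List[int], List[Vector]]:
    """Plain Lloyd K-Means. Initial centers are supplied by the caller so
    the run is deterministic. Returns (cluster index per vector, centers)."""
    centres = list(initial_centres)
    assignment: List[int] = []
    for _ in range(max_iters):
        new_assignment = [min(range(len(centres)), key=lambda c: distance(v, centres[c]))
                          for v in vectors]
        if new_assignment == assignment:
            break  # converged: no event changed cluster
        assignment = new_assignment
        for c in range(len(centres)):
            members = [v for v, a in zip(vectors, assignment) if a == c]
            if members:  # an emptied cluster keeps its previous center
                centres[c] = _mean(members)
    return assignment, centres


def order_events(event_ids: Sequence[str], vectors: List[Vector],
                 assignment: List[int], centres: List[Vector]) -> List[Tuple[str, str]]:
    """Order clusters by size (descending), breaking ties by cluster index
    (an assumption; the page leaves tie order open), then order events in
    each cluster by distance to the cluster center (ascending).
    Returns [(label, event_id), ...] with labels such as 'QT3,1'."""
    clusters: Dict[int, List[int]] = {}
    for idx, c in enumerate(assignment):
        clusters.setdefault(c, []).append(idx)
    cluster_order = sorted(clusters, key=lambda c: (-len(clusters[c]), c))
    ordered: List[Tuple[str, str]] = []
    for c in cluster_order:
        members = sorted(clusters[c], key=lambda i: distance(vectors[i], centres[c]))
        for rank, i in enumerate(members, start=1):
            ordered.append((f"QT{c + 1},{rank}", event_ids[i]))
    return ordered


# Constructed sample events: (event id, security behavior description
# component, behavior transition probability). Four groups of 3, 5, 7 and 3
# events mirror the T1..T4 example in the text; e07, e15 and e18 carry a
# lower probability, so fusion shrinks them toward the origin before clustering.
SAMPLE_EVENTS = [
    ("e01", (-20.0, 0.0), 1.0), ("e02", (-20.0, 2.0), 1.0), ("e03", (-20.0, -4.0), 1.0),
    ("e04", (0.0, 20.0), 1.0), ("e05", (3.0, 20.0), 1.0), ("e06", (-2.0, 20.0), 1.0),
    ("e07", (0.0, 26.0), 0.75), ("e08", (0.0, 24.0), 1.0),
    ("e09", (20.0, 0.0), 1.0), ("e10", (20.0, 1.0), 1.0), ("e11", (20.0, -2.0), 1.0),
    ("e12", (22.0, 0.0), 1.0), ("e13", (18.0, 0.0), 1.0), ("e14", (20.0, 3.0), 1.0),
    ("e15", (30.0, 0.0), 0.5),
    ("e16", (0.0, -20.0), 1.0), ("e17", (1.0, -20.0), 1.0), ("e18", (0.0, -18.0), 0.9),
]


def run_example() -> List[Tuple[str, str]]:
    """Fuse, cluster (k = 4, seeded with one event per group) and order the
    constructed sample events; returns the ordered event set."""
    ids = [e[0] for e in SAMPLE_EVENTS]
    fused = [fuse(comp, p) for _, comp, p in SAMPLE_EVENTS]
    seeds = [fused[0], fused[3], fused[8], fused[15]]  # e01, e04, e09, e16
    assignment, centres = kmeans(fused, seeds)
    return order_events(ids, fused, assignment, centres)


if __name__ == "__main__":
    for label, event_id in run_example():
        print(label, event_id)
```

With the sample data the cluster order comes out T3, T2, T1, T4, as in the text's example, and each cluster's events are listed nearest-to-center first.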
The method for generating the security portrait in the embodiment of the disclosure can also be implemented by combining an artificial intelligence technology, for example, the steps are as follows: and respectively inputting each network security behavior event into the configured security image classification network, and extracting the characteristics of each network security behavior event based on a behavior transition probability classification layer in the configured security image classification network to obtain the behavior transition probability corresponding to each network security behavior event output by the behavior transition probability classification layer. Then, respectively inputting each network security behavior event and the behavior transition probability corresponding to each network security behavior event into a clustering sequence sorting network layer in the configured security image classification network, clustering and sequencing each network security behavior event based on the clustering sequence sorting network layer, obtaining a first combination description component of event dimensionality output by the clustering sequence sorting network layer, and combining each network security behavior event element in the first combination description component to form a network security behavior event set; and finally, inputting the first combined description component into a security portrait classification layer in the configured security portrait classification network, and extracting security portrait features based on the security portrait classification layer to obtain a security portrait set output by the security portrait classification layer.
The security portrait classification network proposed in the embodiment of the present disclosure mainly includes a behavior transition probability classification layer, a clustering order sorting network layer and a security portrait classification layer. The behavior transition probability classification layer is mainly used for distinguishing from subsequent event dimensions, event track representations of network safety behavior events are obtained in the behavior transition probability classification layer, a first combined description component finally obtained by sorting the network layers in a clustering sequence is an event dimension, and vector representations of all the network safety behavior events in a network safety behavior event set are spliced in sequence and then converted into the event dimension are obtained.
The security portrait model is obtained according to configuration of a marked network security behavior event set, and the marked network security behavior events in the marked network security behavior event set comprise marked network security behavior events added with marking information, wherein the marking information indicates whether behavior transfer is possible between the marked network security behavior events and reference network security cloud services or not, and can be a two-classification label. It should be noted that, in the marked network security behavior events included in the marked network security behavior event set in the embodiment of the present disclosure, the marked network security behavior events may be for the same reference network security cloud service, or for multiple reference network security cloud services, and generally, multiple marked network security behavior events correspond to the same reference network security cloud service. Further, the security portrait classification network in the embodiments of the present disclosure is obtained by using machine learning configuration through multiple groups of labeled network security behavior events.
For example, the following exemplary description is directed to a secure portrait classification network that may include three portions: a behavior transition probability classification layer, a clustering sequence arrangement network layer and a security portrait classification layer for security portrait classification.
Firstly, a group of network security behavior events (X1, X2, …, XM) of a network security protection cloud service are input, M represents the total number of the network security behavior events, and after a behavior transition probability classification layer, a behavior correlation confidence coefficient can be predicted for each network security behavior event to evaluate the characteristics of each network security behavior event related to the network security protection cloud service, namely, the behavior transition probability corresponding to the network security behavior event.
In the embodiment of the present disclosure, the purpose of the behavior transition probability classification layer is to calculate a behavior correlation confidence for each network security behavior event Xi. The behavior transition probability classification layer emphasizes network security behavior events related to features of the network security protection cloud service and weakens noise features. Each network security behavior event can be regarded as an event track node sequence; each network security behavior event is mapped to a continuous feature vector space by using a bidirectional recurrent neural network to obtain event description features of each network security behavior event, and the event description features are converted into coded feature information through depth feature coding. For example, a self-attention mechanism at the event track level is adopted to extract security portrait features between the coded feature information of each network security behavior event and the coded feature information of the other network security behavior events, the behavior transition probability between each network security behavior event and the network security protection cloud service is obtained based on the security portrait features corresponding to each network security behavior event, and a behavior correlation confidence zi is calculated for each network security behavior event.
After zi corresponding to each network security behavior event is obtained through calculation based on the behavior transition probability classification layer, the network layer can be sorted based on the clustering sequence in the configured security portrait classification network to sort the network security behavior events. The specific process is as follows:
firstly, mapping each network security behavior event to a continuous feature vector space to obtain an event element feature set corresponding to each network security behavior event, and performing time domain information extraction on the event element feature set corresponding to each network security behavior event through time domain feature extraction operation to obtain time domain event description features of each network security behavior event; and then, respectively performing weight fusion on the time domain event description characteristics of each network security behavior event according to the behavior transition probability corresponding to each network security behavior event to obtain fusion time domain event description characteristics Xi' of each network security behavior event.
Further, a K-Means clustering algorithm is applied to the fusion time domain event description characteristics of all the network security behavior events for clustering, and all the network security behavior events are grouped into K clusters; all the clusters are sorted in order of the number of network security behavior events from large to small, and the network security behavior events within each cluster are sorted in order of their distance to the cluster center from small to large, thereby finally obtaining an ordered network security behavior event set. The embodiment of the disclosure splices the vector representations of the network security behavior events in this order and performs event dimension conversion, tiling them into a first combination description component of the event dimension.
Finally, in the order-enhanced security portrait classification layer, two mapping standard limits, namely a mapping standard feature and a mapping standard loss, are adopted, so that the security portrait classification network can generate an ordered security portrait according to the time domain event description features of the network security behavior events. The specific process is as follows:
each security portrait in the security portrait set is generated in turn by adopting a traversal strategy, wherein the security portrait set comprises at least one security portrait.
Wherein each generation of a security representation is considered a traversal execution, which may also be referred to as a time step. For example, in a traversal process, the following steps are performed:
step A210, inputting the security portrait which is outputted last time into the security portrait classification layer, wherein the security portrait classification layer inputted first time is a preset initial security portrait object.
It is challenging to allow for accurate generation of ordered security representations. The disclosed embodiments provide a security portrait classification layer to generate ordered security portraits. According to the real data analysis, the sequence of the safety images and the sequence of the clusters have strong correlation, namely, the jth safety image often has strong correlation with the jth cluster and the neighbors thereof, so that the jth cluster and the neighbors thereof are represented as a focused cluster, and other clusters are represented as external clusters in the embodiment of the disclosure. To increase the order constraint between security profiles and clustering at each generation time step, the present disclosure involves two mapping criteria mechanisms:
In the embodiment of the present disclosure, a mapping standard feature is introduced into the coded feature representation of the security portrait and of the clusters. For example, the mapping standard process comprises the following steps:
Step A220, the target cluster selected this time and the neighbors of the target cluster are used as focused clusters, and the other clusters are used as external clusters, where the target cluster selected each time is determined based on the order among the clusters.
Step A230, a first mapping standard feature is added to each network security behavior event element in a focused cluster of the network security behavior event set, and a second mapping standard feature is added to each network security behavior event element in an external cluster of the network security behavior event set, so as to obtain first mapping standard coded feature information corresponding to each network security behavior event element in the set; and the first mapping standard feature is added to the previously output marked security portrait to obtain corresponding second mapping standard coded feature information.
In order to capture network timing characteristics and mapping standard information from the ordered clusters, in the embodiment of the present disclosure the attention value between a network security behavior event element and the previously output security portrait is computed as follows:
Step A240, based on an attention mechanism, the mapping confidence between the previously output marked security portrait and each network security behavior event element in the network security behavior event set is analyzed by combining the first mapping standard coded feature information corresponding to each network security behavior event element with the second mapping standard coded feature information corresponding to the previously output marked security portrait, where the mapping confidence represents the attention value between the network security behavior event element and the previously output security portrait.
Step A250, weighted fusion is performed on the mapping confidence and the coded feature information sequence of the network security behavior event elements in the network security behavior event set, and the fused coded feature information sequence is input into a feed-forward neural network to obtain the target time-domain event description feature of the network security behavior event set output this time.
Step A260, the currently output marked security portrait is generated based on the previously output marked security portrait and the target time-domain event description feature.
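Steps A220 to A260 above, worked through in Python as an added example (this is not code from the patent). It assumes one-hot mapping standard features, scaled dot-product softmax attention for the mapping confidence, a tanh feed-forward layer with constructed fixed weights, and averaging as the step A260 combination rule; the cluster data is constructed.

```python
import math
from typing import List, Sequence, Tuple

# Constructed sample data (not from the patent): a network security behavior event set
# whose elements are already grouped into ordered clusters; each element is a
# 3-dimensional coded feature vector.
CLUSTERS: List[List[List[float]]] = [
    [[1.0, 0.2, 0.0], [0.9, 0.3, 0.1]],   # cluster 0
    [[0.1, 1.0, 0.2], [0.2, 0.8, 0.1]],   # cluster 1
    [[0.0, 0.2, 1.0], [0.1, 0.1, 0.9]],   # cluster 2
]

# Assumed form of the two mapping standard features: one-hot indicators appended to
# every coded feature vector (first = focused cluster, second = external cluster).
FIRST_MAPPING_FEATURE = [1.0, 0.0]
SECOND_MAPPING_FEATURE = [0.0, 1.0]

# Constructed, fixed weights of the forward neural network (input 5 -> output 3).
FFN_WEIGHTS = [
    [0.5, 0.1, 0.0, 0.2, -0.2],
    [0.1, 0.5, 0.1, 0.0, 0.0],
    [0.0, 0.1, 0.5, -0.1, 0.1],
]
FFN_BIAS = [0.0, 0.0, 0.0]


def focused_cluster_ids(target: int, n_clusters: int) -> List[int]:
    """Step A220: the target cluster and its neighbours in the cluster order are the
    focused clusters; every other cluster is an external cluster."""
    return [i for i in (target - 1, target, target + 1) if 0 <= i < n_clusters]


def add_mapping_features(clusters: Sequence[Sequence[Sequence[float]]],
                         target: int) -> Tuple[List[List[float]], List[bool]]:
    """Step A230: append the first mapping standard feature to event elements of focused
    clusters and the second to those of external clusters. Returns the first mapping
    standard coded feature information (in cluster order) and a focused/external flag."""
    focused = set(focused_cluster_ids(target, len(clusters)))
    coded: List[List[float]] = []
    is_focused: List[bool] = []
    for cid, cluster in enumerate(clusters):
        flag = FIRST_MAPPING_FEATURE if cid in focused else SECOND_MAPPING_FEATURE
        for event in cluster:
            coded.append(list(event) + list(flag))
            is_focused.append(cid in focused)
    return coded, is_focused


def mapping_confidence(query: Sequence[float], keys: Sequence[Sequence[float]]) -> List[float]:
    """Step A240: scaled dot-product attention (assumed attention form) between the
    previously output marked portrait (query) and each event element (keys)."""
    scale = math.sqrt(len(query))
    scores = [sum(q * k for q, k in zip(query, key)) / scale for key in keys]
    peak = max(scores)
    exps = [math.exp(s - peak) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def fuse_and_project(confidence: Sequence[float], coded: Sequence[Sequence[float]]) -> List[float]:
    """Step A250: weighted fusion of the confidences with the coded sequence, then a
    tanh feed-forward layer -> target time-domain event description feature."""
    dim = len(coded[0])
    fused = [sum(c * vec[d] for c, vec in zip(confidence, coded)) for d in range(dim)]
    return [math.tanh(sum(w * x for w, x in zip(row, fused)) + b)
            for row, b in zip(FFN_WEIGHTS, FFN_BIAS)]


def generate_portrait(clusters, target, prev_portrait):
    """One pass of steps A220-A260 for the selected target cluster."""
    coded, is_focused = add_mapping_features(clusters, target)
    # Second mapping standard coded feature information: the previously output marked
    # portrait carries the first mapping standard feature.
    query = list(prev_portrait) + list(FIRST_MAPPING_FEATURE)
    confidence = mapping_confidence(query, coded)
    feature = fuse_and_project(confidence, coded)
    # Step A260, assumed combination rule: average the previous portrait with the new feature.
    portrait = [0.5 * (p + f) for p, f in zip(prev_portrait, feature)]
    return portrait, confidence, is_focused


def run_over_cluster_order(clusters, initial_portrait):
    """Select each cluster as target in cluster order, feeding every output portrait back in."""
    portrait = list(initial_portrait)
    history = []
    for target in range(len(clusters)):
        portrait, _, _ = generate_portrait(clusters, target, portrait)
        history.append(portrait)
    return history


if __name__ == "__main__":
    for step, p in enumerate(run_over_cluster_order(CLUSTERS, [1.0, 0.0, 0.0])):
        print(f"target cluster {step}: portrait {[round(x, 4) for x in p]}")
```

Because the focused/external indicator enters the dot product, event elements of the focused clusters receive strictly higher mapping confidence than external ones for the same portrait, which is the effect the mapping standard feature is meant to produce.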
In one embodiment, the flow of the configuration method of the security portrait classification network based on network security big data in the embodiment of the present disclosure is described below. The specific implementation flow of the method is as follows:
Step A300, a marked network security behavior event set for at least one reference network security cloud service is obtained.
Step A301, a group of marked network security behavior events for the same reference network security cloud service is selected from the marked network security behavior event set.
Step A302, each marked network security behavior event contained in the selected group is input into a behavior transition probability classification layer of an unconfigured security portrait classification network, and the behavior transition probability output by the behavior transition probability classification layer for each marked network security behavior event is obtained.
Step A303, a first difference parameter is constructed based on the difference between the behavior transition probability corresponding to each marked network security behavior event and the corresponding marking information.
Step A304, the marked network security behavior events in the selected group and the behavior transition probabilities corresponding to them are input into a cluster order sorting network layer of the unconfigured security portrait classification network, and the marked network security behavior events are clustered by the cluster order sorting network layer to obtain at least two clusters.
Step A305, the order of each cluster is sorted by the cluster order sorting network layer, and a second combination description component of the event dimension output by the cluster order sorting network layer is obtained.
Step A306, the second combination description component is input into an order-enhanced security portrait classification layer of the unconfigured security portrait classification network, and security portrait features are extracted by the security portrait classification layer to obtain a group of classified security portraits output by the security portrait classification layer.
Step A307, a second difference parameter is constructed based on the evaluation confidence difference between each classified security portrait in the classified security portrait list and the actual security portrait in the real security portrait set.
Step A308, a third difference parameter is constructed based on the attention values of the network security behavior event elements in each cluster.
Step A309, the network weights of the unconfigured security portrait classification network are updated according to the first difference parameter, the second difference parameter and the third difference parameter.
Step A310, it is determined whether the security portrait classification network meets the training termination condition; if so, the process ends, otherwise the process returns to step A301.
Fig. 3 is a schematic functional block diagram of a security protection configuration apparatus 300 based on network security big data according to an embodiment of the disclosure. The functions of the functional blocks of the apparatus 300 are described in detail below.
The first obtaining module 310 is configured to screen, according to a security portrait set for the network security protection cloud service, a target security portrait meeting a preset portrait characteristic from the security portrait set, and to obtain a first predicted network security protection rule based on the target security portrait.
The matching module 320 is configured to perform protection rule matching on the first predicted network security protection rule by using a plurality of pre-obtained second predicted network security protection rules related to the network security protection cloud service, so as to obtain target protection rule information corresponding to each of the plurality of second predicted network security protection rules.
The second obtaining module 330 is configured to obtain a target protection rule key field and target linkage protection rule information based on the target protection rule information corresponding to each of the plurality of second predicted network security protection rules and the mining network security protection rule having a preset rule attribute corresponding to each of the plurality of second predicted network security protection rules.
The third obtaining module 340 is configured to obtain, based on the target protection rule key field and the target linkage protection rule information, a target mining network security protection rule corresponding to the first predicted network security protection rule.
Fig. 4 is a schematic diagram of the hardware structure of a network security system 100 for implementing the above security protection configuration method based on network security big data according to an embodiment of the present disclosure. As shown in Fig. 4, the network security system 100 may include a processor 110, a machine-readable storage medium 120, a bus 130 and a communication unit 140.
In a specific implementation, at least one processor 110 executes computer-executable instructions stored in the machine-readable storage medium 120, so that the processor 110 can execute the security protection configuration method based on network security big data according to the above method embodiment. The processor 110, the machine-readable storage medium 120 and the communication unit 140 are connected through the bus 130, and the processor 110 may be configured to control the transceiving actions of the communication unit 140, so as to exchange data with the network security monitoring terminal 200.
For the specific implementation of the processor 110, reference may be made to the various method embodiments executed by the network security system 100 described above; the implementation principle and technical effect are similar and are not repeated here.
In addition, an embodiment of the present disclosure further provides a readable storage medium in which computer-executable instructions are preset; when a processor executes the computer-executable instructions, the above security protection configuration method based on network security big data is implemented.
Finally, it should be understood that the examples in this specification are only intended to illustrate the principles of the examples in this specification. Other variations are also possible within the scope of this description. Accordingly, by way of example, and not limitation, alternative configurations of the embodiments of the specification can be seen as matching the teachings of the specification. Accordingly, the embodiments of the present description are not limited to only those embodiments explicitly described and depicted herein.

Claims (10)

1. A security protection configuration method based on network security big data, applied to a network security system, wherein the network security system is in communication connection with a plurality of network security monitoring terminals, and the method comprises the following steps:
according to a security portrait set for a network security protection cloud service, screening the security portrait set to obtain a target security portrait meeting preset portrait characteristics, and obtaining a first predicted network security protection rule based on the target security portrait;
performing protection rule matching on the first predicted network security protection rule by using a plurality of pre-obtained second predicted network security protection rules related to the network security protection cloud service, to obtain target protection rule information respectively corresponding to the plurality of second predicted network security protection rules;
obtaining a target protection rule key field and target linkage protection rule information based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules and mining network security protection rules with preset rule attributes respectively corresponding to the plurality of second predicted network security protection rules; and
obtaining a target mining network security protection rule corresponding to the first predicted network security protection rule based on the target protection rule key field and the target linkage protection rule information.
2. The security protection configuration method based on network security big data according to claim 1, wherein the mining network security protection rule comprises: linkage protection rule information of the defense scene attribute of the mining network security protection rule relative to the past defense scene attribute of a pre-obtained past mining network security protection rule;
correspondingly, obtaining the target linkage protection rule information based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules and the mining network security protection rules with preset rule attributes respectively corresponding to the plurality of second predicted network security protection rules comprises:
obtaining target linkage protection rule information of the target defense scene attribute of the target mining network security protection rule relative to the past defense scene attribute, based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules and the linkage protection rule information respectively included in the plurality of mining network security protection rules.
3. The method according to claim 2, wherein obtaining the target linkage protection rule information of the target defense scene attribute of the target mining network security protection rule relative to the past defense scene attribute based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules and the linkage protection rule information respectively included in the plurality of mining network security protection rules comprises:
performing a network attack simulation update test on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules; and
obtaining the target linkage protection rule information based on the target protection rule information after the network attack simulation update test and the linkage protection rule information respectively included in the mining network security protection rules.
4. The security protection configuration method based on network security big data according to any one of claims 1 to 3, wherein obtaining the target mining network security protection rule corresponding to the first predicted network security protection rule based on the target protection rule key field and the target linkage protection rule information comprises:
performing field classification processing on the past defense scene attribute based on the target protection rule key field and scene attribute correlation information between the past protection rule key field and the past defense scene attribute in the past mining network security protection rule, to obtain a unit defense scene attribute;
performing association processing on the unit defense scene attribute based on the target linkage protection rule information to obtain a target defense scene attribute; and
generating the target mining network security protection rule based on the target protection rule key field and the target defense scene attribute.
5. The security protection configuration method based on network security big data according to claim 1, wherein the target protection rule key field comprises at least one of the following fields: a target protection rule attack identification field, a target protection rule attack library calling field and a target protection rule attack update field; the protection rule key fields respectively corresponding to the plurality of mining network security protection rules comprise at least one of the following: the protection rule attack update field, the protection rule attack identification field and the protection rule attack library calling field corresponding to each group of configured protection rules among the plurality of groups of configured protection rules of the mining network security protection rule;
if the target protection rule key field comprises the target protection rule attack identification field, obtaining the target protection rule key field based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules and the mining network security protection rules with preset rule attributes respectively corresponding to the plurality of second predicted network security protection rules comprises: performing attack identification field detection on the protection rule attack identification fields respectively corresponding to the plurality of mining network security protection rules based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules, to obtain the target protection rule attack identification field;
if the target protection rule key field comprises the target protection rule attack library calling field, obtaining the target protection rule key field based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules and the mining network security protection rules with preset rule attributes respectively corresponding to the plurality of second predicted network security protection rules comprises: performing attack library calling field detection on the protection rule attack library calling fields respectively corresponding to the plurality of mining network security protection rules based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules, to obtain the target protection rule attack library calling field;
if the target protection rule key field comprises the target protection rule attack update field, obtaining the target protection rule key field based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules and the mining network security protection rules with preset rule attributes respectively corresponding to the plurality of second predicted network security protection rules comprises: updating the protection rule attack update fields respectively corresponding to the plurality of mining network security protection rules into rule update fields, performing rule object identification processing on the rule update fields to obtain rule update fields carrying rule object labels, and performing field screening processing on the rule update fields carrying rule object labels respectively corresponding to the plurality of mining network security protection rules based on the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules, to obtain the target protection rule attack update field.
6. The security protection configuration method based on network security big data according to claim 1, wherein the step of screening, according to the security portrait set for the network security protection cloud service, the target security portrait meeting the preset portrait characteristics from the security portrait set and obtaining the first predicted network security protection rule based on the target security portrait comprises:
obtaining a target security portrait corresponding to an initial network security protection rule; and
performing integral security protection rule identification on the initial network security protection rule included in the target security portrait to obtain the first predicted network security protection rule;
wherein the plurality of second predicted network security protection rules are obtained in advance in the following manner:
obtaining a plurality of groups of sample security portraits corresponding to sample network security protection rules; and
for each group of sample security portraits among the plurality of groups of sample security portraits, performing integral security protection rule identification on the sample network security protection rule included in that group to obtain the second predicted network security protection rule corresponding to that group of sample security portraits.
7. The security protection configuration method based on network security big data according to claim 1, further comprising obtaining the mining network security protection rules with preset rule attributes respectively corresponding to the plurality of second predicted network security protection rules in the following manner:
obtaining a unit mining network security protection rule with preset rule attributes corresponding to each second predicted network security protection rule among the plurality of second predicted network security protection rules;
obtaining linkage protection rule information of the mining network security protection rule corresponding to each second predicted network security protection rule relative to a past mining network security protection rule, based on a plurality of groups of preset linkage protection rule information relative to the past mining network security protection rule; and
updating the unit defense scene attribute in the unit mining network security protection rule by using the linkage protection rule information, and obtaining the mining network security protection rule of each second predicted network security protection rule based on the updated unit defense scene attribute and the unit protection rule key field of the unit mining network security protection rule.
8. The method according to claim 1, wherein performing protection rule matching on the first predicted network security protection rule by using the plurality of pre-obtained second predicted network security protection rules related to the network security protection cloud service to obtain the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules comprises:
performing protection rule distribution and citation between the plurality of second predicted network security protection rules and the first predicted network security protection rule to obtain the target protection rule information respectively corresponding to the plurality of second predicted network security protection rules.
9. The security protection configuration method based on network security big data according to any one of claims 1 to 8, further comprising:
issuing a target configuration protection rule to the network security monitoring terminal according to the target mining network security protection rule, so that the network security monitoring terminal performs rule configuration based on the target configuration protection rule;
after the target configuration protection rule is issued, determining, according to first protection behavior track information in a first candidate protection operation record of the network security monitoring terminal, an associated protection event corresponding to the first protection behavior track information as an initial protection event, wherein the first candidate protection operation record comprises at least one group of protection behavior track information;
determining, according to a second candidate protection operation record, an associated protection event corresponding to the second candidate protection operation record as a target protection event, wherein the second candidate protection operation record is used for representing track element information and/or track element reference information of target protection behavior track information;
determining track time sequence information corresponding to the first protection behavior track information according to the initial protection event and the target protection event, and performing threat situation information analysis on the first protection behavior track information according to the track time sequence information to obtain threat situation information corresponding to the first protection behavior track information;
obtaining, through a machine decision network, track anomaly label information and frequency information attribute information corresponding to the first protection behavior track information according to the first protection behavior track information and the track time sequence information and threat situation information corresponding to it; and
generating target protection behavior track information according to the first protection behavior track information and the track time sequence information, track anomaly label information and frequency information attribute information corresponding to it, wherein the target protection behavior track information is used for security performance analysis of the target configuration protection rule.
10. A network security system, comprising a processor, a machine-readable storage medium, and a communication unit, wherein the machine-readable storage medium, the communication unit, and the processor are associated through a bus system, the communication unit is configured to be communicatively connected with at least one network security monitoring terminal, the machine-readable storage medium is configured to store computer instructions, and the processor is configured to execute the computer instructions in the machine-readable storage medium to perform the network security big data based security protection configuration method according to any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110667149.5A CN113472754A (en) 2021-06-16 2021-06-16 Security protection configuration method based on network security big data and network security system


Publications (1)

Publication Number Publication Date
CN113472754A true CN113472754A (en) 2021-10-01

Family

ID=77870070


Country Status (1)

Country Link
CN (1) CN113472754A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143059A (en) * 2021-11-25 2022-03-04 潍坊安芯智能科技有限公司 Safety protection index optimization method based on big data information safety and AI system
CN114143060A (en) * 2021-11-25 2022-03-04 潍坊安芯智能科技有限公司 Information security prediction method based on artificial intelligence prediction and big data security system
CN114143060B (en) * 2021-11-25 2022-07-12 北京国信达数据技术有限公司 Information security prediction method based on artificial intelligence prediction and big data security system
CN115174201A (en) * 2022-06-30 2022-10-11 北京安博通科技股份有限公司 Security rule management method and device based on screening label
CN115174201B (en) * 2022-06-30 2023-08-01 北京安博通科技股份有限公司 Security rule management method and device based on screening tag

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication Application publication date: 20211001