CN113742720B - Network security situation perception method based on multistage linkage mode - Google Patents
- Publication number: CN113742720B (application CN202110995822.8A)
- Authority: CN (China)
- Prior art keywords: security, behavior, baseline, abnormal information, method based
- Prior art date: 2021-08-27
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/22—Matching criteria, e.g. proximity measures

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention discloses a network security situation awareness method based on a multi-level linkage mode, comprising the following steps: collecting traffic and security logs of Zone I and Zone II of a power plant; preprocessing the collected data and extracting key feature elements; establishing a baseline traffic and log model through baseline learning based on the extracted key feature elements, and analysing and detecting abnormal information in the baseline traffic and log model in real time with a security detection model; and, when abnormal information is detected, performing security tracing analysis on it with security expert knowledge to obtain the security problem. The invention can analyse and warn of potential security hazards in real time and in advance, so that network security protection can be applied in time.
Description
Technical Field
The invention relates to the technical field of network security situation awareness, in particular to a network security situation awareness method based on a multi-level linkage mode.
Background
A power group comprises many power plants. Its network security environment is complex, the types of network security equipment are numerous and the log formats diverse, and the group lacks both a unified platform for collecting and analysing this information and a situation awareness platform that supervises and analyses security problems group-wide.
Communication capacity between a power plant and the group is limited, so full traffic cannot be sent to the regional level for security modelling and analysis on the large computing cluster on the group side; and because the plant side lacks both a large computing cluster and security modelling capability, a large amount of security data goes unused.
Network security detection capability must be updated in real time. How to deliver this continuously updated detection capability to each power plant under unified management, how regional security experts can effectively guide and resolve the security problems that arise at a plant, and how to analyse and warn of the potential security hazards that exist are the problems urgently awaiting solution.
Disclosure of Invention
This section is for the purpose of summarizing some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. In this section, as well as in the abstract and the title of the invention of this application, simplifications or omissions may be made to avoid obscuring the purpose of the section, the abstract and the title, and such simplifications or omissions are not intended to limit the scope of the invention.
The present invention has been made in view of the above-mentioned conventional problems.
Therefore, the technical problem solved by the invention is as follows: the prior art cannot analyse and warn of potential security hazards in real time, so network security protection is not timely.
To solve this technical problem, the invention provides the following technical scheme: collecting traffic and security logs of Zone I and Zone II of a power plant; preprocessing the collected data and extracting key feature elements; establishing a baseline traffic and log model through baseline learning based on the extracted key feature elements, and analysing and detecting abnormal information in the baseline traffic and log model in real time with a security detection model; and, when abnormal information is detected, performing security tracing analysis on it with security expert knowledge to obtain the security problem.
As a preferred scheme of the network security situation awareness method based on the multi-level linkage mode, the method comprises: collecting the traffic and security logs of Zone I and Zone II of the power plant with plant-level situation awareness equipment.
As a preferred scheme of the network security situation awareness method based on the multi-level linkage mode, the method comprises: preprocessing the collected data and extracting key feature elements, wherein the preprocessing comprises data cleaning, data integration, data transformation and data reduction of the collected data, and the key feature elements are extracted with a principal component analysis strategy.
As a preferred scheme of the network security situation awareness method based on the multi-level linkage mode, the method comprises: constructing the baseline traffic and log model through baseline learning, which includes a session set f_1 = {destination port, destination IP address, source IP address, transport protocol, number of uplink packets, number of downlink packets, size of uplink packets, size of downlink packets, communication start time, communication duration}, and a protocol behaviour set f_2 = {destination port, destination IP address, source IP address, transport protocol, number of uplink packets, number of downlink packets, size of uplink packets, size of downlink packets, communication start time, communication duration, protocol instruction parameter}.
As a preferred scheme of the network security situation awareness method based on the multi-level linkage mode, the method further comprises constructing the baseline traffic and log model based on the session set and the protocol behaviour set:
where E(Y|X=x) denotes the behaviour matching degree output value, Y the aggregated behaviour, X the input behaviour, τ_1 the number of extractions and τ_2 the behaviour probability.
As a preferred scheme of the network security situation awareness method based on the multi-level linkage mode, the method comprises: judging whether abnormal traffic or behaviour exists from the behaviour matching degree output value, wherein when 0 ≤ E(Y|X=x) < 0.83 abnormal traffic or behaviour exists, and when 0.83 ≤ E(Y|X=x) ≤ 1 the traffic or behaviour is normal.
As a preferred scheme of the network security situation awareness method based on the multi-level linkage mode, using the security detection model to analyse and detect abnormal information in the baseline traffic and log model in real time comprises: establishing an abnormal information feature library from historical information; constructing the security detection model with a deep learning network and training it on data to obtain a refined security detection model; and matching the abnormal information against the abnormal information feature library, analysing and detecting it to obtain the final security vulnerability.
As a preferred scheme of the network security situation awareness method based on the multi-level linkage mode, the abnormal information includes abnormal traffic and logs.
As a preferred scheme of the network security situation awareness method based on the multi-level linkage mode, the security detection model comprises,
where [a, b] denotes the detection interval, x_k the traffic value at subinterval k, x_{k-1} the traffic value at subinterval k-1, Δx_k = x_k - x_{k-1} the length of subinterval k, and N the number of iterations.
The beneficial effect of the invention is that potential security hazards can be analysed and warned of in real time and in advance, so that network security protection can be applied in time.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise. Wherein:
fig. 1 is a schematic basic flow chart of a network security situation awareness method based on a multi-level linkage manner according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an area-level security situation awareness platform of a network security situation awareness method based on a multi-level linkage manner according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, specific embodiments accompanied with figures are described in detail below, and it is apparent that the described embodiments are a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced otherwise than as specifically described herein, and it will be appreciated by those skilled in the art that the present invention may be practiced without departing from the spirit and scope of the present invention and that the present invention is not limited by the specific embodiments disclosed below.
Furthermore, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
The invention is described in detail below with reference to the drawings. Cross-sectional views illustrating the structure of a device are not drawn to scale; the drawings are exemplary only and must not be construed as limiting the scope of the invention.
In the description of the invention, terms such as "upper", "lower", "inner" and "outer" indicate orientations or positional relationships as shown in the drawings. They serve only to simplify the description and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, so they cannot be construed as limiting the invention. The terms "first", "second" and "third" are used for descriptive purposes only and do not indicate or imply relative importance.
Unless otherwise explicitly specified or limited, the terms "mounted" and "connected" are to be understood broadly: fixedly, detachably or integrally connected; mechanically or electrically connected; connected directly or indirectly through an intervening medium; or interconnected between two elements. The specific meaning of these terms can be understood by those skilled in the art according to the particular case.
Example 1
Referring to fig. 1 to 2, an embodiment of the present invention provides a network security situation awareness method based on a multi-level linkage manner, including:
S1: Collect traffic and security logs of Zone I and Zone II of a power plant; it should be noted that:
the traffic and security logs of Zone I and Zone II of the power plant are collected with plant-level situation awareness equipment.
S2: Preprocess the collected data and extract key feature elements; it should be noted that:
preprocessing the collected data and extracting key feature elements comprises the following steps:
performing data cleaning, data integration, data transformation and data reduction on the collected data;
extracting key feature elements with a principal component analysis strategy; the principal component analysis strategy extracts the feature elements with the following code:
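An added example, not code from the patent, of the S2 pipeline: data cleaning (dropping incomplete and duplicate records), data transformation (z-scoring) and data reduction by principal component analysis, run over constructed plant-side session records. The field layout, the sample rows and the power-iteration PCA are assumptions of this illustration; the patent's own PCA code is not reproduced on this page.

```python
"""Added example, not the patent's own code: the S2 pipeline (cleaning,
transformation, reduction by PCA) over constructed plant-side session
records. Field layout, sample values and the power-iteration PCA are
assumptions made for this illustration."""

# Constructed session records (assumption):
# (uplink_pkts, downlink_pkts, uplink_bytes, downlink_bytes, duration_s)
RAW_RECORDS = [
    (12, 10, 1800, 9600, 2.1),
    (12, 10, 1800, 9600, 2.1),    # exact duplicate -> dropped by cleaning
    (15, 13, 2200, 11800, 2.6),
    (9, 8, 1400, 7200, 1.7),
    (None, 9, 1500, 8100, 1.9),   # missing field -> dropped by cleaning
    (40, 2, 52000, 300, 0.4),     # upload-heavy session, unlike the rest
    (14, 12, 2000, 10500, 2.4),
]


def clean(records):
    """Data cleaning: drop rows with missing fields and exact duplicates."""
    seen, out = set(), []
    for row in records:
        if any(v is None for v in row) or row in seen:
            continue
        seen.add(row)
        out.append([float(v) for v in row])
    return out


def standardize(matrix):
    """Data transformation: z-score each column so byte counts do not swamp
    packet counts and durations. Also returns (mean, std) per column so that
    live data can be scaled exactly like the baseline data."""
    n, d = len(matrix), len(matrix[0])
    mean = [sum(r[j] for r in matrix) / n for j in range(d)]
    std = [(sum((r[j] - mean[j]) ** 2 for r in matrix) / n) ** 0.5 or 1.0
           for j in range(d)]
    scaled = [[(r[j] - mean[j]) / std[j] for j in range(d)] for r in matrix]
    return scaled, list(zip(mean, std))


def covariance(scaled):
    n, d = len(scaled), len(scaled[0])
    return [[sum(r[i] * r[j] for r in scaled) / (n - 1) for j in range(d)]
            for i in range(d)]


def dominant_eigenpair(cov, iters=1000):
    """Power iteration on a symmetric PSD matrix: (largest eigenvalue, unit
    eigenvector)."""
    d = len(cov)
    v, lam = [1.0 / d ** 0.5] * d, 0.0
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = sum(x * x for x in w) ** 0.5
        if norm == 0.0:
            break
        v, lam = [x / norm for x in w], norm
    return lam, v


def pca(scaled, n_components):
    """Data reduction: leading principal components by power iteration with
    deflation. Returns (scores, components, explained variance ratios)."""
    cov = covariance(scaled)
    total = sum(cov[i][i] for i in range(len(cov)))
    comps, ratios = [], []
    for _ in range(n_components):
        lam, v = dominant_eigenpair(cov)
        comps.append(v)
        ratios.append(lam / total)
        # deflate: remove the component just found from the covariance
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(len(v))]
               for i in range(len(v))]
    scores = [[sum(r[j] * c[j] for j in range(len(c))) for c in comps]
              for r in scaled]
    return scores, comps, ratios


def extract_key_features(records, n_components=2):
    """Full S2 pipeline: clean -> standardize -> PCA -> reduced features."""
    scaled, _ = standardize(clean(records))
    return pca(scaled, n_components)


if __name__ == "__main__":
    scores, comps, ratios = extract_key_features(RAW_RECORDS)
    print("rows kept:", len(scores))
    print("explained variance ratio:", [round(r, 3) for r in ratios])
    for row in scores:
        print([round(x, 2) for x in row])
```

The first component carries most of the variance because one constructed record differs from the others in every field; the reduced, scaled representation rather than raw byte counts is what the next step should baseline. The per-column mean and standard deviation returned by standardize must be kept and reused on live data, otherwise live scores are not comparable with the baseline.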
S3: Establish a baseline traffic and log model through baseline learning based on the extracted key feature elements, and analyse and detect abnormal information in the baseline traffic and log model in real time with a security detection model; it should be noted that:
constructing the baseline traffic and log model through baseline learning comprises the following steps:
session aggregation:
f_1 = {destination port, destination IP address, source IP address, transport protocol, number of uplink packets, number of downlink packets, size of uplink packets, size of downlink packets, communication start time, communication duration};
protocol behaviour aggregation:
f_2 = {destination port, destination IP address, source IP address, transport protocol, number of uplink packets, number of downlink packets, size of uplink packets, size of downlink packets, communication start time, communication duration, protocol instruction parameter}.
Establishing the baseline traffic and log model based on the session set and the protocol behaviour set:
where E(Y|X=x) denotes the behaviour matching degree output value, Y the aggregated behaviour, X the input behaviour, τ_1 the number of extractions and τ_2 the behaviour probability.
Whether abnormal traffic or behaviour exists is judged from the behaviour matching degree output value as follows:
when 0 ≤ E(Y|X=x) < 0.83, abnormal traffic or behaviour exists;
when 0.83 ≤ E(Y|X=x) ≤ 1, the traffic or behaviour is normal.
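An added example, not the patent's own code, for the baseline step above: it aggregates constructed packet records into the session set f_1 and the protocol behaviour set f_2, learns τ_1 (extraction count) and τ_2 (behaviour probability) from a clean baseline period, scores live behaviour and applies the 0.83 rule. The packet records, the Modbus/TCP-style instruction labels, the 5-second session gap and the weighted form of the matching score are assumptions of this example; the patent's own expression for E(Y|X=x) is not reproduced on this page, so the score here is a stand-in, not the patented formula.

```python
"""Added example, not the patent's own code: session aggregation (f1),
protocol-behaviour aggregation (f2), baseline learning with tau_1/tau_2 and
the 0.83 decision rule. Packet records, instruction labels, the session gap
and the weighted form of the matching score are assumptions."""
from collections import defaultdict

SESSION_GAP = 5.0   # seconds of silence that closes a session (assumption)
THRESHOLD = 0.83    # patent rule: 0 <= E(Y|X=x) < 0.83 is abnormal
VOLUME_FIELDS = ("up_pkts", "down_pkts", "up_bytes", "down_bytes", "duration")

def packet(ts, client, server, dport, proto, direction, size, instr=None):
    """client/server are fixed per session so both directions share one key;
    direction is 'up' (client -> server) or 'down'."""
    return dict(ts=ts, client=client, server=server, dport=dport, proto=proto,
                direction=direction, size=size, instr=instr)

def _poll(t0, reply_size, instr="read_holding_registers", req_size=66):
    """Constructed two-round poll from a plant client to a port-502 device."""
    c, s = "10.1.1.5", "10.1.2.20"
    return [packet(t0, c, s, 502, "tcp", "up", req_size, instr),
            packet(t0 + 0.05, c, s, 502, "tcp", "down", reply_size),
            packet(t0 + 1.0, c, s, 502, "tcp", "up", req_size, instr),
            packet(t0 + 1.05, c, s, 502, "tcp", "down", reply_size)]

BASELINE_PACKETS = _poll(0.0, 88) + _poll(60.0, 90) + _poll(120.0, 88)
LIVE_PACKETS = (_poll(200.0, 88)                                    # routine poll
                + _poll(300.0, 88, "write_multiple_registers", 78)   # new instruction
                + [packet(400.0, "10.1.9.99", "10.1.2.20", 502, "tcp", "up", 66)])

def _split_sessions(packets):
    """Group by (dport, dst, src, proto); a gap over SESSION_GAP ends a session."""
    by_key = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        by_key[(p["dport"], p["server"], p["client"], p["proto"])].append(p)
    for key, pkts in by_key.items():
        current = []
        for p in pkts:
            if current and p["ts"] - current[-1]["ts"] > SESSION_GAP:
                yield key, current
                current = []
            current.append(p)
        yield key, current

def f1_record(key, pkts):
    """The ten-element session record of the patent's set f1."""
    up = [p for p in pkts if p["direction"] == "up"]
    down = [p for p in pkts if p["direction"] == "down"]
    dport, dst, src, proto = key
    return dict(dport=dport, dst=dst, src=src, proto=proto,
                up_pkts=len(up), down_pkts=len(down),
                up_bytes=sum(p["size"] for p in up),
                down_bytes=sum(p["size"] for p in down),
                start=pkts[0]["ts"],
                duration=round(pkts[-1]["ts"] - pkts[0]["ts"], 3))

def aggregate_behaviours(packets):
    """f2: an f1 record plus the protocol instruction parameter, one record
    per distinct instruction in the session (None when no instruction)."""
    out = []
    for key, pkts in _split_sessions(packets):
        instrs = sorted({p["instr"] for p in pkts if p["instr"]})
        for instr in instrs or [None]:
            out.append(dict(f1_record(key, pkts), instr=instr))
    return out

def behaviour_key(b):
    return (b["dport"], b["dst"], b["src"], b["proto"])

def learn_baseline(behaviours):
    """tau_1: extraction count per behaviour; tau_2: its share of all
    extractions; envelope: observed range of each volume field per 4-tuple."""
    tau1, support, envelope = defaultdict(int), defaultdict(int), {}
    for b in behaviours:
        k = behaviour_key(b)
        tau1[(k, b["instr"])] += 1
        support[k] += 1
        env = envelope.setdefault(k, {})
        for f in VOLUME_FIELDS:
            lo, hi = env.get(f, (b[f], b[f]))
            env[f] = (min(lo, b[f]), max(hi, b[f]))
    tau2 = {bk: n / len(behaviours) for bk, n in tau1.items()}
    return dict(tau1=dict(tau1), tau2=tau2, support=dict(support), envelope=envelope)

def matching_degree(baseline, x, min_support=2):
    """Stand-in for E(Y|X=x) in [0, 1]: 0.5 if the 4-tuple was extracted at
    least min_support times, 0.3 if the instruction was seen on it, 0.2 times
    the share of volume fields inside the envelope (weights are assumed)."""
    k = behaviour_key(x)
    established = baseline["support"].get(k, 0) >= min_support
    known_instr = baseline["tau2"].get((k, x["instr"]), 0.0) > 0.0
    env = baseline["envelope"].get(k)
    inside = (sum(env[f][0] <= x[f] <= env[f][1] for f in VOLUME_FIELDS)
              / len(VOLUME_FIELDS)) if env else 0.0
    return 0.5 * established + 0.3 * known_instr + 0.2 * inside

def detect(baseline, packets):
    """Decision rule on live traffic -> (src, instruction, E, verdict)."""
    rows = []
    for b in aggregate_behaviours(packets):
        e = matching_degree(baseline, b)
        rows.append((b["src"], b["instr"], round(e, 3),
                     "abnormal" if e < THRESHOLD else "normal"))
    return rows

if __name__ == "__main__":
    model = learn_baseline(aggregate_behaviours(BASELINE_PACKETS))
    for row in detect(model, LIVE_PACKETS):
        print(row)
```

On the constructed capture, the routine poll scores 1.0, the write instruction never seen on that 4-tuple scores 0.66, and the session from an unknown host scores 0; under the 0.83 rule the first is normal and the other two abnormal. The min_support guard matters in practice: a 4-tuple seen only once during the learning window is not treated as established, so a one-off appearance while the baseline is being learned does not quietly whitelist a host.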
Using the security detection model to analyse and detect abnormal information in the baseline traffic and log model in real time comprises the following steps:
establishing an abnormal information feature library from historical information;
constructing the security detection model with a deep learning network and training it on data to obtain a refined security detection model;
wherein the security detection model comprises,
where [a, b] denotes the detection interval, x_k the traffic value at subinterval k, x_{k-1} the traffic value at subinterval k-1, Δx_k = x_k - x_{k-1} the length of subinterval k, and N the number of iterations;
matching the abnormal information against the abnormal information feature library, and analysing and detecting it to obtain the final security vulnerability;
the abnormal information comprises abnormal traffic and logs.
S4: when abnormal information is detected, performing security traceability analysis on the abnormal information by using security expert knowledge to obtain a security problem; it should be noted that:
As shown in fig. 2, the regional situation awareness platform cooperates with third-party security vendors and, through their security expert capability, continuously builds its core security capabilities, which include a vulnerability library, an intelligence library, an anti-virus library, an intrusion detection library, an association-rule analysis library, a behaviour-analysis model library, security intelligence and so on; these core detection capabilities are issued to the plant-level situation awareness platforms. When a security vulnerability occurs or abnormal traffic may be present, regional security experts connect remotely and directly to the plant-level situation awareness platform to carry out security tracing and evidence collection. Both of these channels cross the plant boundary, so in deployment the issued libraries should be integrity-checked before the plant-level platform loads them, and the remote expert session should be authenticated, confined to the plant-level platform and logged, so that the linkage path itself does not become an entry point into the production control zones.
Example 2
This embodiment differs from Example 1 in that it provides a verification test of the network security situation awareness method based on the multi-level linkage mode. To verify and explain the technical effect of the method, a comparison test is carried out between a conventional technical scheme and the method of the invention, and the test results are compared to verify the real effect of the method.
The conventional technical scheme cannot analyse and warn of existing potential security hazards in real time, so network security protection is not timely. Compared with it, the method of the invention has higher real-time performance and analysis accuracy. In this embodiment, the detection of simulated network security vulnerabilities and the accuracy and speed of the analysis are measured and compared in real time for the conventional network security situation awareness method and the method of the invention.
Test environment: host operating systems: Windows, Solaris, AIX, Linux, SCO, SGI; database systems: MSSQL, Oracle, MySQL, Informix, Sybase; application systems: the various applications provided by the target, such as web applications built from ASP, CGI, JSP and PHP; network devices: firewalls, security detection systems and network equipment. Security events are issued once an hour in the sequence 10, 12, 15, 12, 21 by an automatic test device, the simulation tests of the two methods are implemented by MATLAB programming, and simulation data are obtained from the experimental results. 1000 sets of data were tested for each method; the results of the two methods are shown in the table below.
Table 1: Comparison of experimental results.

Experimental sample | Conventional method | Method of the invention
---|---|---
Time delay | 1.2 min | 0.4 ms
Accuracy rate | 85% | 98%

As the table shows, the method of the invention performs well.
It should be noted that the above-mentioned embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the claims of the present invention.
Claims (5)
1. A network security situation awareness method based on a multi-level linkage mode, characterised by comprising the following steps:
collecting traffic and security logs of Zone I and Zone II of a power plant;
preprocessing the collected data and extracting key feature elements;
establishing a baseline traffic and log model through baseline learning based on the extracted key feature elements, and analysing and detecting abnormal information in the baseline traffic and log model in real time with a security detection model;
wherein constructing the baseline traffic and log model through baseline learning comprises
session aggregation:
f_1 = {destination port, destination IP address, source IP address, transport protocol, number of uplink packets, number of downlink packets, size of uplink packets, size of downlink packets, communication start time, communication duration};
protocol behaviour aggregation:
f_2 = {destination port, destination IP address, source IP address, transport protocol, number of uplink packets, number of downlink packets, size of uplink packets, size of downlink packets, communication start time, communication duration, protocol instruction parameter};
constructing the baseline traffic and log model based on the session set and the protocol behaviour set:
wherein E(Y|X=x) denotes the behaviour matching degree output value, Y the aggregated behaviour, X the input behaviour, τ_1 the number of extractions and τ_2 the behaviour probability;
judging whether abnormal traffic or behaviour exists according to the behaviour matching degree output value, comprising: when 0 ≤ E(Y|X=x) < 0.83, abnormal traffic or behaviour exists; when 0.83 ≤ E(Y|X=x) ≤ 1, the traffic or behaviour is normal.
2. The network security situation awareness method based on the multi-level linkage mode according to claim 1, wherein the traffic and security logs of Zone I and Zone II of the power plant are collected with plant-level situation awareness equipment.
3. The network security situation awareness method based on the multi-level linkage mode according to claim 1 or 2, wherein preprocessing the collected data and extracting key feature elements comprises
performing data cleaning, data integration, data transformation and data reduction on the collected data;
and extracting the key feature elements with a principal component analysis strategy.
4. The network security situation awareness method based on the multi-level linkage mode according to claim 1, wherein analysing and detecting abnormal information in the baseline traffic and log model in real time with the security detection model comprises
establishing an abnormal information feature library from historical information;
constructing the security detection model with a deep learning network and training it on data to obtain a refined security detection model;
and matching the abnormal information against the abnormal information feature library, and analysing and detecting it to obtain the final security vulnerability.
5. The network security situation awareness method based on the multi-level linkage mode according to claim 4, wherein the abnormal information comprises abnormal traffic and logs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110995822.8A CN113742720B (en) | 2021-08-27 | 2021-08-27 | Network security situation perception method based on multistage linkage mode |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110995822.8A CN113742720B (en) | 2021-08-27 | 2021-08-27 | Network security situation perception method based on multistage linkage mode |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113742720A CN113742720A (en) | 2021-12-03 |
CN113742720B true CN113742720B (en) | 2022-11-25 |
Family
ID=78733451
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110995822.8A Active CN113742720B (en) | 2021-08-27 | 2021-08-27 | Network security situation perception method based on multistage linkage mode |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113742720B (en) |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111245793A (en) * | 2019-12-31 | 2020-06-05 | 西安交大捷普网络科技有限公司 | Method and device for analyzing abnormity of network data |
CN112612669A (en) * | 2020-11-25 | 2021-04-06 | 中国大唐集团科学技术研究院有限公司 | Infrastructure monitoring and early warning method and system based on situation awareness |
CN112651006B (en) * | 2020-12-07 | 2023-08-25 | 中国电力科学研究院有限公司 | Power grid security situation sensing system |
CN112653678B (en) * | 2020-12-14 | 2023-01-24 | 国家电网有限公司信息通信分公司 | Network security situation perception analysis method and device |
- 2021-08-27: application CN202110995822.8A filed in CN; granted as CN113742720B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN113742720A (en) | 2021-12-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |