CN114006802B - Situation awareness prediction method, device and system for collapse equipment - Google Patents


Info

Publication number: CN114006802B
Authority: CN (China)
Prior art keywords: information, collapse, network node, situation awareness, equipment
Legal status: Active
Application number: CN202111076006.3A
Other languages: Chinese (zh)
Other versions: CN114006802A (en)
Inventors: 杨腾霄, 罗伟, 韩可
Current assignee: Shanghai Niudun Technology Co ltd
Original assignee: Shanghai Niudun Technology Co ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 41/14 Network analysis or design
    • H04L 41/147 Network analysis or design for predicting network behaviour
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/146 Tracing the source of attacks

Abstract

The invention provides a situation awareness prediction method, device and system for a collapse device (a compromised device), and relates to the technical field of network security. The method comprises the following steps: acquiring information of the collapse device, and acquiring log information and alarm information of a network node associated with the collapse device; acquiring situation awareness information of the collapse device and situation awareness information of the network node; comparing the two to obtain the abnormal items in the situation awareness information of the collapse device that relate to the situation awareness information of the network node; analyzing the abnormal items to obtain the abnormal cause of the collapse device, and acquiring a matched defense scheme based on that cause to process the collapse device and/or the device that produced the cause. The invention uses the situation awareness system to defend against collapse devices in the network environment, thereby removing their influence on network security and avoiding more serious network attacks.

Description

Situation awareness prediction method, device and system for collapse equipment
Technical Field
The invention relates to the technical field of network security, in particular to a situation awareness prediction method of a collapse device.
Background
A situation awareness system aims to acquire, understand and display the security elements that can change the network situation in a large-scale network environment, and to predict the near-term trend, so that decisions and actions can be taken. In the prior art, the situation awareness system integrates several data information systems, such as antivirus software, firewalls, network management systems, intrusion monitoring systems and security audit systems, to evaluate the current state of the network environment and predict its future trend.
In the field of network security, devices that have been compromised and are used by network intruders appear frequently, and such a collapse device poses a serious threat to network security. Therefore, to ensure network security and awareness of potential threats, enterprises often choose a situation awareness system to improve security and stable operation; detecting collapse devices and defending against them through situation awareness capability is one of the current hot problems.
Therefore, a situation awareness prediction method, device and system for collapse devices are provided to solve the problem that collapse devices affect network security: the situation awareness system defends against collapse devices in the network environment to avoid more serious network attacks, which is the technical problem to be solved at present.
Disclosure of Invention
The aim of the invention is as follows: the invention acquires information of the collapse device, and log information and alarm information of the network node associated with the collapse device; acquires situation awareness information of the collapse device and situation awareness information of the network node; compares the two to obtain the abnormal items in the situation awareness information of the collapse device that relate to the situation awareness information of the network node; and analyzes the abnormal items to obtain the abnormal cause of the collapse device, acquiring a matched defense scheme based on that cause to process the collapse device and/or the device that produced the cause.
In order to solve the existing technical problems, the invention provides the following technical scheme:
a situation awareness prediction method of a collapse device is characterized by comprising the following steps:
acquiring information of a collapse device, and acquiring log information and alarm information of a network node associated with the collapse device;
acquiring situation awareness information of the collapse equipment based on the information of the collapse equipment, and acquiring situation awareness information of the network node based on log information and alarm information of the network node;
comparing the situation awareness information of the collapse equipment with the situation awareness information of the network node to obtain abnormal items related to the situation awareness information of the network node in the situation awareness information of the collapse equipment;
analyzing the abnormal item to obtain an abnormal cause of the collapse device, and acquiring a matched defense scheme based on the abnormal cause to process the collapse device and/or the device causing the abnormal cause.
Further, the abnormal items analyzed include an abnormal state, an abnormal signal and abnormal behavior.
Further, when analyzing the foregoing abnormal items, the analysis object includes unknown traffic, common protocol, P2P download, HTTP protocol and/or instant messaging message.
Further, the alarms comprise emergency alarms and non-emergency alarms; when an alarm is judged to be an emergency alarm, security defense is applied to the corresponding network node, the network access of that node is disconnected, and fault processing is performed on the network environment where the node is located; and/or network nodes that have raised alarms are detected periodically, and their log information is sent to the situation awareness system for security analysis.
Further, the alarms include root-cause alarms, derivative alarms, and general alarms that are not derived from a root-cause alarm.
Further, the ports and/or IP network segments of the alarming network node that did not themselves trigger the alarm are monitored.
Further, the IP address of the network node in the alarm information is acquired, the access or operation record information of the IP address is acquired, and track tracing and/or track safety analysis is performed.
Further, data monitoring is performed on the input/output ports of the network nodes, and when the network environment is abnormally changed, the operation performed on the network nodes is marked and traced.
A situation awareness prediction device of a collapse device is characterized by comprising the following structure:
the information acquisition unit is used for acquiring the information of the collapse equipment, and the log information and the alarm information of the network node associated with the collapse equipment;
the information generating unit is used for obtaining situation awareness information of the collapse equipment based on the collapse equipment information and obtaining situation awareness information of the network node based on log information and alarm information of the network node;
the information comparison unit is used for comparing the situation awareness information of the collapse equipment with the situation awareness information of the network node to obtain abnormal items related to the situation awareness information of the network node in the situation awareness information of the collapse equipment;
and the information analysis unit is used for analyzing the abnormal items to obtain the abnormal reasons of the collapse equipment, and acquiring a matched defense scheme based on the abnormal reasons to process the collapse equipment and/or equipment causing the abnormal reasons.
A situation awareness prediction system for a collapse device, comprising:
a network node for receiving and transmitting data;
a situation awareness system that periodically detects the network nodes that have raised alarms and performs security analysis on their log information;
the system server is connected with the network node and the situation awareness system;
the system server is configured to:
acquiring information of a collapse device, and acquiring log information and alarm information of a network node associated with the collapse device; acquiring situation awareness information of the collapse equipment based on the information of the collapse equipment, and acquiring situation awareness information of the network node based on log information and alarm information of the network node; comparing the situation awareness information of the collapse equipment with the situation awareness information of the network node to obtain abnormal items related to the situation awareness information of the network node in the situation awareness information of the collapse equipment; analyzing the abnormal item to obtain an abnormal cause of the collapse device, and acquiring a matched defense scheme based on the abnormal cause to process the collapse device and/or the device causing the abnormal cause.
Compared with the prior art, the invention has the following advantages and positive effects by way of example due to the adoption of the technical scheme:
firstly, acquiring information of a collapse device, and acquiring log information and alarm information of a network node associated with the collapse device; acquiring situation awareness information of the collapse equipment based on the information of the collapse equipment, and acquiring situation awareness information of the network node based on log information and alarm information of the network node; comparing the situation awareness information of the collapse equipment with the situation awareness information of the network node to obtain abnormal items related to the situation awareness information of the network node in the situation awareness information of the collapse equipment; analyzing the abnormal item to obtain an abnormal cause of the collapse device, and acquiring a matched defense scheme based on the abnormal cause to process the collapse device and/or the device causing the abnormal cause.
Drawings
Fig. 1 is a flowchart provided in an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a system according to an embodiment of the present invention.
Reference numerals illustrate:
the device 200, the information acquisition unit 201, the information generation unit 202, the information comparison unit 203, the information analysis unit 204;
system 300, network node 301, situation awareness system 302, system server 303.
Detailed Description
The situation awareness prediction method, device and system of the collapse equipment disclosed by the invention are further described in detail below with reference to the accompanying drawings and specific embodiments. It should be noted that the technical features or combinations of technical features described in the following embodiments should not be regarded as being isolated, and they may be combined with each other to achieve a better technical effect. In the drawings of the embodiments described below, like reference numerals appearing in the various drawings represent like features or components and are applicable to the various embodiments. Thus, once an item is defined in one drawing, no further discussion thereof is required in subsequent drawings.
It should be noted that the structures, proportions, sizes, etc. shown in the drawings are used only in conjunction with the disclosure of the present specification and are not intended to limit the applicable scope of the present invention. The scope of the preferred embodiments includes additional implementations in which functions may be performed out of the order described or discussed, including substantially simultaneously or in reverse order, depending on the function involved, as would be understood by those skilled in the art to which the embodiments pertain.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but should be considered part of the specification where appropriate. In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to fig. 1, a flowchart is provided for the present invention. The implementation step S100 of the method is as follows:
s101, acquiring information of the collapse equipment, and acquiring log information and alarm information of a network node associated with the collapse equipment.
The collapse device is a network node which is controlled by a network intrusion attacker in a certain way, and after the network intrusion attacker obtains the control right, the attacker can continuously attack other hosts in the enterprise intranet by taking the network node as a springboard.
It should be noted that a collapse device often behaves irregularly and with high concealment, which makes many intrusion actions difficult to identify, or makes it impossible to confirm whether an attack succeeded. However, it can be determined that a host has been compromised from the various operations that follow the compromise; security event analysis of these operations can identify the interactions of a multi-stage attack on the host.
The information of the collapse device comprises alarm information of the collapse device, wherein the alarm information comprises but is not limited to collapse time and attacked information of the collapse device, and besides, the information of the collapse device also comprises data information such as access information, operation information and the like of the collapse device after collapse.
The network node refers to a terminal having independent network addresses and data processing functions in a network environment, including, but not limited to, functions of transmitting data, receiving data, and/or analyzing data. The network nodes may be workstations, clients, network users or personal computers, or servers, printers and other network-connected devices. The whole network environment comprises a plurality of network nodes which are connected through communication lines to form a network topology structure. The communication line may be a wired communication system or a wireless communication system.
It should be noted that when a network node is in some way controlled by a network intruder, the network node is called a collapse device. That is, a network node is a collapse device only while it is under the control of a network intruder. When the intruder loses control of the collapse device, it returns to a normal working state, and at that point the collapse device is still a network node.
The log information of the network node refers to the event records generated during the operation of network equipment, systems, service programs and the like, where each log line records a description of the related operation, such as date, time, user and action. The log information of the network node includes, but is not limited to, the following:
the duration of the connection, in seconds, which may for example lie in the range [0, 58329];
the protocol type, including but not limited to TCP, UDP and ICMP;
the network service type of the target host;
the normal or error status of the connection;
the number of data bytes from the source host to the target host, which may for example lie in the range [0, 1379963888];
the number of data bytes from the target host to the source host, which may for example lie in the range [0, 1309937401];
whether the connection is from and to the same host, and whether the same port is used;
the number of erroneous fragments, which may for example lie in the range [0, 3];
the number of urgent packets, which may for example lie in the range [0, 14].
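As an added example (not part of the patent), the following Python parses connection-log records carrying the fields just listed, rejects records whose values fall outside the stated ranges, and aggregates the valid ones per protocol as input for the node's situation awareness information; the comma-separated layout, the field names, the set of connection-state flags and the sample lines are assumptions constructed here.

```python
# Added example, not from the patent: parse and range-check connection-log records
# carrying the fields the description lists, then aggregate them per protocol.
# The comma-separated layout, field names, flag codes and sample lines are assumptions.

# Field order is assumed; the numeric ranges are the ones given in the description.
FIELDS = ("duration", "protocol_type", "service", "flag",
          "src_bytes", "dst_bytes", "land", "wrong_fragment", "urgent")
RANGES = {
    "duration": (0, 58329),
    "src_bytes": (0, 1379963888),
    "dst_bytes": (0, 1309937401),
    "land": (0, 1),              # 1 if the connection is from/to the same host and port
    "wrong_fragment": (0, 3),
    "urgent": (0, 14),
}
PROTOCOLS = {"tcp", "udp", "icmp"}
FLAGS = {"SF", "S0", "REJ", "RSTO"}  # assumed connection-state codes; SF = normal

# Constructed sample log: three valid records followed by two malformed ones.
SAMPLE_LOG = """\
0,tcp,http,SF,215,45076,0,0,0
12,udp,domain,SF,146,105,0,0,0
0,icmp,eco_i,SF,8,0,0,0,0
5,tcp,smtp,SF,-3,400,0,0,0
99999,gre,other,SF,10,10,0,0,0
"""


def parse_record(line):
    """Parse one record into a dict; raise ValueError naming the offending field."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["protocol_type"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol_type {rec['protocol_type']!r}")
    if rec["flag"] not in FLAGS:
        raise ValueError(f"unknown flag {rec['flag']!r}")
    for name, (lo, hi) in RANGES.items():
        try:
            value = int(rec[name])
        except ValueError:
            raise ValueError(f"{name} is not an integer: {rec[name]!r}") from None
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} outside [{lo}, {hi}]")
        rec[name] = value
    return rec


def parse_log(text):
    """Parse every non-empty line; return (valid records, [(line_no, error), ...])."""
    records, errors = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(parse_record(line))
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return records, errors


def summarize(records):
    """Per-protocol totals that feed the node's situation awareness information."""
    summary = {}
    for rec in records:
        s = summary.setdefault(rec["protocol_type"],
                               {"connections": 0, "bytes_out": 0, "bytes_in": 0,
                                "errors": 0, "urgent": 0})
        s["connections"] += 1
        s["bytes_out"] += rec["src_bytes"]
        s["bytes_in"] += rec["dst_bytes"]
        # A record counts as an error if it carries wrong fragments or a non-normal flag.
        s["errors"] += int(rec["wrong_fragment"] > 0 or rec["flag"] != "SF")
        s["urgent"] += rec["urgent"]
    return summary


if __name__ == "__main__":
    recs, errs = parse_log(SAMPLE_LOG)
    print(len(recs), "valid records;", len(errs), "rejected")
    for line_no, msg in errs:
        print(f"  line {line_no}: {msg}")
    print(summarize(recs))
```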
In a preferred implementation manner of this embodiment, the alarm is an event report for transmitting alarm information, which is also called an alarm event for short. It can be defined by the manufacturer or by the network manager in combination with alarms in the network. In one alarm, the monitoring unit of the network management system gives alarm signals according to the fault condition, and each time the system receives an alarm signal, the system represents the occurrence of one alarm event, performs fault description in the form of alarm information and displays the alarm information in the alarm information management center of the network management system. The failure is the cause of an alarm event generated by a device in the network.
The alarm information includes historical alarm information and real-time alarm information. The alarm information includes, but is not limited to, information about the name of the fault device, symptoms of the fault, the location of occurrence, time of occurrence, reason of occurrence, etc.
It should be noted that the network node has a data processing function, and this data processing includes cleaning the data information.
The objects of the data processing include, but are not limited to, historical alarm information and the log information of the network node related to that historical alarm information.
S102, obtaining situation awareness information of the collapse equipment based on the information of the collapse equipment, and obtaining situation awareness information of the network node based on the log information and the alarm information of the network node.
The situation awareness information refers to data information stored in a situation awareness system and is used for analyzing the development trend of situation awareness. The data sources of the situation awareness information include, but are not limited to, environmental service data, network layer data, log layer data and alarm data, so that the situation awareness information can include, but is not limited to, network environment information, log information of a network node, alarm information and the like, and in the process of forming network space security situation awareness, the data information of different sources is effectively fused by referring to the prior art.
The network environment information refers to data information related to the network environment, including but not limited to first access time of the user, access times of the user, operation type of the user at the current time, access rate of the control user and the like.
The operation of obtaining the situation awareness information of the collapse device from the collapse device information may be, by way of example and not limitation, extracting the information corresponding to each attribute type in the collapse device information, where the extracted information embodies the core features of that information.
For example, the situation awareness information of the collapse device may be obtained by extracting the corresponding information for attribute types such as the collapse cause, the collapse time and the collapsed host from the collapse device information.
Likewise, the operation of obtaining the situation awareness information of the network node based on the log information and the alarm information of the network node may be, by way of example and not limitation, extracting information corresponding to the attribute types in the log information and the alarm information of the network node, where the extracted information can embody core features corresponding to the information.
For example, the log information of the network node may extract corresponding information from attribute types such as keywords, sources, event IDs, task categories, dates, and times; the alarm information can extract corresponding information from attribute types such as alarm grade, alarm object, alarm reason and the like. And extracting information corresponding to the attribute type from the log information and the alarm information of the network node, and obtaining situation awareness information of the network node from the extracted information.
In the operation of obtaining situation awareness information of the network node based on the log information and the alarm information of the network node, the alarm information may be alarm information of the network node or alarm information triggering the network node to alarm.
It should be further noted that when the foregoing alarm information is processed, redundant data is filtered out; the filtered data includes, but is not limited to, frequent alarms, user-side alarms, general alarms that are not derived from a root-cause alarm, and derivative alarms identified by association rules.
S103, comparing the situation awareness information of the collapse equipment with the situation awareness information of the network node to obtain abnormal items related to the situation awareness information of the network node in the situation awareness information of the collapse equipment.
The abnormal items are obtained by comparing the situation awareness information of the collapse device with that of the network node. An abnormal item is a warning or error that occurs while a program or system runs, which often affects the robustness, reliability and safety of the program. By way of example and not limitation, the abnormal items include, but are not limited to, an abnormal state, an abnormal signal, an abnormal operation, abnormal behavior, an abnormal value, and the like in the network environment.
S104, analyzing the abnormal items to obtain the abnormal reasons of the collapse equipment, and acquiring a matched defense scheme based on the abnormal reasons to process the collapse equipment and/or equipment causing the abnormal reasons.
The analysis operation can obtain an abnormal item according to the compared situation awareness information, wherein the abnormal item comprises the abnormal reason of the collapse device, and the abnormal reason of the collapse device can also be obtained based on the analysis of the existing analysis technology. By way of example and not limitation, the abnormal value corresponding to the abnormal item may be analyzed, and the abnormal value may be an outlier or a value exceeding a threshold value.
Preferably, the abnormal items analyzed include an abnormal state, an abnormal signal and abnormal behavior.
In addition, the abnormal items also comprise process abnormal behaviors, abnormal network connection, abnormal account numbers and the like.
Optionally, the abnormal item is dynamic, a decision criterion is set for the abnormal item when evaluating the abnormal item, and the abnormal item is removed when the abnormal item no longer meets the decision criterion.
Optionally, the abnormal items are updated along with the operation of comparing the situation awareness information of the collapse device and the situation awareness information of the network node, and the abnormal items are processed based on a situation awareness system.
By way of example and not limitation, the abnormal item may be abnormal flow: when the flow value of the collapse device exceeds a maximum flow threshold or falls below a minimum flow threshold, the abnormal item of the collapse device is determined to be abnormal flow.
When the flow value of the collapse device returns to within the normal minimum and maximum flow thresholds, the abnormal item returns to normal, and abnormal flow is no longer an abnormal item of the collapse device.
It should be noted that when the collapse device has no abnormal item, that is, when it resumes normal operation, it continues to operate as a normal network node. Meanwhile, the network node that was a collapse device can be monitored to avoid it being controlled by a network intruder again and becoming a collapse device once more.
After the abnormal item is obtained, the situation awareness system can analyze and predict based on it to obtain predicted alarm information, perform a preventive operation on the network node corresponding to that information, perform a unidirectional access operation on that node during the preventive operation, record the operations performed by objects accessing the node, and lift the preventive defense operation when it is determined that the object being defended against no longer needs to be defended.
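As an added example (not the patent's own code), the following Python models steps S102 to S104 for one collapse device and its associated network node, including the root-cause alarm filtering noted under S102 and the dynamic abnormal-flow item described above, which disappears once the flow is back within the thresholds; the attribute names, threshold values, defense table and sample records are assumptions constructed here.

```python
# Added example, not from the patent: a minimal model of steps S102-S104 for one collapse
# device and its associated network node. Attribute names, flow threshold values, the
# defense table and all sample records are constructed assumptions.
from dataclasses import dataclass


@dataclass
class FlowThresholds:
    """Normal minimum/maximum flow; the page names the thresholds but gives no values."""
    minimum: float = 50.0       # assumed, bytes per second
    maximum: float = 20_000.0   # assumed, bytes per second


# Constructed: matched defense scheme per abnormal cause (S104).
DEFENSE_SCHEMES = {
    "abnormal_flow": "rate-limit the device and inspect its traffic",
    "abnormal_network_connection": "disconnect network access and trace the peer IP",
    "abnormal_account": "disable the account and force a credential reset",
}


def filter_alarms(alarms):
    """Keep root-cause alarms only; derivative and general alarms are redundant data."""
    return [a for a in alarms if a["kind"] == "root"]


def node_situation(node_logs, node_alarms):
    """S102, node side: situation awareness attributes from the node's log and alarm info."""
    return {
        "peers": {r["dst_ip"] for r in node_logs},
        "accounts": {r["user"] for r in node_logs},
        "alarm_objects": {a["object"] for a in filter_alarms(node_alarms)},
    }


def device_situation(device_info):
    """S102, device side: the attribute types the page names plus post-collapse records."""
    after = device_info["access_after_collapse"]
    return {
        "collapse_cause": device_info["collapse_cause"],
        "collapse_time": device_info["collapse_time"],
        "collapse_host": device_info["collapse_host"],
        "flow_rate": device_info["flow_rate"],
        "peers": {r["dst_ip"] for r in after},
        "accounts": {r["user"] for r in after},
    }


def compare_situations(device, node, thresholds):
    """S103: abnormal items in the device's info, judged against the node's; items are
    dynamic, each present only while its decision criterion holds."""
    items = {}
    rate = device["flow_rate"]
    if not thresholds.minimum <= rate <= thresholds.maximum:
        items["abnormal_flow"] = rate
    # Peers the node never talked to, or peers under a root-cause alarm, are abnormal.
    bad_peers = (device["peers"] - node["peers"]) | (device["peers"] & node["alarm_objects"])
    if bad_peers:
        items["abnormal_network_connection"] = sorted(bad_peers)
    unknown_accounts = device["accounts"] - node["accounts"]
    if unknown_accounts:
        items["abnormal_account"] = sorted(unknown_accounts)
    return items


def analyze(items):
    """S104: each abnormal item names its cause; look up the matched defense scheme."""
    return {cause: DEFENSE_SCHEMES[cause] for cause in items}


# Constructed sample data: the node's baseline and the device's post-collapse records.
NODE_LOGS = [
    {"dst_ip": "10.0.0.5", "user": "svc_backup"},
    {"dst_ip": "10.0.0.7", "user": "alice"},
]
NODE_ALARMS = [
    {"kind": "root", "object": "10.0.0.7"},
    {"kind": "derivative", "object": "10.0.0.9"},
    {"kind": "general", "object": "10.0.0.5"},
]
DEVICE_INFO = {
    "collapse_cause": "web shell upload",
    "collapse_time": "2021-09-01T02:15:00",
    "collapse_host": "10.0.0.7",
    "flow_rate": 48_000.0,  # above the assumed maximum
    "access_after_collapse": [
        {"dst_ip": "10.0.0.5", "user": "svc_backup"},
        {"dst_ip": "203.0.113.9", "user": "svc_backup"},  # documentation-range IP
        {"dst_ip": "10.0.0.5", "user": "www-data"},
    ],
}


def run_pipeline(device_info, thresholds=None):
    """Return (abnormal items, matched defense schemes) for one device against NODE_*."""
    thresholds = thresholds or FlowThresholds()
    node = node_situation(NODE_LOGS, NODE_ALARMS)
    items = compare_situations(device_situation(device_info), node, thresholds)
    return items, analyze(items)
```

Running `run_pipeline(DEVICE_INFO)` yields three abnormal items; re-running with `flow_rate` set back inside the thresholds drops the abnormal-flow item while the connection and account items remain.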
Preferably, when analyzing the abnormal item, the analysis object includes unknown traffic, common protocol, P2P download, HTTP protocol and/or instant messaging message.
Preferably, the alarms include emergency alarms and non-emergency alarms; when an alarm is determined to be an emergency alarm, security defense is applied to the corresponding network node, its network access is disconnected, and fault processing is performed on the network environment where it is located; and/or network nodes that have raised alarms are detected periodically, and their log information is sent to the situation awareness system for security analysis.
The emergency alarm reports abnormal data that appears suddenly among the alarm data; the abnormal data can be an abnormal operation, abnormal behavior, an abnormal value and the like. Preferably, the emergency alarm is generated after the situation awareness system analyzes the alarm data, and it can provide a pointer for displaying the abnormal data. A non-emergency alarm is any alarm other than an emergency alarm.
Fault processing is the troubleshooting of faults that occur in the network environment, and comprises the following steps: observing and describing the fault phenomenon and collecting information on possible fault causes; analyzing the cause of the fault and formulating solutions; and implementing the solutions one by one while recording the troubleshooting process until the network returns to normal.
The periodic detection may be configured with a detection time or a detection period, and the items detected may include, but are not limited to, the following:
the webpage is tamper-proof and is used for monitoring the website catalogue in real time and recovering tampered files or catalogues through backup, so that website information of an important system is prevented from being tampered maliciously, and contents such as horse hanging, black chain, illegal implantation terrorism threat and the like are prevented;
the abnormal process behavior is used for detecting whether the behavior exceeding the normal execution flow exists in the asset;
the abnormal login is used for detecting abnormal login behaviors on the server. The abnormal login can be illegal IP login of ECS, ECS login very commonly, executing abnormal instruction sequence after ECS login, etc.;
sensitive file tampering is used for detecting whether malicious modification is carried out on the sensitive file in the server or not;
the malicious process is used for detecting the server in real time and providing real-time warning for the detected virus file. The detectable sub-items include accessing malicious IP, mining procedures, self-variation Trojan, malicious procedures, trojan horse procedures, and the like;
abnormal network connection, detecting network display disconnection or abnormal network connection state. The abnormal network connection can be active connection of malicious download sources, access of malicious domain names, mine pool communication behaviors, suspicious network external connection, rebound Shell network external connection, windows abnormal network connection, suspicious internal network transverse attack, suspicious sensitive port scanning behaviors and the like;
the abnormal account is used for detecting an illegal login account;
an application intrusion event to detect a behavior of an intrusion server through an application component of the system;
the virus detection can be used for actively defending the types of mainstream lux virus, DDoS Trojan horse, mining and Trojan horse programs, malicious programs, backdoor programs, worm viruses and the like;
the method comprises the steps of Web application threat detection, wherein the Web application threat detection is used for detecting the behavior of an intrusion server through the Web application;
a malicious script for detecting whether the system function of the asset is attacked or tampered by the malicious script, and carrying out alarm prompt on possible attack behaviors of the malicious script;
the malicious network behavior comprehensively judges abnormal network behaviors through logs such as flow content, server behavior and the like, and the abnormal network behaviors comprise abnormal network behaviors initiated by an attacker to invade a host through open network service or the host after sinking.
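Three of the periodic test items above (abnormal login, abnormal instruction sequence after login, sensitive file tampering) carried out over a constructed host event stream, as an added example that is not code from the patent. The asset name, IP allowlist, regions, file digests, denied-command policy and every event are constructed; the patent names none of them.

```python
"""Periodic host checks of the kind listed above, run over constructed host
events: abnormal login (non-allowlisted IP or unusual region), abnormal
command sequence after login, and sensitive file tampering. Added example;
not code from the patent. Hosts, addresses, paths and rules are constructed."""
import hashlib
import ipaddress
from collections import defaultdict

# Constructed per-asset baseline of the kind a situation awareness system
# would hold: permitted source networks, usual login regions, and the SHA-256
# digests of sensitive files recorded when the baseline was taken.
ALLOWED_NETS = {"ecs-web-01": [ipaddress.ip_network("10.0.0.0/8")]}
USUAL_REGIONS = {"ecs-web-01": {"CN-SH"}}
SENSITIVE_FILES = {
    "/etc/passwd": hashlib.sha256(b"root:x:0:0:root:/root:/bin/bash\n").hexdigest(),
}
# Commands a web host's interactive sessions are not expected to run
# (constructed policy; the patent names no specific commands).
DENIED_AFTER_LOGIN = frozenset({"useradd", "crontab", "nc"})

# Constructed event stream: one normal session (s1), one suspicious session
# (s2) and one observed content of a sensitive file.
EVENTS = [
    {"t": 100, "host": "ecs-web-01", "type": "login", "user": "deploy",
     "src": "10.1.2.3", "region": "CN-SH", "sid": "s1"},
    {"t": 101, "host": "ecs-web-01", "type": "cmd", "sid": "s1", "cmd": "systemctl"},
    {"t": 200, "host": "ecs-web-01", "type": "login", "user": "root",
     "src": "203.0.113.7", "region": "XX-00", "sid": "s2"},
    {"t": 201, "host": "ecs-web-01", "type": "cmd", "sid": "s2", "cmd": "useradd"},
    {"t": 202, "host": "ecs-web-01", "type": "cmd", "sid": "s2", "cmd": "crontab"},
    {"t": 300, "host": "ecs-web-01", "type": "file", "path": "/etc/passwd",
     "content": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n"},
]


def check_logins(events):
    """Abnormal login: source IP outside the allowlist or region outside the usual set."""
    findings = []
    for e in events:
        if e["type"] != "login":
            continue
        host, src = e["host"], ipaddress.ip_address(e["src"])
        if not any(src in net for net in ALLOWED_NETS.get(host, [])):
            findings.append(("abnormal_login", host, f"login from non-allowlisted IP {src}"))
        if e["region"] not in USUAL_REGIONS.get(host, set()):
            findings.append(("abnormal_login", host, f"login from unusual region {e['region']}"))
    return findings


def check_post_login_commands(events, denied=DENIED_AFTER_LOGIN):
    """Abnormal instruction sequence after login: denied commands within a session."""
    by_session = defaultdict(list)
    for e in events:
        if e["type"] == "cmd":
            by_session[e["sid"]].append(e["cmd"])
    findings = []
    for sid, seq in by_session.items():
        hits = [c for c in seq if c in denied]
        if hits:
            findings.append(("abnormal_process_behavior", sid, f"denied commands after login: {hits}"))
    return findings


def check_sensitive_files(events):
    """Sensitive file tampering: observed content digest differs from the baseline."""
    findings = []
    for e in events:
        if e["type"] != "file" or e["path"] not in SENSITIVE_FILES:
            continue
        if hashlib.sha256(e["content"]).hexdigest() != SENSITIVE_FILES[e["path"]]:
            findings.append(("sensitive_file_tampering", e["path"], "digest differs from baseline"))
    return findings


def run_periodic_test(events=EVENTS):
    """One scheduled run of the three checks; returns (category, subject, detail) tuples."""
    return check_logins(events) + check_post_login_commands(events) + check_sensitive_files(events)


if __name__ == "__main__":
    for finding in run_periodic_test():
        print(*finding, sep=" | ")
```

Each check returns tuples tagged with the test item it belongs to, so the scheduler that runs the periodic test can route findings to the corresponding alarm category; the file check compares digests rather than content so the baseline can be stored without the sensitive file itself.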
Preferably, the alarms include a root alarm, a derivative alarm, and a general alarm that is neither a root alarm nor a derivative alarm.
As one preferred implementation of this embodiment, it should be noted that when one network node and/or one communication link fails, the failure may cause a plurality of associated network nodes and/or communication links to fail as well. Among the resulting alarms, those raised by the former are called root alarms, and those generated by the latter are called derivative alarms.
Root alarms and derivative alarms can be identified through alarm correlation analysis, which analyzes, in an association rule mining manner, the rule information of the root alarms and derivative alarms present among the alarms.
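The association-rule style of correlation just described, carried through as an added example (not the patent's own algorithm): rules "B follows A within a window" are mined from a constructed alarm history by support and confidence, and a new batch of alarms is then labelled root, derivative or general. The alarm names, window and thresholds are constructed for the example.

```python
"""Alarm correlation by association rule mining, as an added example (not the
patent's own algorithm): rules "A => B within w seconds" are mined from a
constructed alarm history by support/confidence, then a new alarm batch is
labelled root, derivative or general. Alarm names and thresholds are constructed."""
from collections import Counter

# Constructed alarm history: (time in seconds, alarm type). A link-down alarm on
# the core switch is repeatedly followed by unreachable alarms on two servers;
# one server alarm also occurs on its own.
HISTORY = [
    (0, "link_down:sw-core"), (2, "unreachable:srv-a"), (3, "unreachable:srv-b"),
    (100, "link_down:sw-core"), (101, "unreachable:srv-a"), (103, "unreachable:srv-b"),
    (200, "link_down:sw-core"), (202, "unreachable:srv-a"), (204, "unreachable:srv-b"),
    (300, "disk_full:srv-c"),
    (400, "unreachable:srv-a"),
]


def mine_rules(history, window=10, min_support=2, min_confidence=0.8):
    """Return {(a, b): confidence} for rules 'b follows a within window'.

    support(a => b) = number of occurrences of a followed by b within the
    window; confidence = support / count(a). Thresholds are constructed."""
    history = sorted(history)
    count = Counter(name for _, name in history)
    support = Counter()
    for i, (ta, a) in enumerate(history):
        seen = set()
        for tb, b in history[i + 1:]:
            if tb - ta > window:
                break
            if b != a and b not in seen:
                seen.add(b)
                support[(a, b)] += 1
    return {
        (a, b): sup / count[a]
        for (a, b), sup in support.items()
        if sup >= min_support and sup / count[a] >= min_confidence
    }


def classify_alarms(batch, rules, window=10):
    """Label each alarm: derivative if a rule antecedent fired within the window
    before it, root if it is the antecedent of a rule whose consequent follows
    within the window, otherwise general."""
    batch = sorted(batch)
    labels = {}
    for i, (tb, b) in enumerate(batch):
        derived = any((a, b) in rules for ta, a in batch[:i] if tb - ta <= window)
        if derived:
            labels[(tb, b)] = "derivative"
            continue
        causes = any((b, c) in rules for tc, c in batch[i + 1:] if tc - tb <= window)
        labels[(tb, b)] = "root" if causes else "general"
    return labels


# Constructed incoming batch to classify against the mined rules.
BATCH = [(500, "link_down:sw-core"), (501, "unreachable:srv-a"),
         (503, "unreachable:srv-b"), (520, "disk_full:srv-c")]

if __name__ == "__main__":
    rules = mine_rules(HISTORY)
    for (a, b), conf in sorted(rules.items()):
        print(f"{a} => {b}  confidence={conf:.2f}")
    for (t, name), label in classify_alarms(BATCH, rules).items():
        print(t, name, label)
```

With the constructed history, "unreachable:srv-a => unreachable:srv-b" has confidence 0.75 and is rejected by the 0.8 threshold, so only the switch's link-down alarm is treated as a root cause; the confidence threshold is what keeps co-occurring derivative alarms from being mistaken for causes of each other.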
Preferably, the ports and/or IP network segments of the network node where the alarm occurs that did not trigger the alarm are monitored.
When data monitoring is performed, the situation awareness system can monitor the ports and/or IP network segments of the network node where the alarm occurs that did not trigger the alarm; these ports and/or IP network segments communicate in a multiplexed manner.
Preferably, the IP address of the network node in the alarm information is collected, the access or operation record information of that IP address is obtained, and trajectory tracing and/or trajectory security analysis is performed.
The IP address may be in the unified address format provided by the IP protocol the user adheres to; it assigns a logical address to each network node in the network environment and to each terminal device through which the user applies for access, so that the situation awareness system can track the user's access path.
Preferably, data monitoring is performed on the input/output ports of the network nodes, and when the network environment changes abnormally, the operations performed on the network nodes are marked and traced.
When an alarm is triggered, the alarm can display the port information of the network node that triggered it, while the operations executed on the ports of other network nodes that did not trigger the alarm are monitored at the same time. This ensures real-time network security control, and the ports and/or IP network segments keep normal communication and stable operation with the other network nodes while no alarm is triggered.
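The alarm follow-up described in the preceding paragraphs, as an added example that is not the patent's code: deriving the monitoring scope of the alarming node (its ports and IP segments that did not trigger the alarm), tracing the access path of the alarm's source IP through access and operation records, and marking the operations on that path at or after the alarm time. The inventory, alarm and records are constructed; the rule that a later record from a segment of an already-reached node is treated as a pivot through that node is an assumption of this example.

```python
"""Alarm follow-up as described above, as an added example (not the patent's
code): (1) monitoring scope of the alarming node, i.e. its ports and IP
segments that did not trigger the alarm; (2) tracing the access path of the
alarm's source IP through access/operation records, following it into the
next node when a later record comes from a segment of a node already reached;
(3) marking the operations on that path at or after the alarm time. Inventory,
alarm and records are constructed; the pivot rule in (2) is an assumption."""
import ipaddress

# Constructed inventory: listening ports and attached IP segments per node.
NODES = {
    "srv-web": {"ports": {22, 80, 443}, "segments": ["192.0.2.0/24"]},
    "srv-db": {"ports": {22, 3306}, "segments": ["198.51.100.0/24"]},
}
# Constructed alarm raised on srv-web port 443 by traffic from 203.0.113.9.
ALARM = {"node": "srv-web", "port": 443, "src_ip": "203.0.113.9", "time": 1000}
# Constructed access/operation records from the nodes' access and audit logs.
RECORDS = [
    {"time": 990, "src_ip": "203.0.113.9", "node": "srv-web", "port": 443, "op": "GET /login"},
    {"time": 1000, "src_ip": "203.0.113.9", "node": "srv-web", "port": 443, "op": "POST /upload"},
    {"time": 1005, "src_ip": "192.0.2.10", "node": "srv-db", "port": 3306, "op": "SELECT accounts"},
    {"time": 1400, "src_ip": "192.0.2.10", "node": "srv-db", "port": 3306, "op": "SELECT accounts"},
]


def monitoring_scope(nodes, alarm):
    """Ports and IP segments of the alarming node that did not trigger the alarm."""
    node = nodes[alarm["node"]]
    return {"node": alarm["node"],
            "ports": sorted(node["ports"] - {alarm["port"]}),
            "segments": list(node["segments"])}


def trace_access_path(records, src_ip, nodes, start, window):
    """Ordered hops (node, port, time, op, how) reached from src_ip within
    start +/- window seconds. A record joins the path directly when it comes
    from src_ip, or as a pivot when it comes from an IP segment of a node the
    path has already reached (assumption: that node relayed the access)."""
    path, reached = [], set()
    for r in sorted(records, key=lambda rec: rec["time"]):
        if not start - window <= r["time"] <= start + window:
            continue
        src = ipaddress.ip_address(r["src_ip"])
        direct = r["src_ip"] == src_ip
        pivot = any(src in ipaddress.ip_network(seg)
                    for n in reached for seg in nodes[n]["segments"])
        if direct or pivot:
            path.append((r["node"], r["port"], r["time"], r["op"], "direct" if direct else "pivot"))
            reached.add(r["node"])
    return path


def mark_operations(path, alarm_time):
    """Operations on the traced path executed at or after the alarm, marked for review."""
    return [hop for hop in path if hop[2] >= alarm_time]


if __name__ == "__main__":
    print(monitoring_scope(NODES, ALARM))
    path = trace_access_path(RECORDS, ALARM["src_ip"], NODES, ALARM["time"], window=60)
    for hop in path:
        print(hop)
    print("marked:", mark_operations(path, ALARM["time"]))
```

The window bounds both the trace and the marking, so a routine query from the same internal address long after the alarm (the record at t=1400) is neither attributed to the access path nor marked; widening the window trades that precision for recall.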
Other technical features are referred to the previous embodiments and will not be described here again.
Referring to fig. 2, the present invention further provides an embodiment of a situation awareness prediction apparatus 200 for a collapse device, characterized by comprising:
an information obtaining unit 201, configured to obtain information of the collapse device, and log information and alarm information of a network node associated with the collapse device;
an information generating unit 202, configured to obtain situation awareness information of the collapse device based on the collapse device information, and to obtain situation awareness information of the network node based on the log information and alarm information of the network node;
an information comparing unit 203, configured to compare the situation awareness information of the collapse device with the situation awareness information of the network node, so as to obtain the abnormal items in the situation awareness information of the collapse device that are related to the situation awareness information of the network node;
an information analysis unit 204, configured to analyze the abnormal items to obtain the abnormal cause of the collapse device, and to obtain a matching defense scheme based on the abnormal cause in order to process the collapse device and/or the device causing the abnormal cause.
In addition, referring to fig. 3, the present invention further provides an embodiment of a situation awareness prediction system 300 for a collapse device, characterized by comprising:
a network node 301, configured to transmit and receive data;
a situation awareness system 302, which periodically detects the network node where an alarm has occurred and performs security analysis on the log information of that network node.
The situation awareness system integrates a plurality of data information systems such as antivirus software, a firewall, a network management system, an intrusion monitoring system and a security audit system, so as to evaluate the current condition of the network environment and forecast its future trend;
a system server 303, connected with the network node 301 and the situation awareness system 302;
the system server 303 is configured to:
acquire information of the collapse device, and acquire log information and alarm information of a network node associated with the collapse device; acquire situation awareness information of the collapse device based on the information of the collapse device, and acquire situation awareness information of the network node based on the log information and alarm information of the network node; compare the situation awareness information of the collapse device with the situation awareness information of the network node to obtain the abnormal items in the situation awareness information of the collapse device that are related to the situation awareness information of the network node; and analyze the abnormal items to obtain the abnormal cause of the collapse device, and acquire a matching defense scheme based on the abnormal cause to process the collapse device and/or the device causing the abnormal cause.
Other technical features are referred to the previous embodiments and will not be described here again.
In the above description, the components may be selectively and operatively combined in any number within the scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be construed by default as inclusive or open-ended, rather than exclusive or closed-ended, unless expressly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Common terms found in dictionaries should not be too idealized or too unrealistically interpreted in the context of the relevant technical document unless the present disclosure explicitly defines them as such.
Although the exemplary aspects of the present disclosure have been described for illustrative purposes, those skilled in the art will appreciate that the foregoing description is merely illustrative of preferred embodiments of the invention and is not intended to limit the scope of the invention in any way, including additional implementations in which functions may be performed out of the order of presentation or discussion. Any alterations and modifications of the present invention, which are made by those of ordinary skill in the art based on the above disclosure, are intended to be within the scope of the appended claims.

Claims (10)

1. A situation awareness prediction method for a collapse device, characterized by comprising the following steps:
acquiring information of the collapse device, and acquiring log information and alarm information of a network node associated with the collapse device; the collapse device is a network node over which a network intruder has obtained control; the information of the collapse device comprises alarm information of the collapse device, the alarm information comprising the collapse time, information on the attack suffered by the collapse device, and the access information and operation information of the collapse device after collapse; whether the host has been attacked can be judged from the operations performed after the attack, and these operations identify, through security event analysis, the interaction actions present in a multi-stage attack on the host;
acquiring situation awareness information of the collapse device based on the information of the collapse device, and acquiring situation awareness information of the network node based on the log information and the alarm information of the network node; the operation of acquiring the situation awareness information of the collapse device based on the collapse device information comprises extracting the situation awareness information of the collapse device from the attribute types collapse reason, collapse time and collapse host corresponding to the collapse device information; the operation of acquiring the situation awareness information of the network node based on the log information and the alarm information of the network node comprises extracting the situation awareness information of the network node from the attribute types keyword, source, event ID, task category, and date and time corresponding to the log information of the network node, and extracting the situation awareness information of the network node from the attribute types alarm level, alarm object and alarm reason corresponding to the alarm information of the network node;
comparing the situation awareness information of the collapse device with the situation awareness information of the network node to obtain the abnormal items in the situation awareness information of the collapse device that are related to the situation awareness information of the network node;
analyzing the abnormal items to obtain the abnormal cause of the collapse device, and acquiring a matching defense scheme based on the abnormal cause to process the collapse device and/or the device causing the abnormal cause.
2. The method of claim 1, wherein the abnormal items are analyzed, the abnormal items comprising an abnormal state, an abnormal signal and abnormal behavior.
3. The method according to claim 1, wherein the analysis objects for analyzing the aforementioned abnormality comprise unknown traffic, common protocols, P2P downloads, the HTTP protocol and/or instant messaging messages.
4. The method according to claim 1, wherein the alarms include an emergency alarm and a non-emergency alarm; when an alarm is determined to be an emergency alarm, the corresponding network node is protected, the network access of the network node is disconnected, and fault processing is performed on the network environment in which the network node is located;
and/or the network node where an alarm has occurred is periodically detected, and the log information of the network node is sent to the situation awareness system for security analysis.
5. The method of claim 1, wherein the alarms include a root alarm, a derivative alarm, and a general alarm that is neither a root alarm nor a derivative alarm.
6. The method according to claim 1, characterized in that the ports and/or IP network segments of the network node where an alarm occurs that did not trigger the alarm are monitored.
7. The method according to claim 1, wherein the IP address of the network node in the alarm information is collected, the access or operation record information of that IP address is obtained, and trajectory tracing and/or trajectory security analysis is performed.
8. The method according to claim 1, wherein data monitoring is performed on the input/output ports of the network nodes, and when an abnormal change occurs in the network environment, the operations performed on the network nodes are marked and traced.
9. A situation awareness prediction device for a collapse device, characterized by comprising the following structure:
an information acquisition unit, configured to acquire information of the collapse device, and log information and alarm information of a network node associated with the collapse device; the collapse device is a network node over which a network intruder has obtained control; the information of the collapse device comprises alarm information of the collapse device, the alarm information comprising the collapse time, information on the attack suffered by the collapse device, and the access information and operation information of the collapse device after collapse; whether the host has been attacked can be judged from the operations performed after the attack, and these operations identify, through security event analysis, the interaction actions present in a multi-stage attack on the host;
an information generation unit, configured to obtain situation awareness information of the collapse device based on the collapse device information and to obtain situation awareness information of the network node based on the log information and the alarm information of the network node; the operation of obtaining the situation awareness information of the collapse device based on the collapse device information comprises extracting the situation awareness information of the collapse device from the attribute types collapse reason, collapse time and collapse host corresponding to the collapse device information; the operation of obtaining the situation awareness information of the network node based on the log information and the alarm information of the network node comprises extracting the situation awareness information of the network node from the attribute types keyword, source, event ID, task category, and date and time corresponding to the log information of the network node, and extracting the situation awareness information of the network node from the attribute types alarm level, alarm object and alarm reason corresponding to the alarm information of the network node;
an information comparison unit, configured to compare the situation awareness information of the collapse device with the situation awareness information of the network node to obtain the abnormal items in the situation awareness information of the collapse device that are related to the situation awareness information of the network node;
and an information analysis unit, configured to analyze the abnormal items to obtain the abnormal cause of the collapse device, and to acquire a matching defense scheme based on the abnormal cause to process the collapse device and/or the device causing the abnormal cause.
10. A situation awareness prediction system for a collapse device, comprising:
a network node, configured to receive and transmit data;
a situation awareness system, which periodically detects the network nodes where alarms have occurred and performs security analysis on the log information of those network nodes;
a system server, connected with the network node and the situation awareness system;
the system server being configured to: acquire information of the collapse device, and acquire log information and alarm information of a network node associated with the collapse device; the collapse device is a network node over which a network intruder has obtained control; the information of the collapse device comprises alarm information of the collapse device, the alarm information comprising the collapse time, information on the attack suffered by the collapse device, and the access information and operation information of the collapse device after collapse; whether the host has been attacked can be judged from the operations performed after the attack, and these operations identify, through security event analysis, the interaction actions present in a multi-stage attack on the host; acquire situation awareness information of the collapse device based on the information of the collapse device, and acquire situation awareness information of the network node based on the log information and the alarm information of the network node; the operation of acquiring the situation awareness information of the collapse device based on the collapse device information comprises extracting the situation awareness information of the collapse device from the attribute types collapse reason, collapse time and collapse host corresponding to the collapse device information; the operation of acquiring the situation awareness information of the network node based on the log information and the alarm information of the network node comprises extracting the situation awareness information of the network node from the attribute types keyword, source, event ID, task category, and date and time corresponding to the log information of the network node, and extracting the situation awareness information of the network node from the attribute types alarm level, alarm object and alarm reason corresponding to the alarm information of the network node; compare the situation awareness information of the collapse device with the situation awareness information of the network node to obtain the abnormal items in the situation awareness information of the collapse device that are related to the situation awareness information of the network node; and analyze the abnormal items to obtain the abnormal cause of the collapse device, and acquire a matching defense scheme based on the abnormal cause to process the collapse device and/or the device causing the abnormal cause.
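The four-step method of claims 1, 9 and 10 (and of apparatus units 201 to 204 in the description) carried through on constructed data, as an added example rather than the patent's implementation: situation awareness information is extracted from the collapse device record (collapse reason, time, host) and from the node's logs (keyword, source, event ID, task category, date and time) and alarms (level, object, reason); the two are compared to obtain abnormal items; the items are analyzed into abnormal causes, and each cause is matched to a defense scheme. The collapse record, log lines, alarms, comparison window, cause rules and scheme table are all constructed assumptions of this example; only the Windows Security event IDs 4624 (logon) and 4698 (scheduled task created) are real identifiers.

```python
"""The method of claims 1, 9 and 10 on constructed data, as an added example
(not the patent's implementation): extract situation awareness information
from the collapse device and from the node's logs and alarms, compare them to
get abnormal items, analyze the items into causes and look up a defense
scheme. Window, cause rules and scheme table are assumptions of this example;
Windows event IDs 4624 (logon) and 4698 (scheduled task created) are real."""
from datetime import datetime, timedelta

# Constructed collapse device record with the fields named in the claims.
COLLAPSE_DEVICE = {
    "host": "srv-app-02",
    "collapse_time": "2021-09-14T03:10:00",
    "attacked_info": "vulnerable web application exploited",
    "access_info": ["203.0.113.9"],
    "post_collapse_ops": ["scheduled task created", "outbound connection"],
    "reason": "remote code execution via web application",
}
# Constructed node log lines (Windows Security log fields) and node alarms.
NODE_LOGS = [
    {"keyword": "Audit Success", "source": "Security", "event_id": 4624,
     "task": "Logon", "time": "2021-09-14T03:09:30"},
    {"keyword": "Audit Success", "source": "Security", "event_id": 4698,
     "task": "Other Object Access Events", "time": "2021-09-14T03:11:00"},
    {"keyword": "Information", "source": "Service Control Manager", "event_id": 7036,
     "task": "None", "time": "2021-09-14T01:00:00"},
]
NODE_ALARMS = [
    {"level": "high", "object": "srv-app-02", "reason": "suspicious outbound connection",
     "time": "2021-09-14T03:12:00"},
    {"level": "low", "object": "srv-app-01", "reason": "disk usage above 85%",
     "time": "2021-09-13T20:00:00"},
]


def device_sa_info(dev):
    """Situation awareness information of the collapse device: reason, time, host."""
    return {"reason": dev["reason"], "time": datetime.fromisoformat(dev["collapse_time"]),
            "host": dev["host"]}


def node_sa_info(logs, alarms):
    """Situation awareness information of the node from its logs and alarms."""
    return {
        "logs": [(row["keyword"], row["source"], row["event_id"], row["task"],
                  datetime.fromisoformat(row["time"])) for row in logs],
        "alarms": [(a["level"], a["object"], a["reason"],
                    datetime.fromisoformat(a["time"])) for a in alarms],
    }


def compare_sa_info(dev_sa, node_sa, window=timedelta(minutes=5)):
    """Abnormal items: node log entries within `window` of the collapse time and
    node alarms that name the collapsed host or fall within the window."""
    t0, items = dev_sa["time"], []
    for keyword, source, event_id, task, t in node_sa["logs"]:
        if abs(t - t0) <= window:
            items.append({"kind": "log", "event_id": event_id, "task": task,
                          "keyword": keyword, "source": source, "time": t})
    for level, obj, reason, t in node_sa["alarms"]:
        if obj == dev_sa["host"] or abs(t - t0) <= window:
            items.append({"kind": "alarm", "level": level, "object": obj,
                          "reason": reason, "time": t})
    return items


# Constructed cause rules and defense schemes (assumed; the patent names neither).
CAUSE_RULES = [
    (lambda it: it["kind"] == "log" and it["event_id"] == 4698,
     "persistence: scheduled task created after collapse"),
    (lambda it: it["kind"] == "log" and it["event_id"] == 4624,
     "logon shortly before collapse: account to be verified"),
    (lambda it: it["kind"] == "alarm" and "outbound" in it["reason"],
     "suspicious outbound channel from the collapse device"),
]
DEFENSE_SCHEMES = {
    "persistence: scheduled task created after collapse":
        ["remove unauthorized scheduled tasks", "restrict task-creation rights"],
    "logon shortly before collapse: account to be verified":
        ["reset the account's credentials", "review the logon source"],
    "suspicious outbound channel from the collapse device":
        ["isolate the host from the network", "block the destination at egress"],
}


def analyze_abnormal_items(items):
    """Map abnormal items to causes and each cause to its matching defense scheme."""
    result = {}
    for it in items:
        for rule, cause in CAUSE_RULES:
            if rule(it):
                result[cause] = DEFENSE_SCHEMES[cause]
    return result


def predict(dev=COLLAPSE_DEVICE, logs=NODE_LOGS, alarms=NODE_ALARMS):
    """Run the whole method: acquire, generate, compare, analyze."""
    items = compare_sa_info(device_sa_info(dev), node_sa_info(logs, alarms))
    return items, analyze_abnormal_items(items)


if __name__ == "__main__":
    items, plan = predict()
    print(f"{len(items)} abnormal items")
    for cause, scheme in plan.items():
        print(cause, "->", scheme)
```

The comparison step is what turns the node's ordinary log into abnormal items: the service-control entry two hours earlier and the unrelated disk alarm on another host are discarded by the time window and host match, and only the three entries that line up with the collapse are passed on to the cause rules.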
CN202111076006.3A 2021-09-14 2021-09-14 Situation awareness prediction method, device and system for collapse equipment Active CN114006802B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111076006.3A CN114006802B (en) 2021-09-14 2021-09-14 Situation awareness prediction method, device and system for collapse equipment


Publications (2)

Publication Number Publication Date
CN114006802A CN114006802A (en) 2022-02-01
CN114006802B true CN114006802B (en) 2023-11-21

Family

ID=79921425

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111076006.3A Active CN114006802B (en) 2021-09-14 2021-09-14 Situation awareness prediction method, device and system for collapse equipment

Country Status (1)

Country Link
CN (1) CN114006802B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259462A (en) * 2017-11-29 2018-07-06 国网吉林省电力有限公司信息通信公司 Big data security analysis system based on massive network monitoring data
CN108965346A (en) * 2018-10-10 2018-12-07 上海工程技术大学 A compromised host detection method
WO2018233593A1 (en) * 2017-06-19 2018-12-27 中兴通讯股份有限公司 Method, device and system for network situational awareness, and machine readable medium
CN110445807A (en) * 2019-08-23 2019-11-12 瑞森网安(福建)信息科技有限公司 Network security situation sensing system and method
CN110855687A (en) * 2019-11-18 2020-02-28 惠州学院 Network space security situation perception detection analysis system and method
CN111818073A (en) * 2020-07-16 2020-10-23 深信服科技股份有限公司 Method, device, equipment and medium for detecting defect host
CN112383503A (en) * 2020-09-21 2021-02-19 西安交大捷普网络科技有限公司 Network security event processing method
CN112995196A (en) * 2021-03-23 2021-06-18 上海纽盾科技股份有限公司 Method and system for processing situation awareness information in network security level protection
CN113329029A (en) * 2021-06-18 2021-08-31 上海纽盾科技股份有限公司 Situation awareness node defense method and system for APT attack

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10692252B2 (en) * 2017-02-09 2020-06-23 GM Global Technology Operations LLC Integrated interface for situation awareness information alert, advise, and inform
US11305887B2 (en) * 2019-09-13 2022-04-19 The Boeing Company Method and system for detecting and remedying situation awareness failures in operators of remotely operated vehicles

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Rongrong Xi. CNSSA: A Comprehensive Network Security Situation Awareness System. 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications. 2012, full text. *
刘鸣华. Research on a network security situation awareness system based on big data. 《科技广场》. 2021, 50-55. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant