CN114139020A - Network security event structure hierarchical processing method and device - Google Patents

Network security event structure hierarchical processing method and device Download PDF

Info

Publication number
CN114139020A
CN114139020A CN202111491045.XA CN202111491045A CN114139020A CN 114139020 A CN114139020 A CN 114139020A CN 202111491045 A CN202111491045 A CN 202111491045A CN 114139020 A CN114139020 A CN 114139020A
Authority
CN
China
Prior art keywords
event
data
security event
network security
processing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111491045.XA
Other languages
Chinese (zh)
Other versions
CN114139020B (en
Inventor
汤卫东
李华旭
李盛楠
刘勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangxi University for Nationalities
Original Assignee
Guangxi University for Nationalities
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangxi University for Nationalities filed Critical Guangxi University for Nationalities
Priority to CN202111491045.XA priority Critical patent/CN114139020B/en
Publication of CN114139020A publication Critical patent/CN114139020A/en
Application granted granted Critical
Publication of CN114139020B publication Critical patent/CN114139020B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9027Trees
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/903Querying
    • G06F16/9035Filtering based on additional data, e.g. user or group profiles
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/906Clustering; Classification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N7/00Computing arrangements based on specific mathematical models
    • G06N7/02Computing arrangements based on specific mathematical models using fuzzy logic

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computational Mathematics (AREA)
  • Biomedical Technology (AREA)
  • Fuzzy Systems (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Molecular Biology (AREA)
  • Health & Medical Sciences (AREA)
  • Algebra (AREA)
  • Artificial Intelligence (AREA)
  • Automation & Control Theory (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a hierarchical processing method and a hierarchical processing device for a network security event structure, which comprise a data acquisition module, a data division module, a data processing module and a post-processing module; according to the invention, through the combination of hierarchical processing and an argument refining method, the calculation accuracy is improved by utilizing polynomial algebra and differential algebra, meanwhile, a consistency adjustment process is simpler by utilizing a fuzzy analytic hierarchy process, the weight calculation is simpler, the problem of complexity of the traditional weight calculation is solved, the acquisition efficiency of event data is greatly improved by extracting the event data from the data managed by the security event management model of the host time window, the event data is acquired more quickly, and the event structure after the refining processing is processed based on a Tri-tracing event relation classification method, so that the problem that the relation between the events after the hierarchical processing cannot be processed is effectively solved.

Description

Network security event structure hierarchical processing method and device
Technical Field
The invention relates to the technical field of network security event processing, in particular to a hierarchical processing method and device for a network security event structure.
Background
In the fields of computer science, control theory and control engineering, the composition and structure of concurrent systems are more and more complex, the scale is more and more huge, and the efficient and correct modeling and verification of the systems are more and more difficult. The formalization method provides good framework support for modeling and verification of a concurrent system after decades of research and development, and corresponding technologies and theories are applied to various aspects in the fields of computer science and control engineering;
in the design and verification of a concurrent system which is becoming more complex, because more concurrency uncertainty is brought between a plurality of small events in a sub-event structure which is obtained by argument refinement and the original concurrent events, the problem of hierarchical processing of a network security event structure becomes complicated, and therefore the invention provides a hierarchical processing method and a hierarchical processing device of the network security event structure to solve the problems in the prior art.
Disclosure of Invention
In view of the above problems, the present invention provides a method and an apparatus for hierarchical processing of network security event structure, the network security event structure hierarchical processing method and the device improve the calculation accuracy by combining hierarchical processing with a variable refinement method and utilizing polynomial algebra and differential algebra, meanwhile, the fuzzy analytic hierarchy process is utilized to lead the consistency adjustment process to be simpler, the weight calculation to be simpler, the problem of the complexity degree of the traditional weight calculation is solved, by extracting event data from the data managed by the security event management model of the host time window, the acquisition efficiency of the event data is greatly improved, the acquisition of the event data is quicker, and the event structure after the thinning processing is processed based on the Tri-tracing event relation classification method, so that the problem that the relation between the events after the hierarchical processing cannot be processed is effectively solved.
In order to realize the purpose of the invention, the invention is realized by the following technical scheme: a hierarchical processing method and device for a network security event structure comprise the following steps:
firstly, extracting data information of a network security event based on a security event management model of a host time window, and establishing a tree-shaped index system by taking node resource information of the network security event as a data source extraction index;
step two, establishing a network security event evaluation model according to the characteristics of a tree-shaped index system and a network system structure, evaluating the network security event, and performing hierarchical division on the output result of the security event evaluation model by adopting a hierarchical structure;
preprocessing each divided layer of security event structure based on an improved CAIM algorithm, then carrying out quantitative analysis, carrying out weight calculation on the security event structure by adopting a fuzzy analytic hierarchy process, and simultaneously generating a polynomial algebraic event structure and a differential algebraic event structure;
step four, adopting an argument refinement method to perform horizontal refinement processing and vertical refinement processing on the polynomial algebraic event structure and the differential algebraic event structure, and performing logic relation classification on the refined event structure based on a Tri-tracing event relation classification method;
and fifthly, sorting the data classified and output according to the logical relationship to obtain the network security event structure after hierarchical processing.
The further improvement lies in that: in the first step, the security event management model of the host time window collects the data of the security event from the network in advance, and stores the data after collection, pretreatment and association operation, and then extracts corresponding data information from the data of the network security event stored by the security event management model of the host time window.
The further improvement lies in that: the evaluation of the network security event in the second step is carried out from three levels of an event level, a region level and a system level, wherein the event level is evaluated by using behavior characteristics and content characteristics in event characteristics; the region level is evaluated according to the relation characteristic and the position characteristic; the system level is to integrate the evaluation at the area level and the event level.
The further improvement lies in that: the preprocessing method in the third step is to perform discretization processing on the continuous variable of the network security event through an improved CAIM algorithm, determine the quantized value of each layer of situation factors of the network security event, perform weight calculation on the weights among the situation factors of different layers by using a fuzzy analytic hierarchy process, and finally perform upward fusion layer by layer according to a hierarchical network security event data structure by using Bayesian thrust as a fusion tool for calculating data to obtain a polynomial algebraic event structure and a differential algebraic event structure.
The further improvement lies in that: the horizontal refinement processing in the fourth step is to optimize the internal event structure of the network security event on the premise of keeping the behavior of the network security event system unchanged, and select an equivalent event structure with a simple structure to replace a complex event structure for horizontal refinement; the vertical refinement processing is to replace the network security event atomic function behaviors on a higher abstraction level with a detailed event structure on a lower abstraction level of the network security event structure, and change the abstraction level to carry out vertical refinement.
A hierarchical processing device of a network security event structure comprises a data acquisition module, a data dividing module, a data processing module and a post-processing module, wherein the data acquisition module is used for extracting network security event data from storage data of a security event management model, the data dividing module is used for evaluating network security events and dividing evaluation results by adopting a hierarchical structure, the data processing module is used for carrying out quantitative analysis and weight calculation on the security events and carrying out thinning processing on the obtained event structures, and the post-processing module is used for classifying and sorting the logic relations among the thinned event structures.
The further improvement lies in that: the data acquisition module extracts network security event data information based on a security event management model of a host time window, and the security event management model of the host time window collects data of security events from a network in advance and stores the data after collection, pretreatment and correlation operation;
the data acquisition module also comprises an index establishing submodule, wherein the index establishing submodule is used for extracting indexes to establish a tree-shaped index system based on node resource information of network security events as data sources.
The further improvement lies in that: the data division module comprises a data evaluation submodule, and the data evaluation submodule is used for evaluating the network security event data obtained by the data acquisition module from three levels of an event level, a region level and a system level and then performing hierarchical division by using a hierarchical structure.
The further improvement lies in that: the data processing module comprises a quantitative analysis submodule, a weight calculation submodule and a refining processing submodule, wherein the quantitative analysis submodule carries out quantitative analysis after preprocessing each layer of security event structures divided by the data division module based on an improved CAIM algorithm;
the weight calculation submodule calculates the weight of the safety event structure by adopting a fuzzy analytic hierarchy process;
the refinement processing submodule adopts a variable refinement method to carry out horizontal refinement processing and vertical refinement processing on a polynomial algebraic event structure and a differential algebraic event structure of the network security event structure.
The further improvement lies in that: the post-processing module is used for carrying out logic relation classification on the event structure after the thinning processing based on a Tri-tracing event relation classification method and finally sorting the classification result.
The invention has the beneficial effects that: according to the invention, through the combination of hierarchical processing and an argument refining method, the calculation accuracy is improved by utilizing polynomial algebra and differential algebra, meanwhile, a consistency adjustment process is simpler by utilizing a fuzzy analytic hierarchy process, the weight calculation is simpler, the problem of complexity of the traditional weight calculation is solved, the acquisition efficiency of event data is greatly improved by extracting the event data from the data managed by the security event management model of the host time window, the event data is acquired more quickly, and the event structure after the refining processing is processed based on a Tri-tracing event relation classification method, so that the problem that the relation between the events after the hierarchical processing cannot be processed is effectively solved.
Drawings
FIG. 1 is a flow chart of an embodiment of the present invention.
FIG. 2 is a system architecture diagram according to an embodiment of the present invention.
FIG. 3 is a flowchart of an embodiment of the present invention.
FIG. 4 is a diagram of a system architecture according to a second embodiment of the present invention.
FIG. 5 is a flowchart of an embodiment of the present invention.
FIG. 6 is a block diagram of a system according to an embodiment of the present invention.
Detailed Description
In order to further understand the present invention, the following detailed description will be made with reference to the following examples, which are only used for explaining the present invention and are not to be construed as limiting the scope of the present invention.
Example one
As shown in fig. 1 and 2, the present embodiment provides a hierarchical processing method for a network security event structure, including the following steps:
firstly, extracting data information of a network security event based on a security event management model of a host time window, and establishing a tree-shaped index system by taking node resource information of the network security event as a data source extraction index;
the security event management model of the host time window collects data of security events from a network in advance, stores the data after collection, pretreatment and correlation operation, and then extracts corresponding data information from the data of the network security events stored by the security event management model of the host time window;
step two, establishing a network security event evaluation model according to the characteristics of a tree-shaped index system and a network system structure, evaluating network security events from an event level layer, an area level layer and a system level layer, and performing hierarchical division on the output result of the security event evaluation model by adopting a hierarchical structure;
wherein the event level is evaluated by using the behavior characteristics and the content characteristics in the event characteristics; the region level is evaluated according to the relation characteristic and the position characteristic; the system level integrates the evaluation of each area level and event level;
preprocessing each divided layer of security event structure based on an improved CAIM algorithm, then carrying out quantitative analysis, carrying out weight calculation on the security event structure by adopting a fuzzy analytic hierarchy process, and simultaneously generating a polynomial algebraic event structure and a differential algebraic event structure;
the preprocessing specifically comprises the steps of discretizing continuous variables of the network security events through an improved CAIM algorithm, determining a quantized value of each layer of situation factors of the network security events, calculating weights among the situation factors of different layers by using a fuzzy analytic hierarchy process, and finally performing upward fusion layer by layer according to a hierarchical network security event data structure by using Bayesian thrust as a fusion tool for calculating data to obtain a polynomial algebraic event structure and a differential algebraic event structure;
step four, adopting an argument refinement method to perform horizontal refinement processing and vertical refinement processing on the polynomial algebraic event structure and the differential algebraic event structure, and performing logic relation classification on the refined event structure based on a Tri-tracing event relation classification method;
the horizontal refinement processing is to optimize the internal event structure of the network security event on the premise of keeping the behavior of the network security event system unchanged, and select an equivalent event structure with a simple structure to replace a complex event structure for horizontal refinement;
the vertical refinement processing is to replace the network security event atomic function behavior on a higher abstraction level with a detailed event structure on a lower abstraction level of the network security event structure, and change the abstraction level to carry out vertical refinement;
and fifthly, sorting the data classified and output according to the logical relationship to obtain the network security event structure after hierarchical processing.
A hierarchical processing device of a network security event structure comprises a data acquisition module, a data dividing module, a data processing module and a post-processing module, wherein the data acquisition module is used for extracting network security event data from storage data of a security event management model, the data dividing module is used for evaluating network security events and dividing evaluation results by adopting a hierarchical structure, the data processing module is used for carrying out quantitative analysis and weight calculation on the security events and carrying out thinning processing on the obtained event structures, and the post-processing module is used for classifying and sorting the logic relations among the thinned event structures.
The data acquisition module extracts network security event data information based on a security event management model of a host time window, and the security event management model of the host time window collects data of security events from a network in advance and stores the data after collection, pretreatment and correlation operation;
the data acquisition module also comprises an index establishing submodule, wherein the index establishing submodule is used for extracting indexes to establish a tree-shaped index system based on node resource information of network security events as data sources.
The data division module comprises a data evaluation submodule, and the data evaluation submodule is used for evaluating the network security event data obtained by the data acquisition module from three levels of an event level, a region level and a system level and then performing hierarchical division by using a hierarchical structure.
The data processing module comprises a quantitative analysis submodule, a weight calculation submodule and a refining processing submodule, wherein the quantitative analysis submodule carries out quantitative analysis after preprocessing each layer of security event structures divided by the data division module based on an improved CAIM algorithm;
the weight calculation submodule calculates the weight of the safety event structure by adopting a fuzzy analytic hierarchy process;
the refinement processing submodule adopts a variable refinement method to carry out horizontal refinement processing and vertical refinement processing on a polynomial algebraic event structure and a differential algebraic event structure of the network security event structure.
The post-processing module is used for carrying out logic relation classification on the event structure after the thinning processing based on a Tri-tracing event relation classification method and finally sorting the classification result.
Example two
As shown in fig. 3 and 4, the present embodiment provides a hierarchical processing method for a network security event structure, including the following steps:
firstly, extracting data information of a network security event based on a security event management model of a host time window, and establishing a tree-shaped index system by taking node resource information of the network security event as a data source extraction index;
the security event management model of the host time window collects data of security events from a network in advance, stores the data after collection, pretreatment and correlation operation, and then extracts corresponding data information from the data of the network security events stored by the security event management model of the host time window;
step two, establishing a network security event evaluation model according to the characteristics of a tree-shaped index system and a network system structure, evaluating network security events from an event level layer, an area level layer and a system level layer, and performing hierarchical division on the output result of the security event evaluation model by adopting a hierarchical structure;
wherein the event level is evaluated by using the behavior characteristics and the content characteristics in the event characteristics; the region level is evaluated according to the relation characteristic and the position characteristic; the system level integrates the evaluation of each area level and event level;
preprocessing each divided layer of security event structure based on an improved CAIM algorithm, then carrying out quantitative analysis, carrying out weight calculation on the security event structure by adopting a fuzzy analytic hierarchy process, and simultaneously generating a polynomial algebraic event structure and a differential algebraic event structure;
the preprocessing specifically comprises the steps of discretizing continuous variables of the network security events through an improved CAIM algorithm, determining a quantized value of each layer of situation factors of the network security events, calculating weights among the situation factors of different layers by using a fuzzy analytic hierarchy process, and finally performing upward fusion layer by layer according to a hierarchical network security event data structure by using Bayesian thrust as a fusion tool for calculating data to obtain a polynomial algebraic event structure and a differential algebraic event structure;
step four, an action thinning method is adopted to thin a polynomial algebraic event structure and a differential algebraic event structure, and the thinned event structure is classified according to a logic relation based on a Tri-Training event relation classification method;
the action refinement is to select one or more abstract actions at one level of the network security event structure and respectively replace the abstract actions with a concrete event structure at a lower level;
and fifthly, sorting the data classified and output according to the logical relationship to obtain the network security event structure after hierarchical processing.
A hierarchical processing device of a network security event structure comprises a data acquisition module, a data dividing module, a data processing module and a post-processing module, wherein the data acquisition module is used for extracting network security event data from storage data of a security event management model, the data dividing module is used for evaluating network security events and dividing evaluation results by adopting a hierarchical structure, the data processing module is used for carrying out quantitative analysis and weight calculation on the security events and carrying out thinning processing on the obtained event structures, and the post-processing module is used for classifying and sorting the logic relations among the thinned event structures.
The data acquisition module extracts network security event data information based on a security event management model of a host time window, and the security event management model of the host time window collects data of security events from a network in advance and stores the data after collection, pretreatment and correlation operation;
the data acquisition module also comprises an index establishing submodule, wherein the index establishing submodule is used for extracting indexes to establish a tree-shaped index system based on node resource information of network security events as data sources.
The data division module comprises a data evaluation submodule, and the data evaluation submodule is used for evaluating the network security event data obtained by the data acquisition module from three levels of an event level, a region level and a system level and then performing hierarchical division by using a hierarchical structure.
The data processing module comprises a quantitative analysis submodule, a weight calculation submodule and a refining processing submodule, wherein the quantitative analysis submodule carries out quantitative analysis after preprocessing each layer of security event structures divided by the data division module based on an improved CAIM algorithm;
the weight calculation submodule calculates the weight of the safety event structure by adopting a fuzzy analytic hierarchy process;
and the thinning processing submodule thins a polynomial algebraic event structure and a differential algebraic event structure of the network security event structure by adopting an action thinning method.
The post-processing module is used for carrying out logic relation classification on the event structure after the thinning processing based on a Tri-tracing event relation classification method and finally sorting the classification result.
EXAMPLE III
As shown in fig. 5 and 6, the present embodiment provides a hierarchical processing method for a network security event structure, including the following steps:
firstly, extracting data information of a network security event based on a security event management model of a host time window, and establishing a tree-shaped index system by taking node resource information of the network security event as a data source extraction index;
the security event management model of the host time window collects data of security events from a network in advance, stores the data after collection, pretreatment and correlation operation, and then extracts corresponding data information from the data of the network security events stored by the security event management model of the host time window;
step two, establishing a network security event evaluation model according to the characteristics of a tree-shaped index system and a network system structure, evaluating network security events from an event level layer, an area level layer and a system level layer, and performing hierarchical division on the output result of the security event evaluation model by adopting a hierarchical structure;
wherein the event level is evaluated by using the behavior characteristics and the content characteristics in the event characteristics; the region level is evaluated according to the relation characteristic and the position characteristic; the system level integrates the evaluation of each area level and event level;
preprocessing each divided layer of security event structure based on an improved CAIM algorithm, then carrying out quantitative analysis, carrying out weight calculation on the security event structure by adopting a fuzzy analytic hierarchy process, and simultaneously generating a polynomial algebraic event structure and a differential algebraic event structure;
the preprocessing specifically comprises the steps of discretizing continuous variables of the network security events through an improved CAIM algorithm, determining a quantized value of each layer of situation factors of the network security events, calculating weights among the situation factors of different layers by using a fuzzy analytic hierarchy process, and finally performing upward fusion layer by layer according to a hierarchical network security event data structure by using Bayesian thrust as a fusion tool for calculating data to obtain a polynomial algebraic event structure and a differential algebraic event structure;
step four, adopting an argument refinement method to perform horizontal refinement processing and vertical refinement processing on the polynomial algebraic event structure and the differential algebraic event structure, and performing logic relation classification on the refined event structure based on a Tri-tracing event relation classification method;
the horizontal refinement processing is to optimize the internal event structure of the network security event on the premise of keeping the behavior of the network security event system unchanged, and select an equivalent event structure with a simple structure to replace a complex event structure for horizontal refinement;
the vertical refinement processing is to replace the network security event atomic function behavior on a higher abstraction level with a detailed event structure on a lower abstraction level of the network security event structure, and change the abstraction level to carry out vertical refinement;
and fifthly, sorting the data output according to the logic relation to obtain a network security event structure after hierarchical processing, and analyzing and predicting the event situation according to the processed network security event structure.
A hierarchical processing device of a network security event structure comprises a data acquisition module, a data dividing module, a data processing module, a post-processing module and a prediction processing module, wherein the data acquisition module is used for extracting network security event data from storage data of a security event management model, the data dividing module is used for evaluating network security events and dividing evaluation results by adopting a hierarchical structure, the data processing module is used for carrying out quantitative analysis and weight calculation on the security events and carrying out thinning processing on the obtained event structures, the post-processing module is used for classifying and sorting the logic relations among the thinned event structures, and the prediction processing module is used for analyzing and predicting event situations according to the network security event structures after hierarchical processing.
The data acquisition module extracts network security event data information based on a security event management model of a host time window, and the security event management model of the host time window collects data of security events from a network in advance and stores the data after collection, pretreatment and correlation operation;
the data acquisition module also comprises an index establishing submodule, wherein the index establishing submodule is used for extracting indexes to establish a tree-shaped index system based on node resource information of network security events as data sources.
The data division module comprises a data evaluation submodule, and the data evaluation submodule is used for evaluating the network security event data obtained by the data acquisition module from three levels of an event level, a region level and a system level and then performing hierarchical division by using a hierarchical structure.
The data processing module comprises a quantitative analysis submodule, a weight calculation submodule and a refining processing submodule, wherein the quantitative analysis submodule carries out quantitative analysis after preprocessing each layer of security event structures divided by the data division module based on an improved CAIM algorithm;
the weight calculation submodule calculates the weight of the safety event structure by adopting a fuzzy analytic hierarchy process;
the refinement processing submodule refines a polynomial algebraic event structure and a differential algebraic event structure of the network security event structure by adopting an argument refinement method.
The post-processing module is used for carrying out logic relation classification on the event structure after the thinning processing based on a Tri-tracing event relation classification method and finally sorting the classification result.
The prediction processing module comprises a situation analysis and prediction submodule and an event processing submodule, the situation analysis and prediction submodule pushes away the situation of the network security event and fuses inference data to perform situation analysis based on a Bayesian method, and the time processing submodule is used for judging the influence of the network security event according to the situation analysis result and timely making corresponding prevention or popularization measures.
The foregoing illustrates and describes the principles, general features, and advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. A hierarchical processing method for a network security event structure is characterized by comprising the following steps:
firstly, extracting data information of a network security event based on a security event management model of a host time window, and establishing a tree-shaped index system by taking node resource information of the network security event as a data source extraction index;
step two, establishing a network security event evaluation model according to the characteristics of a tree-shaped index system and a network system structure, evaluating the network security event, and performing hierarchical division on the output result of the security event evaluation model by adopting a hierarchical structure;
preprocessing each divided layer of security event structure based on an improved CAIM algorithm, then carrying out quantitative analysis, carrying out weight calculation on the security event structure by adopting a fuzzy analytic hierarchy process, and simultaneously generating a polynomial algebraic event structure and a differential algebraic event structure;
step four, adopting an argument refinement method to perform horizontal refinement processing and vertical refinement processing on the polynomial algebraic event structure and the differential algebraic event structure, and performing logic relation classification on the refined event structure based on a Tri-tracing event relation classification method;
and fifthly, sorting the data classified and output according to the logical relationship to obtain the network security event structure after hierarchical processing.
2. The method according to claim 1, wherein the method comprises: in the first step, the security event management model of the host time window collects the data of the security event from the network in advance, and stores the data after collection, pretreatment and association operation, and then extracts corresponding data information from the data of the network security event stored by the security event management model of the host time window.
3. The method according to claim 1, wherein the method comprises: the evaluation of the network security event in the second step is carried out from three levels of an event level, a region level and a system level, wherein the event level is evaluated by using behavior characteristics and content characteristics in event characteristics; the region level is evaluated according to the relation characteristic and the position characteristic; the system level is to integrate the evaluation at the area level and the event level.
4. The method according to claim 1, wherein the method comprises: the preprocessing method in the third step is to perform discretization processing on the continuous variable of the network security event through an improved CAIM algorithm, determine the quantized value of each layer of situation factors of the network security event, perform weight calculation on the weights among the situation factors of different layers by using a fuzzy analytic hierarchy process, and finally perform upward fusion layer by layer according to a hierarchical network security event data structure by using Bayesian thrust as a fusion tool for calculating data to obtain a polynomial algebraic event structure and a differential algebraic event structure.
5. The method according to claim 1, wherein the method comprises: the horizontal refinement processing in the fourth step is to optimize the internal event structure of the network security event on the premise of keeping the behavior of the network security event system unchanged, and select an equivalent event structure with a simple structure to replace a complex event structure for horizontal refinement; the vertical refinement processing is to replace the network security event atomic function behaviors on a higher abstraction level with a detailed event structure on a lower abstraction level of the network security event structure, and change the abstraction level to carry out vertical refinement.
6. A hierarchical processing device for network security event structure is characterized in that: the system comprises a data acquisition module, a data dividing module, a data processing module and a post-processing module, wherein the data acquisition module is used for extracting network security event data from storage data of a security event management model, the data dividing module is used for evaluating network security events and dividing evaluation results by adopting a hierarchical structure, the data processing module is used for carrying out quantitative analysis and weight calculation on the security events and carrying out thinning processing on obtained event structures, and the post-processing module is used for classifying and sorting the logic relationship among the thinned event structures.
7. The hierarchical network security event structure processing device according to claim 6, wherein: the data acquisition module extracts network security event data information based on a security event management model of a host time window, and the security event management model of the host time window collects data of security events from a network in advance and stores the data after collection, pretreatment and correlation operation;
the data acquisition module also comprises an index establishing submodule, wherein the index establishing submodule is used for extracting indexes to establish a tree-shaped index system based on node resource information of network security events as data sources.
8. The hierarchical network security event structure processing device according to claim 6, wherein: the data division module comprises a data evaluation submodule, and the data evaluation submodule is used for evaluating the network security event data obtained by the data acquisition module from three levels of an event level, a region level and a system level and then performing hierarchical division by using a hierarchical structure.
9. The hierarchical network security event structure processing device according to claim 6, wherein: the data processing module comprises a quantitative analysis submodule, a weight calculation submodule and a refining processing submodule, wherein the quantitative analysis submodule carries out quantitative analysis after preprocessing each layer of security event structures divided by the data division module based on an improved CAIM algorithm;
the weight calculation submodule calculates the weight of the safety event structure by adopting a fuzzy analytic hierarchy process;
the refinement processing submodule adopts a variable refinement method to carry out horizontal refinement processing and vertical refinement processing on a polynomial algebraic event structure and a differential algebraic event structure of the network security event structure.
10. The hierarchical network security event structure processing device according to claim 6, wherein: the post-processing module is used for carrying out logic relation classification on the event structure after the thinning processing based on a Tri-tracing event relation classification method and finally sorting the classification result.
CN202111491045.XA 2021-12-08 2021-12-08 Network security event structure hierarchical processing method and device Active CN114139020B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111491045.XA CN114139020B (en) 2021-12-08 2021-12-08 Network security event structure hierarchical processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111491045.XA CN114139020B (en) 2021-12-08 2021-12-08 Network security event structure hierarchical processing method and device

Publications (2)

Publication Number Publication Date
CN114139020A true CN114139020A (en) 2022-03-04
CN114139020B CN114139020B (en) 2023-03-28

Family

ID=80384988

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111491045.XA Active CN114139020B (en) 2021-12-08 2021-12-08 Network security event structure hierarchical processing method and device

Country Status (1)

Country Link
CN (1) CN114139020B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102722534A (en) * 2012-05-21 2012-10-10 中国标准化研究院 Event severity evaluating method and system based on network information
CN104112181A (en) * 2014-06-12 2014-10-22 西北工业大学 Analytical hierarchy process-based information security Bayesian network evaluation method
CN106209829A (en) * 2016-07-05 2016-12-07 杨林 A kind of network security management system based on warning strategies
CN107204876A (en) * 2017-05-22 2017-09-26 成都网络空间安全技术有限公司 A kind of network security risk evaluation method
CN108337270A (en) * 2018-05-18 2018-07-27 梧州井儿铺贸易有限公司 A kind of enterprise network security event management system
CN110620759A (en) * 2019-07-15 2019-12-27 公安部第一研究所 Network security event hazard index evaluation method and system based on multidimensional correlation
WO2020046286A1 (en) * 2018-08-29 2020-03-05 General Electronic Company Integrated cybersecurity risk assessment and state monitoring for electrical power grid
CN111680863A (en) * 2020-04-26 2020-09-18 南京南数数据运筹科学研究院有限公司 Network environment safety condition evaluation method based on analytic hierarchy process
CN112351004A (en) * 2020-10-23 2021-02-09 烟台南山学院 Computer network based information security event processing system and method
CN112738016A (en) * 2020-11-16 2021-04-30 中国南方电网有限责任公司 Intelligent security event correlation analysis system for threat scene
CN113411303A (en) * 2021-05-12 2021-09-17 桂林电子科技大学 Evaluation index system construction method based on hierarchical clustering and analytic hierarchy process

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102722534A (en) * 2012-05-21 2012-10-10 中国标准化研究院 Event severity evaluating method and system based on network information
CN104112181A (en) * 2014-06-12 2014-10-22 西北工业大学 Analytical hierarchy process-based information security Bayesian network evaluation method
CN106209829A (en) * 2016-07-05 2016-12-07 杨林 A kind of network security management system based on warning strategies
CN107204876A (en) * 2017-05-22 2017-09-26 成都网络空间安全技术有限公司 A kind of network security risk evaluation method
CN108337270A (en) * 2018-05-18 2018-07-27 梧州井儿铺贸易有限公司 A kind of enterprise network security event management system
WO2020046286A1 (en) * 2018-08-29 2020-03-05 General Electronic Company Integrated cybersecurity risk assessment and state monitoring for electrical power grid
CN110620759A (en) * 2019-07-15 2019-12-27 公安部第一研究所 Network security event hazard index evaluation method and system based on multidimensional correlation
CN111680863A (en) * 2020-04-26 2020-09-18 南京南数数据运筹科学研究院有限公司 Network environment safety condition evaluation method based on analytic hierarchy process
CN112351004A (en) * 2020-10-23 2021-02-09 烟台南山学院 Computer network based information security event processing system and method
CN112738016A (en) * 2020-11-16 2021-04-30 中国南方电网有限责任公司 Intelligent security event correlation analysis system for threat scene
CN113411303A (en) * 2021-05-12 2021-09-17 桂林电子科技大学 Evaluation index system construction method based on hierarchical clustering and analytic hierarchy process

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
丁思远: "基于线索挖掘与特征分析的事件关系分类方法研究", 《中国优秀硕士学位论文全文数据库信息科技辑》 *
丁思远等: "基于Tri-Training的事件关系分类方法研究", 《计算机工程与科学》 *
张淑英: "网络安全事件关联分析与态势评测技术研究", 《中国博士学位论文全文数据库信息科技辑》 *

Also Published As

Publication number Publication date
CN114139020B (en) 2023-03-28

Similar Documents

Publication Publication Date Title
CN104636449A (en) Distributed type big data system risk recognition method based on LSA-GCC
CN103176985A (en) Timely and high-efficiency crawling method for internet information
CN117789207B (en) Intelligent analysis method and system for pathological images of cell tissues based on graph neural network
KR101703972B1 (en) System and method for predicting groundwater potential area using spatial information
KR20180086602A (en) Apparatus and method for estimating traffic jam area based on machine learning
CN113052225A (en) Alarm convergence method and device based on clustering algorithm and time sequence association rule
Zhu et al. Fuzzy c-means clustering identification method of urban road traffic state
Hou et al. Simulating the dynamics of urban land quantity in China from 2020 to 2070 under the Shared Socioeconomic Pathways
Huo et al. Traffic anomaly detection method based on improved GRU and EFMS-Kmeans clustering
CN106815320B (en) Investigation big data visual modeling method and system based on expanded three-dimensional histogram
CN117236374A (en) Layering interpretation method based on fully developed material graph neural network
CN114139020B (en) Network security event structure hierarchical processing method and device
Liu et al. Two-dimensional explainability method for fault diagnosis of fluid machine
Tuan et al. Object Detection in Remote Sensing Images Using Picture Fuzzy Clustering and MapReduce.
CN112528015B (en) Method and device for judging rumor in message interactive transmission
Duda et al. Fog computing and Big data in projects of class smart city
Huang et al. Functional Domains Clustering of Autonomous Transportation Systems Based on Latent Dirichlet Allocation
Li et al. Modeling and analysis of mandatory lane-changing behavior considering heterogeneity in means and variances
Zheng Design and verification of use case generation algorithm based on multiple combination tests
Tu Analysis and prediction method of student behavior mining based on campus big data
CN117911662B (en) Digital twin scene semantic segmentation method and system based on depth hough voting
Zhang Application of English Score Management System Based on Spark-Decision Tree Algorithm
Zhao et al. A Vehicle Model Data Classification Algorithm Based on Hierarchy Clustering
Huang et al. The approach to classifying multi-output datasets based on cluster validity index method
CN118151231A (en) Classification method for carbonate broken solution seismic phases

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant