CN114640539A - Safety protection updating method and safety protection system adopting AI and big data technology - Google Patents


Info

Publication number: CN114640539A
Authority: CN (China)
Prior art keywords: intrusion, monitoring, derived, knowledge point, illegal
Legal status: Withdrawn
Application number: CN202210381504.7A
Other languages: Chinese (zh)
Inventors: 昌雄彪, 王刚
Current Assignee: Yilan Huayang Network Technology Co ltd
Original Assignee: Yilan Huayang Network Technology Co ltd
Application filed by Yilan Huayang Network Technology Co ltd
Priority to CN202210381504.7A
Publication of CN114640539A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a security protection updating method and a security protection system adopting AI and big data technologies. A security vulnerability mining network model meeting an AI model deployment condition is used to output fuzzy security vulnerabilities associated with the illegal intrusion monitoring big data of a cloud application software service; the illegal intrusion derived prediction data associated with the illegal intrusion nodes of that big data is extracted, and derived security vulnerabilities associated with the derived prediction data are output according to the same security vulnerability mining network model. A reference security vulnerability under the cloud application software service is then generated by combining the fuzzy security vulnerabilities and the derived security vulnerabilities, and security protection updating is performed by issuing the related security protection updating information. Combining fuzzy security vulnerability analysis with derived security vulnerability analysis improves the precision and directivity of the vulnerability analysis and thereby the reliability of the final security protection update.

Description

Safety protection updating method and safety protection system adopting AI and big data technology
Technical Field
The invention relates to the technical field of information intrusion security protection, in particular to a security protection updating method and a security protection system adopting AI and big data technologies.
Background
With the rapid development of cloud computing technology, more and more internet information enterprises provide convenience to users' lives through internet services deployed and provided at the cloud end, and at the same time the security protection of cloud services becomes more and more important to those enterprises. On this basis, when an internet information enterprise carries out illegal intrusion monitoring, a large number of illegal intrusion monitoring logs are generated, from which security vulnerabilities that may exist can be determined. However, in the existing scheme, determining a security vulnerability requires tracking according to the illegal intrusion monitoring to obtain related illegal intrusion monitoring tracking data, and then performing vulnerability analysis and output on that tracking data through a trained security vulnerability mining network model. This scheme only considers the individual illegal intrusion monitoring tracking data at a single level, which leads to one-sidedness in the security vulnerability decision and also affects the basis output for the subsequent security protection update.
Disclosure of Invention
In view of the above, the present invention provides a security protection updating method and a security protection system using AI and big data technologies.
In a first aspect, the present invention provides a security protection updating method using AI and big data technologies, which is applied to a security protection system, and the method includes:
outputting fuzzy security vulnerabilities associated with the illegal intrusion monitoring big data of the cloud application software service by combining a security vulnerability mining network model meeting AI model deployment conditions;
calling and searching illegal intrusion derived prediction data associated with illegal intrusion nodes existing in the illegal intrusion monitoring big data, and outputting derived security vulnerabilities associated with the illegal intrusion derived prediction data according to the security vulnerability mining network model;
generating a reference security vulnerability under the cloud application software service by combining the fuzzy security vulnerability and the derived security vulnerability;
and issuing related security protection updating information to an application server corresponding to the cloud application software service according to the reference security vulnerability under the cloud application software service.
For example, in some examples, the intrusion monitoring big data is obtained according to the following steps:
acquiring first illegal intrusion monitoring and tracking data monitored and tracked by a first illegal intrusion monitoring and tracking application, wherein the first illegal intrusion monitoring and tracking data comprises illegal intrusion monitoring and tracking data monitored and tracked under a first illegal intrusion monitoring and tracking interface cluster corresponding to the first illegal intrusion monitoring and tracking application;
analyzing second illegal intrusion monitoring and tracking data which is associated with the intrusion point of the first illegal intrusion monitoring and tracking data in an illegal intrusion monitoring and tracking database, wherein the second illegal intrusion monitoring and tracking data comprises illegal intrusion monitoring and tracking data monitored and tracked under a second illegal intrusion monitoring and tracking interface cluster corresponding to a second illegal intrusion monitoring and tracking application;
combining the first illegal intrusion monitoring interface cluster and the second illegal intrusion monitoring interface cluster, adjusting parameters of an intrusion monitoring interface in the first illegal intrusion monitoring interface cluster, and outputting a third illegal intrusion monitoring interface cluster;
and, by combining the third illegal intrusion monitoring interface cluster, performing big data output on the first illegal intrusion monitoring tracking data and outputting the illegal intrusion monitoring big data, wherein the illegal intrusion monitoring big data comprises an illegal intrusion monitoring interface corresponding to each illegal intrusion monitoring node.
For example, in some examples, the parameter adjustment is performed on the intrusion monitoring interface in the first illegal intrusion monitoring interface cluster by combining the first illegal intrusion monitoring interface cluster and the second illegal intrusion monitoring interface cluster, and a third illegal intrusion monitoring interface cluster is output, which is specifically as follows:
determining a second illegal intrusion monitoring interface cluster by combining the first illegal intrusion monitoring interface cluster, wherein the first illegal intrusion monitoring tracking data is obtained by the first illegal intrusion monitoring tracking application monitoring and tracking based on a first intrusion monitoring channel, the first intrusion monitoring channel comprises a first group of intrusion monitoring nodes, and the first illegal intrusion monitoring interface cluster comprises member intrusion monitoring interfaces of the first illegal intrusion monitoring tracking application on any at least two intrusion monitoring nodes in the first group of intrusion monitoring nodes between which a monitoring linkage exists, and guide intrusion monitoring interfaces of the first illegal intrusion monitoring tracking application on each intrusion monitoring node in the first group of intrusion monitoring nodes;
determining a third intrusion monitoring interface cluster and a fourth intrusion monitoring interface cluster by combining the second illegal intrusion monitoring interface cluster, wherein the second illegal intrusion monitoring tracking data is obtained by the first illegal intrusion monitoring tracking application monitoring and tracking based on a second intrusion monitoring channel, the second intrusion monitoring channel comprises a second group of intrusion monitoring nodes, and the second illegal intrusion monitoring interface cluster comprises member intrusion monitoring interfaces of the second illegal intrusion monitoring tracking application on any at least two intrusion monitoring nodes in the first group of intrusion monitoring nodes between which a monitoring linkage exists, and guide intrusion monitoring interfaces of the second illegal intrusion monitoring tracking application on each intrusion monitoring node in the first group of intrusion monitoring nodes;
and combining the member intrusion monitoring interface cluster of the first illegal intrusion monitoring and tracking application, the guide intrusion monitoring interface of the first illegal intrusion monitoring and tracking application and the member intrusion monitoring interface cluster of the second illegal intrusion monitoring and tracking application to carry out parameter adjustment on the intrusion monitoring interface in the first illegal intrusion monitoring interface cluster by using the guide intrusion monitoring interface of the second illegal intrusion monitoring and tracking application, and outputting the third illegal intrusion monitoring interface cluster.
For example, in some examples, the method includes, in combination with the member intrusion monitoring interface cluster of the first illegal intrusion monitoring and tracking application, the guided intrusion monitoring interface of the first illegal intrusion monitoring and tracking application, and the member intrusion monitoring interface cluster of the second illegal intrusion monitoring and tracking application, performing parameter adjustment on the intrusion monitoring interface in the first illegal intrusion monitoring interface cluster by using the guided intrusion monitoring interface of the second illegal intrusion monitoring and tracking application, and outputting the third illegal intrusion monitoring interface cluster, where the specific details are as follows:
generating a first intrusion monitoring logic network by combining the first illegal intrusion monitoring interface cluster and the second illegal intrusion monitoring interface cluster, wherein the first intrusion monitoring logic network comprises the first group of intrusion monitoring nodes, first group intrusion monitoring linkage information, the second group of intrusion monitoring nodes, second group intrusion monitoring linkage information and third group intrusion monitoring linkage information; the first group intrusion monitoring linkage information comprises the monitoring linkage information between any at least two intrusion monitoring nodes in the first group of intrusion monitoring nodes between which a monitoring linkage exists; the second group intrusion monitoring linkage information comprises the monitoring linkage information between any at least two intrusion monitoring nodes in the second group of intrusion monitoring nodes between which a monitoring linkage exists; and the third group intrusion monitoring linkage information comprises the intrusion monitoring linkage information between an intrusion monitoring node in the first group of intrusion monitoring nodes and an intrusion monitoring node in the second group of intrusion monitoring nodes;
acquiring member intrusion monitoring interfaces between two intrusion monitoring nodes communicated with each intrusion monitoring linkage information in the third group of intrusion monitoring linkage information;
determining, by combining the member intrusion monitoring interfaces between the two intrusion monitoring nodes connected by each item of intrusion monitoring linkage information in the third group of intrusion monitoring linkage information, whether surplus intrusion monitoring linkage information exists in the third group of intrusion monitoring linkage information;
when surplus intrusion monitoring linkage information exists in the third group of intrusion monitoring linkage information, the surplus intrusion monitoring linkage information is eliminated from the first intrusion monitoring logic network, and a second intrusion monitoring logic network is output;
performing parameter adjustment on the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster by combining the second intrusion monitoring logic network, and outputting the third intrusion monitoring interface cluster and the fourth intrusion monitoring interface cluster, wherein the third intrusion monitoring interface cluster is the intrusion monitoring interface cluster obtained by adjusting the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster into a third group of guide intrusion monitoring interfaces, and the fourth intrusion monitoring interface cluster is the intrusion monitoring interface cluster obtained by adjusting the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster into a fourth group of guide intrusion monitoring interfaces.
For example, in some examples, the parameter adjustment performed, in combination with the second intrusion monitoring logic network, on the first group of guide intrusion monitoring interfaces in the first intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second intrusion monitoring interface cluster, with the third intrusion monitoring interface cluster and the fourth intrusion monitoring interface cluster as output, is specifically as follows:
adjusting parameters of a first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and a second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster by combining first monitoring boundary configuration information, and outputting a third intrusion monitoring interface cluster and a fourth intrusion monitoring interface cluster, wherein the first monitoring boundary configuration information is monitoring boundary configuration information determined by combining member intrusion monitoring interfaces corresponding to a fourth group of intrusion monitoring linkage information in the second intrusion monitoring logic network;
combining the first monitoring boundary configuration information, adjusting the parameters of the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster, and outputting the third intrusion monitoring interface cluster and the fourth intrusion monitoring interface cluster, which is specifically as follows:
performing parameter adjustment on the guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster so that the interface linkage cost value between the member intrusion monitoring interface already obtained for each item of intrusion monitoring linkage information in the second intrusion monitoring logic network and the member intrusion monitoring interface recalculated for that item of intrusion monitoring linkage information is minimized, wherein the member intrusion monitoring interface recalculated for each item of intrusion monitoring linkage information is the member intrusion monitoring interface determined from the guide intrusion monitoring interfaces on the intrusion monitoring nodes connected by that item of intrusion monitoring linkage information.
For example, in some examples, the parameter adjustment performed, in combination with the second intrusion monitoring logic network, on the first group of guide intrusion monitoring interfaces in the first intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second intrusion monitoring interface cluster, with the third intrusion monitoring interface cluster and the fourth intrusion monitoring interface cluster as output, is specifically as follows:
combining second monitoring boundary configuration information, performing parameter adjustment on the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster, and outputting the third intrusion monitoring interface cluster and the fourth intrusion monitoring interface cluster, wherein the second monitoring boundary configuration information is the monitoring boundary configuration information determined by combining the member intrusion monitoring interfaces corresponding to a fourth group of intrusion monitoring linkage information in the second intrusion monitoring logic network and a first group of trust authentication intrusion monitoring interfaces; the fourth group of intrusion monitoring linkage information comprises the intrusion monitoring linkage information in the third group of intrusion monitoring linkage information other than the surplus intrusion monitoring linkage information; and each trust authentication intrusion monitoring interface in the first group of trust authentication intrusion monitoring interfaces is a trust authentication intrusion monitoring interface of the intrusion monitoring information of one intrusion monitoring node in the first group of intrusion monitoring nodes;
combining the second monitoring boundary configuration information, adjusting the parameters of the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster, and outputting the third intrusion monitoring interface cluster and the fourth intrusion monitoring interface cluster, which is specifically as follows:
performing parameter adjustment on the guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster so that the sum of a first guide interface linkage cost value and a second guide interface linkage cost value converges, wherein the first guide interface linkage cost value is the interface linkage cost value between the member intrusion monitoring interface already obtained for each item of intrusion monitoring linkage information in the second intrusion monitoring logic network and the member intrusion monitoring interface recalculated for that item of intrusion monitoring linkage information, the recalculated member intrusion monitoring interface being the member intrusion monitoring interface determined from the guide intrusion monitoring interfaces on the intrusion monitoring nodes connected by that item of intrusion monitoring linkage information; and the second guide interface linkage cost value is the interface linkage cost value between each trust authentication intrusion monitoring interface in the first group of trust authentication intrusion monitoring interfaces and the guide intrusion monitoring interface on the corresponding intrusion monitoring node;
preferably, after combining the first illegal intrusion monitoring interface cluster and the second illegal intrusion monitoring interface cluster, adjusting parameters of a guide intrusion monitoring interface in the first illegal intrusion monitoring interface cluster and a guide intrusion monitoring interface in the second illegal intrusion monitoring interface cluster and outputting a third intrusion monitoring interface cluster and a fourth intrusion monitoring interface cluster, the method further comprises:
performing big data output on a first group of illegal intrusion monitoring and tracking data in the first illegal intrusion monitoring and tracking data by combining a third group of guide intrusion monitoring interfaces in the third intrusion monitoring interface cluster, wherein the third intrusion monitoring interface cluster is the intrusion monitoring interface cluster obtained by adjusting the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster into the third group of guide intrusion monitoring interfaces; the first illegal intrusion monitoring and tracking data is the illegal intrusion monitoring and tracking data monitored and tracked by the first illegal intrusion monitoring and tracking application based on the first intrusion monitoring channel; the first group of guide intrusion monitoring interfaces comprises the guide intrusion monitoring interfaces of the first illegal intrusion monitoring and tracking application on a third group of intrusion monitoring nodes in the first group of intrusion monitoring nodes; and the first group of illegal intrusion monitoring and tracking data comprises the illegal intrusion monitoring and tracking data tracked by the first illegal intrusion monitoring and tracking application on the third group of intrusion monitoring nodes;
performing big data output on a second group of illegal intrusion monitoring and tracking data in the second illegal intrusion monitoring and tracking data by combining a fourth group of guide intrusion monitoring interfaces in the fourth intrusion monitoring interface cluster, and obtaining the illegal intrusion monitoring big data, wherein the fourth intrusion monitoring interface cluster is the intrusion monitoring interface cluster obtained by adjusting the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster into the fourth group of guide intrusion monitoring interfaces; the second illegal intrusion monitoring and tracking data is the illegal intrusion monitoring and tracking data monitored and tracked by the second illegal intrusion monitoring and tracking application based on the second intrusion monitoring channel; the second group of guide intrusion monitoring interfaces comprises the guide intrusion monitoring interfaces of the second illegal intrusion monitoring and tracking application on a fourth group of intrusion monitoring nodes in the second group of intrusion monitoring nodes; and the second group of illegal intrusion monitoring and tracking data comprises the illegal intrusion monitoring and tracking data tracked by the second illegal intrusion monitoring and tracking application on the fourth group of intrusion monitoring nodes.
In a second aspect, an embodiment of the present invention further provides a security protection updating system using an AI and big data technology, where the security protection updating system using the AI and big data technology includes a security protection system and a plurality of service usage devices communicatively connected to the security protection system;
the safety protection system is used for:
outputting fuzzy security vulnerabilities associated with the illegal intrusion monitoring big data of the cloud application software service by combining a security vulnerability mining network model meeting AI model deployment conditions;
calling and searching illegal intrusion derived prediction data associated with illegal intrusion nodes existing in the illegal intrusion monitoring big data, and outputting derived security vulnerabilities associated with the illegal intrusion derived prediction data according to the security vulnerability mining network model;
generating a reference security vulnerability under the cloud application software service by combining the fuzzy security vulnerability and the derived security vulnerability;
and issuing related security protection updating information to an application server corresponding to the cloud application software service according to the reference security vulnerability under the cloud application software service.
In combination with any one of the aspects above, the fuzzy security vulnerability associated with the illegal intrusion monitoring big data of the cloud application software service is output by combining the security vulnerability mining network model meeting the AI model deployment condition; the illegal intrusion derived prediction data associated with the illegal intrusion nodes existing in the illegal intrusion monitoring big data is extracted, and the derived security vulnerability associated with that derived prediction data is output according to the same security vulnerability mining network model; the reference security vulnerability under the cloud application software service is then generated by combining the fuzzy security vulnerability and the derived security vulnerability, and the security protection update is carried out according to the related security protection updating information issued. Because fuzzy security vulnerability analysis and derived security vulnerability analysis are combined, the precision and directivity of the vulnerability analysis can be improved, and so the reliability of the final security protection update is improved.
Drawings
Fig. 1 is a schematic flowchart of a security protection updating method using AI and big data technologies according to an embodiment of the present invention;
fig. 2 is a schematic block diagram of a security protection system for implementing the above security protection updating method using AI and big data technologies according to an embodiment of the present invention.
Detailed Description
The architecture of the security protection update system 10 using AI and big data technologies according to an embodiment of the present application is described below, and the security protection update system 10 using AI and big data technologies may include a security protection system 100 and an application server 200 communicatively connected to the security protection system 100. In this embodiment, the security protection system 100 and the application server 200 in the security protection updating system 10 using the AI and big data technologies may cooperatively perform the security protection updating method using the AI and big data technologies described in the following method embodiment, and the specific steps of the security protection system 100 and the application server 200 may be partially described with reference to fig. 1 in conjunction with the following method embodiment.
Process 100: outputting the fuzzy security vulnerability associated with the illegal intrusion monitoring big data by combining the security vulnerability mining network model meeting the AI model deployment condition.
Process 120: calling and searching the illegal intrusion derived prediction data associated with the illegal intrusion nodes existing in the illegal intrusion monitoring big data, and outputting the derived security vulnerability associated with the illegal intrusion derived prediction data according to the security vulnerability mining network model.
Process 130: generating the reference security vulnerability under the cloud application software service by combining the fuzzy security vulnerability and the derived security vulnerability.
Process 140: issuing the related security protection update information to the application server corresponding to the cloud application software service according to the reference security vulnerability under the cloud application software service.
For example, the security vulnerability mining network model meeting the AI model deployment condition can be obtained by performing model development optimization and parameter adjustment according to the illegal intrusion monitoring sample data collected in advance and the security vulnerability marking information corresponding to the illegal intrusion monitoring sample data.
For example, the illegal intrusion derived prediction data associated with the illegal intrusion node in the illegal intrusion monitoring big data may refer to other derived illegal intrusion data in which the illegal intrusion entity in the illegal intrusion monitoring big data has linkage triggering activity.
For example, in Process 130, the fuzzy security vulnerability and the derived security vulnerability may be aggregated to determine the reference security vulnerability under the cloud application software service. In some embodiments, the derived vulnerability category characteristic fields of the derived security vulnerability that are not included in the vulnerability category characteristic field sequence of the fuzzy security vulnerability are aggregated into that field sequence, and the result is the reference security vulnerability.
For example, in Process 140, in the process of issuing the relevant security protection update information to the application server corresponding to the cloud application software service according to the reference security vulnerability under the cloud application software service, a corresponding security protection update policy, for example a corresponding security protection repair firmware, may be searched for in the cloud vulnerability repair library by combining the reference security vulnerability; or, when there is no corresponding security protection repair firmware, the solution of another security vulnerability associated with the reference security vulnerability may be output for the relevant security developer to refer to when repairing.
By adopting the above technical scheme, the embodiment of the invention outputs the fuzzy security vulnerability associated with the illegal intrusion monitoring big data of the cloud application software service by combining the security vulnerability mining network model meeting the AI model deployment condition, extracts the illegal intrusion derived prediction data associated with the illegal intrusion nodes where the illegal intrusion monitoring big data exists, and outputs the derived security vulnerabilities associated with that derived prediction data according to the same security vulnerability mining network model, thereby generating a reference security vulnerability under the cloud application software service by combining the fuzzy security vulnerability and the derived security vulnerability. On that basis the related security protection updating information is issued to carry out the security protection update. Because fuzzy security vulnerability analysis and derived security vulnerability analysis are combined, the precision and directivity of the vulnerability analysis can be improved, and therefore the reliability of the final security protection update is improved.
For example, in some examples, possible design concepts for Process120 may be as follows.
ProcessA11: acquiring the derived intrusion event data of the derived intrusion attack chain between each illegal intrusion entity of the illegal intrusion monitoring big data and the illegal intrusion entity it triggers in a linkage manner.
For example, in some examples, the derived intrusion event data may include information that maps the monitored derived intrusion event to the illegal intrusion entity, such as mapping chain positions, and may also include situation data of the illegal intrusion entity, such as a first designated security protection update timing point, a second designated security protection update timing point, and so on.
ProcessA12: generating the intrusion knowledge graph data of the derived intrusion attack chain according to the derived intrusion event data.
For example, in some examples, the intrusion knowledge graph data may be understood as a knowledge graph organized around the attention intrusion knowledge point data. For example, according to the mapping chain segments corresponding to the first mapping chain position and the second mapping chain position respectively, the first scheduling position at which each illegal intrusion entity is scheduled by the derived intrusion event from the derived intrusion attack chain and the second scheduling position at which the linkage-triggered illegal intrusion entity is scheduled by the derived intrusion event can be generated, so that the position communication value between the second scheduling position and the first mapping chain position is determined from these positions.
For example, the intrusion knowledge graph data in some examples may include, but is not limited to, the indirectly associated knowledge point data of the attention intrusion knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data.
ProcessA13: selecting the derived intrusion events of the derived intrusion attack chain within a set time interval according to the intrusion knowledge graph data, and outputting an intrusion execution track associated with one or more intrusion execution channels and an intrusion overflow track associated with one or more intrusion overflow channels within the set time interval.
ProcessA14: obtaining the intrusion knowledge point data of the intrusion overflow channels, determining any intrusion overflow channel whose intrusion knowledge point data meets the first preset matching requirement for intrusion point association as an intrusion execution channel, and recording that intrusion execution channel to the intrusion execution track.
ProcessA15: generating the illegal intrusion derived prediction data of the derived intrusion attack chain within the set time interval according to the intrusion execution track.
By adopting this technical scheme, the intrusion knowledge graph data of the derived intrusion attack chain is generated according to the derived intrusion event data of the derived intrusion attack chain between each illegal intrusion entity and the illegal intrusion entity it triggers in a linkage manner. The derived intrusion events of the derived intrusion attack chain within the set time interval are then selected according to the intrusion knowledge graph data, and the intrusion execution track associated with one or more intrusion execution channels and the intrusion overflow track associated with one or more intrusion overflow channels within the set time interval are output, so that non-intrusion execution channels cannot influence the determination of the illegal intrusion derived prediction data. Next, each intrusion overflow channel whose intrusion knowledge point data meets the first preset matching requirement for intrusion point association is determined as an intrusion execution channel and recorded to the intrusion execution track, so that the illegal intrusion derived prediction data of the derived intrusion attack chain within the set time interval can be generated according to the intrusion execution track, which improves the reliability of the illegal intrusion derived prediction data.
For example, in some examples, the intrusion knowledge graph data includes the directly associated knowledge point data and the indirectly associated knowledge point data of the attention intrusion knowledge point data. ProcessA13 may specifically select the derived intrusion events of the derived intrusion attack chain within the set time interval according to the directly associated knowledge point data of the attention intrusion knowledge point data, and output the intrusion execution track associated with one or more intrusion execution channels and the intrusion overflow track associated with one or more intrusion overflow channels within the set time interval.
For example, in some examples, before generating the illegal intrusion derived prediction data of the derived intrusion attack chain within the set time interval according to the intrusion execution track, the method further includes: removing, according to the indirectly associated knowledge point data of the attention intrusion knowledge point data, the intrusion execution channels in the intrusion execution track that do not match the second preset matching requirement.
For example, in some examples, the derived intrusion event data of the derived intrusion attack chain includes a first mapping chain position at which the derived intrusion event maps each illegal intrusion entity from the derived intrusion attack chain and a second mapping chain position at which the derived intrusion event maps the linkage-triggered illegal intrusion entity; and the set time interval includes a first set time interval between a first designated security protection update timing point and a second designated security protection update timing point, and a second set time interval between a subsequent first designated security protection update timing point and a subsequent second designated security protection update timing point after the second designated security protection update timing point.
For example, in some examples, generating the intrusion knowledge graph data of the derived intrusion attack chain according to the derived intrusion event data includes:
ProcessA101: generating, according to the mapping chain segments corresponding to the first mapping chain position and the second mapping chain position, the first scheduling position at which the derived intrusion event schedules each illegal intrusion entity from the derived intrusion attack chain and the second scheduling position at which the derived intrusion event schedules the linkage-triggered illegal intrusion entity;
ProcessA102: sorting and collecting the intrusion knowledge point data of all derived intrusion events of the derived intrusion attack chain according to the second scheduling position and the first mapping chain position;
ProcessA103: extracting the intrusion knowledge point data of all derived intrusion events of the derived intrusion attack chain, and obtaining the indirectly associated knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data.
For example, in some examples, the selecting, according to the directly associated knowledge point data of the attention intrusion knowledge point data, of the derived intrusion events of the derived intrusion attack chain within the set time interval, and the outputting of the intrusion execution track associated with one or more intrusion execution channels and the intrusion overflow track associated with one or more intrusion overflow channels within the set time interval, includes:
ProcessA201: sorting and collecting the first target derived intrusion events whose first scheduling position falls within the first set time interval and the second target derived intrusion events whose first scheduling position falls within the second set time interval;
ProcessA202: extracting a first intrusion execution track and a first intrusion overflow track from the first target derived intrusion events according to the comparison information among the first mapping chain position, the first scheduling position, the first designated security protection update timing point, the second designated security protection update timing point, the intrusion knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data;
ProcessA203: extracting a second intrusion execution track and a second intrusion overflow track from the second target derived intrusion events according to the comparison information among the first mapping chain position, the first scheduling position, the subsequent first designated security protection update timing point, the subsequent second designated security protection update timing point, the intrusion knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data.
for example, in some examples, the obtaining, by the processor a14, intrusion knowledge point data of the intrusion overflow path, and then determining, as an intrusion execution path, the intrusion overflow path of the intrusion knowledge point data having an intrusion point association first preset matching requirement, and recording the intrusion execution path to the intrusion execution trajectory includes:
the ProcesssA 301 is used for obtaining intrusion knowledge point data of an intrusion overflow channel in the first intrusion overflow track, then determining the intrusion overflow channel of the intrusion knowledge point data with an intrusion point associated first preset matching requirement as an intrusion execution channel and recording the intrusion execution channel to the first intrusion execution track;
the ProcesssA 302 is used for obtaining intrusion knowledge point data of an intrusion overflow channel in the second intrusion overflow track, then determining the intrusion overflow channel of the intrusion knowledge point data with an intrusion point associated with a first preset matching requirement as an intrusion execution channel and recording the intrusion execution channel to the second intrusion execution track;
the removing of the intrusion execution channel which is not matched with the second preset matching requirement in the intrusion execution track according to the indirectly associated knowledge point data of the attention intrusion knowledge point data comprises the following steps: and removing the intrusion execution channel which is not matched with the second preset matching requirement in the first intrusion execution track according to the indirectly associated knowledge point data of the attention intrusion knowledge point data, and removing the intrusion execution channel which is not matched with the second preset matching requirement in the second intrusion execution track.
Generating illegal intrusion derivation prediction data of the derivation intrusion attack chain in the set time interval according to the intrusion execution trajectory comprises the following steps: and generating illegal intrusion derived prediction data of the derived intrusion attack chain in the first set time interval according to the removed first intrusion execution track, and generating illegal intrusion derived prediction data of the derived intrusion attack chain in the second set time interval according to the removed second intrusion execution track.
For example, in some examples, the extracting of the intrusion knowledge point data of all derived intrusion events of the derived intrusion attack chain, and the obtaining of the indirectly associated knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data, includes: clustering the intrusion knowledge point data of all the derived intrusion events to obtain an intrusion knowledge point data cluster; acquiring the intrusion knowledge point data of a set cluster region in the intrusion knowledge point data cluster, and determining it as the indirectly associated knowledge point data of the attention intrusion knowledge point data; and extracting the intrusion knowledge point data within a preset knowledge point category interval in the intrusion knowledge point data cluster, and determining the intersecting part of the extracted intrusion knowledge point data as the directly associated knowledge point data of the attention intrusion knowledge point data.
For example, in some examples, the generating, according to the mapping chain segments corresponding to the first mapping chain position and the second mapping chain position, of the first scheduling position at which the derived intrusion event schedules each illegal intrusion entity from the derived intrusion attack chain and the second scheduling position at which the derived intrusion event schedules the linkage-triggered illegal intrusion entity includes: when the first mapping chain position is analyzed to correspond to a scheduled mapping chain segment, determining the first mapping chain position as the first scheduling position; when the first mapping chain position is analyzed to correspond to an unscheduled mapping chain segment, determining the first designated security protection update timing point after that unscheduled mapping chain segment as the first scheduling position; when the second mapping chain position is analyzed to correspond to a scheduled mapping chain segment, determining the second mapping chain position as the second scheduling position; and when the second mapping chain position is analyzed to correspond to an unscheduled mapping chain segment, determining the first designated security protection update timing point after that unscheduled mapping chain segment as the second scheduling position.
For example, in some examples, the extracting of the first intrusion execution track and the first intrusion overflow track from the first target derived intrusion events according to the comparison information among the first mapping chain position, the first scheduling position, the first designated security protection update timing point, the second designated security protection update timing point, the intrusion knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data includes: sorting the first target derived intrusion events based on the mapping priority of the first mapping chain position; analyzing whether the first derived intrusion event among the sorted first target derived intrusion events matches the first target intrusion coverage rule; when a match is found, determining all the first target derived intrusion events as non-intrusion execution channels; and when no match is found, performing intrusion tendency analysis on each sorted first target derived intrusion event in turn, and recording the first target derived intrusion event to the first intrusion execution track or the first intrusion overflow track according to the intrusion tendency analysis information.
For example, in some examples, before the performing of intrusion tendency analysis on each sorted first target derived intrusion event in turn and the recording of it to the first intrusion execution track or the first intrusion overflow track according to the intrusion tendency analysis information, the method further includes: presetting the first intrusion tracking termination information as the first characteristic judgment information.
The performing of intrusion tendency analysis on each sorted first target derived intrusion event in turn, and the recording of it to the first intrusion execution track or the first intrusion overflow track according to the intrusion tendency analysis information, includes: when the second scheduling position of the current first target derived intrusion event is analyzed to be prior to the first designated security protection update timing point, determining the current first target derived intrusion event and the subsequent first target derived intrusion events as non-intrusion execution channels; when the position communication value between the first scheduling position and the first mapping chain position of the current first target derived intrusion event is analyzed to be within the first target position communication value and the termination characteristic judgment information of the first intrusion tracking termination information is the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion execution track; when the position communication value between the first scheduling position and the first mapping chain position of the current first target derived intrusion event is analyzed to be within the first target position communication value and the termination characteristic judgment information of the first intrusion tracking termination information is not the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion overflow track; when the first mapping chain position of the current first target derived intrusion event is smaller than the first designated security protection update timing point and the termination characteristic judgment information of the first intrusion tracking termination information is the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion execution track; when the first mapping chain position of the current first target derived intrusion event is smaller than the first designated security protection update timing point and the termination characteristic judgment information of the first intrusion tracking termination information is not the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion overflow track; when the position communication value between the first scheduling position of the current first target derived intrusion event and the first scheduling position of the previous first target derived intrusion event is analyzed to match the second target intrusion coverage rule, determining the current first target derived intrusion event and the subsequent first target derived intrusion events as non-intrusion execution channels; when the position communication value of the current first target derived intrusion event is analyzed to be a null value and the termination characteristic judgment information of the first intrusion tracking termination information is the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion execution track; when the position communication value of the current first target derived intrusion event is analyzed to be a null value and the termination characteristic judgment information of the first intrusion tracking termination information is not the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion overflow track; when the position communication value of the current first target derived intrusion event is not smaller than the first target position communication value of the directly associated knowledge point data of the attention intrusion knowledge point data and the termination characteristic judgment information of the first intrusion tracking termination information is the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion execution track; when the position communication value of the current first target derived intrusion event is not smaller than the first target position communication value of the directly associated knowledge point data of the attention intrusion knowledge point data and the termination characteristic judgment information of the first intrusion tracking termination information is not the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion overflow track; when the position communication value of the current first target derived intrusion event is smaller than the second target position communication value of the directly associated knowledge point data of the attention intrusion knowledge point data, determining the current first target derived intrusion event and the subsequent first target derived intrusion events as non-intrusion execution channels; and when the communication value information between the intrusion knowledge point data of the current first target derived intrusion event and the directly associated knowledge point data of the attention intrusion knowledge point data is analyzed to be between the first target position communication value and the second target position communication value, setting the first intrusion tracking termination information as the second characteristic judgment information, and then recording the current first target derived intrusion event to the first intrusion overflow track.
For example, in some examples, the first target position communication value is greater than the second target position communication value; and/or the first target intrusion coverage rule comprises any one of the following matching rules: the position communication value between the first mapping chain position and the first designated security protection update timing point is greater than a first pre-designated position communication value; or the position communication value between the first mapping chain position and the first designated security protection update timing point is greater than a second pre-designated position communication value, the position communication value between the first scheduling position and the first mapping chain position is less than a third pre-designated position communication value, and that position communication value is less than the first target position communication value of the directly associated knowledge point data of the attention intrusion knowledge point data;
wherein the first pre-designated position communication value is greater than both the second pre-designated position communication value and the third pre-designated position communication value; and/or the second target intrusion coverage rule comprises any one of the following matching rules: the position communication value between the first scheduling position of the current first target derived intrusion event and the first scheduling position of the previous first target derived intrusion event is greater than a fourth pre-designated position communication value, and the first scheduling position is smaller than the second designated security protection update timing point; or the position communication value between the first scheduling position of the current first target derived intrusion event and the first scheduling position of the previous first target derived intrusion event is greater than a fifth pre-designated position communication value, the first scheduling position is smaller than the second designated security protection update timing point, the position communication value between the first scheduling position and the first mapping chain position is smaller than a sixth pre-designated position communication value, and that position communication value is smaller than the first target position communication value of the directly associated knowledge point data of the attention intrusion knowledge point data; wherein the fourth pre-designated position communication value is greater than both the fifth pre-designated position communication value and the sixth pre-designated position communication value.
For example, in some examples, for the foregoing extraction of the illegal intrusion monitoring big data, possible design concepts may be as follows.
ProcessB110: obtaining first illegal intrusion monitoring and tracking data monitored and tracked by a first illegal intrusion monitoring and tracking application, wherein the first illegal intrusion monitoring and tracking data includes the illegal intrusion monitoring and tracking data monitored and tracked by the first illegal intrusion monitoring and tracking application corresponding to a first illegal intrusion monitoring interface cluster.
ProcessB120: analyzing, in an illegal intrusion monitoring and tracking database, second illegal intrusion monitoring and tracking data having intrusion point association with the first illegal intrusion monitoring and tracking data, wherein the second illegal intrusion monitoring and tracking data comprises the illegal intrusion monitoring and tracking data monitored and tracked by a second illegal intrusion monitoring and tracking application corresponding to a second illegal intrusion monitoring interface cluster.
ProcessB130: combining the first illegal intrusion monitoring interface cluster and the second illegal intrusion monitoring interface cluster, adjusting the parameters of the intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster, and outputting a third illegal intrusion monitoring interface cluster.
ProcessB140: performing big data output on the first illegal intrusion monitoring and tracking data in combination with the third illegal intrusion monitoring interface cluster, and outputting the illegal intrusion monitoring big data, wherein the illegal intrusion monitoring big data comprises the illegal intrusion monitoring interface corresponding to each illegal intrusion monitoring node.
By adopting this technical scheme, the embodiment searches the illegal intrusion monitoring and tracking database, according to the acquired first illegal intrusion monitoring and tracking data, for second illegal intrusion monitoring and tracking data having intrusion point association with the first illegal intrusion monitoring and tracking data; combines the first illegal intrusion monitoring interface cluster and the second illegal intrusion monitoring interface cluster to adjust the parameters of the intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and output the third intrusion monitoring interface cluster; and, with the adjusted intrusion monitoring interfaces, performs big data output on the first illegal intrusion monitoring and tracking data. After the illegal intrusion monitoring big data is output, security vulnerability classification is performed on it to obtain the reference security vulnerability associated with the illegal intrusion monitoring big data. Because the parameters of the illegal intrusion monitoring interfaces are adjusted in combination with illegal intrusion monitoring and tracking data of different monitoring and tracking forms, the reliability of illegal intrusion monitoring is improved.
For example, the following description is given with reference to specific examples.
The ProcessC110 obtains first illegal intrusion monitoring and tracking data, wherein the first illegal intrusion monitoring and tracking data comprises a first illegal intrusion monitoring interface cluster, the first illegal intrusion monitoring and tracking data is illegal intrusion monitoring and tracking data which is determined by combining first illegal intrusion monitoring and tracking application based on data monitored and tracked by a first intrusion monitoring channel, the first intrusion monitoring channel comprises a first group of intrusion monitoring nodes, and the first illegal intrusion monitoring interface cluster comprises member intrusion monitoring interfaces of first illegal intrusion monitoring and tracking application on at least two intrusion monitoring nodes which are arbitrarily linked by monitoring in the first group of intrusion monitoring nodes and intrusion guide monitoring interfaces of first illegal intrusion monitoring and tracking application on each intrusion monitoring node in the first group of intrusion monitoring nodes.
ProcessC120 searches an illegal intrusion monitoring and tracking database for second illegal intrusion monitoring and tracking data that is associated with the first illegal intrusion monitoring and tracking data, that is, data that shares intrusion points with it. The second illegal intrusion monitoring and tracking data is determined by a second illegal intrusion monitoring and tracking application from the data monitored and tracked on a second intrusion monitoring channel, where the channel distribution of the second intrusion monitoring channel crosses the channel distribution of the first intrusion monitoring channel. The second intrusion monitoring channel comprises a second group of intrusion monitoring nodes. The second illegal intrusion monitoring and tracking data comprises a second illegal intrusion monitoring interface cluster, which comprises the member intrusion monitoring interfaces of the second illegal intrusion monitoring and tracking application between any two intrusion monitoring nodes of the second group that are in monitoring linkage with each other, and a guide intrusion monitoring interface of the second illegal intrusion monitoring and tracking application on each intrusion monitoring node of the second group.
ProcessC130 combines the first illegal intrusion monitoring interface cluster and the second illegal intrusion monitoring interface cluster, adjusts the parameters of the guide intrusion monitoring interfaces in the first cluster and in the second cluster, and outputs a third intrusion monitoring interface cluster and a fourth intrusion monitoring interface cluster that satisfy target monitoring boundary configuration information.
ProcessC140 performs big data output on a first set of illegal intrusion monitoring and tracking data within the first illegal intrusion monitoring and tracking data, using the third group of guide intrusion monitoring interfaces in the third intrusion monitoring interface cluster. The third intrusion monitoring interface cluster is obtained by adjusting the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster into the third group of guide intrusion monitoring interfaces. The first illegal intrusion monitoring and tracking data is the data monitored and tracked by the first illegal intrusion monitoring and tracking application on the first intrusion monitoring channel; the first group of guide intrusion monitoring interfaces comprises the guide interfaces of the first application on a third group of intrusion monitoring nodes within the first group of intrusion monitoring nodes; and the first set of illegal intrusion monitoring and tracking data comprises the data tracked by the first application on that third group of nodes.
ProcessC140 likewise performs big data output on a second set of illegal intrusion monitoring and tracking data within the second illegal intrusion monitoring and tracking data, using the fourth group of guide intrusion monitoring interfaces in the fourth intrusion monitoring interface cluster, to obtain illegal intrusion monitoring big data. The fourth intrusion monitoring interface cluster is obtained by adjusting the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster into the fourth group of guide intrusion monitoring interfaces. The second illegal intrusion monitoring and tracking data is the data monitored and tracked by the second illegal intrusion monitoring and tracking application on the second intrusion monitoring channel; the second group of guide intrusion monitoring interfaces comprises the guide interfaces of the second application on a fourth group of intrusion monitoring nodes within the second group of intrusion monitoring nodes; and the second set of illegal intrusion monitoring and tracking data comprises the data tracked by the second application on that fourth group of nodes.
The matching second illegal intrusion monitoring and tracking data is found in the illegal intrusion monitoring and tracking database by using the intrusion monitoring channel distribution associated with the first illegal intrusion monitoring and tracking data: the channel distribution associated with the second data is associated with that of the first data. In other words, the search finds illegal intrusion monitoring and tracking data that has a cross section with the first data. The second data is also monitored and tracked by a second illegal intrusion monitoring and tracking application, which may be the same application as the first. The first and second illegal intrusion monitoring and tracking data may therefore be two results obtained by the same application monitoring and tracking the same intrusion monitoring channel twice, or two results obtained by two different application instances on two different intrusion monitoring channels.
That is, the first and second illegal intrusion monitoring and tracking data may be tracked in any of the following ways:
First: illegal intrusion monitoring and tracking application instance 1 mines the first illegal intrusion monitoring and tracking data on intrusion monitoring channel 1, and application instance 2 mines the second illegal intrusion monitoring and tracking data on intrusion monitoring channel 1. That is, different application instances monitor and track the same intrusion monitoring channel.
Second: application instance 1 mines the first illegal intrusion monitoring and tracking data on intrusion monitoring channel 1, and the same application instance 1 mines the second illegal intrusion monitoring and tracking data on intrusion monitoring channel 1. That is, the same application instance mines the same intrusion monitoring channel multiple times.
Third: application instance 1 mines the first illegal intrusion monitoring and tracking data on intrusion monitoring channel 1, and application instance 1 mines the second illegal intrusion monitoring and tracking data on intrusion monitoring channel 2. That is, the same application instance monitors and tracks different intrusion monitoring channels.
For example, the illegal intrusion monitoring and tracking database may contain a plurality of illegal intrusion monitoring and tracking data, each of which may comprise an intrusion monitoring interface cluster and each of which is determined by one illegal intrusion monitoring and tracking application from the data monitored and tracked on one intrusion monitoring channel. The data in the database may have been monitored and tracked a plurality of times by a plurality of illegal intrusion monitoring and tracking applications. Each entry in the database has the same form as the first illegal intrusion monitoring and tracking data and may comprise an intrusion monitoring interface cluster; that is, the data in the database and the first illegal intrusion monitoring and tracking data are data of the same dimension.
For example, in some examples the second illegal intrusion monitoring and tracking data may be determined by the second illegal intrusion monitoring and tracking application from the data monitored and tracked on the second intrusion monitoring channel. Alternatively, the first illegal intrusion monitoring and tracking application may determine illegal intrusion monitoring and tracking data from the data monitored and tracked on the second intrusion monitoring channel, or may determine it by monitoring and tracking the first intrusion monitoring channel again.
The second intrusion monitoring channel may comprise a second group of intrusion monitoring nodes, and the second illegal intrusion monitoring and tracking data may comprise a second illegal intrusion monitoring interface cluster, which comprises the member intrusion monitoring interfaces of the second illegal intrusion monitoring and tracking application between any two intrusion monitoring nodes of the second group that are in monitoring linkage with each other, and the guide intrusion monitoring interfaces of the second application on all intrusion monitoring nodes of the second group. The member intrusion monitoring interface is determined according to the rule configuration information of the illegal intrusion monitoring and tracking rule in the illegal intrusion monitoring and tracking application, and is derived from the root guide intrusion monitoring interface. The second illegal intrusion monitoring interface cluster in the second illegal intrusion monitoring and tracking data, and the first illegal intrusion monitoring interface cluster, are determined in this way.
The guide intrusion monitoring interfaces of the illegal intrusion monitoring and tracking application on the intrusion monitoring nodes of all intrusion monitoring interface groups are then updated using the guide intrusion monitoring interfaces and member intrusion monitoring interfaces of the first illegal intrusion monitoring interface cluster together with those of the second illegal intrusion monitoring interface cluster.
For example, in some examples, adjusting the parameters of the guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and in the second illegal intrusion monitoring interface cluster, and outputting a third intrusion monitoring interface cluster and a fourth intrusion monitoring interface cluster, may be implemented as follows:
ProcessD201 combines the first illegal intrusion monitoring interface cluster and the second illegal intrusion monitoring interface cluster to generate a first intrusion monitoring logic network. The first intrusion monitoring logic network comprises the first group of intrusion monitoring nodes, a first group of intrusion monitoring linkage information, the second group of intrusion monitoring nodes, a second group of intrusion monitoring linkage information and a third group of intrusion monitoring linkage information. The first group of linkage information comprises the intrusion monitoring linkage information between any two intrusion monitoring nodes of the first group that are in monitoring linkage; the second group of linkage information comprises the intrusion monitoring linkage information between any two such nodes of the second group; and the third group of linkage information comprises the intrusion monitoring linkage information between intrusion monitoring nodes of the first group and intrusion monitoring nodes of the second group.
ProcessD202 obtains, for each piece of intrusion monitoring linkage information in the third group, the member intrusion monitoring interface between the two intrusion monitoring nodes that the linkage information connects.
ProcessD203 generates, from those member intrusion monitoring interfaces, a determination of whether redundant intrusion monitoring linkage information exists in the third group of intrusion monitoring linkage information.
ProcessD204 eliminates the redundant intrusion monitoring linkage information from the first intrusion monitoring logic network and outputs a second intrusion monitoring logic network when redundant linkage information exists in the third group.
ProcessD205 uses the second intrusion monitoring logic network to adjust the parameters of the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster, and outputs a third intrusion monitoring interface cluster and a fourth intrusion monitoring interface cluster. The third cluster is obtained by adjusting the first group of guide intrusion monitoring interfaces in the first cluster into a third group of guide intrusion monitoring interfaces, and the fourth cluster is obtained by adjusting the second group of guide intrusion monitoring interfaces in the second cluster into a fourth group of guide intrusion monitoring interfaces.
For example, in some examples the second illegal intrusion monitoring interface cluster may comprise one or more clusters. If it comprises one first intrusion monitoring interface cluster and one second intrusion monitoring interface cluster, that is, two clusters numbered C and I, each cluster comprises the member intrusion monitoring interfaces of the first illegal intrusion monitoring and tracking application between any two intrusion monitoring nodes of its group that are in monitoring linkage, and the guide intrusion monitoring interface of the first application on each node of that group. Suppose cluster C comprises 5 intrusion monitoring nodes and cluster I comprises 6 intrusion monitoring nodes. The first group of intrusion monitoring linkage information then comprises the 4 pieces C12, C23, C34 and C45 of cluster C; the second group comprises the 5 pieces I12, I23, I34, I45 and I56 of cluster I; and the third group comprises the intrusion monitoring linkage information LIN1 to LIN10 between intrusion monitoring nodes of the first group and intrusion monitoring nodes of the second group.
Generating the first intrusion monitoring logic network by combining the first and second illegal intrusion monitoring interface clusters can be understood as configuring the monitoring logic knowledge units from the two clusters.
For example, in some examples the redundant intrusion monitoring linkage information in the first intrusion monitoring logic network must be analyzed. A piece of intrusion monitoring linkage information is redundant when the linkage cost value of the member intrusion monitoring interfaces in each monitoring logic knowledge unit containing it is not 0. Suppose the linkage information Linkage4 lies in monitoring logic knowledge unit 1, formed by Linkage3, Linkage4 and C23, and also in monitoring logic knowledge unit 2, formed by Linkage4, Linkage5 and I23. Whether Linkage4 needs to be removed is determined from the guide interface linkage cost values of the member intrusion monitoring interfaces in the two knowledge units containing Linkage4: the cost value Cost1 of Linkage4 in knowledge unit 1 equals the weighted sum of the member intrusion monitoring interfaces corresponding to Linkage3, Linkage4 and C23, and the cost value Cost2 of Linkage4 in knowledge unit 2 equals the weighted sum of the member intrusion monitoring interfaces corresponding to Linkage4, Linkage5 and I23. Whether Linkage4 is removed is then decided from Cost1 and Cost2; if the sum of Cost1 and Cost2 is less than 0, Linkage4 is removed.
For example, the second illegal intrusion monitoring interface cluster may comprise 2 clusters. If there are one first intrusion monitoring interface cluster and two second intrusion monitoring interface clusters, that is, three clusters numbered C, I and Linkage, each cluster comprises the member intrusion monitoring interfaces of the first illegal intrusion monitoring and tracking application between any two intrusion monitoring nodes of its group that are in monitoring linkage, and the guide intrusion monitoring interface of the first application on each node of that group. Suppose cluster C comprises 5 intrusion monitoring nodes, cluster I comprises 6 intrusion monitoring nodes and cluster Linkage comprises 5 intrusion monitoring nodes. The first group of intrusion monitoring linkage information comprises the 4 pieces C12, C23, C34 and C45 of cluster C; the second group comprises 9 pieces, namely I12, I23, I34, I45 and I56 of cluster I and Linkage12, Linkage23, Linkage34 and Linkage45 of cluster Linkage; and the third group comprises the intrusion monitoring linkage information LIN1 to LIN15 between the intrusion monitoring nodes of the first group, the second group and the third group of intrusion monitoring nodes.
For example, in some examples the redundant intrusion monitoring linkage information in the first intrusion monitoring logic network must be analyzed; a piece of linkage information is redundant when the linkage cost value of the member intrusion monitoring interfaces in each monitoring logic knowledge unit containing it is not 0. Suppose the linkage information LIN5 lies in monitoring logic knowledge unit 1, formed by LIN5, LIN4 and I34; in monitoring logic knowledge unit 2, formed by LIN5, LIN10 and LIN11; in monitoring logic knowledge unit 3, formed by LIN5, LIN9, Linkage23 and LIN11; and in monitoring logic knowledge unit 4, formed by LIN5, LIN6 and C23. Whether LIN5 needs to be removed is determined from the member interface linkage cost values of the 4 monitoring logic knowledge units containing LIN5: the cost value Cost1 of LIN5 in knowledge unit 1 equals the weighted sum of the member intrusion monitoring interfaces corresponding to LIN5, LIN4 and C34; the cost value Cost2 of LIN5 in knowledge unit 2 equals the weighted sum of the member interfaces corresponding to LIN5, LIN10 and LIN11; the cost value Cost3 of LIN5 in knowledge unit 3 equals the weighted sum of the member interfaces corresponding to LIN5, LIN9, Linkage23 and LIN11; and the cost value Cost4 of LIN5 in knowledge unit 4 equals the weighted sum of the member interfaces corresponding to LIN5, LIN6 and C23. Whether LIN5 needs to be removed is decided from Cost1, Cost2, Cost3 and Cost4; if the sum of Cost1, Cost2, Cost3 and Cost4 is less than 0, LIN5 is rejected.
For example, in some examples each piece of intrusion monitoring linkage information is taken as the unit of analysis: all monitoring logic knowledge units containing that linkage information are obtained first. A monitoring logic knowledge unit may be formed by several pieces of linkage information, for instance a grid of 3 pieces or a grid of 4 pieces. Whether the linkage information is removed is then generated from the member intrusion monitoring interfaces corresponding to the linkage information in each knowledge unit of that group of monitoring logic knowledge units.
In this way each piece of intrusion monitoring linkage information in the third group is analyzed for whether it needs to be eliminated; after the analysis, the redundant intrusion monitoring linkage information is eliminated and the second intrusion monitoring logic network is output. The parameters of the guide intrusion monitoring interfaces of the illegal intrusion monitoring and tracking application are then adjusted using the second intrusion monitoring logic network.
In some designs, deciding whether intrusion monitoring linkage information needs to be removed can be understood as monitoring logic knowledge unit verification: the verification removes the linkage information whose constraint cost value is large, that is, the linkage information that does not satisfy the constraint, and outputs the second intrusion monitoring logic network; the second logic network is then used to update, as a whole, the guide intrusion monitoring interfaces of the illegal intrusion monitoring and tracking application in each intrusion monitoring interface cluster.
For example, in some examples, generating whether redundant intrusion monitoring linkage information exists in the third group from the member intrusion monitoring interfaces between the two intrusion monitoring nodes connected by each piece of linkage information in the third group may be implemented as follows: determine the monitoring logic knowledge units formed by each piece of linkage information in the third group together with linkage information from the first group and the second group, obtaining a first group of monitoring logic knowledge units; then, from the member intrusion monitoring interfaces corresponding to the linkage information in each knowledge unit of the first group of monitoring logic knowledge units, generate whether redundant intrusion monitoring linkage information exists in the third group.
Generating this determination from the member intrusion monitoring interfaces of each knowledge unit in the first group of monitoring logic knowledge units may in turn be implemented by performing the following steps for each piece of intrusion monitoring linkage information in the third group, the piece being processed being the current intrusion monitoring linkage information: determine, within the first group of monitoring logic knowledge units, a second group of monitoring logic knowledge units that contain the current linkage information; from the member intrusion monitoring interfaces corresponding to the linkage information in each knowledge unit of the second group of monitoring logic knowledge units, generate redundancy judgment information for the current linkage information; and when the redundancy judgment information of the current linkage information does not satisfy a preset condition, determine the current linkage information to be redundant intrusion monitoring linkage information.
For example, in some examples, adjusting the parameters of the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster using the second intrusion monitoring logic network, and outputting the third and fourth intrusion monitoring interface clusters, may be implemented as follows: adjust the parameters of both groups of guide intrusion monitoring interfaces according to first monitoring boundary configuration information and output the third and fourth clusters, where the first monitoring boundary configuration information is determined from the member intrusion monitoring interfaces corresponding to a fourth group of intrusion monitoring linkage information in the second intrusion monitoring logic network, and the target monitoring boundary configuration information may comprise the first monitoring boundary configuration information.
Adjusting the parameters of the first and second groups of guide intrusion monitoring interfaces according to the first monitoring boundary configuration information, and outputting the third and fourth intrusion monitoring interface clusters, may be implemented as follows: adjust the parameters of the guide intrusion monitoring interfaces in the first and second illegal intrusion monitoring interface clusters so that the interface linkage cost value between the member intrusion monitoring interface obtained for each piece of intrusion monitoring linkage information in the second intrusion monitoring logic network and the member intrusion monitoring interface recalculated for that linkage information is minimized, where the recalculated member intrusion monitoring interface is the member interface determined from the guide intrusion monitoring interfaces on the two intrusion monitoring nodes that the linkage information connects.
For example, in some examples, adjusting the parameters of the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster using the second intrusion monitoring logic network, and outputting the third and fourth intrusion monitoring interface clusters, may alternatively be implemented as follows: adjust the parameters of both groups of guide intrusion monitoring interfaces according to second monitoring boundary configuration information and output the third and fourth clusters. The second monitoring boundary configuration information is determined from the member intrusion monitoring interfaces corresponding to the fourth group of intrusion monitoring linkage information in the second intrusion monitoring logic network together with a first group of trust authentication intrusion monitoring interfaces. The fourth group of linkage information comprises the intrusion monitoring linkage information of the third group other than the redundant linkage information, and each trust authentication intrusion monitoring interface in the first group of trust authentication intrusion monitoring interfaces is the trust authentication interface of one intrusion monitoring node of the first group of intrusion monitoring nodes. The target monitoring boundary configuration information comprises the second monitoring boundary configuration information.
Here, performing parameter adjustment on the first group of guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and the second group of guide intrusion monitoring interfaces in the second illegal intrusion monitoring interface cluster in combination with the second monitoring boundary configuration information, and outputting the third intrusion monitoring interface cluster and the fourth intrusion monitoring interface cluster, may also be implemented as follows: the parameters of the guide intrusion monitoring interfaces in the first illegal intrusion monitoring interface cluster and in the second illegal intrusion monitoring interface cluster are adjusted so that the sum of a first guide interface linkage cost value and a second guide interface linkage cost value converges, where the first guide interface linkage cost value is the interface linkage cost value between the member intrusion monitoring interface obtained from each piece of intrusion monitoring linkage information in the second intrusion monitoring logic network and the member intrusion monitoring interface recalculated from that piece of intrusion monitoring linkage information (the recalculated member intrusion monitoring interface being the one determined from the guide intrusion monitoring interface on the intrusion monitoring node connected by that piece of intrusion monitoring linkage information), and the second guide interface linkage cost value is the interface linkage cost value between each trust authentication intrusion monitoring interface in the first group of trust authentication intrusion monitoring interfaces and the member intrusion monitoring interface on the corresponding intrusion monitoring node.
For example, in some examples, the intrusion monitoring interface tracked in combination with the first intrusion monitoring tracking application may be determined to be a trust authentication intrusion monitoring interface, so that, from this analysis, the first intrusion monitoring tracking application can be determined to correspond to a guide intrusion monitoring interface on the intrusion monitoring node.
Fig. 2 illustrates the hardware structure of the security protection system 100 for implementing the above safety protection updating method adopting AI and big data technology according to an embodiment of the present application. As shown in Fig. 2, the security protection system 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a communication unit 140.
In one possible design, the security protection system 100 may be a single server or a group of servers. The group of servers may be centralized or distributed (for example, the security protection system 100 may be a distributed system). In some embodiments, the security protection system 100 may be local or remote. For example, the security protection system 100 may access information and/or data stored in the machine-readable storage medium 120 via a network. As another example, the security protection system 100 may be directly connected to the machine-readable storage medium 120 to access the stored information and/or data. In some embodiments, the security protection system 100 may be implemented on a cloud platform. By way of example only, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, a multi-tiered cloud, and the like, or any combination thereof.
The machine-readable storage medium 120 may store data and/or instructions. In some embodiments, the machine-readable storage medium 120 may store data obtained from an external terminal. In some embodiments, the machine-readable storage medium 120 may store data and/or instructions that the security protection system 100 uses to carry out the exemplary methods described in this application. In some embodiments, the machine-readable storage medium 120 may include mass storage, removable storage, volatile read-write memory, read-only memory (ROM), and the like, or any combination thereof. For example, mass storage may include magnetic disks, optical disks, solid state disks, and so forth. Exemplary removable storage may include flash drives, floppy disks, optical disks, memory cards, compact disks, magnetic tape, and the like. Exemplary volatile read-write memory may include random access memory (RAM). Exemplary RAM may include dynamic random access memory (DRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), static random access memory (SRAM), thyristor random access memory (T-RAM), and zero-capacitor random access memory (Z-RAM), among others. Exemplary read-only memory may include mask read-only memory (MROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), digital versatile disc read-only memory, and the like. In some embodiments, the machine-readable storage medium 120 may be implemented on a cloud platform. By way of example only, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, a multi-tiered cloud, and the like, or any combination thereof.
In a specific implementation, one or more processors 110 execute the computer-executable instructions stored in the machine-readable storage medium 120, so that the processor 110 can perform the safety protection updating method adopting AI and big data technology of the above method embodiments. The processor 110, the machine-readable storage medium 120, and the communication unit 140 are connected by the bus 130, and the processor 110 may be configured to control the transmitting and receiving actions of the communication unit 140.
For the specific implementation of the processor 110, reference may be made to the above method embodiments executed by the security protection system 100; the implementation principles and technical effects are similar and are not described again here.
In addition, an embodiment of the present application further provides a readable storage medium, where the readable storage medium has computer-executable instructions preset therein, and when a processor executes the computer-executable instructions, the method for updating security protection by using AI and big data technologies as described above is implemented.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the method embodiments may be completed by program instructions controlling the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments. The storage medium may be at least one of the following media capable of storing program code: read-only memory (ROM), RAM, a magnetic disk, or an optical disk.
Each embodiment in the present specification is described in a progressive manner, and the same and similar parts in each embodiment may be referred to each other, and each embodiment is described with emphasis on differences from other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A safety protection updating method adopting AI and big data technology, executed by a safety protection system, the method comprising:
outputting, in combination with a security vulnerability mining network model meeting AI model deployment conditions, fuzzy security vulnerabilities associated with illegal intrusion monitoring big data of a cloud application software service;
retrieving illegal intrusion derived prediction data associated with illegal intrusion nodes existing in the illegal intrusion monitoring big data, and outputting derived security vulnerabilities associated with the illegal intrusion derived prediction data according to the security vulnerability mining network model;
generating a reference security vulnerability under the cloud application software service by combining the fuzzy security vulnerabilities and the derived security vulnerabilities;
and issuing related safety protection updating information to an application server corresponding to the cloud application software service according to the reference security vulnerability under the cloud application software service.
2. The safety protection updating method adopting AI and big data technology according to claim 1, wherein retrieving the illegal intrusion derived prediction data associated with illegal intrusion nodes existing in the illegal intrusion monitoring big data comprises:
acquiring derived intrusion event data of a derived intrusion attack chain between each illegal intrusion entity in the illegal intrusion monitoring big data and the illegal intrusion entity it triggers in linkage;
generating intrusion knowledge graph data of the derived intrusion attack chain according to the derived intrusion event data;
selecting derived intrusion events of the derived intrusion attack chain within a set time interval according to the intrusion knowledge graph data, and outputting an intrusion execution track associated with one or more intrusion execution channels and an intrusion overflow track associated with one or more intrusion overflow channels within the set time interval;
acquiring intrusion knowledge point data of the intrusion overflow channels, determining each intrusion overflow channel whose intrusion knowledge point data meets a first preset matching requirement associated with intrusion points as an intrusion execution channel, and recording it to the intrusion execution track;
and generating illegal intrusion derived prediction data of the derived intrusion attack chain within the set time interval according to the intrusion execution track.
3. The safety protection updating method adopting AI and big data technology according to claim 2, wherein the intrusion knowledge graph data comprises directly associated knowledge point data and indirectly associated knowledge point data of attention intrusion knowledge point data;
selecting derived intrusion events of the derived intrusion attack chain within the set time interval according to the intrusion knowledge graph data, and outputting the intrusion execution track associated with one or more intrusion execution channels and the intrusion overflow track associated with one or more intrusion overflow channels within the set time interval comprises:
selecting derived intrusion events of the derived intrusion attack chain within the set time interval according to the directly associated knowledge point data of the attention intrusion knowledge point data, and outputting the intrusion execution track associated with one or more intrusion execution channels and the intrusion overflow track associated with one or more intrusion overflow channels within the set time interval;
and before generating the illegal intrusion derived prediction data of the derived intrusion attack chain within the set time interval according to the intrusion execution track, the method further comprises:
removing, according to the indirectly associated knowledge point data of the attention intrusion knowledge point data, each intrusion execution channel in the intrusion execution track that does not meet a second preset matching requirement.
4. The safety protection updating method adopting AI and big data technology according to claim 3, wherein the derived intrusion event data of the derived intrusion attack chain comprises a first mapping chain position at which a derived intrusion event maps each illegal intrusion entity from the derived intrusion attack chain and a second mapping chain position at which the derived intrusion event maps the illegal intrusion entity triggered in linkage, and the set time interval comprises a first set time interval between a first designated security protection update timing point and a second designated security protection update timing point, and a second set time interval between a subsequent first designated security protection update timing point following the second designated security protection update timing point and a subsequent second designated security protection update timing point following that subsequent first designated security protection update timing point;
generating the intrusion knowledge graph data of the derived intrusion attack chain according to the derived intrusion event data comprises:
generating a derived intrusion event according to the mapping chain segments corresponding to the first mapping chain position and the second mapping chain position, and determining, from the derived intrusion event, a first scheduling position of each illegal intrusion entity of the derived intrusion attack chain and a second scheduling position of the illegal intrusion entity triggered in linkage;
sorting and collecting, according to the second scheduling position and the first mapping chain position, the intrusion knowledge point data of all derived intrusion events of the derived intrusion attack chain;
extracting the intrusion knowledge point data of all derived intrusion events of the derived intrusion attack chain, and obtaining the indirectly associated knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data;
selecting derived intrusion events of the derived intrusion attack chain within the set time interval according to the directly associated knowledge point data of the attention intrusion knowledge point data, and outputting the intrusion execution track associated with one or more intrusion execution channels and the intrusion overflow track associated with one or more intrusion overflow channels within the set time interval comprises:
sorting and collecting first target derived intrusion events whose first scheduling position falls in the first set time interval and second target derived intrusion events whose first scheduling position falls in the second set time interval;
extracting a first intrusion execution track and a first intrusion overflow track from the first target derived intrusion events according to the comparison information among the first mapping chain position, the first scheduling position, the first designated security protection update timing point, the second designated security protection update timing point, the intrusion knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data;
extracting a second intrusion execution track and a second intrusion overflow track from the second target derived intrusion events according to the comparison information among the first mapping chain position, the first scheduling position, the subsequent first designated security protection update timing point, the subsequent second designated security protection update timing point, the intrusion knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data;
acquiring the intrusion knowledge point data of the intrusion overflow channels, determining each intrusion overflow channel whose intrusion knowledge point data meets the first preset matching requirement associated with intrusion points as an intrusion execution channel and recording it to the intrusion execution track comprises:
acquiring the intrusion knowledge point data of the intrusion overflow channels in the first intrusion overflow track, determining each such channel whose intrusion knowledge point data meets the first preset matching requirement associated with intrusion points as an intrusion execution channel, and recording it to the first intrusion execution track;
acquiring the intrusion knowledge point data of the intrusion overflow channels in the second intrusion overflow track, determining each such channel whose intrusion knowledge point data meets the first preset matching requirement associated with intrusion points as an intrusion execution channel, and recording it to the second intrusion execution track;
removing, according to the indirectly associated knowledge point data of the attention intrusion knowledge point data, each intrusion execution channel in the intrusion execution track that does not meet the second preset matching requirement comprises:
removing, according to the indirectly associated knowledge point data of the attention intrusion knowledge point data, each intrusion execution channel in the first intrusion execution track that does not meet the second preset matching requirement, and removing each intrusion execution channel in the second intrusion execution track that does not meet the second preset matching requirement;
and generating the illegal intrusion derived prediction data of the derived intrusion attack chain within the set time interval according to the intrusion execution track comprises:
generating illegal intrusion derived prediction data of the derived intrusion attack chain within the first set time interval according to the first intrusion execution track after the removal, and generating illegal intrusion derived prediction data of the derived intrusion attack chain within the second set time interval according to the second intrusion execution track after the removal.
5. The safety protection updating method adopting AI and big data technology according to claim 4, wherein extracting the intrusion knowledge point data of all derived intrusion events of the derived intrusion attack chain and obtaining the indirectly associated knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data comprises:
clustering the intrusion knowledge point data of all the derived intrusion events to obtain an intrusion knowledge point data cluster;
acquiring the intrusion knowledge point data of a set cluster region in the intrusion knowledge point data cluster, and determining it as the indirectly associated knowledge point data of the attention intrusion knowledge point data;
and extracting the intrusion knowledge point data within a preset knowledge point category interval of the intrusion knowledge point data cluster, and determining the intersecting part of the extracted intrusion knowledge point data as the directly associated knowledge point data of the attention intrusion knowledge point data.
6. The safety protection updating method adopting AI and big data technology according to claim 4, wherein generating a derived intrusion event according to the mapping chain segments corresponding to the first mapping chain position and the second mapping chain position, and determining, from the derived intrusion event, the first scheduling position of each illegal intrusion entity of the derived intrusion attack chain and the second scheduling position of the illegal intrusion entity triggered in linkage comprises:
when the first mapping chain position is found to correspond to a scheduled mapping chain segment, determining the first mapping chain position as the first scheduling position;
when the first mapping chain position is found to correspond to an unscheduled mapping chain segment, determining the first designated security protection update timing point after the unscheduled mapping chain segment as the first scheduling position;
when the second mapping chain position is found to correspond to a scheduled mapping chain segment, determining the second mapping chain position as the second scheduling position;
and when the second mapping chain position is found to correspond to an unscheduled mapping chain segment, determining the first designated security protection update timing point after the unscheduled mapping chain segment as the second scheduling position.
7. The safety protection updating method adopting AI and big data technology according to claim 4, wherein extracting the first intrusion execution track and the first intrusion overflow track from the first target derived intrusion events according to the comparison information among the first mapping chain position, the first scheduling position, the first designated security protection update timing point, the second designated security protection update timing point, the intrusion knowledge point data and the directly associated knowledge point data of the attention intrusion knowledge point data comprises:
sorting the first target derived intrusion events by the mapping priority of the first mapping chain position;
analyzing whether the first derived intrusion event among the sorted first target derived intrusion events matches a first target intrusion coverage rule;
when a match is found, determining all the first target derived intrusion events as non-intrusion execution channels;
and when no match is found, performing intrusion tendency analysis on each of the sorted first target derived intrusion events, and recording each first target derived intrusion event to the first intrusion execution track or the first intrusion overflow track according to the intrusion tendency analysis information.
8. The safety protection updating method adopting AI and big data technology according to claim 7, wherein before performing intrusion tendency analysis on each of the sorted first target derived intrusion events and recording each first target derived intrusion event to the first intrusion execution track or the first intrusion overflow track according to the intrusion tendency analysis information, the method further comprises:
presetting first intrusion tracking termination information as first characteristic judgment information;
and performing intrusion tendency analysis on each of the sorted first target derived intrusion events and recording each first target derived intrusion event to the first intrusion execution track or the first intrusion overflow track according to the intrusion tendency analysis information comprises:
when the second scheduling position of the current first target derived intrusion event is found to precede the first designated security protection update timing point, determining the current first target derived intrusion event and the subsequent first target derived intrusion events as non-intrusion execution channels;
when the position connectivity value between the first scheduling position and the first mapping chain position of the current first target derived intrusion event is found to be within a first target position connectivity value and the termination characteristic judgment information of the first intrusion tracking termination information is the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion execution track;
when the position connectivity value between the first scheduling position and the first mapping chain position of the current first target derived intrusion event is found to be within the first target position connectivity value and the termination characteristic judgment information of the first intrusion tracking termination information is not the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion overflow track;
when the first mapping chain position of the current first target derived intrusion event is smaller than the first designated security protection update timing point and the termination characteristic judgment information of the first intrusion tracking termination information is the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion execution track;
when the first mapping chain position of the current first target derived intrusion event is smaller than the first designated security protection update timing point and the termination characteristic judgment information of the first intrusion tracking termination information is not the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion overflow track;
when the position connectivity value between the first scheduling position of the current first target derived intrusion event and the first scheduling position of the previous first target derived intrusion event is found to match a second target intrusion coverage rule, determining the current first target derived intrusion event and the subsequent first target derived intrusion events as non-intrusion execution channels;
when the position connectivity value of the current first target derived intrusion event is found to be a null value and the termination characteristic judgment information of the first intrusion tracking termination information is the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion execution track;
when the position connectivity value of the current first target derived intrusion event is found to be a null value and the termination characteristic judgment information of the first intrusion tracking termination information is not the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion overflow track;
when the position connectivity value of the current first target derived intrusion event is not smaller than the first target position connectivity value of the directly associated knowledge point data of the attention intrusion knowledge point data and the termination characteristic judgment information of the first intrusion tracking termination information is the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion execution track;
when the position connectivity value of the current first target derived intrusion event is not smaller than the first target position connectivity value of the directly associated knowledge point data of the attention intrusion knowledge point data and the termination characteristic judgment information of the first intrusion tracking termination information is not the first characteristic judgment information, recording the current first target derived intrusion event to the first intrusion overflow track;
when the position connectivity value of the current first target derived intrusion event is smaller than a second target position connectivity value of the directly associated knowledge point data of the attention intrusion knowledge point data, determining the current first target derived intrusion event and the subsequent first target derived intrusion events as non-intrusion execution channels;
and when the connectivity value between the intrusion knowledge point data of the current first target derived intrusion event and the directly associated knowledge point data of the attention intrusion knowledge point data is found to lie between the first target position connectivity value and the second target position connectivity value, setting the first intrusion tracking termination information to second characteristic judgment information and then recording the current first target derived intrusion event to the first intrusion overflow track.
9. The safety protection updating method adopting AI and big data technology according to claim 8, wherein the first target position connectivity value is greater than the second target position connectivity value;
and/or the first target intrusion coverage rule comprises any one of the following matching rules:
the position connectivity value between the first mapping chain position and the first designated security protection update timing point is greater than a first pre-designated position connectivity value;
the position connectivity value between the first mapping chain position and the first designated security protection update timing point is greater than a second pre-designated position connectivity value, the position connectivity value between the first scheduling position and the first mapping chain position is smaller than a third pre-designated position connectivity value, and that position connectivity value is smaller than the first target position connectivity value of the directly associated knowledge point data of the attention intrusion knowledge point data;
wherein the first pre-designated position connectivity value is greater than the second pre-designated position connectivity value and the third pre-designated position connectivity value;
and/or the second target intrusion coverage rule comprises any one of the following matching rules:
the position connectivity value between the first scheduling position of the current first target derived intrusion event and the first scheduling position of the previous first target derived intrusion event is greater than a fourth pre-designated position connectivity value, and the first scheduling position is smaller than the second designated security protection update timing point;
the position connectivity value between the first scheduling position of the current first target derived intrusion event and the first scheduling position of the previous first target derived intrusion event is greater than a fifth pre-designated position connectivity value, the first scheduling position is smaller than the second designated security protection update timing point, the position connectivity value between the first scheduling position and the first mapping chain position is smaller than a sixth pre-designated position connectivity value, and that position connectivity value is smaller than the first target position connectivity value of the directly associated knowledge point data of the attention intrusion knowledge point data;
wherein the fourth pre-designated position connectivity value is greater than the fifth pre-designated position connectivity value and the sixth pre-designated position connectivity value.
10. A security protection system comprising a processor and a machine-readable storage medium, wherein the machine-readable storage medium stores a computer program, the computer program being loaded and executed by the processor to implement the security protection updating method using AI and big data technology according to any one of claims 1 to 9.
CN202210381504.7A 2022-04-13 2022-04-13 Safety protection updating method and safety protection system adopting AI and big data technology Withdrawn CN114640539A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210381504.7A CN114640539A (en) 2022-04-13 2022-04-13 Safety protection updating method and safety protection system adopting AI and big data technology

Publications (1)

Publication Number Publication Date
CN114640539A true CN114640539A (en) 2022-06-17

Family

ID=81950859

Country Status (1)

Country Link
CN (1) CN114640539A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114861172A (en) * 2022-07-11 2022-08-05 广州平云信息科技有限公司 Data processing method and system based on government affair service system
CN114861172B (en) * 2022-07-11 2022-09-16 广州平云信息科技有限公司 Data processing method and system based on government affair service system

Similar Documents

Publication Publication Date Title
CN111565205B (en) Network attack identification method and device, computer equipment and storage medium
JP4988724B2 (en) Data storage access control method
CN105812177A (en) Network fault processing method and processing apparatus
CN114531298B (en) Threat vulnerability prediction method based on AI and big data analysis and cloud AI system
CN113688382B (en) Attack intention mining method based on information security and artificial intelligence analysis system
CN114640539A (en) Safety protection updating method and safety protection system adopting AI and big data technology
Verma et al. Introduction of formal methods in blockchain consensus mechanism and its associated protocols
CN114692169A (en) Page vulnerability processing method applying big data and AI analysis and page service system
CN111312406A (en) Epidemic situation label data processing method and system
US11115455B2 (en) Technique for monitoring activity in a content delivery network utilizing geohashing indexes
US20210406346A1 (en) Determining optimal machine learning models
CN113688383A (en) Attack defense testing method based on artificial intelligence and artificial intelligence analysis system
Tajgardan et al. Software systems clustering using estimation of distribution approach
CN114238885A (en) User abnormal login behavior identification method and device, computer equipment and storage medium
CN110166422A (en) Domain name Activity recognition method, apparatus, readable storage medium storing program for executing and computer equipment
US20230164162A1 (en) Valuable alert screening method efficiently detecting malicious threat
CN116070193A (en) Authority auditing method, system and storage medium for operation and maintenance personnel
CN115086002A (en) Network security protection method and system
US11243833B2 (en) Performance event troubleshooting system
CN103942403A (en) Method and device for screening mass variables
Hooda et al. An improved intrusion detection system based on kdd dataset using feature ranking and data sampling
CN113657536A (en) Object classification method and device based on artificial intelligence
CN114745143A (en) Method and device for automatically generating access control strategy
Zhou et al. A user behavior anomaly detection approach based on sequence mining over data streams
CN114553726B (en) Network security operation and maintenance method and system based on functions and resource levels

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220617