CN114844667B - Intelligent security analysis management decision system and method based on network equipment - Google Patents


Info

Publication number
CN114844667B
Authority
CN
China
Legal status
Active
Application number
CN202210261857.3A
Other languages
Chinese (zh)
Other versions
CN114844667A (en)
Inventor
汤智林
崔巍
宋昊
刘滨
Current Assignee
Fano Information Industry Co ltd
Original Assignee
Fano Information Industry Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a method and a system for intelligent security analysis and management decision based on network equipment, addressing network security attacks or network security system configuration faults that may occur while the cloud system of the network equipment is running.

Description

Intelligent security analysis management decision system and method based on network equipment
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a management decision system based on intelligent security analysis of network equipment and a management method thereof.
Background
The development of the internet has not only brought the convenience of data transmission to the information society, but has also brought various types of network security problems.
Generally, network security refers to the technology that protects computers, servers, mobile devices, electronic systems, networks and data from malicious attacks; it is also referred to as information technology security or electronic information security. Network security generally refers to the security of computer networks, but may also refer to the security of computer communication networks. A computer communication network is a system that interconnects a plurality of computers with independent functions through communication equipment and transmission media and, with the support of communication software, realizes information transmission and exchange among those computers. A computer network is a system that connects a plurality of independent, geographically dispersed computer systems, terminals and data devices by communication means for the purpose of sharing resources, and that performs data exchange under the control of a protocol. The fundamental purpose of a computer network is resource sharing, and the communication network is the means by which that sharing is implemented; therefore, for a computer network to be secure, the corresponding computer communication network must also be secure, so that information exchange and resource sharing can be provided to network users. The term applies to a variety of environments, from business to mobile computing, and can be divided into several general categories. The most common meaning of network security is the technology that protects a computer network from both targeted and opportunistic malware attacks by intruders. Application security focuses on protecting software and devices from threats: a compromised application may expose the very data it is meant to protect. Whether an application can be secured successfully is largely decided early in the design phase, not just before the program or device is deployed.
Information security is designed to protect the integrity and privacy of data during storage and transmission. Operational security includes the processes and decisions for handling and protecting data assets; the rights a user has when accessing the network, and the procedures that determine when and where data may be stored or shared, both fall under this umbrella. Disaster recovery and business continuity define how an organization deals with network security events or any other event that results in a loss of operations or data. Disaster recovery policies dictate how an organization recovers its operations and information to restore the operational capability it had before the event. Business continuity refers to the plan on which an organization relies when attempting to operate without certain resources.
Network security usually covers hardware security and software security at the same time, so maintenance must be performed on both: hardware must be assembled from suitable products and tested and checked regularly, and software must be disinfected, maintained and upgraded. On the internet, the most important link is the sharing of resource information, and that sharing depends on network security; because the devices, data and computer systems are interconnected and exchange data under the control of a protocol, information is fed back across the network. Network security is therefore also the security of communication and of information.
The most effective approach to network security is to perform network security defense on the basis of network security situation analysis.
Network security defense, or network security protection, generally has several basic aspects which, if properly combined, can effectively stop attacks on an enterprise's data, networks and users. Firewall: this cornerstone of network defense for more than a decade is still highly desirable today for robust basic security. Without a firewall to screen unwanted traffic, the effort an enterprise must spend to protect its own network assets multiplies. The firewall must be deployed on the outer boundary of the enterprise, but it may also sit inside the enterprise network to protect the data of individual network segments. Deploying firewalls inside the enterprise is a relatively new but good practice; it arises mainly because any tangible, reliable network boundary that can separate trusted traffic from unwanted traffic is disappearing, and the old notion of a clear internet border no longer exists in modern networks. The latest change is that firewalls are becoming more intelligent and more granular, and can be defined per data flow. Today it is common for firewalls to control data flow based on the type of application, and even on particular functions of the application; for example, a firewall may screen a SIP voice call based on the incoming number. Security router: routers are found almost everywhere in most networks. Conventionally they have been used only as traffic police for monitoring traffic, but modern routers can do much more. A router has a complete set of security functions, sometimes even more complete than those of a firewall: most routers today have robust firewall functionality, some useful IDS/IPS functionality, robust QoS and traffic management tools, and certainly strong VPN data encryption, and the list could be extended considerably. Modern routers are fully capable of adding security to a network.
With modern VPN technology it is relatively simple to encrypt all data streams on an enterprise WAN without adding personnel. Some may also take full advantage of atypical router uses such as firewall functionality and IPS functionality; once these functions are enabled on the router, the security situation improves considerably. Wireless WPA2: if WPA2 wireless security has not yet been adopted, start using WPA2 with AES encryption, which improves network security well. Email security: mail is the most vulnerable object. Viruses, malware and worms all prefer mail as their propagation channel, and mail is also the channel through which sensitive data is most likely to leak. Web security: in view of the increasing sophistication of Web-based attacks, enterprises must deploy a robust Web security solution. Simple URL filtering has been used for many years and remains a core item of Web security, but Web security is far more than URL filtering; it also requires functions such as AV scanning, malware scanning, IP reputation recognition, dynamic URL classification and data leakage prevention. Attackers are compromising a large number of well-known web sites at an alarming rate, and if filtering relied solely on URL black and white lists, only white-listed URLs would remain accessible. Any Web security solution must therefore be able to dynamically scan Web traffic.
Existing defenses against network security attacks usually follow the security protection rules in the traditional sense; network security management and defense are not decided comprehensively at the system level by adapting to the characteristics of the network equipment, the event characteristics of the network security events and the protection layer involved, so that network security protection stays fully occupied with, and over-focused on, local and transient data protection.
The invention provides a method and a system for intelligent security analysis and management decision based on network equipment, addressing network security attacks or network security system configuration faults that may occur while the cloud system of the network equipment is running.
Disclosure of Invention
The invention aims to provide a network equipment-based intelligent security analysis management decision system and method that are superior to those of the prior art.
In order to achieve the purpose, the technical scheme of the invention is as follows:
a network device based intelligent security analysis management decision making system, the system comprising:
each network device runs in a cloud computing network, processes a network data processing request provided by a client and returns a data processing result;
the network equipment is also used for sending a security event message to a security event normalizer of the intelligent security analysis management decision system based on the network equipment when encountering a network security event;
the security event message is used for recording the acquisition record information when the network equipment encounters a network security event;
the security event message is used for recording acquisition record information of the network device when encountering a network security event, and specifically includes: when a network device A encounters a network security event, the security event message at least records a network device ID, a first parameter set of the security event, a security event occurrence level and an association level of the network device;
the security event normalizer is used for performing event-based message normalization processing on a security event message sent by the network equipment, and at least disassembling the security event message into a network equipment ID field, a security event first parameter set field, and a security event occurrence level and association level field of the network equipment;
the security event normalizer is also used for packaging the network equipment ID field of the network equipment into first event decision data and sending the first event decision data to a device confidence module; packaging the first parameter set field of the security event into second event decision data, and sending the second event decision data to a policy collection module; packaging the security event occurrence level and the association level into third event decision data, and sending the third event decision data to a processing level module;
the device confidence module is used for receiving the first event decision data, analyzing the network equipment ID of the network equipment, searching a network equipment security event confidence table based on the network equipment ID, determining a network equipment security event confidence value and sending the network equipment security event confidence value to the intelligent management decision module;
the policy collection module is used for receiving and analyzing the second event decision data, determining a corresponding security policy collection set based on the first parameter set field of the security event, and sending the corresponding security policy collection set to the intelligent management decision module;
the processing level module is used for receiving the third event decision data, analyzing the occurrence level and the association level of the security event in the third event decision data, determining the corresponding security event processing operation level authority requirement based on the occurrence level and the association level of the security event, and sending the determined corresponding security event processing operation level authority requirement to the intelligent management decision module;
wherein the corresponding security event processing operation level authority requirement is at least higher than or equal to the associated level of the security event;
the intelligent management decision module receives the network equipment security event confidence value, the security policy collection and the corresponding security event processing operation level authority requirement, and determines whether to execute the security event intelligent management decision based on the comparison of the security event confidence value and the confidence threshold value;
wherein, the determining whether to execute the security event intelligent management decision based on the comparison of the security event confidence value and the confidence threshold value specifically comprises:
when the security event confidence value is greater than the confidence threshold, the security event intelligent management decision is executed directly; when the security event confidence value is smaller than the confidence threshold, a random algorithm is used with the security event confidence value K1 as the probability: a random number is drawn from the range [0,1], and if it falls within the range [0, K1] the security event intelligent management decision is executed, otherwise it is not executed and the security event is confirmed to be a false alarm;
the security event intelligent management decision comprises at least: opening the processing operation level authority required by the security event processing operation level authority requirement to a security event processing object, processing the security event with the corresponding security policy based on the security policy set, and recording the security event to a database.
Preferably, the network device may be a cloud computing edge server, a router, a gateway, or a service host.
Preferably, the network security event comprises at least one of the following events: network attack event, non-attack network fault event and network information security level change event.
Preferably, the network device security event confidence table is preset by the network device-based intelligent security analysis management decision-making system, and the network device security event confidence table at least includes network device ID information and network device security event confidence values in one-to-one correspondence with the network device ID information, and the network device security event confidence value is calculated based on the historical security event confidence degree of the network device stored in the system database.
Preferably, the historical security event confidence of the network device stored in the system database is equal to the false alarm probability of the historical security events of the network device, and is updated and changes dynamically as the network device keeps reporting security events.
Meanwhile, the application also claims a network device-based intelligent security analysis and management method, which comprises the following steps:
step one: operate each network device of the plurality of network devices to run in the cloud computing network, process a network data processing request provided by a client, and return a data processing result;
the network equipment is also used for sending a security event message to a security event normalizer of the intelligent security analysis management decision system based on the network equipment when encountering a network security event;
the security event message is used for recording the acquisition record information when the network equipment encounters a network security event;
the security event message is used for recording acquisition record information of the network device when encountering a network security event, and specifically includes: when a network device A encounters a network security event, the security event message at least records a network device ID, a first parameter set of the security event, a security event occurrence level and an association level of the network device;
step two: operate the security event normalizer to perform event-based message normalization processing on the security event message sent by the network equipment, and at least disassemble the security event message into a network equipment ID field, a security event first parameter set field, and a security event occurrence level and association level field of the network equipment;
the security event normalizer is also used for packaging the network equipment ID field of the network equipment into first event decision data and sending the first event decision data to the device confidence module; packaging the first parameter set field of the security event into second event decision data, and sending the second event decision data to a policy collection module; packaging the security event occurrence level and the association level into third event decision data, and sending the third event decision data to a processing level module;
step three: operate the device confidence module to receive the first event decision data, analyze the network equipment ID of the network equipment, search a network equipment security event confidence table based on the network equipment ID, determine a network equipment security event confidence value and send the network equipment security event confidence value to the intelligent management decision module;
step four: operate the policy collection module to receive and analyze the second event decision data, determine a corresponding security policy collection based on the first parameter set field of the security event, and send the corresponding security policy collection to the intelligent management decision module;
step five: operate the processing level module to receive the third event decision data, analyze the security event occurrence level and the association level in the third event decision data, determine the corresponding security event processing operation level authority requirement based on the security event occurrence level and the association level, and send the determined corresponding security event processing operation level authority requirement to the intelligent management decision module;
wherein the corresponding security event processing operation level authority requirement is at least higher than or equal to the associated level of the security event;
step six: operate the intelligent management decision module to receive the network equipment security event confidence value, the security policy collection and the corresponding security event processing operation level authority requirement, and determine whether to execute a security event intelligent management decision based on the comparison of the security event confidence value and a confidence threshold value;
the determining whether to execute the security event intelligent management decision based on the comparison between the security event confidence value and the confidence threshold value specifically includes:
when the security event confidence value is greater than the confidence threshold, the security event intelligent management decision is executed directly; when the security event confidence value is smaller than the confidence threshold, a random algorithm is used with the security event confidence value K1 as the probability: a random number is drawn from the range [0,1], and if it falls within the range [0, K1] the security event intelligent management decision is executed, otherwise it is not executed and the security event is confirmed to be a false alarm;
the security event intelligent management decision comprises at least: opening the processing operation level authority required by the security event processing operation level authority requirement to a security event processing object, processing the security event with the corresponding security policy based on the security policy set, and recording the security event to a database.
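To make the system claim and the six method steps above concrete, here is an added Python example (not code from the patent or its assignee) that chains the security event normalizer, device confidence module, policy collection module, processing level module and the intelligent management decision, including the confidence-threshold rule with its random fallback. The "key=value;" wire format of the message, the contents of the lookup tables, and the choice that the required authority level is the higher of the two levels are assumptions of this example.

```python
import random
from dataclasses import dataclass
from typing import Optional

# Constructed sample security event message as a network device would send it.
# The field set (device ID, first parameter set, occurrence level, association level)
# follows the patent; the "key=value;" wire format is an assumption of this example.
SAMPLE_MESSAGE = (
    "device_id=edge-srv-17;"
    "params=proto_flow:TCP/HTTP,fault_range:2,new_fault_index:1;"
    "occurrence_level=1;association_level=2"
)

# Constructed preset tables (the patent says the confidence table is preset by the system).
CONFIDENCE_TABLE = {"edge-srv-17": 0.62, "gw-03": 0.91}
CONFIDENCE_THRESHOLD = 0.75
# Policy sets keyed by the protocol flow type from the first parameter set (assumption).
POLICY_TABLE = {
    "TCP/HTTP": ["rate-limit-http", "block-source", "log-to-db"],
    "UDP/DNS": ["drop-dns-flood", "log-to-db"],
}


@dataclass
class SecurityEvent:
    device_id: str
    params: dict
    occurrence_level: int
    association_level: int


def normalize(raw: str) -> SecurityEvent:
    """Security event normalizer: disassemble the message into its four fields."""
    fields = dict(item.split("=", 1) for item in raw.split(";") if item)
    params = {}
    for pair in fields["params"].split(","):
        key, value = pair.split(":", 1)
        params[key] = value
    return SecurityEvent(
        device_id=fields["device_id"],
        params=params,
        occurrence_level=int(fields["occurrence_level"]),
        association_level=int(fields["association_level"]),
    )


def device_confidence(device_id: str) -> float:
    """Device confidence module: look up the device's security event confidence value.
    An unknown device gets 0.0 (assumption), so it is practically always a false alarm."""
    return CONFIDENCE_TABLE.get(device_id, 0.0)


def policy_set(params: dict) -> list:
    """Policy collection module: choose the security policy set from the first parameter set."""
    return POLICY_TABLE.get(params.get("proto_flow"), ["log-to-db"])


def required_authority(occurrence_level: int, association_level: int) -> int:
    """Processing level module. The patent only requires the operation authority level to be
    >= the association level; taking the higher of both levels is this example's choice."""
    return max(occurrence_level, association_level)


def should_execute(confidence: float, threshold: float, draw: float) -> bool:
    """Intelligent management decision rule from the patent:
    confidence > threshold -> execute directly; otherwise use K1 = confidence as a
    probability: execute iff a uniform draw from [0, 1] falls in [0, K1], else false alarm.
    (The equal-to-threshold case is not specified on the page; it takes the random path here.)"""
    if confidence > threshold:
        return True
    return draw <= confidence


def handle_event(raw: str, draw: Optional[float] = None) -> dict:
    """Run one message through all modules and return the decision record."""
    event = normalize(raw)
    confidence = device_confidence(event.device_id)
    if draw is None:
        draw = random.random()  # the random algorithm's draw from [0, 1]
    if not should_execute(confidence, CONFIDENCE_THRESHOLD, draw):
        return {"device_id": event.device_id, "action": "false_alarm",
                "granted_authority": None, "policies": [], "recorded": False}
    # The decision: open the required authority level to the handler, apply the
    # policy set and record the event to the database (represented by the returned record).
    return {"device_id": event.device_id, "action": "execute",
            "granted_authority": required_authority(event.occurrence_level, event.association_level),
            "policies": policy_set(event.params), "recorded": True}


if __name__ == "__main__":
    print(handle_event(SAMPLE_MESSAGE, draw=0.5))  # 0.5 <= 0.62: executed via the random path
    print(handle_event(SAMPLE_MESSAGE, draw=0.9))  # 0.9 > 0.62: confirmed as a false alarm
```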
Preferably, the network device may be a cloud computing edge server, a router, a gateway, or a service host.
Preferably, the network security event comprises at least one of the following events: network attack event, non-attack network fault event and network information security level change event.
Preferably, the network device security event confidence table is preset by the network device-based intelligent security analysis management decision system, and the network device security event confidence table at least includes network device ID information and network device security event confidence values in one-to-one correspondence with the network device ID information, and the network device security event confidence value is calculated based on the historical security event confidence of the network device stored in the system database.
Preferably, the historical security event confidence of the network device stored in the system database is equal to the false alarm probability of the historical security events of the network device, and is updated and changes dynamically as the network device keeps reporting security events.
The invention provides a method and a system for intelligent security analysis and management decision based on network equipment, addressing network security attacks or network security system configuration faults that may occur while the cloud system of the network equipment is running.
Drawings
FIG. 1 is a diagram of a basic system architecture of a network device based intelligent security analysis management decision making system according to the present invention;
FIG. 2 is a diagram of a basic system architecture of a security event normalizer in a network device based intelligent security analysis management decision system according to the present invention;
FIG. 3 is a diagram of a basic system architecture of the interconnection of the security event normalizer, the device confidence module, the policy collection module and the processing level module in the intelligent security analysis management decision system based on network devices according to the present invention;
FIG. 4 is a flowchart illustrating a method for intelligent security analysis management based on network devices according to a preferred embodiment of the present invention;
FIG. 5 is a schematic diagram of a preferred embodiment of the present invention, illustrating the steps of performing the intelligent management decision of a security event in the intelligent security analysis management method based on network devices.
Detailed Description
The following describes several embodiments and benefits of a network device based intelligent security analysis management decision system as claimed herein to facilitate a more detailed review and decomposition of the present invention.
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
It should be understood that although the terms first, second, etc. may be used to describe the methods and corresponding apparatuses in the embodiments of the present invention, these items should not be limited by those terms. The terms are only used to distinguish items from each other. For example, a first parameter set or first event decision data may also be referred to as a second parameter set or second event decision data, and similarly a second parameter set or second event decision data may also be referred to as a first parameter set or first event decision data, without departing from the scope of the embodiments of the present invention.
The word "if" as used herein may be interpreted as "at the time of …" or "when …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrase "if determined" or "if detected (a stated condition or event)" may be interpreted as "upon determining" or "in response to determining" or "upon detecting (a stated condition or event)" or "in response to detecting (a stated condition or event)", depending on the context.
As shown in FIGS. 1-3 of the specification, which illustrate one embodiment of the intelligent security analysis management decision system based on network devices claimed by the present invention and the specific relationships between its modules, the system includes:
each network device runs in a cloud computing network, processes a network data processing request provided by a client and returns a data processing result;
the network equipment is also used for sending a security event message to a security event normalizer of the intelligent security analysis management decision system based on the network equipment when encountering a network security event;
the security event message is used for recording the acquisition record information when the network equipment encounters a network security event;
the security event message is used for recording acquisition record information of the network device when encountering a network security event, and specifically includes: when a network device A encounters a network security event, the security event message at least records a network device ID, a first parameter set of the security event, a security event occurrence level and an association level of the network device;
As a stackable preferred embodiment, the security event message records the information collected when the network device encounters a network security event. Specifically, when a network device A encounters a network security event, the security event message records at least the network device ID of device A, a first parameter set of the security event, and the occurrence level and association level of the security event. The network device ID distinguishes and identifies the network device among all network devices. The first parameter set of the security event comprises at least a security event data packet protocol flow table, a security fault range and a new security fault indicator: the data packet protocol flow table records and summarizes the types of data packet protocol clusters in which transmission errors occurred; the security fault range determines the concurrency range of the security fault, that is, how far the same fault has spread; and the new security fault indicator determines whether the current security fault is a new fault within a specific period.
As another stackable preferred embodiment, the security fault range (the concurrency range of the security fault) is obtained as follows. When network device A fails, it sends a fault detection message to the directly connected or upstream and downstream network devices of the same type, to detect whether the same type of fault has occurred on them. If a directly connected or upstream and downstream device of the same type shows the same fault, the fault detection message is sent on one hop further, to that device's own directly connected or upstream and downstream devices of the same type, again to detect whether the same fault has occurred there; this continues until no fault is found at the next hop or the fault detection message has been sent three times, at which point sending stops. The value of the security fault range is the number of times the fault detection message was sent; if the message was sent three times and thus reached the upper limit, the security fault range equals 3. The new security fault indicator records whether the fault on a specific network device is the first such fault within a specific maintenance period, for example 3 days; from it the fault occurrence rate of the network device is determined, and from the fault occurrence rate a repair probability, which is directly proportional to the new security fault indicator. If the network device's fault is new within the period, the new security fault indicator is 1; if the fault is not new and has already occurred K times within the period, the new security fault indicator is K + 1.
As another stackable preferred embodiment, the security event occurrence level and association level characterize the layer at which the security event occurred and the layer associated with it. The occurrence level records that the fault of the security event comes from one of three layers of the cloud computing system: the delivery layer, that is, the underlying client layer; the edge connection layer, that is, the network device layer from the underlying clients (excluded) up to the cloud edge devices; or the cloud center layer, that is, the central computing layer from the cloud computing center of the network-device-based intelligent security analysis management decision system down to each cloud edge device (excluded). The layer immediately above the occurrence layer, if there is one, is recorded as the association layer of the security event in the occurrence level and association level fields of the security event message.
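The security event message described in the three embodiments above, assembled as an added Python example (this is not the patent's own code). The device IDs, the chain topology, the flow-table contents, the timestamps and the 3-day maintenance period are constructed assumptions; the layer names are the three layers named above.

```python
# Added example (not the patent's own code): building the security event message
# described above. Device IDs, topology, flow-table contents, timestamps and the
# 3-day maintenance period are illustrative assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# The three layers of the cloud computing system, ordered bottom to top.
LAYERS = ["delivery", "edge_connection", "cloud_center"]


def association_layer(occurrence_layer: str) -> Optional[str]:
    """The layer immediately above the occurrence layer, or None at the top layer."""
    i = LAYERS.index(occurrence_layer)
    return LAYERS[i + 1] if i + 1 < len(LAYERS) else None


def security_fault_range(origin: str, neighbours: Dict[str, List[str]],
                         faulty: Set[str], limit: int = 3) -> int:
    """Number of times the fault detection message was sent.

    The message goes one hop at a time to the directly connected / upstream and
    downstream devices of the same type (``neighbours``). Propagation continues
    only from devices that show the same fault (``faulty``) and stops when a hop
    finds no faulty device or ``limit`` messages have been sent.
    """
    sent = 0
    frontier = [origin]
    visited = {origin}
    while frontier and sent < limit:
        next_hop = []
        for dev in frontier:
            for peer in neighbours.get(dev, []):
                if peer not in visited:
                    visited.add(peer)
                    next_hop.append(peer)
        if not next_hop:
            break                      # nowhere left to send to
        sent += 1                      # one detection round = one message sent
        frontier = [p for p in next_hop if p in faulty]
        # an empty frontier (no fault at this hop) ends the loop on the next check
    return sent


def new_security_fault_indicator(history: List[datetime], now: datetime,
                                 period: timedelta = timedelta(days=3)) -> int:
    """1 for the first fault in the maintenance period, else K + 1 where K is the
    number of earlier occurrences inside the period."""
    k = sum(1 for t in history if now - period < t <= now)
    return k + 1


@dataclass
class SecurityEventMessage:
    device_id: str
    protocol_flow_table: Dict[str, int]   # protocol cluster -> erroneous packets seen
    fault_range: int
    new_fault_indicator: int
    occurrence_level: str
    association_level: Optional[str]


def build_message(device_id: str, flow_table: Dict[str, int],
                  neighbours: Dict[str, List[str]], faulty: Set[str],
                  history: List[datetime], now: datetime,
                  occurrence_layer: str) -> SecurityEventMessage:
    """Assemble the message a device sends to the security event normalizer."""
    return SecurityEventMessage(
        device_id=device_id,
        protocol_flow_table=dict(flow_table),
        fault_range=security_fault_range(device_id, neighbours, faulty),
        new_fault_indicator=new_security_fault_indicator(history, now),
        occurrence_level=occurrence_layer,
        association_level=association_layer(occurrence_layer),
    )


# Constructed sample data: four edge routers in a chain R1 - R2 - R3 - R4, and a
# fault history for R1 with two occurrences inside the 3-day period and one outside it.
SAMPLE_NEIGHBOURS = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2", "R4"], "R4": ["R3"]}
SAMPLE_NOW = datetime(2022, 3, 16, 12, 0, 0)
SAMPLE_HISTORY = [SAMPLE_NOW - timedelta(days=1), SAMPLE_NOW - timedelta(days=2),
                  SAMPLE_NOW - timedelta(days=5)]

if __name__ == "__main__":
    msg = build_message(
        "R1", {"TCP/HTTPS": 17, "UDP/DNS": 3}, SAMPLE_NEIGHBOURS,
        faulty={"R1", "R2"},             # R2 shares the fault, R3 does not
        history=SAMPLE_HISTORY[:1],      # one earlier fault inside the period
        now=SAMPLE_NOW, occurrence_layer="edge_connection")
    print(msg)
```

With R2 faulty and R3 healthy the detection message is sent twice (R1 to R2, then on to R3, where it finds nothing), so the security fault range is 2; with the whole chain faulty the cap of three sends is reached and the range is 3.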
The security event normalizer performs event-based message normalization on the security event message sent by the network device and disassembles it into at least a network device ID field, a security event first parameter set field, and a security event occurrence level and association level field;
the security event normalizer further packages the network device ID field into first event decision data and sends it to the device confidence module; packages the security event first parameter set field into second event decision data and sends it to the policy collection module; and packages the security event occurrence level and association level into third event decision data and sends it to the processing level module;
the device confidence module receives the first event decision data, parses the network device ID, looks up the network device security event confidence table by the network device ID, determines the network device security event confidence value and sends it to the intelligent management decision module;
the policy collection module receives and parses the second event decision data, determines the corresponding security policy collection from the security event first parameter set field, and sends it to the intelligent management decision module;
as a stackable preferred embodiment, the policy collection module determines the security policy collection from the security event first parameter set field as follows: it parses the security event data packet protocol flow table, the security fault range field and the new security fault indicator, and determines the corresponding security event management policy from these three values. The security event management policy may be decided by a system administrator according to these indicators, or decided automatically by the system from a security policy collection query table. As a further stackable preferred embodiment, the policy collection module stores a system-preset security policy collection query table, which contains at least each security policy together with the security event data packet protocol flow table, the security fault range field and the new security fault indicator range that it corresponds to. By looking up the data packet protocol flow table, security fault range field and new security fault indicator carried by a security event message in this table, the corresponding security policy collection is found and sent to the intelligent management decision module.
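The security policy collection query table and the lookup the policy collection module performs on it, as an added Python example (not the patent's own code). The table rows, the protocol cluster names, the policy names and the indicator ranges are constructed assumptions; a real table would be preset by the system administrator.

```python
# Added example (not the patent's own code): a security policy collection query
# table and the lookup performed by the policy collection module. The rows,
# protocol cluster names, policy names and indicator ranges are illustrative
# assumptions; a real table would be preset by the system administrator.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRow:
    protocol_clusters: FrozenSet[str]       # clusters this row covers (superset match)
    fault_range: Tuple[int, int]            # inclusive bounds on the security fault range
    new_fault_indicator: Tuple[int, int]    # inclusive bounds on the new security fault indicator
    policies: Tuple[str, ...]               # the security policy collection to apply


def _within(value: int, bounds: Tuple[int, int]) -> bool:
    lo, hi = bounds
    return lo <= value <= hi


def lookup_policy_collection(table: List[PolicyRow], flow_table: Dict[str, int],
                             fault_range: int, new_fault_indicator: int
                             ) -> Optional[Tuple[str, ...]]:
    """Return the security policy collection of the first matching row.

    A row matches when it covers every protocol cluster that showed transmission
    errors and both indicators lie inside its ranges. Rows are ordered from most
    to least specific, so the first match is the narrowest one. ``None`` means
    the table has no entry and the administrator must decide.
    """
    erroneous = frozenset(flow_table)
    for row in table:
        if (erroneous <= row.protocol_clusters
                and _within(fault_range, row.fault_range)
                and _within(new_fault_indicator, row.new_fault_indicator)):
            return row.policies
    return None


# Constructed sample table (ordered most specific first).
SAMPLE_TABLE = [
    # first-time, isolated DNS errors: only re-check the reporting device
    PolicyRow(frozenset({"UDP/DNS"}), (0, 1), (1, 1), ("recheck_device",)),
    # DNS errors that recurred or spread: also fail the resolver over
    PolicyRow(frozenset({"UDP/DNS"}), (0, 3), (1, 10),
              ("recheck_device", "failover_resolver")),
    # HTTPS (and DNS) errors spreading over two or more hops: isolate and escalate
    PolicyRow(frozenset({"TCP/HTTPS", "UDP/DNS"}), (2, 3), (1, 10),
              ("isolate_segment", "escalate_to_administrator")),
]

if __name__ == "__main__":
    print(lookup_policy_collection(SAMPLE_TABLE, {"UDP/DNS": 3}, 1, 1))
    print(lookup_policy_collection(SAMPLE_TABLE, {"TCP/HTTPS": 17, "UDP/DNS": 3}, 2, 2))
    print(lookup_policy_collection(SAMPLE_TABLE, {"TCP/HTTPS": 17}, 1, 1))   # no entry
```

Row order is part of the table's semantics: a broader row placed first would shadow the narrower ones, so the table should be reviewed as an ordered list. A lookup that returns no entry is the case the text leaves to the system administrator, and the module should surface it rather than silently apply a default policy.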
the processing level module receives the third event decision data, parses the security event occurrence level and association level, determines the corresponding security event processing operation level permission requirement from them, and sends the determined permission requirement to the intelligent management decision module;
wherein the security event processing operation level permission requirement is at least equal to or higher than the association level of the security event;
the intelligent management decision module receives the network device security event confidence value, the security policy collection and the security event processing operation level permission requirement, and decides whether to execute the security event intelligent management decision by comparing the security event confidence value with a confidence threshold;
wherein deciding whether to execute the security event intelligent management decision by comparing the security event confidence value with the confidence threshold specifically comprises:
when the security event confidence value is greater than the confidence threshold, executing the security event intelligent management decision directly; when the security event confidence value is smaller than the confidence threshold, using a random algorithm with the security event confidence value K1 as the probability: a random number is drawn uniformly from [0, 1], and if it falls in [0, K1] the security event intelligent management decision is executed; if not, it is not executed and the security event is confirmed as a false alarm;
the security event intelligent management decision comprises at least: opening to a security event processing object the processing operation level permission required by the security event processing operation level permission requirement, handling the security event with the corresponding security policy from the security policy collection, and recording the security event to a database.
As a stackable embodiment, the network device may be a cloud computing edge server, a router, a gateway or a service host.
As another stackable embodiment, the network security event comprises at least one of: a network attack event, a non-attack network fault event and a network information security level change event.
As another stackable embodiment, the network device security event confidence table is preset by the network-device-based intelligent security analysis management decision system; it contains at least network device ID information and, in one-to-one correspondence with it, network device security event confidence values, which are calculated from the historical security event credibility of the network devices stored in a system database.
As another stackable embodiment, the historical security event credibility of a network device stored in the system database equals the false alarm probability of that device's historical security events and is updated dynamically as the network device continues to report security events.
As shown in Fig. 4 and Fig. 5, which are schematic diagrams of preferred embodiments of the network-device-based intelligent security analysis management method and of the steps for executing the security event intelligent management decision claimed by the present invention, the method comprises the following steps:
step S102: operating each of a plurality of network devices so that it runs in a cloud computing network, processes network data processing requests submitted by clients and returns data processing results;
each network device further sends a security event message to the security event normalizer of the network-device-based intelligent security analysis management decision system when it encounters a network security event;
the security event message records the information collected when the network device encounters the network security event; specifically, when a network device A encounters a network security event, the security event message records at least the network device ID of device A, a first parameter set of the security event, and the occurrence level and association level of the security event;
step S104: operating the security event normalizer to perform event-based message normalization on the security event message sent by the network device and to disassemble it into at least a network device ID field, a security event first parameter set field, and a security event occurrence level and association level field;
the security event normalizer further packages the network device ID field into first event decision data and sends it to the device confidence module; packages the security event first parameter set field into second event decision data and sends it to the policy collection module; and packages the security event occurrence level and association level into third event decision data and sends it to the processing level module;
step S106: operating the device confidence module to receive the first event decision data, parse the network device ID, look up the network device security event confidence table by the network device ID, determine the network device security event confidence value and send it to the intelligent management decision module;
step S108: operating the policy collection module to receive and parse the second event decision data, determine the corresponding security policy collection from the security event first parameter set field, and send it to the intelligent management decision module;
step S110: operating the processing level module to receive the third event decision data, parse the security event occurrence level and association level, determine the corresponding security event processing operation level permission requirement from them, and send the determined permission requirement to the intelligent management decision module;
wherein the security event processing operation level permission requirement is at least equal to or higher than the association level of the security event;
step S112: operating the intelligent management decision module to receive the network device security event confidence value, the security policy collection and the security event processing operation level permission requirement, and to decide whether to execute the security event intelligent management decision by comparing the security event confidence value with a confidence threshold;
wherein deciding whether to execute the security event intelligent management decision by comparing the security event confidence value with the confidence threshold specifically comprises:
when the security event confidence value is greater than the confidence threshold, executing the security event intelligent management decision directly; when the security event confidence value is smaller than the confidence threshold, using a random algorithm with the security event confidence value K1 as the probability: a random number is drawn uniformly from [0, 1], and if it falls in [0, K1] the security event intelligent management decision is executed; if not, it is not executed and the security event is confirmed as a false alarm;
the security event intelligent management decision comprises at least: opening to a security event processing object the processing operation level permission required by the security event processing operation level permission requirement, handling the security event with the corresponding security policy from the security policy collection, and recording the security event to a database.
As another stackable embodiment, the network device may be a cloud computing edge server, a router, a gateway or a service host.
As another stackable embodiment, the network security event comprises at least one of: a network attack event, a non-attack network fault event and a network information security level change event.
As another stackable embodiment, the network device security event confidence table is preset by the network-device-based intelligent security analysis management decision system; it contains at least network device ID information and, in one-to-one correspondence with it, network device security event confidence values, which are calculated from the historical security event credibility of the network devices stored in a system database.
As another stackable embodiment, the historical security event credibility of a network device stored in the system database equals the false alarm probability of that device's historical security events and is updated dynamically as the network device continues to report security events.
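The decision pipeline of the system description above and of method steps S104 to S112, as one added Python example that serves both passages (this is not the patent's own code). It carries a message through the normalizer, the device confidence lookup, the processing level requirement and the threshold-or-random decision. The message layout, the confidence table values, the threshold of 0.7, the bottom-to-top ordering of the three layers, the treatment of an unknown device, of a top-layer event with no association layer and of a confidence value exactly equal to the threshold are all constructed assumptions; the security policy collection is passed in already looked up, and the random draw is injectable so the probabilistic branch can be exercised deterministically.

```python
# Added example (not the patent's own code): the decision pipeline from the
# security event normalizer through the device confidence, policy collection and
# processing level modules to the intelligent management decision. The message
# layout, confidence table values, threshold, level ordering and the behaviour
# on equality with the threshold are illustrative assumptions; the policy
# collection is passed in already looked up.
import random
from typing import Callable, Dict, Optional, Tuple

LEVELS = ["delivery", "edge_connection", "cloud_center"]   # bottom to top
RANK = {name: i for i, name in enumerate(LEVELS)}


def normalize(message: dict) -> Tuple[str, dict, Tuple[str, Optional[str]]]:
    """Security event normalizer: split one message into the first, second and
    third event decision data. A message missing a mandatory field raises KeyError."""
    first = message["device_id"]
    second = {
        "flow_table": message["protocol_flow_table"],
        "fault_range": message["fault_range"],
        "new_fault_indicator": message["new_fault_indicator"],
    }
    third = (message["occurrence_level"], message.get("association_level"))
    return first, second, third


def device_confidence(table: Dict[str, float], device_id: str) -> float:
    """Device confidence module: look up the security event confidence value.
    An unknown device gets 0.0, so it can never take the direct-execute branch
    (assumption; the patent does not cover unknown devices)."""
    return table.get(device_id, 0.0)


def permission_requirement(occurrence_level: str, association_level: Optional[str]) -> str:
    """Processing level module: the required operation level is at least the
    association level; with no association layer (top-level event) the
    occurrence level itself is used (assumption)."""
    return association_level if association_level is not None else occurrence_level


def decide(confidence: float, threshold: float,
           draw: Callable[[], float] = random.random) -> bool:
    """Intelligent management decision: True executes, False is a false alarm.
    Above the threshold the decision executes directly; otherwise a uniform draw
    in [0, 1] executes it when it falls in [0, K1] with K1 = confidence.
    Equality with the threshold takes the randomized branch (assumption)."""
    if confidence > threshold:
        return True
    return draw() <= confidence


def grant_level(processing_object: Dict[str, str], required: str) -> Dict[str, str]:
    """Open the required operation level to the processing object, never lowering it."""
    current = processing_object.get("level", LEVELS[0])
    if RANK[required] > RANK[current]:
        processing_object = dict(processing_object, level=required)
    return processing_object


def handle_event(message: dict, confidence_table: Dict[str, float], threshold: float,
                 policy_collection: Tuple[str, ...], processing_object: Dict[str, str],
                 draw: Callable[[], float] = random.random) -> dict:
    """Run the pipeline and return the record written to the database."""
    device_id, _second, (occurrence, association) = normalize(message)
    k1 = device_confidence(confidence_table, device_id)
    required = permission_requirement(occurrence, association)
    executed = decide(k1, threshold, draw)
    record = {"device_id": device_id, "confidence": k1, "required_level": required,
              "executed": executed, "false_alarm": not executed, "policies": ()}
    if executed:
        record["processing_object"] = grant_level(processing_object, required)
        record["policies"] = tuple(policy_collection)   # applied by the processing object
    return record


# Constructed sample inputs.
SAMPLE_CONFIDENCE = {"R1": 0.9, "R2": 0.3}      # per-device confidence values
SAMPLE_THRESHOLD = 0.7
SAMPLE_MESSAGE_R2 = {"device_id": "R2", "protocol_flow_table": {"UDP/DNS": 3},
                     "fault_range": 2, "new_fault_indicator": 2,
                     "occurrence_level": "edge_connection",
                     "association_level": "cloud_center"}

if __name__ == "__main__":
    rec = handle_event(SAMPLE_MESSAGE_R2, SAMPLE_CONFIDENCE, SAMPLE_THRESHOLD,
                       ("recheck_device", "failover_resolver"),
                       {"name": "ops-bot", "level": "delivery"})
    print(rec)
```

The record is returned for the false-alarm branch as well, even though no policy is applied there: the text states that the confidence table is updated dynamically from the device's reported history, and a dropped event is part of that history. The text gives no formula for turning the stored credibility into the confidence value, so the example starts from a preset table.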
The present invention provides a network-device-based intelligent security analysis and management decision method and system, directed at network security attacks or network security system configuration faults that may occur while the cloud system of the network devices is running.
In all the above embodiments, in order to meet the requirements of particular data transmission and read/write functions, the above method and its corresponding apparatus may add devices, modules, hardware, pin connections, or different memories and processors to extend their functions during operation.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the method, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments and are not described again here.
In the embodiments provided by the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into method steps is only one kind of logical or functional division, and another division may be used in practice, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate method steps or apparatus parts may or may not be logically or physically separate, may or may not be physical units, and may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the method steps, their implementations, and the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware, or in hardware plus software functional units.
Where the method and apparatus are implemented as an integrated unit in the form of a software functional unit, that unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium comprises instructions that cause a computer device (which may be a personal computer, a server or a network device) or a processor to execute some of the steps of the method of the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), an NVRAM, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above description covers only the preferred embodiments of the present invention and is not intended to limit its scope; any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention shall be included in the scope of the present invention.
It should be noted that the above embodiments are only used to explain and illustrate the technical solution of the present invention more clearly, not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features equivalently replaced, without departing from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A network-device-based intelligent security analysis management decision system, used to realize intelligent security analysis and global decision-making for network devices in response to network security attacks or network security system configuration faults occurring while the cloud system runs, such that the security event analysis decision is based on three input parameters, namely device confidence, processing level information and the security event parameter set, the system comprising:
a plurality of network devices, each running in a cloud computing network, processing network data processing requests submitted by clients and returning data processing results;
each network device further sending a security event message to the security event normalizer of the network-device-based intelligent security analysis management decision system when it encounters a network security event;
wherein the security event message records the information collected when the network device encounters the network security event, and specifically, when a network device A encounters a network security event, the security event message records at least the network device ID of device A, a first parameter set of the security event, and the occurrence level and association level of the security event;
a security event normalizer, which performs event-based message normalization on the security event message sent by the network device and disassembles it into at least a network device ID field, a security event first parameter set field, and a security event occurrence level and association level field;
the security event normalizer further packaging the network device ID field into first event decision data and sending it to a device confidence module; packaging the security event first parameter set field into second event decision data and sending it to a policy collection module; and packaging the security event occurrence level and association level into third event decision data and sending it to a processing level module;
the device confidence module, which receives the first event decision data, parses the network device ID, looks up a network device security event confidence table by the network device ID, determines the network device security event confidence value and sends it to an intelligent management decision module;
the policy collection module, which receives and parses the second event decision data, determines the corresponding security policy collection from the security event first parameter set field, and sends it to the intelligent management decision module;
the processing level module, which receives the third event decision data, parses the security event occurrence level and association level, determines the corresponding security event processing operation level permission requirement from them, and sends the determined permission requirement to the intelligent management decision module;
wherein the security event processing operation level permission requirement is at least equal to or higher than the association level of the security event;
the intelligent management decision module, which receives the network device security event confidence value, the security policy collection and the security event processing operation level permission requirement, and decides whether to execute a security event intelligent management decision by comparing the security event confidence value with a confidence threshold;
wherein deciding whether to execute the security event intelligent management decision by comparing the security event confidence value with the confidence threshold specifically comprises:
when the security event confidence value is greater than the confidence threshold, executing the security event intelligent management decision directly; when the security event confidence value is smaller than the confidence threshold, using a random algorithm with the security event confidence value K1 as the probability, drawing a random number uniformly from [0, 1] and checking whether it falls in [0, K1]: if so, executing the security event intelligent management decision; if not, not executing it and confirming the security event as a false alarm;
and the security event intelligent management decision comprises at least: opening to a security event processing object the processing operation level permission required by the security event processing operation level permission requirement, handling the security event with the corresponding security policy from the security policy collection, and recording the security event to a database.
2. The network-device-based intelligent security analysis management decision system of claim 1, wherein the network device is a cloud computing edge server, a router, a gateway or a service host.
3. The system of claim 2, wherein the network security event comprises at least one of: a network attack event, a non-attack network fault event and a network information security level change event.
4. The network-device-based intelligent security analysis management decision system of claim 2, wherein:
the network device security event confidence table is preset by the network-device-based intelligent security analysis management decision system and comprises at least network device ID information and, in one-to-one correspondence with it, network device security event confidence values, the network device security event confidence values being calculated from the historical security event credibility of the network devices stored in a system database.
5. The network-device-based intelligent security analysis management decision system of claim 4, wherein:
the historical security event credibility of the network device stored in the system database equals the false alarm probability of the network device's historical security events, and is updated dynamically as the network device continues to report security events.
6. An intelligent security analysis management method based on network equipment is based on network security attack or network security system setting fault of the network equipment in the operation process of a cloud system, so that security event analysis decision is based on equipment confidence, processing level information and security event parameter set three-party entry parameters, and security intelligent analysis and global decision of the network equipment are realized, and the method comprises the following steps:
the method comprises the following steps: operating each network device in a plurality of network devices to enable the network device to operate in a cloud computing network, processing a network data processing request provided by a client and returning a data processing result;
the network equipment is also used for sending a security event message to the security event normalizing device based on the network equipment intelligent security analysis management decision-making system when encountering a network security event;
the security event message is used for recording the acquisition record information when the network equipment encounters a network security event;
the security event message is used for recording acquisition record information of the network device when encountering a network security event, and specifically includes: when a network device A encounters a network security event, the security event message at least records a network device ID, a first parameter set of the security event, a security event occurrence level and an association level of the network device;
step two: operating a security event normalizing device to perform event-based message normalization processing on a security event message sent by the network equipment, and at least disassembling the security event message into a network equipment ID field, a security event first parameter set field, a security event occurrence level and an associated level field of the network equipment;
the security event normalizer is also used for packaging the network equipment ID field of the network equipment into first event decision data and sending the first event decision data to an equipment confidence module; packaging the first parameter set field of the security event into second event decision data, and sending the second event decision data to a policy collecting module; packaging the security event occurrence level and the association level into third event decision data, and sending the third event decision data to a processing level module;
step three: the operation equipment confidence module receives the first event decision data, analyzes the network equipment ID of the network equipment, searches a network equipment safety event confidence table based on the network equipment ID, determines a network equipment safety event confidence value and sends the network equipment safety event confidence value to the intelligent management decision module;
step four: an operation strategy collection module receives and analyzes the second event decision data, determines a corresponding safety strategy collection based on the first parameter set field of the safety event, and sends the corresponding safety strategy collection to an intelligent management decision module;
step five: the operation processing level module receives the third event decision data, analyzes the security event occurrence level and the association level in the third event decision data, determines the corresponding security event processing operation level authority requirement based on the security event occurrence level and the association level, and sends the determined corresponding security event processing operation level authority requirement to the intelligent management decision module;
wherein the corresponding security event processing operation level permission requirement is at least higher than or equal to the association level of the security event;
step six: an operation intelligent management decision module receives the network equipment security event confidence value, the security policy collection and the corresponding security event processing operation level authority requirement, and determines whether to execute a security event intelligent management decision based on the comparison of the security event confidence value and a confidence threshold value;
wherein, the determining whether to execute the security event intelligent management decision based on the comparison of the security event confidence value and the confidence threshold value specifically comprises:
when the confidence value of the security event is greater than the confidence threshold value, directly executing an intelligent management decision of the security event; when the confidence value of the security event is smaller than a confidence threshold value, judging whether a random number result selected in the range of [0,1] falls in the range of [0, K1] by using the confidence value K1 of the security event as a probability by adopting a random algorithm, if so, executing an intelligent management decision of the security event, if not, not executing the intelligent management decision of the security event, and confirming that the security event is false alarm;
the security event intelligent management decision comprises at least: opening the processing operation level authority required by the security event processing operation level authority requirement to a security event processing object, processing the security event by adopting a corresponding security strategy based on the security strategy set, and recording the security event to a database.
7. The network-device-based intelligent security analysis management method of claim 6, wherein the network equipment is a cloud computing edge server, a router, a gateway, or a service host.
8. The network-device-based intelligent security analysis management method of claim 7, wherein the network security event comprises at least one of the following events: a network attack event, a non-attack network fault event, and a network information security level change event.
9. The network-device-based intelligent security analysis management method of claim 7, wherein:
the network equipment security event confidence table is preset by the network-device-based intelligent security analysis management decision system; the network equipment security event confidence table comprises at least network equipment ID information and network equipment security event confidence values in one-to-one correspondence with the network equipment ID information, and the network equipment security event confidence values are calculated from the historical security event credibility of the network equipment stored in a system database.
10. The network-device-based intelligent security analysis management method of claim 9, wherein:
the credibility of the historical security events of the network equipment stored in the system database is equal to the false alarm probability of the historical security events of the network equipment, and it is updated and changes dynamically as the network equipment continues to report security events.
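The decision rule of step six and the dynamically updated confidence table of claims 9 and 10, as an added Python example that is not part of the patent: `decide` implements the threshold-or-random rule, and `DecisionModule` keeps a per-device history whose confidence value changes as the device keeps reporting events. The history record shape, the mapping from history to a confidence value (share of past events not confirmed as false alarms), the neutral 0.5 default for a device without history, and the `log-only` fallback policy are assumptions of this example.

```python
import random
from dataclasses import dataclass


@dataclass
class DeviceHistory:
    """Stored history of one device's security events (assumed record shape)."""
    total: int = 0          # security events reported by this device so far
    false_alarms: int = 0   # of those, events later confirmed as false alarms

    def confidence(self) -> float:
        """Assumed mapping: share of past events not confirmed as false alarms."""
        if self.total == 0:
            return 0.5      # assumed neutral value for a device with no history
        return 1.0 - self.false_alarms / self.total


def decide(k1: float, threshold: float, draw: float) -> bool:
    """Step six: k1 is the device's security-event confidence value, draw is the
    random number selected from [0, 1]. True = execute, False = false alarm."""
    if k1 > threshold:          # above the threshold: execute directly
        return True
    # below the threshold: execute iff the draw falls in [0, k1], i.e. with
    # probability k1 (the claim covers only '>' and '<'; equality lands here)
    return draw <= k1


class DecisionModule:
    """Operation intelligent management decision module (hypothetical)."""

    def __init__(self, threshold, seed=None):
        self.threshold = threshold
        self.rng = random.Random(seed)  # seed only to make a run reproducible
        self.table = {}                 # confidence table: device ID -> DeviceHistory
        self.database = []              # records of processed security events

    def handle_event(self, device_id, event_type, policy_set, authority_level):
        hist = self.table.setdefault(device_id, DeviceHistory())
        k1 = hist.confidence()
        execute = decide(k1, self.threshold, self.rng.random())
        hist.total += 1                 # the table changes as events keep arriving
        if not execute:
            hist.false_alarms += 1
            return {"device": device_id, "executed": False, "false_alarm": True}
        record = {"device": device_id, "executed": True,
                  "authority_opened": authority_level,               # open required level
                  "policy": policy_set.get(event_type, "log-only")}  # matching strategy
        self.database.append(record)    # record the security event
        return record
```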
CN202210261857.3A 2022-03-16 2022-03-16 Intelligent security analysis management decision system and method based on network equipment Active CN114844667B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210261857.3A CN114844667B (en) 2022-03-16 2022-03-16 Intelligent security analysis management decision system and method based on network equipment

Publications (2)

Publication Number Publication Date
CN114844667A CN114844667A (en) 2022-08-02
CN114844667B true CN114844667B (en) 2023-04-07

Family

ID=82562052

Country Status (1)

Country Link
CN (1) CN114844667B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104901960A (en) * 2015-05-26 2015-09-09 汉柏科技有限公司 Device and method for network security management based on alarm strategy
CN110011849A (en) * 2019-04-08 2019-07-12 郑州轨道交通信息技术研究院 A kind of association analysis alarm method based on normalization event format
CN114219374A (en) * 2022-02-21 2022-03-22 济南法诺商贸有限公司 Big data analysis decision system and method based on block chain

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2762528C1 (en) * 2020-06-19 2021-12-21 Акционерное общество "Лаборатория Касперского" Method for processing information security events prior to transmission for analysis

Also Published As

Publication number Publication date
CN114844667A (en) 2022-08-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CP01 Change in the name or title of a patent holder

Address after: 250101 814, block D, Sanqing century wealth center, No. 359, Shunhua Road, Jinan area, China (Shandong) pilot Free Trade Zone, Jinan City, Shandong Province

Patentee after: Fano Information Industry Co.,Ltd.

Address before: 250101 814, block D, Sanqing century wealth center, No. 359, Shunhua Road, Jinan area, China (Shandong) pilot Free Trade Zone, Jinan City, Shandong Province

Patentee before: Jinan fanuo Trading Co.,Ltd.

GR01 Patent grant