CN115037561B - Network security detection method and system - Google Patents

Info

Publication number: CN115037561B
Application number: CN202210956055.4A
Authority: CN (China)
Prior art keywords: node, data, network, target, security detection
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115037561A
Inventors: 于辉, 吴敏, 叶小萌
Current assignee: Hangzhou Yueshu Technology Co ltd
Original assignee: Hangzhou Yueshu Technology Co ltd

Application filed by Hangzhou Yueshu Technology Co ltd
Priority to CN202210956055.4A
Publication of CN115037561A
Application granted
Publication of CN115037561B
Legal status: Active (current)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21: Design, administration or maintenance of databases
    • G06F16/215: Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/50: Information retrieval; Database structures therefor; File system structures therefor of still image data
    • G06F16/53: Querying
    • G06F16/535: Filtering based on additional data, e.g. user or group profiles

Abstract

The embodiment of the invention discloses a network security detection method and system. The network security detection method comprises the following steps: acquiring node data of a target time period from a graph database; sorting the node data to obtain subgraphs corresponding to the sorted node data; and determining a target node according to the subgraphs. The scheme provided by the invention can quickly find the vulnerabilities existing in the network and greatly improves detection efficiency.

Description

Network security detection method and system
Technical Field
The invention relates to the field of internet technology application, in particular to a network security detection method and a network security detection system.
Background
In order to address the increasingly prominent problem of internet information security, large enterprises and public institutions each deploy a security protection system on their server clusters. An internet server cluster generates a large volume of security logs during security protection, from which a security administrator can determine whether an intrusion event has occurred. However, in practice it has been found that as the number of security logs grows, it becomes increasingly difficult for security administrators to analyze intrusion events quickly and effectively, so that the detection efficiency and accuracy of intrusion events are reduced.
For the prior-art problem that the detection efficiency and accuracy of intrusion events are low when a security administrator determines whether an intrusion event has occurred from security logs, no effective solution has been proposed at present.
Disclosure of Invention
In order to solve the above technical problems, embodiments of the present invention provide a network security detection method and system, so as to at least solve the prior-art problem that the detection efficiency and accuracy of intrusion events are low when a security administrator determines whether an intrusion event has occurred from security logs.
The technical scheme of the invention is realized as follows:
In a first aspect, an embodiment of the present invention provides a network security detection system, including: at least one network device, a data preprocessing cluster and a graph database, wherein the at least one network device is connected to the data preprocessing cluster, and the data preprocessing cluster is used for acquiring data from the at least one network device and cleaning the data to obtain cleaned data; and the graph database is used for acquiring the cleaned data and generating node data, so that under network security detection, node data of a target time period is acquired from the graph database, the node data is sorted, a subgraph corresponding to the sorted node data is obtained, and a target node is determined according to the subgraph.
Optionally, the network security detection system further includes a data importing device, whose input end is connected to the output end of the data preprocessing cluster and whose output end is connected to the input end of the graph database; it is used for importing the cleaned data into the graph database.
Optionally, the network security detection system further includes a reliable coordination system for the distributed system, which is connected to the data preprocessing cluster and is used for providing configuration maintenance, domain name service, distributed synchronization or group service for the at least one network device and the data preprocessing cluster.
Further, optionally, the network security detection system further includes a cluster computing engine, which is connected to the data importing device and to the graph database respectively and is used for processing according to the data flow of each.
In a second aspect, an embodiment of the present invention provides a network security detection method, which is applied to a network security detection system and includes: acquiring node data of a target time period from a graph database; sorting the node data to obtain a subgraph corresponding to the sorted node data; and determining a target node according to the subgraph.
Optionally, acquiring the node data of the target time period from the graph database includes: acquiring, from the graph database, the node data with the highest out-degree within the target time period according to an in/out-degree statistics method.
Further, optionally, sorting the node data and obtaining a subgraph corresponding to the sorted node data includes: sorting the node data to obtain the sorted node data; and performing reverse tracing according to the sorted node data to obtain a subgraph.
Optionally, determining the target node according to the subgraph includes: acquiring the intersection nodes of the subgraphs and determining these nodes as target nodes.
Further, optionally, the method further includes: acquiring intermediary nodes from the subgraph according to a betweenness centrality algorithm, where betweenness centrality measures how many times a vertex lies on the shortest path between any other pair of vertices and thereby identifies the importance of the node; a node that sits between a plurality of nodes is determined to be an intermediary node.
Optionally, the method further includes: pushing the target node to the security department for follow-up handling.
Further, optionally, the method further includes: when the target node is an alarm node, changing the identification state of the target node in the subgraph and handing it over to an external authority for handling; and when the target node is a normal node, reinforcing the network security of the target node.
Optionally, the method further includes: determining the network to which the target node belongs as a target network according to the target node, which includes: determining the network formed by connecting the target nodes through the point-edge relation as the target network, obtaining networks with a similar network structure through matching with a similarity algorithm according to the target network, and obtaining all target nodes according to the target network and those networks.
The embodiment of the invention provides a network security detection method and system: node data of a target time period is acquired from a graph database; the node data is sorted to obtain a subgraph corresponding to the sorted node data; and the target node is determined according to the subgraph, so that vulnerabilities existing in the network can be quickly found and detection efficiency is greatly improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention and do not constitute a limitation of the invention. In the drawings:
fig. 1 is a schematic diagram of a network security detection system according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network security detection system according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a network security detection method according to a second embodiment of the present invention;
fig. 4 is a schematic diagram of a sub-graph in a network security detection method according to a second embodiment of the present invention;
fig. 5 is a schematic diagram illustrating a target node determined in a network security detection method according to a second embodiment of the present invention;
fig. 6a is a schematic diagram illustrating determining an intermediate node in a network security detection method according to a second embodiment of the present invention;
fig. 6b is a schematic diagram illustrating determining an intermediary node in another network security detection method according to a second embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first", "second", and the like in the description and claims of the present invention and the accompanying drawings are used for distinguishing different objects, and are not used for limiting a specific order.
It should be noted that the following embodiments of the present invention may be implemented individually, or may be implemented in combination with each other, and the embodiments of the present invention are not limited in this respect.
Example one
In a first aspect, an embodiment of the present invention provides a network security detection system; fig. 1 is a schematic diagram of a network security detection system according to an embodiment of the present invention. As shown in fig. 1, the network security detection system provided in the embodiment of the present application includes:
at least one network device 12, a data preprocessing cluster 14 and a graph database 16, wherein the at least one network device 12 is connected to the data preprocessing cluster 14, and the data preprocessing cluster 14 is used for acquiring data from the at least one network device 12 and cleaning the data to obtain cleaned data; the graph database 16 is used for acquiring the cleaned data and generating node data, so that under network security detection, node data of the target time period is acquired from the graph database 16, the node data is sorted, a subgraph corresponding to the sorted node data is obtained, and the target node is determined according to the subgraph.
Specifically, as shown in fig. 2, which is a schematic structural diagram of a network security detection system according to an embodiment of the present invention, the at least one network device 12 is marked as network device 1, network device 2, network device 3, network device 4, ..., network device N; the data preprocessing cluster 14 is marked as the kafka cluster; and the graph database 16 is marked as the Nebula Graph cluster. In the embodiment of the application, data and logs of various network security devices (for example, a sinomenium cloud, a micro-step online, a Chinese era day down, and the like) are collected, cleaned and then imported into the kafka cluster.
The data sample is as follows (a data sample collected by network security equipment, in JSON):
{
  "srcIntelType_s": "0",
  "ORG_ID": "1",
  "EVENT_TYPE": "scanner",
  "collectionName_s": "ctwaf",
  "EVENT_ONE_TYPE_DESC": "network threat",
  "SRC_PROVINCE": "",
  "EVENT_THREE_TYPE_DESC": "other scans",
  "uuid": "21416767-6a7e-42cf-82d4-fa34752bfe571637220376099",
  "ACTION_DESC": "no",
  "DST_LONGITUDE": "",
  "SRC_LONGITUDE": "",
  "DST_PROVINCE": "",
  "IP_GROUP": "4",
  "SNOW_ID": "1461234282818174976",
  "DST_ORG_NAME": "",
  "DST_NETDISTRICT": "public service area (including internet access device)",
  "CREATE_TIME": "2021-11-18 15:26:16.104",
  "TYPE": "unclassified threat",
  "RISK_LEVEL": "medium risk",
  "SRC_NETDISTRICT": "",
  "DEVICE_TYPE": "CTWAF",
  "dstInnerType_s": "1",
  "EVENT_ONE_TYPE": "20000",
  "DEVICE_IP": "10.200.51.34:9092,10.200.51.35:9092,10.200.51.40:9092",
  "DST_COUNTRY": "",
  "DST_WHITE": "",
  "NAME": "scanner",
  "MODULE": "m_scanner",
  "DST_APP_NAME": "",
  "EVENT_TWO_TYPE": "20200",
  "EVENT_ID": "P01-99",
  "DEVICE_PARENT_TYPE": "CTWAF",
  "DST_IP": "192.168.24.3",
  "direct_DESC": "out-to-out",
  "GV_VAPP_BRANCH": "",
  "SRC_IP": "112.47.198.184",
  "EVENT_THREE_TYPE": "20220",
  "FLAG": "0",
  "srcInnerType_s": "0",
  "URL": "/",
  "SRC_POST": "0",
  "SRC_LATITUDE": "",
  "GV_DST_IP_NETSEG": "192.168.24.0/24",
  "MESSAGE": "112.47.198.184 initiated a 'null' 'scanner' threat against 192.168.24.3, handled as 'none', handling result 'unconfirmed'",
  "SRC_WHITE": "",
  "DST_POST": "0",
  "SRC_APP_NAME": "",
  "BOTHWHITE": "",
  "dpRuleId_s": 610,
  "DST_IP_PORT": "192.168.24.3:17204",
  "collectTime": "2021-11-18 15:26:16.099",
  "DST_CITY": "",
  "DST_LATITUDE": "",
  "EVENT_NAME": "scanner",
  "DIRECTION": "99",
  "SRC_PORT": "3777",
  "SRC_CITY": "",
  "DST_IP_LABEL": "0",
  "GV_SRC_IP_NETSEG": "",
  "EVENT_TWO_TYPE_DESC": "scan probe",
  "ATTACK_STAGE": "information probing",
  "CREATE_TIME_dt": "2021-11-10 11:24:22.000",
  "recordTime": "2021-11-18 15:26:16.483",
  "ACTION": "99",
  "equIP": "10.200.51.34:9092,10.200.51.35:9092,10.200.51.40:9092",
  "SRC_INTEL_TYPE": "0",
  "DST_PORT": "17204",
  "TENANT_ID": "-1",
  "TAG": "{\"ATTACK_STAGE\":\"intelligence probing\",\"DIRECTION\":\"out-to-out\",\"EVENT_THREE_TYPE\":\"other scans\"}",
  "SRC_ORG_NAME": "",
  "SRC_COUNTRY": "",
  "RESULT": "not confirmed"
}
The graph database 16, i.e., the Nebula Graph cluster shown in fig. 2, is set up by deploying the Nebula Graph cluster and creating the schema. The schema is created as follows:
according to the different network devices, three edge types are defined initially; the specific creation statements are as follows:
CREATE TAG SRC_IP(
  SRC_APP_NAME string DEFAULT null COMMENT 'Source application system name',
  SRC_NETDISTRICT string DEFAULT null COMMENT 'Source IP region',
  srcInnerType_s string DEFAULT null COMMENT 'Source IP tag',
  GV_SRC_IP_NETSEG string DEFAULT null COMMENT 'Source IP network segment',
  SRC_COUNTRY string DEFAULT null COMMENT 'Source country',
  SRC_PROVINCE string DEFAULT null COMMENT 'Source province',
  SRC_CITY string DEFAULT null COMMENT 'Source city',
  SRC_ORG_NAME string DEFAULT null COMMENT 'Source organization name'
);

CREATE TAG DST_IP(
  DST_APP_NAME string DEFAULT null COMMENT 'Destination application system name',
  DST_NETDISTRICT string DEFAULT null COMMENT 'Destination IP region',
  dstInnerType_s string DEFAULT null COMMENT 'Destination IP tag',
  GV_DST_IP_NETSEG string DEFAULT null COMMENT 'Destination IP network segment',
  DST_COUNTRY string DEFAULT null COMMENT 'Destination country',
  DST_PROVINCE string DEFAULT null COMMENT 'Destination province',
  DST_CITY string DEFAULT null COMMENT 'Destination city',
  DST_ORG_NAME string DEFAULT null COMMENT 'Destination organization name'
);

CREATE EDGE ATTACKBLOCK(
  AB_NODE string DEFAULT null COMMENT 'Node name',
  GV_RISK_LEVEL string DEFAULT null COMMENT 'Alarm level',
  AB_ACTION string DEFAULT null COMMENT 'Action performed',
  AB_SELECTOR_ID string DEFAULT null COMMENT 'Policy group ID',
  AB_RULE_ID string DEFAULT null COMMENT 'Custom rule ID',
  AB_MODEL string DEFAULT null COMMENT 'Detection module name',
  DEVICE_TYPE string DEFAULT null COMMENT 'Device type',
  GV_DEVICE_IP string DEFAULT null COMMENT 'Device IP',
  GV_CREATE_TIME_dt datetime DEFAULT null COMMENT 'Time',
  GV_SRC_PORT string DEFAULT null COMMENT 'Source port',
  GV_DST_PORT string DEFAULT null COMMENT 'Destination port',
  GV_EVENT_TYPE string DEFAULT null COMMENT 'Alarm type',
  EVENT_ONE_TYPE string DEFAULT null COMMENT 'First-level classification',
  EVENT_THREE_TYPE string DEFAULT null COMMENT 'Third-level classification',
  EVENT_TWO_TYPE string DEFAULT null COMMENT 'Second-level classification',
  EVENT_ONE_TYPE_DESC string DEFAULT null COMMENT 'First-level classification description',
  EVENT_THREE_TYPE_DESC string DEFAULT null COMMENT 'Third-level classification description',
  EVENT_TWO_TYPE_DESC string DEFAULT null COMMENT 'Second-level classification description',
  SRC_WHITE string DEFAULT null COMMENT 'Source IP whitelist',
  DST_WHITE string DEFAULT null COMMENT 'Destination IP whitelist',
  ATTACK_STAGE string DEFAULT null COMMENT 'Attack stage',
  MESSAGE string DEFAULT null COMMENT 'Alarm information',
  DIRECTION string DEFAULT null COMMENT 'Attack direction',
  TAG string DEFAULT null COMMENT 'Attack tag',
  collectTime datetime DEFAULT null COMMENT 'Collection time',
  ORG_ID string DEFAULT null COMMENT 'Organization number',
  TENANT_ID string DEFAULT null COMMENT 'Tenant ID'
);

CREATE EDGE ATTACKALARM(
  AA_ATTACK_STAGE string DEFAULT null COMMENT 'Attack phase',
  AA_ATTACK_TYPE string DEFAULT null COMMENT 'Attack type',
  GV_EVENT_NAME string DEFAULT null COMMENT 'Alarm name',
  GV_CREATE_TIME_dt string DEFAULT null COMMENT 'Attack time',
  GV_DEVICE_IP string DEFAULT null COMMENT 'Device IP',
  DEVICE_TYPE string DEFAULT null COMMENT 'Alarm device type',
  GV_SRC_PORT string DEFAULT null COMMENT 'Source port',
  GV_DST_PORT string DEFAULT null COMMENT 'Destination port',
  EVENT_ONE_TYPE_DESC string DEFAULT null COMMENT 'First-level classification description',
  EVENT_THREE_TYPE_DESC string DEFAULT null COMMENT 'Third-level classification description',
  EVENT_TWO_TYPE_DESC string DEFAULT null COMMENT 'Second-level classification description',
  GV_REQ_METHOD string DEFAULT null COMMENT 'Request method',
  GV_PROTOCOL string DEFAULT null COMMENT 'Protocol',
  GV_RES_CODE string DEFAULT null COMMENT 'Response code',
  GV_RESULT string DEFAULT null COMMENT 'Attack result',
  GV_RISK_LEVEL string DEFAULT null COMMENT 'Alarm level',
  AA_TYPE string DEFAULT null COMMENT 'Threat type',
  GV_URL string DEFAULT null COMMENT 'Destination URL',
  direct_DESC string DEFAULT null COMMENT 'Attack direction description',
  AA_HOST string DEFAULT null COMMENT 'Destination address',
  GV_XFF string DEFAULT null COMMENT 'XFF',
  GV_REQ_HEAD string DEFAULT null COMMENT 'Request header',
  GV_REQ_BODY string DEFAULT null COMMENT 'Request body',
  GV_RES_HEAD string DEFAULT null COMMENT 'Response header',
  GV_RES_BODY string DEFAULT null COMMENT 'Response body',
  SRC_WHITE string DEFAULT null COMMENT 'Source IP whitelist',
  DST_WHITE string DEFAULT null COMMENT 'Destination IP whitelist',
  ORG_ID string DEFAULT null COMMENT 'Organization number',
  TENANT_ID string DEFAULT null COMMENT 'Tenant ID',
  IP_GROUP string DEFAULT null COMMENT 'IP group',
  collectTime string DEFAULT null COMMENT 'Collection time',
  GV_SPECIAL_LINE_ORG string DEFAULT null COMMENT 'Special line organization',
  GV_SPECIAL_LINE_NAME string DEFAULT null COMMENT 'Special line name',
  EVENT_ONE_TYPE string DEFAULT null COMMENT 'First-level classification',
  EVENT_THREE_TYPE string DEFAULT null COMMENT 'Third-level classification',
  EVENT_TWO_TYPE string DEFAULT null COMMENT 'Second-level classification',
  GV_EVENT_TYPE string DEFAULT null COMMENT 'Alarm type',
  GV_TOTAL_COUNT string DEFAULT null COMMENT 'Log count'
);

CREATE EDGE FWTRAFFIC(
  collectTime string DEFAULT null COMMENT 'Collection time',
  GV_EVENT_NAME string DEFAULT null COMMENT 'Action performed',
  GV_DEVICE_CODE string DEFAULT null COMMENT 'Device search code',
  GV_DEVICE_IP string DEFAULT null COMMENT 'Device IP',
  GV_CREATE_TIME_dt string DEFAULT null COMMENT 'Time',
  GV_SRC_PORT string DEFAULT null COMMENT 'Source port',
  GV_DST_PORT string DEFAULT null COMMENT 'Destination port',
  GV_PROTOCOL string DEFAULT null COMMENT 'Protocol name',
  DEVICE_TYPE string DEFAULT null COMMENT 'Device type',
  DIRECTION string DEFAULT null COMMENT 'Direction',
  GV_SPECIAL_LINE_NAME string DEFAULT null COMMENT 'Special line name',
  GV_SPECIAL_LINE_ORG string DEFAULT null COMMENT 'Special line organization',
  ORG_ID string DEFAULT null COMMENT 'Organization number',
  TENANT_ID string DEFAULT null COMMENT 'Tenant ID'
);
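As an added illustration (not code from the patent or from Nebula Graph), the following Python maps one alarm record carrying the fields of the JSON sample above onto this schema, emitting the INSERT VERTEX and INSERT EDGE statements for the source IP, the destination IP and the ATTACKALARM edge between them. The assignment of JSON keys to schema properties, the use of the IP address as the vertex id (a FIXED_STRING vid type is assumed) and the use of SNOW_ID as the edge rank are assumptions made here; note how every log field is rendered through one escaping function so that a quote inside a MESSAGE or URL value cannot break out of the statement.

```python
# Constructed sample modelled on the alarm record shown on the page (fields
# trimmed, values copied from that record); not output of the patented system.
SAMPLE_ALARM = {
    "SRC_IP": "112.47.198.184",
    "DST_IP": "192.168.24.3",
    "SRC_PORT": "3777",
    "DST_PORT": "17204",
    "SRC_COUNTRY": "",
    "GV_DST_IP_NETSEG": "192.168.24.0/24",
    "DST_NETDISTRICT": "public service area (including internet access device)",
    "EVENT_NAME": "scanner",
    "RISK_LEVEL": "medium risk",
    "ATTACK_STAGE": "information probing",
    "CREATE_TIME": "2021-11-18 15:26:16.104",
    "DEVICE_IP": "10.200.51.34:9092",
    "DEVICE_TYPE": "CTWAF",
    "RESULT": "not confirmed",
    "SNOW_ID": "1461234282818174976",
    "ORG_ID": "1",
    "TENANT_ID": "-1",
}

# (schema property, alarm JSON key). Property names follow the CREATE TAG /
# CREATE EDGE statements above; which JSON key feeds which property is an
# assumption made for this example.
SRC_TAG_FIELDS = [("SRC_COUNTRY", "SRC_COUNTRY")]
DST_TAG_FIELDS = [("DST_NETDISTRICT", "DST_NETDISTRICT"),
                  ("GV_DST_IP_NETSEG", "GV_DST_IP_NETSEG")]
ALARM_EDGE_FIELDS = [
    ("GV_EVENT_NAME", "EVENT_NAME"), ("GV_RISK_LEVEL", "RISK_LEVEL"),
    ("AA_ATTACK_STAGE", "ATTACK_STAGE"), ("GV_CREATE_TIME_dt", "CREATE_TIME"),
    ("GV_SRC_PORT", "SRC_PORT"), ("GV_DST_PORT", "DST_PORT"),
    ("GV_DEVICE_IP", "DEVICE_IP"), ("DEVICE_TYPE", "DEVICE_TYPE"),
    ("GV_RESULT", "RESULT"), ("ORG_ID", "ORG_ID"), ("TENANT_ID", "TENANT_ID"),
]


def ngql_literal(value):
    """Render one property value as an nGQL literal.

    Empty strings become NULL (every property in the schema is DEFAULT null);
    strings are double-quoted with backslashes and quotes escaped, so an
    attacker-controlled log field cannot terminate the literal early.
    """
    if value is None or value == "":
        return "NULL"
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def _props(mapping, rec):
    """Column list and matching value list for one tag or edge."""
    names = ", ".join(prop for prop, _ in mapping)
    values = ", ".join(ngql_literal(rec.get(key)) for _, key in mapping)
    return names, values


def alarm_to_ngql(rec):
    """One alarm -> [SRC_IP vertex, DST_IP vertex, ATTACKALARM edge] statements.

    The edge rank is the alarm's SNOW_ID, so repeated alarms between the same
    pair of IPs stay distinct edges instead of overwriting one another.
    """
    src, dst = rec["SRC_IP"], rec["DST_IP"]
    rank = int(rec.get("SNOW_ID", 0))
    names, values = _props(SRC_TAG_FIELDS, rec)
    vertex_src = f"INSERT VERTEX SRC_IP({names}) VALUES {ngql_literal(src)}:({values});"
    names, values = _props(DST_TAG_FIELDS, rec)
    vertex_dst = f"INSERT VERTEX DST_IP({names}) VALUES {ngql_literal(dst)}:({values});"
    names, values = _props(ALARM_EDGE_FIELDS, rec)
    edge = (f"INSERT EDGE ATTACKALARM({names}) VALUES "
            f"{ngql_literal(src)}->{ngql_literal(dst)}@{rank}:({values});")
    return [vertex_src, vertex_dst, edge]


if __name__ == "__main__":
    for statement in alarm_to_ngql(SAMPLE_ALARM):
        print(statement)
```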
Optionally, the network security detection system provided in the embodiment of the present application further includes a data importing device, wherein the input end of the data importing device is connected to the output end of the data preprocessing cluster 14 and the output end of the data importing device is connected to the input end of the graph database 16; the data importing device is used for importing the cleaned data into the graph database 16.
Specifically, as shown in fig. 2, the data importing device is denoted as Nebula Exchange: in the embodiment of the present application a Nebula Exchange import tool is deployed, and streaming import is used to import data from the kafka cluster into the Nebula Graph cluster in real time.
The Nebula Exchange configuration is as follows:
{
  # Spark related configuration
  spark: {
    app: {
      name: Nebula Exchange 2.0
    }
    master: local

    driver: {
      cores: 1
      memory: 1G
    }

    executor: {
      memory: 64G
    }

    cores: {
      max: 32
    }
  }

  # Nebula Graph related configuration
  nebula: {
    address: {
      graph: ["127.0.0.1"]   # graphd address (port elided in the source)
      meta: ["127.0.0.1"]    # metad address (port elided in the source)
    }
    user: root
    pswd: "123456"
    space: test

    path: {
      local: "/tmp"
      remote: "/sst"
      hdfs.namenode: "hdfs://127.0.0.1:9000"
    }

    connection: {
      timeout: 3000
      retry: 3
    }

    execution: {
      retry: 3
    }

    error: {
      max: 32
      output: /tmp/errors/
    }

    rate: {
      limit: 1024
      timeout: 1000
    }
  }

  # Process vertices
  tags: [
    # Configurations for the course tag
    {
      name: <tag name in Nebula>
      type: {
        source: kafka
        sink: client
      }
      service: "127.0.0.1"                              # kafka address (port elided in the source)
      topics: ["test"]                                  # topic name
      groupid: "test"                                   # groupid
      offset: earliest                                  # consumption mode: earliest or latest
      configFile: "/data/nebula/exchange/kafka.conf"    # configuration file Exchange uses to log in to kafka
      autoCommit: true                                  # whether to commit automatically; if true, import can resume after an interruption

      fields: [<kafka field>]
      nebula.fields: [<nebula field>]
      vertex: {
        field: <kafka field used as vid>
      }
      partition: 15
      batch: 200
      interval.seconds: 10
    }
  ]

  # Process edges
  edges: [
    {
      name: <edge name in Nebula>
      type: {
        source: kafka
        sink: client
      }
      service: "127.0.0.1"                              # kafka address (port elided in the source)
      topics: ["test"]                                  # topic name
      groupid: "test"                                   # groupid
      offset: earliest                                  # consumption mode: earliest or latest
      configFile: "/data/nebula/exchange/kafka.conf"    # configuration file Exchange uses to log in to kafka
      autoCommit: true                                  # whether to commit automatically; if true, import can resume after an interruption

      fields: [<kafka field>]
      nebula.fields: [<nebula field>]

      source: {
        field: <kafka field used as source vertex>
      }
      target: {
        field: <kafka field used as destination vertex>
      }
      ranking: <kafka field used as rank>

      partition: 15
      batch: 200
      interval.seconds: 10
    }
  ]
}
The Nebula Exchange start command is as follows:
# num-executors: number of executors; there are three servers, so 3 is chosen
# executor-cores: number of cores used by each executor; a single server has 48 cores, so 30 is configured here
# executor-memory: memory used by each executor; a single server has 256G of memory, 90G is configured here, and the whole Spark cluster uses 270G

nohup spark-submit --master spark://[spark cluster IP]:7077 --executor-memory=90G --num-executors=3 --executor-cores=30 --conf "spark.executor.extraJavaOptions=-Djava.security.auth.login.config=/data/nebula/exchange/kafka.conf" --class com.vesoft.nebula.exchange.Exchange nebula-exchange-2.5-streaming-kafka-SNAPSHOT.jar -c application.conf >> exchange.log 2>&1 &
Optionally, the network security detection system provided in the embodiment of the present application further includes a reliable coordination system for the distributed system, which is connected to the data preprocessing cluster 14 and is used for providing configuration maintenance, domain name service, distributed synchronization or group service for the at least one network device 12 and the data preprocessing cluster 14.
As shown in fig. 2, in the embodiment of the present application the reliable coordination system of the distributed system is labeled as the Zookeeper cluster.
Further, optionally, the network security detection system provided in the embodiment of the present application further includes a cluster computing engine, which is connected to the data importing device and to the graph database 16 respectively and is used for processing according to the data flow of each.
As shown in fig. 2, in the embodiment of the present application the cluster computing engine is labeled as the Spark cluster.
In summary, the network security detection system provided in the embodiment of the present application has the following advantage: compared with relational databases and other non-relational data stores, graph database technology has an inherent advantage in processing security data. By storing the attack initiator, the attacked party and the attack link in the graph database as points and edges, the whole network attack topology graph is easily obtained, and that topology graph can then be further analyzed with technologies such as graph computation, so as to quickly find the vulnerabilities existing in the network, thereby greatly improving detection efficiency.
The embodiment of the invention provides a network security detection system: at least one network device is connected to a data preprocessing cluster, which is used for acquiring data from the at least one network device and cleaning it to obtain cleaned data; the graph database is used for acquiring the cleaned data and generating node data, so that under network security detection, node data of a target time period is acquired from the graph database, the node data is sorted, subgraphs corresponding to the sorted node data are obtained, and a target node is determined according to the subgraphs, so that vulnerabilities existing in the network can be quickly found and detection efficiency is greatly improved.
Example two
In a second aspect, an embodiment of the present invention provides a network security detection method, and fig. 3 is a schematic flow chart of the network security detection method provided in the second embodiment of the present invention; as shown in fig. 3, the network security detection method provided in the embodiment of the present application is applied to the network security detection system in embodiment 1, and includes:
step S302, acquiring node data of a target time period from a graph database;
optionally, the step S302 of obtaining the node data of the target time period from the graph database includes: and acquiring the node data with the highest out-degree in the target time from the graph database according to an in-out degree statistical method.
Specifically, the network security detection method provided in the embodiment of the present application is applied to the network security detection system in the first embodiment, and finds out the node with the highest out-degree in a certain time period (for example, within 1 day) (i.e., the target time period in the embodiment of the present application) in the whole graph space by using an "in-out degree statistics" algorithm.
In an implementation, the algorithm configuration file is edited so that both the input and the output of the data are NebulaGraph clusters; the relevant settings are as follows (shell-style key/value lines with comments):
WNUM=3                                                  # 3 worker processes; with 3 machines, 1 process per machine
WCORES=6                                                # 6 threads per process, set according to the number of CPUs
INPUT=${INPUT:="nebula:$PROJECT/scripts/nebula.conf"}   # the data source is Nebula
OUTPUT=${OUTPUT:="nebula:$PROJECT/scripts/nebula.conf"} # the write target is Nebula
STEP=${STEP:=1}                                         # -1 means unlimited; set to k to count degrees within k hops
The "in-/out-degree statistics" algorithm is then run as follows:
./scripts/run_degree.sh
Step S304, sorting the node data to obtain subgraphs corresponding to the sorted node data;
Optionally, step S304, sorting the node data and acquiring the subgraphs corresponding to the sorted node data, includes: sorting the node data to obtain sorted node data; and performing reverse tracing according to the sorted node data to obtain the subgraphs.
Specifically, the node data obtained in step S302 is sorted; in an implementation the sorting may be done as follows:
Connect to NebulaGraph and execute an nGQL statement that returns the nodes with the highest out-degree, sorted, keeping the top N (in NebulaGraph 3.x the property is addressed as v.degree.degree_out):
MATCH (v:degree) RETURN id(v), v.degree_out AS degree_out ORDER BY degree_out DESC LIMIT 10;
After the sorted node data is obtained, reverse tracing is performed according to it; in an implementation the subgraph may be obtained as follows:
Reverse tracing is performed on each of the top N nodes found, and the traversed nodes form a subgraph. Because the trace is meant to run backwards from the noisy node toward whatever is driving it, the traversal follows incoming edges, which in nGQL is written OVER * REVERSELY instead of OVER *.
For example:
GO 1 TO 3 STEPS FROM [vid of top N node]
OVER * YIELD dst(edge) AS destination;
As shown in fig. 4, which is a schematic diagram of a subgraph in the network security detection method according to the second embodiment of the present invention, node A is an agent (proxy), and the real attack initiator is hidden inside the traced subgraph.
Step S306, determining a target node according to the subgraphs.
Optionally, step S306, determining the target node according to the subgraphs, includes: acquiring the intersection nodes of the subgraphs and determining them as target nodes.
Specifically, as shown in fig. 5, which is a schematic diagram of determining a target node in the network security detection method according to the second embodiment of the present invention, the intersection of the subgraphs obtained by reverse tracing from the top N nodes is taken, and these intersection nodes are defined as medium-risk (candidate) nodes, i.e. the target nodes in the embodiment of the present application.
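Steps S302 to S306 carried through end to end, as an added worked example in pure Python that is not the patent's own code and not NebulaGraph's algorithm package: the node names, the day-based time window and the `EDGES` records are constructed for illustration. It restricts the out-degree count to the target period, takes the top N, walks 1 to 3 hops over incoming edges from each top node (the reverse trace, i.e. the nGQL `GO 1 TO 3 STEPS ... OVER * REVERSELY` walk), and intersects the resulting subgraphs to get the candidate (medium-risk) nodes.

```python
from collections import Counter, defaultdict

# Constructed sample of cleaned connection records as (src, dst, day). This is
# invented data for the example, not records from the patent: "c2" drives the
# agents "a1" and "a2" directly and "a3" through "relay", "ops" sits behind "c2",
# and the agents fan out to victims v1..v10. Day-2 records must fall outside a
# target period of day 1.
EDGES = [
    ("ops", "c2", 1),
    ("c2", "a1", 1), ("c2", "a2", 1), ("c2", "relay", 1),
    ("relay", "a3", 1),
    ("scanner", "a1", 1),
    ("a1", "v1", 1), ("a1", "v2", 1), ("a1", "v3", 1), ("a1", "v4", 1),
    ("a2", "v5", 1), ("a2", "v6", 1), ("a2", "v7", 1), ("a2", "v8", 1),
    ("a3", "v9", 1), ("a3", "v10", 1),
    ("v1", "dns", 1), ("v5", "dns", 1),
    ("old", "v1", 2), ("old", "v2", 2), ("old", "v3", 2), ("old", "v4", 2), ("old", "v5", 2),
]


def out_degree(edges, day):
    """Step S302: out-degree of each source node, counting only edges in the target period."""
    return Counter(src for src, _dst, d in edges if d == day)


def top_n(degrees, n):
    """Top-N nodes by out-degree; ties are broken by node id so the ranking is stable."""
    return [v for v, _ in sorted(degrees.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]


def reverse_trace(edges, start, max_steps=3):
    """Step S304: nodes reached from `start` in 1..max_steps hops over *incoming* edges,
    i.e. the nGQL walk `GO 1 TO 3 STEPS FROM <vid> OVER * REVERSELY`. Walking against
    the edge direction climbs from a noisy agent towards whatever is driving it."""
    incoming = defaultdict(set)
    for src, dst, _day in edges:
        incoming[dst].add(src)
    seen, frontier = set(), {start}
    for _ in range(max_steps):
        # next hop upstream; drop nodes already visited and the start node (cycles)
        frontier = {u for v in frontier for u in incoming[v]} - seen - {start}
        if not frontier:
            break
        seen |= frontier
    return seen


def candidate_nodes(edges, day, n=2, max_steps=3):
    """Steps S302-S306 end to end: rank, trace each top node, intersect the subgraphs.
    Returns (ranked nodes, their subgraphs, the intersection = candidate nodes)."""
    ranked = top_n(out_degree(edges, day), n)
    subgraphs = [reverse_trace(edges, v, max_steps) for v in ranked]
    common = set.intersection(*subgraphs) if subgraphs else set()
    return ranked, subgraphs, common


if __name__ == "__main__":
    ranked, subgraphs, common = candidate_nodes(EDGES, day=1)
    for v, sub in zip(ranked, subgraphs):
        print(f"top node {v}: upstream subgraph {sorted(sub)}")
    print("candidate (medium-risk) nodes:", sorted(common))
```

On the constructed records the two noisiest nodes are the agents a1 and a2; tracing upstream from both reaches c2 and, two hops up, ops, while the "scanner" host that only touched a1 is dropped by the intersection. The day filter keeps the stale "old" records out of the ranking even though they would otherwise top it.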
Further, optionally, the network security detection method provided in the embodiment of the present application further includes: acquiring intermediary nodes from the subgraphs according to a betweenness centrality algorithm, where betweenness centrality measures the number of times a vertex lies on the shortest paths between any other pair of vertices and thereby identifies the importance of the node; a node lying between multiple nodes is determined to be an intermediary node.
Optionally, the network security detection method provided in the embodiment of the present application further includes: pushing the target node to a security department for further handling.
Further, optionally, the method further includes: when the target node is an alarm node, changing the identification state of the target node in the subgraph and handing it over to an external organ for processing; and when the target node is a normal node, reinforcing the network security of the target node.
The betweenness centrality algorithm (called intermediary centrality in this application) used in the embodiment may be the following: betweenness centrality measures the number of times a vertex appears on the shortest paths between any other pair of vertices and thereby describes the importance of the node. It measures how far a node can act as an "intermediary", i.e. how much it controls the others. If a node lies between multiple nodes, the node (the intermediary node in the embodiment of the present application) may be considered to act as an important "intermediary" whose position controls the delivery of information and can affect the community.
The formula for betweenness centrality is as follows:
(formula shown as an image in the original)
Specifically, in the network security detection method provided in the embodiment of the present application, a plurality of suspicious network subgraphs are obtained, and the bridge nodes between them (the intermediary nodes in the embodiment of the present application) are found with the betweenness centrality algorithm. These nodes need special attention and are pushed to a decision-making or security department for judgment: if a node is a problem node (the alarm node in the embodiment), it is grey-listed or blacklisted (i.e. the identification state of the target node in the subgraph is changed) and may even be handed over to the public security organs (the external organ processing in the embodiment); if it is a normal node, its network security needs to be reinforced.
The betweenness centrality algorithm is used to find the group of nodes in the whole graph that act as pivots. Grey-listing or blacklisting these pivot nodes cuts off the network attack chain quickly and reduces the loss.
As shown in fig. 6a, which is a schematic diagram of determining an intermediary node in the network security detection method according to the second embodiment of the present invention, node C is the important bridge node (the intermediary node in the embodiment of the present application) among the multiple subgraphs.
Fig. 6b is a schematic diagram of determining an intermediary node in another network security detection method according to the second embodiment of the present invention; here node B has a low degree (few edges in or out), yet disconnecting node B disconnects the entire link.
When a network intrusion event occurs, security managers need a fast response mechanism to reduce the loss as much as possible. With a traditional scheme, for example a wide table that records and analyses the attack details, the network structure cannot be seen intuitively, and the most valuable key nodes in the network (those with a low degree but acting as bridges) stay hidden.
With graph technology, the key nodes in the whole network can be found easily, and by acting on them the attack chain across the whole network can be cut off quickly, which reduces the loss and greatly reduces the workload of operations and maintenance staff. At the same time, finding these nodes identifies the key points of the whole network environment, to which security managers need to pay special attention in their daily work so that precautions are taken in advance.
Optionally, the network security detection method provided in the embodiment of the present application further includes: determining, according to the target nodes, the network to which they belong as a target network; this includes: determining the network formed by connecting the target nodes through their vertex-edge relations as the target network, matching networks with a similar structure by means of a similarity algorithm according to the target network, and obtaining all target nodes from the target network and the matched networks.
Specifically, the medium-risk nodes (the target nodes in the embodiment of the present application) are connected into a network through their vertex-edge relations and defined as a suspicious network (the target network in the embodiment). This suspicious network is used as a sample, and the whole graph is scanned with the "Jaccard similarity" algorithm to find network structures similar to it, so that the medium-risk nodes of the whole graph are obtained. The algorithm is run as follows:
./scripts/run_jaccard_similarity.sh
The "Jaccard similarity" algorithm may be the following: Jaccard similarity is measured with the Jaccard coefficient (Jaccard index), which compares the similarity and difference between finite sample sets. The larger the Jaccard coefficient, the higher the similarity of the samples.
The Jaccard coefficient is calculated as follows:
(formula shown as an image in the original)
In the present application it is used to analyse the similarity of two network structures.
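The betweenness centrality step and the Jaccard similarity step described above, as an added example in Python that is not code from the patent or from NebulaGraph's algorithm package: the graph `BRIDGE_GRAPH`, the per-window node sets in `WINDOWS`, the sample network and the function names are constructed for illustration. `betweenness` implements the standard Brandes algorithm for directed unweighted graphs, which computes exactly the quantity defined above (for each vertex, the share of shortest paths between other vertex pairs that pass through it); the sample graph reproduces the fig. 6b situation, where node B has in-degree 1 and out-degree 1 yet every left-to-right path crosses it. `jaccard` and `scan_similar` then rank candidate networks against a suspicious sample network by Jaccard index.

```python
from collections import deque

# Constructed directed graph for this example (not from the patent): a left cluster
# (L1, L2, L3) and a right cluster (R1, R2, R3) joined only by the chain C -> B.
# Every left-to-right path crosses both C and B, so both are bridge nodes, yet B
# has in-degree 1 and out-degree 1 (the low-degree pivot of fig. 6b).
BRIDGE_GRAPH = {
    "L1": ["L2", "L3"], "L2": ["C"], "L3": ["C"],
    "C": ["B"], "B": ["R1"], "R1": ["R2", "R3"],
}

# Constructed per-time-window node sets, standing in for the subgraphs a scan of
# the whole graph would return, plus the suspicious sample network to match.
SAMPLE_NETWORK = {"c2", "ops", "a1", "a2"}
WINDOWS = {
    "day1": {"c2", "ops", "a1", "a2", "relay"},
    "day2": {"c2", "a9"},
    "day3": {"ops", "c2", "a1"},
}


def betweenness(adj):
    """Betweenness centrality of every node of a directed, unweighted graph
    (Brandes' algorithm): C_B(v) = sum over s != v != t of sigma_st(v) / sigma_st,
    where sigma_st counts shortest s->t paths and sigma_st(v) those through v."""
    nodes = set(adj) | {w for ws in adj.values() for w in ws}
    cb = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        stack = []
        pred = {v: [] for v in nodes}          # predecessors on shortest paths from s
        sigma = dict.fromkeys(nodes, 0)        # number of shortest paths from s
        dist = dict.fromkeys(nodes, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                           # BFS from s, counting shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in adj.get(v, ()):
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)      # dependency of s on each node
        while stack:                           # accumulate in reverse BFS order
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                cb[w] += delta[w]
    return cb


def degree(adj, v):
    """(in-degree, out-degree) of v, to contrast with its betweenness."""
    indeg = sum(v in ws for ws in adj.values())
    return indeg, len(adj.get(v, ()))


def pivot_nodes(adj, top=2):
    """Nodes ranked by betweenness (highest first); ties broken by node id."""
    cb = betweenness(adj)
    return sorted(cb, key=lambda v: (-cb[v], v))[:top]


def jaccard(a, b):
    """Jaccard index |A n B| / |A u B|: 1.0 for identical sets, 0.0 for disjoint ones."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def scan_similar(sample, candidates, threshold=0.5):
    """Candidate networks whose Jaccard similarity to the sample reaches the
    threshold, highest first, as (name, score) pairs."""
    scored = sorted(((jaccard(sample, c), name) for name, c in candidates.items()), reverse=True)
    return [(name, round(score, 3)) for score, name in scored if score >= threshold]


if __name__ == "__main__":
    cb = betweenness(BRIDGE_GRAPH)
    for v in pivot_nodes(BRIDGE_GRAPH, top=3):
        print(f"{v}: betweenness={cb[v]:.1f} (in, out)={degree(BRIDGE_GRAPH, v)}")
    print(scan_similar(SAMPLE_NETWORK, WINDOWS))
```

On the constructed graph B and C come out with the highest betweenness even though B has only one edge in and one out, which is why a degree-only ranking misses it. One caveat on the similarity step: a Jaccard index over node identifiers, as here, finds networks that share members across time windows; two networks with the same shape but disjoint addresses score 0.0, so purely structural matching needs a shape signature (for example the multiset of in/out-degree pairs) rather than raw ids.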
In the network security detection method provided by the embodiment of the invention, because network attacks are highly concealed, a node that launches attacks many times may only be one layer of agent, so the statistics (top N) alone only reach the shallowest layer.
By comparing the attack subgraphs behind the agent node across different time periods, using only a simple N-hop query, the method obtains the network structure hidden behind the agent node, and by finding the specific network feature structure with the Jaccard similarity algorithm it can find deeper dangerous nodes. This improves root-cause mining and helps prevent follow-up attacks.
The embodiment of the invention provides a network security detection method: node data of a target time period is obtained from a graph database; the node data is sorted and the subgraphs corresponding to the sorted node data are obtained; and the target node is determined according to the subgraphs, so that weak points in the network can be found quickly and the detection efficiency is greatly improved.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. A network security detection system, comprising:
at least one network device, a data pre-processing cluster, and a graph database, wherein,
the at least one network device is connected to the data preprocessing cluster, and the data preprocessing cluster is configured to acquire data of the at least one network device and clean the data to obtain cleaned data;
the graph database is configured to acquire the cleaned data and generate node data; in the case of network security detection, node data with the highest out-degree in a target time period is acquired from the graph database according to an in-/out-degree statistics method, the node data being generated by the graph database from the acquired network device data; top-N sorting is performed on the node data with the highest out-degree, reverse tracing is performed according to the sorted node data to obtain subgraphs corresponding to the node data, and a target node is determined according to the subgraphs.
2. The network security detection system of claim 1, further comprising: and the input end of the data importing device is connected with the output end of the data preprocessing cluster, and the output end of the data importing device is connected with the input end of the graph database and is used for importing the cleaned data into the graph database.
3. The network security detection system of claim 1, further comprising: a reliable coordination system for a distributed system, wherein,
and the reliable coordination system of the distributed system is connected with the data preprocessing cluster and is used for providing configuration maintenance, domain name service, distributed synchronization or group service for the at least one network device and the data preprocessing cluster.
4. The network security detection system of claim 2, further comprising: a cluster computing engine, wherein,
the cluster computing engine is respectively connected with the data import device and the graph database and is used for respectively processing according to data flows of the data import device and the graph database.
5. A network security detection method, applied to a network security detection system, comprising the following steps:
acquiring, according to an in-/out-degree statistics method, node data with the largest out-degree in a target time period from a graph database, the node data being generated by the graph database from acquired network device data;
performing top-N sorting on the node data with the largest out-degree, and performing reverse tracing according to the sorted node data to obtain subgraphs corresponding to the node data;
and determining a target node according to the subgraph.
6. The network security detection method of claim 5, wherein the determining a target node from the subgraph comprises:
and acquiring intersection nodes of the subgraphs, and determining the nodes as the target nodes.
7. The network security detection method of claim 6, wherein the method further comprises:
acquiring intermediary nodes from the subgraphs according to a betweenness centrality algorithm, where betweenness centrality measures the number of times a vertex lies on the shortest paths between any other pair of vertices and thereby identifies the importance of the node, and a node lying between multiple nodes is determined to be an intermediary node.
8. The network security detection method of claim 7, wherein the method further comprises:
and pushing the target node to a security department for standby processing.
9. The network security detection method of claim 8, wherein the method further comprises:
when the target node is an alarm node, changing the identification state of the target node in the subgraph and handing over to an external organ for processing;
and when the target node is a normal node, reinforcing the network security of the target node.
10. The network security detection method of claim 8, wherein the method further comprises:
determining a network to which the target node belongs as a target network according to the target node; wherein the determining that the network to which the target node belongs is the target network according to the target node comprises: and determining a network formed by connecting the target nodes as the target network through the point-edge relation, obtaining networks with similar network structures through matching of a similarity algorithm according to the target network, and obtaining all the target nodes according to the target network and the network.
Publications (2)

Publication Number Publication Date
CN115037561A CN115037561A (en) 2022-09-09
CN115037561B true CN115037561B (en) 2022-11-22

Family

ID=83130665

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115622796B (en) * 2022-11-16 2023-04-07 南京南瑞信息通信科技有限公司 Network security linkage response combat map generation method, system, device and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA3135360A1 (en) * 2019-03-28 2020-10-01 NTT Security Corporation Graph stream mining pipeline for efficient subgraph detection
CN114006723A (en) * 2021-09-14 2022-02-01 上海纽盾科技股份有限公司 Network security prediction method, device and system based on threat intelligence
CN114143109A (en) * 2021-12-08 2022-03-04 安天科技集团股份有限公司 Visual processing method, interaction method and device for attack data
CN114268954A (en) * 2020-09-25 2022-04-01 中国移动通信集团河南有限公司 Safety monitoring method, device, equipment and storage medium for Internet of things equipment

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160110365A1 (en) * 2014-10-09 2016-04-21 Arizona Board Of Regents On Behalf Of Arizona State University Systems and methods for locating contagion sources in networks with partial timestamps
CN111125453B (en) * 2019-12-27 2023-03-28 中国电子科技集团公司信息科学研究院 Opinion leader role identification method in social network based on subgraph isomorphism and storage medium
CN112700261B (en) * 2020-12-30 2023-06-06 平安科技(深圳)有限公司 Method, device, equipment and medium for detecting single file of brushing on basis of suspicious communities
CN113128076A (en) * 2021-05-18 2021-07-16 北京邮电大学 Power dispatching automation system fault tracing method based on bidirectional weighted graph model
CN113676484B (en) * 2021-08-27 2023-04-18 绿盟科技集团股份有限公司 Attack tracing method and device and electronic equipment
CN114238958A (en) * 2021-12-15 2022-03-25 华中科技大学 Intrusion detection method and system based on traceable clustering and graph serialization

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Complex network filtering and compression algorithm based on triangle subgraphs; Wu Tao et al.; Computer Engineering (计算机工程); 2020-05-15 (issue 5); full text *
Distributed process mining and graph partitioning method for network attack modelling; Liu Zhenyu et al.; Journal of Chinese Computer Systems (小型微型计算机系统); 2020-08-15 (issue 8); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant