CN115085986A - Abnormal behavior monitoring system and method based on network security situation awareness system - Google Patents


Info

Publication number
CN115085986A
Authority
CN
China
Prior art keywords
data
monitoring
equipment
monitored
deployment
Prior art date
Legal status
Granted
Application number
CN202210636139.XA
Other languages
Chinese (zh)
Other versions
CN115085986B (en)
Inventor
陈良汉
段海宁
洪超
钟海维
Current Assignee
Zhuhai Hongrui Information Technology Co Ltd
Original Assignee
Zhuhai Hongrui Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Zhuhai Hongrui Information Technology Co Ltd
Priority to CN202210636139.XA
Publication of CN115085986A
Application granted
Publication of CN115085986B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses an abnormal behavior monitoring system and method based on a network security situation awareness system. The system comprises a perception data acquisition module, a database, a deployment mode selection module, an abnormal behavior monitoring module and a data forwarding management module. The perception data acquisition module collects the processing information of the perception data and the use information of the monitored equipment; the database stores and manages all collected data; the deployment mode selection module selects and allocates a deployment mode for the situation awareness system; the abnormal behavior monitoring module performs situation awareness and monitors the equipment according to the selected deployment mode; and the data forwarding management module summarizes and sorts the monitored data and forwards the sorted monitoring data. Resource allocation is thereby rationalized, the comprehensive benefit of monitoring the equipment with the corresponding deployment mode is maximized, the information island problem is relieved by summarizing and sharing monitoring data, and the difficulty of analyzing the perception data is reduced.

Description

Abnormal behavior monitoring system and method based on network security situation awareness system
Technical Field
The invention relates to the technical field of big data, in particular to an abnormal behavior monitoring system and method based on a network security situation perception system.
Background
The network security situation awareness system monitors abnormal network behaviors by acquiring operation data of equipment such as a server, a switch, a router, an encryption device and an isolation device and processing the acquired data by adopting methods such as a mathematical model and knowledge reasoning, and accordingly performs global network security real-time state evaluation;
In the existing mode of monitoring abnormal behaviors, some problems remain. Firstly, after equipment data are monitored and collected, an information island problem exists: associated data cannot be shared, and associated monitoring data cannot be summarized and matched, which would reduce the amount of monitoring data to be analyzed and allow more abnormal network behaviors to be prevented in time. Secondly, the deployment modes of the network security situation awareness system differ; in the existing mode a deployment mode is chosen at will according to requirements, so the allocation of resources, that is, of deployment modes, cannot be rationalized, monitoring efficiency is reduced and monitoring cost is increased.
Therefore, there is a need for an abnormal behavior monitoring system and method based on a network security situation awareness system to solve the above problems.
Disclosure of Invention
The invention aims to provide an abnormal behavior monitoring system and method based on a network security situation perception system, so as to solve the problems in the background technology.
In order to solve the technical problems, the invention provides the following technical scheme: an abnormal behavior monitoring system based on a network security situation awareness system, characterized in that the system comprises a perception data acquisition module, a database, a deployment mode selection module, an abnormal behavior monitoring module and a data forwarding management module;
the perception data acquisition module is used for acquiring processing information of perception data and using information of monitoring equipment;
the database is used for storing and managing all the collected data;
the deployment mode selection module is used for selecting and distributing a deployment mode for the situation awareness system;
the abnormal behavior monitoring module is used for carrying out situation perception according to the selected deployment mode and monitoring equipment;
and the data forwarding management module is used for summarizing and sorting the monitored data and forwarding the sorted monitoring data.
Furthermore, the perception data acquisition module comprises a calling information acquisition unit, a deployment information acquisition unit and an equipment information acquisition unit, wherein the calling information acquisition unit is used for acquiring called information of historical perception data; the deployment information acquisition unit is used for acquiring cost data required by perception data in different deployment modes; the equipment information acquisition unit is used for acquiring the use information of the monitored equipment and transmitting all acquired data to the database.
Furthermore, the deployment mode selection module comprises a deployment cost analysis unit, a demand data analysis unit and a deployment mode allocation unit, wherein the deployment cost analysis unit is used for analyzing the effect proportion of the network security situation awareness system for selecting different deployment mode monitoring devices; the demand data analysis unit is used for analyzing the influence degree of the equipment to be monitored on the network security; the deployment mode allocation unit is used for selecting and allocating different deployment modes for the situation awareness system.
Furthermore, the abnormal behavior monitoring module comprises a situation sensing unit and a behavior abnormality early warning unit, wherein the situation sensing unit is used for carrying out situation sensing on network safety according to the selected deployment mode and monitoring equipment; the behavior abnormity early warning unit is used for sending an abnormity warning signal when the abnormal behavior of the equipment is monitored, and transmitting the sensing data to the data forwarding management module.
The data forwarding management module comprises a perception data collection unit, a data display adjustment unit and a summarized data forwarding unit, wherein the perception data collection unit is used for receiving and summarizing perception data; the data display adjusting unit is used for adjusting the display position of the summarized data and sorting the summarized data: synchronously displaying the data gathered together; the summarized data forwarding unit is used for forwarding the sorted summarized data to a superior management system.
An abnormal behavior monitoring method based on a network security situation awareness system is characterized by comprising the following steps:
Z01: acquiring the called information of the perception data, the cost data in different deployment modes and the use information of the monitored equipment;
Z02: analyzing the effect proportion of the situation awareness system monitoring the equipment in different deployment modes and the influence degree of the monitored equipment on network security;
Z03: selecting and allocating a deployment mode to monitor abnormal behaviors of the equipment;
Z04: monitoring the equipment according to the selected deployment mode, and sending an alarm signal when abnormal behavior of the equipment is monitored;
Z05: summarizing and sorting the monitored data, and forwarding the sorted monitoring data to a superior management system.
Further, in steps Z01-Z02: m deployment modes of the situation awareness system are collected. In the time period from t to T, the set of the numbers of times the data of a random device are acquired in the different deployment modes is B = {B1, B2, …, Bm}, the set of alarm counts is N = {N1, N2, …, Nm}, the set of total invalid alarm counts is M = {M1, M2, …, Mm}, and the set of the costs of monitoring the device in the different deployment modes is R = {R1, R2, …, Rm}. The success ratio wi of monitoring the device in a random deployment mode is calculated according to the following formula:
Figure BDA0003680370420000031
The set of effect proportions for monitoring the device in the different deployment modes is w = {w1, w2, …, wm}, where Bi represents the number of times the data of a random device are acquired in a random deployment mode in the period from t to T, Ni represents the number of alarms in the corresponding deployment mode, Mi represents the number of invalid alarms, and Ri represents the cost of monitoring the device in the corresponding deployment mode. The set of the numbers of times the acquired operation data of the monitored devices are called is A = {A1, A2, …, An}, the set of the numbers of times the monitored devices are maintained is C = {C1, C2, …, Cn}, the set of alarm level coefficients when network abnormal behavior of a random monitored device is perceived is L = {L1, L2, …, Lk}, and the set of invalid alarm level coefficients is L′ = {L′1, L′2, …, L′p}, where n represents the number of monitored devices, k represents the number of alarms raised on a random monitored device and p represents the number of invalid alarms. The influence degree Ki of a random monitored device on network security is calculated according to the following formula:
Figure BDA0003680370420000032
The set of influence degrees of the monitored devices on network security is K = {K1, K2, …, Kn}, where Ai represents the number of times the operation data of a random monitored device are called, Ci represents the number of times the corresponding device is maintained, Li represents the alarm level coefficient of one random alarm raised when network abnormal behavior of the corresponding device is perceived, and L′i represents the level coefficient of one random invalid alarm. The success ratio is the ratio of the efficiency to the cost of monitoring the device in a random deployment mode. Monitoring efficiency is analyzed from the amount of data acquired in a given time period and the number of alarms raised when abnormal behavior was monitored while a random device was monitored in the different deployment modes in the past: the more data acquisitions and the more alarms in that period, the higher the monitoring efficiency is judged to be. Since alarms can be erroneous, the number of invalid alarms found after actual checking is included in the efficiency analysis, which improves the accuracy of the result. The ratio of monitoring efficiency to cost is calculated in order to obtain the comprehensive benefit of monitoring the device in each deployment mode: the lower the cost and the higher the efficiency, the higher the comprehensive benefit. Abnormal behavior of different devices affects network security to different degrees, so device data are collected and analyzed to determine each device's degree of influence on network security, which allows a suitable deployment mode to be matched, rationalizes resource allocation and monitors the devices with the highest comprehensive benefit.
Further, in step Z03: a deployment mode is selected and allocated to monitor abnormal behavior of the devices. The influence degree data of the monitored devices on network security are randomly divided into m groups, and the set of the sums of the influence degrees in each group is Ksum = {Ksum1, Ksum2, …, Ksumm}; according to the formula
Figure BDA0003680370420000041
the optimal grouping is found, where Ksumi represents the sum of the influence degrees in a random group. The Length values calculated for the different groupings are compared and the grouping with the largest Length value is selected; Length represents the variance of the m groups after the influence degree data have been divided into m groups. After grouping in the way that maximizes Length, the m groups are arranged in descending order of the sum of the influence degrees in each group, the effect proportions of monitoring the devices in the different deployment modes are arranged in descending order, and the sorted influence degrees and effect proportions are matched: the monitored devices corresponding to the influence degrees in each group are assigned the deployment mode whose effect proportion has the same rank as the sum of the influence degrees of that group, so that devices in the same group are monitored with the same deployment mode. Because the number of deployment modes differs from the number of devices and they cannot be matched one to one, the devices are divided into as many groups as there are deployment modes by random grouping; since many groupings are possible, the optimal solution, that is, the optimal allocation, is found by comparing the variance of the grouped data, which maximizes the difference between groups and helps maximize the comprehensive benefit of monitoring the devices with the corresponding deployment mode.
Further, in steps Z04-Z05: the monitored devices are monitored in the selected deployment mode, an alarm signal is sent when a device is found to be abnormal, and the monitored data are summarized and arranged. The set of alarm level coefficients of a random device monitored in the current deployment mode is D = {D1, D2, …, Dq} and the set of invalid alarm level coefficients is D′ = {D′1, D′2, …, D′f}; the abnormal degree Qi of the random device is obtained as:
Figure BDA0003680370420000042
where q represents the number of alarms raised when monitoring a random device in the current deployment mode, f represents the number of invalid alarms raised when monitoring a random device in the current deployment mode, Di represents the alarm level coefficient of one alarm raised on a random device in the current deployment mode, and D′i represents the level coefficient of one invalid alarm. The set of abnormal degrees obtained is Q = {Q1, Q2, …, Qn}. The abnormal degrees of the monitored devices are compared against an abnormal degree difference threshold Qthreshold: for two devices that are similar in function and satisfy Qi − Qj < Qthreshold, where Qi and Qj represent the abnormal degrees of the two devices, their operation data are summarized together and the summarized data are transmitted to the superior management system. If the collected information were not shared, an information island problem would arise; by selecting data with similar functions and similar alarm conditions, summarizing them and transmitting them to the superior management system, the superior management system receives related data together, which helps the relevant personnel compare and analyze the data and reduces the difficulty of analyzing the perception data.
Compared with the prior art, the invention has the following beneficial effects:
The invention uses big data to analyze the effect proportion of monitoring the equipment in different deployment modes and, in parallel, the degree to which abnormality of each monitored device influences network security, and then matches the effect proportions with the influence degree values. Since the two quantities may differ in number and cannot be matched one to one, the devices are divided into as many groups as there are deployment modes by random grouping; because many groupings are possible, the optimal solution, that is, the optimal allocation, is found by comparing the variance of the grouped data, which maximizes the difference between groups, helps match a suitable deployment mode to the monitored devices, rationalizes resource allocation and thereby maximizes the comprehensive benefit of monitoring the equipment with the corresponding deployment mode. Data with similar functions and similar alarm conditions are summarized, displayed and forwarded to the superior management system, which relieves the information island problem, enables monitoring data sharing and reduces the difficulty for the relevant personnel of analyzing the perception data.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a block diagram of an abnormal behavior monitoring system based on a network security situation awareness system according to the present invention;
FIG. 2 is a step diagram of an abnormal behavior monitoring method based on a network security situation awareness system according to the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Referring to fig. 1-2, the present invention provides a technical solution: an abnormal behavior monitoring system based on a network security situation awareness system, characterized in that the system comprises a perception data acquisition module, a database, a deployment mode selection module, an abnormal behavior monitoring module and a data forwarding management module;
the perception data acquisition module is used for acquiring processing information of perception data and using information of monitoring equipment;
the database is used for storing and managing all the acquired data;
the deployment mode selection module is used for selecting and distributing a deployment mode for the situation awareness system;
the abnormal behavior monitoring module is used for carrying out situation perception according to the selected deployment mode and monitoring the equipment;
the data forwarding management module is used for summarizing and sorting the monitored data and forwarding the sorted monitoring data.
The perception data acquisition module comprises a calling information acquisition unit, a deployment information acquisition unit and an equipment information acquisition unit, wherein the calling information acquisition unit is used for acquiring called information of historical perception data; the deployment information acquisition unit is used for acquiring cost data required by sensing data in different deployment modes; the equipment information acquisition unit is used for acquiring the use information of the monitored equipment and transmitting all acquired data to the database.
The deployment mode selection module comprises a deployment cost analysis unit, a demand data analysis unit and a deployment mode distribution unit, wherein the deployment cost analysis unit is used for analyzing the effect proportion of the network security situation awareness system for selecting monitoring equipment in different deployment modes; the demand data analysis unit is used for analyzing the influence degree of the equipment to be monitored on the network security; the deployment mode distribution unit is used for selecting and distributing different deployment modes for the situation awareness system, and the deployment modes can be a single-machine single-network mode, a single-machine double-network mode and the like.
The abnormal behavior monitoring module comprises a situation awareness unit and a behavior abnormality early warning unit, wherein the situation awareness unit is used for carrying out situation awareness on network security according to the selected deployment mode and monitoring equipment; the behavior abnormity early warning unit is used for sending an abnormity warning signal when the abnormal behavior of the equipment is monitored, and transmitting the sensing data to the data forwarding management module.
The data forwarding management module comprises a sensing data collection unit, a data display adjustment unit and a summarized data forwarding unit, wherein the sensing data collection unit is used for receiving and summarizing sensing data; the data display adjusting unit is used for adjusting the display position of the summarized data and sorting the summarized data: synchronously displaying the data gathered together; the summarized data forwarding unit is used for forwarding the sorted summarized data to a superior management system.
The abnormal behavior monitoring method based on the network security situation awareness system is characterized by comprising the following steps:
Z01: acquiring the called information of the perception data, the cost data in different deployment modes and the use information of the monitored equipment;
Z02: analyzing the effect proportion of the situation awareness system monitoring the equipment in different deployment modes and the influence degree of the monitored equipment on network security;
Z03: selecting and allocating a deployment mode to monitor abnormal behaviors of the equipment;
Z04: monitoring the equipment according to the selected deployment mode, and sending an alarm signal when abnormal behavior of the equipment is monitored;
Z05: summarizing and sorting the monitored data, and forwarding the sorted monitoring data to a superior management system.
In steps Z01-Z02: m deployment modes of the situation awareness system are collected. In the time period from t to T, the set of the numbers of times the data of a random device are acquired in the different deployment modes is B = {B1, B2, …, Bm}, the set of alarm counts is N = {N1, N2, …, Nm}, the set of total invalid alarm counts is M = {M1, M2, …, Mm}, and the set of the costs of monitoring the device in the different deployment modes is R = {R1, R2, …, Rm}. The success ratio wi of monitoring the device in a random deployment mode is calculated according to the following formula:
Figure BDA0003680370420000061
The set of effect proportions for monitoring the equipment in the different deployment modes is w = {w1, w2, …, wm}, where Bi represents the number of times the data of a random device are acquired in a random deployment mode in the period from t to T, Ni represents the number of alarms in the corresponding deployment mode, Mi represents the number of invalid alarms, and Ri represents the cost of monitoring the device in the corresponding deployment mode. The set of the numbers of times the acquired operation data of the monitored devices are called is A = {A1, A2, …, An}, the set of the numbers of times the monitored devices are maintained is C = {C1, C2, …, Cn}, the set of alarm level coefficients when network abnormal behavior of a random monitored device is perceived is L = {L1, L2, …, Lk}, and the set of invalid alarm level coefficients is L′ = {L′1, L′2, …, L′p}, where n represents the number of monitored devices, k represents the number of alarms raised on a random monitored device and p represents the number of invalid alarms. The influence degree Ki of a random monitored device on network security is calculated according to the following formula:
Figure BDA0003680370420000071
The set of influence degrees of the monitored devices on network security is K = {K1, K2, …, Kn}, where Ai represents the number of times the operation data of a random monitored device are called, Ci represents the number of times the corresponding device is maintained, Li represents the alarm level coefficient of one random alarm raised when network abnormal behavior of the corresponding device is perceived, and L′i represents the level coefficient of one random invalid alarm. A suitable deployment mode is then matched to the monitored devices, so that resource allocation is rationalized, monitoring cost is reduced and the devices are monitored with the highest comprehensive benefit.
In step Z03: a deployment mode is selected and allocated to monitor abnormal behavior of the devices. The influence degree data of the monitored devices on network security are randomly divided into m groups, and the set of the sums of the influence degrees in each group is Ksum = {Ksum1, Ksum2, …, Ksumm}; according to the formula
Figure BDA0003680370420000072
the optimal grouping is found, where Ksumi represents the sum of the influence degrees in a random group. The Length values calculated for the different groupings are compared and the grouping with the largest Length value is selected; Length represents the variance of the m groups after the influence degree data have been divided into m groups. After grouping in the way that maximizes Length, the m groups are arranged in descending order of the sum of the influence degrees in each group, the effect proportions of monitoring the devices in the different deployment modes are arranged in descending order, and the sorted influence degrees and effect proportions are matched: the monitored devices corresponding to the influence degrees in each group are assigned the deployment mode whose effect proportion has the same rank as the sum of the influence degrees of that group, so that devices in the same group are monitored with the same deployment mode. The optimal solution, that is, the optimal allocation, is found by comparing the variance of the grouped data, which maximizes the difference between groups and helps maximize the comprehensive benefit of monitoring the devices with the corresponding deployment mode.
In steps Z04-Z05: the monitored devices are monitored in the selected deployment mode, an alarm signal is sent when a device is found to be abnormal, and the monitored data are summarized and arranged. The set of alarm level coefficients of a random device monitored in the current deployment mode is D = {D1, D2, …, Dq} and the set of invalid alarm level coefficients is D′ = {D′1, D′2, …, D′f}; the abnormal degree Qi of the random device is obtained as:
Figure BDA0003680370420000073
where q represents the number of alarms raised when monitoring a random device in the current deployment mode, f represents the number of invalid alarms raised when monitoring a random device in the current deployment mode, Di represents the alarm level coefficient of one alarm raised on a random device in the current deployment mode, and D′i represents the level coefficient of one invalid alarm. The set of abnormal degrees obtained is Q = {Q1, Q2, …, Qn}. The abnormal degrees of the monitored devices are compared against an abnormal degree difference threshold Qthreshold: for two devices that are similar in function and satisfy Qi − Qj < Qthreshold, where Qi and Qj represent the abnormal degrees of the two devices, their data are summarized together and the summarized data are transmitted to the superior management system, where the relevant personnel compare and analyze them, which reduces the difficulty of analyzing the perception data.
The first embodiment is as follows: m = 4 deployment modes of the situation awareness system are collected. In the time period from t = 10:00 to T = 10:10, the set of the number of times data of one device are acquired in the different deployment modes is B = {B1, B2, B3, B4} = {3, 5, 2, 4}, the set of alarm counts is N = {N1, N2, N3, N4} = {1, 5, 2, 3}, the set of invalid alarm counts is M = {M1, M2, M3, M4} = {0, 2, 1, 3}, and the set of costs required to monitor the device in the different deployment modes is R = {R1, R2, R3, R4} = {20, 100, 50, 30}; according to the formula
Figure BDA0003680370420000081
the set of success ratios (effect proportions) for monitoring the equipment with the different deployment modes is obtained as w = {w1, w2, w3, w4} = {0.41, 0.20, 0.14, 0.19}. The set of the number of times the operation data of the monitored equipment were called is collected as A = {A1, A2, A3, A4, A5} = {5, 6, 8, 2, 1}, the set of the number of times the monitored equipment was maintained as C = {C1, C2, C3, C4, C5} = {2, 3, 1, 0, 5}, the set of alarm level coefficients when network abnormal behaviour of one monitored device is sensed as L = {L1, L2, L3} = {4, 3, 2}, and the set of invalid alarm level coefficients as L' = {L1'} = {2}; according to the formula
Figure BDA0003680370420000082
the set of influence degrees of the monitored equipment on network security is obtained as K = {K1, K2, K3, K4, K5} = {0.41, 0.27, 0.68, 0.18, 0.5}. The influence degree data of the monitored equipment are randomly divided into m = 4 groups, and the set of the sums of the influence degrees in each group of data is K_sum = {K_sum1, K_sum2, K_sum3, K_sum4}; according to the formula
Figure BDA0003680370420000083
the optimal grouping mode is found by comparing the Length values calculated for the different grouping modes and selecting the grouping mode that maximizes the Length value: the devices corresponding to K3 and K5 form one group, and each of the remaining devices forms its own group. The m groups of data are then arranged in descending order of the sum of the influence degrees in each group and matched with the sorted effect proportions: the deployment mode corresponding to w1 is selected for the devices corresponding to K3 and K5, the mode corresponding to w2 for the device corresponding to K1, the mode corresponding to w4 for the device corresponding to K2, and the mode corresponding to w3 for the device corresponding to K4, and the monitored devices are monitored in the selected deployment modes.
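The grouping and matching procedure of step Z03, as applied in the first embodiment above, as an added worked example in Python; this is not code from the patent or its applicant. Because the patent's own formulas are not reproduced on this page, the example assumes, following the description, that the Length value is the variance of the m group sums (taken here as the population variance) and that each of the m groups must be non-empty; the function names, and the exhaustive enumeration of partitions, are the example's own choices, and the K and w values are the constructed figures of the embodiment.

```python
"""Added example (not part of the patent): step Z03 grouping and matching.

Assumptions (labelled as such): the "Length" of a grouping is the population
variance of the m group sums, and every group must be non-empty.  K_EXAMPLE and
W_EXAMPLE are the constructed values of the first embodiment, not output of the
patent's own (unpublished) formulas.
"""
from statistics import pvariance


def partitions(items, m):
    """Yield every partition of `items` into exactly m non-empty groups
    (each group a tuple of items, the partition a list of groups)."""
    items = list(items)
    if m <= 0 or len(items) < m:
        return
    if m == 1:
        yield [tuple(items)]
        return
    first, rest = items[0], items[1:]
    # Either the first item forms a group on its own ...
    for p in partitions(rest, m - 1):
        yield [(first,)] + p
    # ... or it joins one of the groups of a partition of the rest.
    for p in partitions(rest, m):
        for idx in range(len(p)):
            yield p[:idx] + [(first,) + p[idx]] + p[idx + 1:]


def group_sums(k_values, partition):
    """K_sum: the sum of the influence degrees in each group."""
    return [sum(k_values[i] for i in group) for group in partition]


def length_value(k_values, partition):
    """Length: variance of the group sums (assumed: population variance)."""
    return pvariance(group_sums(k_values, partition))


def best_grouping(k_values, m):
    """Return (partition, Length) for the grouping that maximises Length.
    Indices in the partition are 0-based positions in k_values."""
    best, best_len = None, -1.0
    for p in partitions(range(len(k_values)), m):
        length = length_value(k_values, p)
        if length > best_len:
            best, best_len = p, length
    return best, best_len


def assign_deployment_modes(k_values, w_values):
    """Match groups to deployment modes by rank: the group with the largest
    influence sum gets the mode with the largest effect proportion, and so on.
    Returns {device number: mode number} using 1-based K1..Kn and w1..wm."""
    m = len(w_values)
    grouping, _ = best_grouping(k_values, m)
    groups_desc = sorted(grouping, key=lambda g: sum(k_values[i] for i in g),
                         reverse=True)
    modes_desc = sorted(range(m), key=lambda j: w_values[j], reverse=True)
    assignment = {}
    for group, mode in zip(groups_desc, modes_desc):
        for i in group:
            assignment[i + 1] = mode + 1  # same mode for the whole group
    return assignment


# Constructed values from the first embodiment (K1..K5 and w1..w4).
K_EXAMPLE = [0.41, 0.27, 0.68, 0.18, 0.5]
W_EXAMPLE = [0.41, 0.20, 0.14, 0.19]

if __name__ == "__main__":
    grouping, length = best_grouping(K_EXAMPLE, len(W_EXAMPLE))
    print("best grouping (1-based):", [[i + 1 for i in g] for g in grouping])
    print("Length:", round(length, 5))
    print("device -> deployment mode:", assign_deployment_modes(K_EXAMPLE, W_EXAMPLE))
```

Two points worth noticing when running it. Since the mean of the group sums is fixed at (sum of K)/m for every grouping, maximizing the variance is the same as maximizing the sum of squared group sums, which is why the two largest influence degrees (K3 and K5) end up together and the remaining devices stay in singleton groups, reproducing the embodiment's assignment. The number of partitions of n devices into m non-empty groups grows very quickly (a Stirling number of the second kind), so the exhaustive search is only practical for small device counts; a production system would need a heuristic or a greedy approximation for large fleets.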
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. An abnormal behavior monitoring system based on a network security situation awareness system, characterized in that the system comprises: a perception data acquisition module, a database, a deployment mode selection module, an abnormal behavior monitoring module and a data forwarding management module;
the perception data acquisition module is used for acquiring processing information of perception data and using information of monitoring equipment;
the database is used for storing and managing all the collected data;
the deployment mode selection module is used for selecting and distributing a deployment mode for the situation awareness system;
the abnormal behavior monitoring module is used for carrying out situation perception according to the selected deployment mode and monitoring equipment;
the data forwarding management module is used for summarizing and sorting the monitored data and forwarding the sorted monitoring data.
2. The system for monitoring the abnormal behavior based on the network security situation awareness system according to claim 1, wherein: the perception data acquisition module comprises a calling information acquisition unit, a deployment information acquisition unit and an equipment information acquisition unit, wherein the calling information acquisition unit is used for acquiring called information of historical perception data; the deployment information acquisition unit is used for acquiring cost data required by perception data in different deployment modes; the equipment information acquisition unit is used for acquiring the use information of the monitored equipment and transmitting all acquired data to the database.
3. The system for monitoring the abnormal behavior based on the network security situation awareness system according to claim 1, wherein: the deployment mode selection module comprises a deployment cost analysis unit, a demand data analysis unit and a deployment mode distribution unit, wherein the deployment cost analysis unit is used for analyzing the effect proportion of monitoring equipment with different deployment modes selected by the network security situation awareness system; the demand data analysis unit is used for analyzing the influence degree of the equipment to be monitored on the network security; the deployment mode allocation unit is used for selecting and allocating different deployment modes for the situation awareness system.
4. The system for monitoring the abnormal behavior based on the network security situation awareness system according to claim 1, wherein: the abnormal behavior monitoring module comprises a situation perception unit and a behavior abnormity early warning unit, wherein the situation perception unit is used for carrying out situation perception on network safety according to the selected deployment mode and monitoring equipment; the behavior abnormity early warning unit is used for sending an abnormity warning signal when the abnormal behavior of the equipment is monitored, and transmitting the sensing data to the data forwarding management module.
5. The system for monitoring the abnormal behavior based on the network security situation awareness system according to claim 1, wherein: the data forwarding management module comprises a perception data collection unit, a data display adjustment unit and a summarized data forwarding unit, wherein the perception data collection unit is used for receiving and summarizing perception data; the data display adjusting unit is used for adjusting the display position of the summarized data and sorting the summarized data: synchronously displaying the data gathered together; the summarized data forwarding unit is used for forwarding the sorted summarized data to a superior management system.
6. An abnormal behavior monitoring method based on a network security situation awareness system, characterized in that the method comprises the following steps:
Z01: acquiring the called information of the perception data, the cost data in the different deployment modes and the use information of the monitored equipment;
Z02: analyzing the effect proportion of the situation awareness system monitoring the equipment with the different deployment modes, and the influence degree of the monitored equipment on network security;
Z03: selecting and allocating a deployment mode to monitor abnormal behavior of the equipment;
Z04: monitoring the equipment according to the selected deployment mode, and sending an alarm signal when abnormal behavior of the equipment is monitored;
Z05: summarizing and sorting the monitored data, and forwarding the sorted monitoring data to a superior management system.
7. The abnormal behavior monitoring method based on the network security situation awareness system according to claim 6, wherein: in steps Z01-Z02: m deployment modes of the situation awareness system are collected; in the time period from t to T, the set of the number of times data of one device are acquired in the different deployment modes is B = {B1, B2, …, Bm}, the set of alarm counts is N = {N1, N2, …, Nm}, the set of total invalid alarm counts is M = {M1, M2, …, Mm}, and the set of costs of monitoring the equipment with the different deployment modes is R = {R1, R2, …, Rm}; the success ratio wi of monitoring the equipment with one deployment mode is calculated according to the following formula:
Figure FDA0003680370410000021
obtaining an effect proportion set w = {w1, w2, …, wm} for monitoring the equipment with the different deployment modes, wherein Bi represents the number of times data of one device are acquired with one deployment mode in the time period from t to T, Ni represents the number of alarms in the corresponding deployment mode, Mi represents the number of invalid alarms, and Ri represents the cost required to monitor the equipment in the corresponding deployment mode; the set of the number of times the operation data of the monitored equipment are called is collected as A = {A1, A2, …, An}, the set of the number of times the monitored equipment is maintained as C = {C1, C2, …, Cn}, the set of alarm level coefficients when network abnormal behaviour of one monitored device is sensed as L = {L1, L2, …, Lk}, and the set of invalid alarm level coefficients as L' = {L1', L2', …, Lp'}, wherein n represents the number of monitored devices, k represents the number of alarms raised for one monitored device, and p represents the number of invalid alarms; the influence degree Ki of one monitored device on network security is calculated according to the following formula:
Figure FDA0003680370410000031
obtaining a set K = {K1, K2, …, Kn} of the influence degrees of the monitored equipment on network security, wherein Ai represents the number of times the operation data of one monitored device are called, Ci represents the number of times the corresponding device is maintained, Li represents the alarm level coefficient of one alarm raised when network abnormal behaviour of the corresponding device is sensed, and Li' represents the level coefficient of one invalid alarm.
8. The abnormal behavior monitoring method based on the network security situation awareness system according to claim 7, wherein: in step Z03: a deployment mode is selected and allocated to monitor abnormal behavior of the equipment: the influence degree data of the monitored equipment on network security are randomly divided into m groups, and the set of the sums of the influence degrees in each group of data is obtained as K_sum = {K_sum1, K_sum2, …, K_summ}; according to the formula
Figure FDA0003680370410000032
the optimal grouping mode is found, wherein K_sumi represents the sum of the influence degrees in one group of data; the Length values calculated for the different grouping modes are compared and the grouping mode that maximizes the Length value is selected, the Length value representing the variance of the m group sums after the influence degree data have been divided into m groups; after grouping in the mode that maximizes the Length value, the m groups of data are arranged in descending order of the sum of the influence degrees in each group, the effect proportions of monitoring the equipment with the different deployment modes are arranged in descending order, and the sorted influence degrees and effect proportions are matched: for the monitored equipment corresponding to the influence degrees in each group of data, the deployment mode whose effect proportion has the same rank as the sum of the influence degrees of that group is selected, and the same deployment mode is selected for all equipment whose influence degrees fall in the same group.
9. The abnormal behavior monitoring method based on the network security situation awareness system according to claim 6, wherein: in steps Z04-Z05: the monitored equipment is monitored with the selected deployment mode, an alarm signal is sent when an abnormality of the equipment is monitored, and the monitored data are summarized and sorted: in the current deployment mode, the alarm level coefficient set of one monitored device is D = {D1, D2, …, Dq} and its invalid alarm level coefficient set is D' = {D1', D2', …, Df'}, from which the abnormal degree Qi of that device is obtained:
Figure FDA0003680370410000033
wherein q represents the number of alarms raised for one device in the current deployment mode, f represents the number of invalid alarms for that device, Di represents the alarm level coefficient of one alarm, and Di' represents the level coefficient of one invalid alarm; the abnormal degree set Q = {Q1, Q2, …, Qn} is obtained, the abnormal degrees of the monitored devices are compared, and an abnormal degree difference threshold Q_threshold is set: for two devices that are similar in function and satisfy Qi - Qj < Q_threshold, where Qi and Qj represent the abnormal degrees of the two devices, the operation data of the two monitored devices are summarized together, and the summarized data are transmitted to the superior management system.
CN202210636139.XA 2022-06-07 2022-06-07 Abnormal behavior monitoring system and method based on network security situation awareness system Active CN115085986B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210636139.XA CN115085986B (en) 2022-06-07 2022-06-07 Abnormal behavior monitoring system and method based on network security situation awareness system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210636139.XA CN115085986B (en) 2022-06-07 2022-06-07 Abnormal behavior monitoring system and method based on network security situation awareness system

Publications (2)

Publication Number Publication Date
CN115085986A true CN115085986A (en) 2022-09-20
CN115085986B CN115085986B (en) 2023-03-24

Family

ID=83251624

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210636139.XA Active CN115085986B (en) 2022-06-07 2022-06-07 Abnormal behavior monitoring system and method based on network security situation awareness system

Country Status (1)

Country Link
CN (1) CN115085986B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170104778A1 (en) * 2015-10-12 2017-04-13 Verint Systems Ltd. System and method for assessing cybersecurity awareness
CN108965209A (en) * 2017-05-19 2018-12-07 南京骏腾信息技术有限公司 Threat cognitive method based on safe big data analysis
CN109889476A (en) * 2018-12-05 2019-06-14 国网冀北电力有限公司信息通信分公司 A kind of network safety protection method and network security protection system
CN111740975A (en) * 2020-06-16 2020-10-02 黑龙江省网络空间研究中心 Network security situation awareness system and method
CN114584395A (en) * 2022-04-18 2022-06-03 南京硕茂电子科技有限公司 Big data security protection system and method based on network security

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘汝隽 et al.: "Design and Implementation of a Network Security Data Visual Analysis System", 《信息网络安全》 (Information Network Security) *

Also Published As

Publication number Publication date
CN115085986B (en) 2023-03-24

Similar Documents

Publication Publication Date Title
US7934257B1 (en) On-box active reconnaissance
US6385609B1 (en) System and method for analyzing and displaying telecommunications switch report output
US9213590B2 (en) Network monitoring and diagnostics
US20180329932A1 (en) Identification of distinguishing compound features extracted from real time data streams
US8780761B2 (en) Web based capacity management (WBCM) system
CN110096410A (en) Alarm information processing method, system, computer installation and readable storage medium storing program for executing
US7502844B2 (en) Abnormality indicator of a desired group of resource elements
US20100161630A1 (en) Sensor Net System, Sensor Net System Data Managing Method, and Sensor Net System Data Managing Program
JP2003536162A (en) Live Exceptions System
US20190294836A1 (en) Memory structure for inventory management
CN115085986B (en) Abnormal behavior monitoring system and method based on network security situation awareness system
CN111582796B (en) Express monitoring system and method based on image recognition
CN106874423A (en) search control method and system
CN101253507B (en) Account false use detecting/suppressing device, data collecting device
CN107147547A (en) A kind of cluster overall performance monitoring implementation method
CN103324153A (en) Device and method for automatic safety monitoring of boilers
US6484184B1 (en) Database network system
US8572041B2 (en) Representing records
CN112491622B (en) Method and system for locating fault root cause of service system
CN107395585B (en) Method, system and equipment for acquiring anomaly index based on time node
CN112801788A (en) Internet stock right financing platform monitoring system and monitoring method
KR100900146B1 (en) System and method for managing alarm occur rate of optical transmission network
GB2365252A (en) Network management system user interface which presents graphs of conversation information in response to user selection
WO2006090354A1 (en) Detection of misuse of a database
US20210368370A1 (en) Space utilization information system utilizing native lighting control system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Liu Zhiyong

Inventor after: Chen Lianghan

Inventor after: Duan Haining

Inventor after: Hong Chao

Inventor after: Zhong Haiwei

Inventor before: Chen Lianghan

Inventor before: Duan Haining

Inventor before: Hong Chao

Inventor before: Zhong Haiwei

GR01 Patent grant