CN115442122A - Fusion analysis method and system for network security data - Google Patents

Info

Publication number: CN115442122A
Authority: CN (China)
Prior art keywords: network, safety, environment, fusion, security
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202211062683.4A
Other languages: Chinese (zh)
Other versions: CN115442122B (en)
Inventors: 卫传征, 陈腾
Current assignee: Beijing Saibo Yian Technology Co ltd (as listed by Google Patents; may be inaccurate)
Original assignee: Beijing Saibo Yian Technology Co ltd
Application filed by: Beijing Saibo Yian Technology Co ltd
Priority to: CN202211062683.4A
Publications: CN115442122A (application), CN115442122B (granted patent)
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a fusion analysis method and system for network security data, in the field of network security. The method comprises: collecting data from a network to obtain its configuration information; deriving from that configuration information the network real-time environment, the network hardware equipment and the network software system; connecting to an intrusion detection platform and performing security analysis on the network real-time environment, the network hardware equipment and the network software environment separately to obtain a plurality of security indices; performing data fusion on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of fused security indices; inputting the security indices and the fused security indices into a binary decision maker, which obtains the configuration to be optimized on the basis of its decision constraint condition; and sending that configuration to the relevant management personnel as a reminder. The method improves the accuracy, comprehensiveness and quality of network security detection.

Description

Fusion analysis method and system for network security data
Technical Field
The invention relates to the field of network security, in particular to a fusion analysis method and a fusion analysis system for network security data.
Background
Networks have penetrated every aspect of social life, and their rapid development has brought great economic benefits. At the same time, network security problems are becoming more serious, and security events such as information leakage and illegal occupation of network resources are on the rise. Network security has become a topic of wide concern, and network security detection is a powerful means of guaranteeing it.
In the prior art, network security detection suffers from insufficient accuracy, low comprehensiveness and poor detection effect.
Disclosure of Invention
The present application provides a fusion analysis method and system for network security data, which solve the prior-art problems of insufficient accuracy, low comprehensiveness and poor effect of network security detection.
In view of the foregoing problems, the present application provides a method and a system for fusion analysis of network security data.
In a first aspect, the present application provides a method for fusion analysis of network security data, applied to a system for fusion analysis of network security data, the method comprising: collecting data from a network to obtain its configuration information; obtaining the network real-time environment, the network hardware equipment and the network software system from the configuration information of the network; connecting to the intrusion detection platform and performing security analysis on the network real-time environment, the network hardware equipment and the network software environment separately to obtain a plurality of security indices; performing data fusion on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of fused security indices; inputting the security indices and the fused security indices into a binary decision maker, which comprises a decision constraint condition; producing the decision output of the binary decision maker on the basis of the decision constraint condition to obtain the configuration to be optimized; and sending the configuration to be optimized to the relevant manager as a reminder.
In a second aspect, the present application further provides a system for fusion analysis of network security data, the system comprising: a data acquisition module for collecting data from a network to obtain its configuration information; a network information determining module for obtaining the network real-time environment, the network hardware equipment and the network software system from the configuration information of the network; a security analysis module for connecting to the intrusion detection platform and performing security analysis on the network real-time environment, the network hardware equipment and the network software environment separately to obtain a plurality of security indices; a data fusion module for obtaining a plurality of fused security indices by performing data fusion on the network real-time environment, the network hardware equipment and the network software environment; an input module for inputting the security indices and the fused security indices into a binary decision maker, which comprises a decision constraint condition; a decision output module for producing the decision output of the binary decision maker on the basis of the decision constraint condition to obtain the configuration to be optimized; and a reminding module for sending the configuration to be optimized to the relevant management personnel as a reminder.
One or more technical solutions provided in the present application have at least the following technical effects or advantages:
Data of the network are collected to obtain its configuration information, from which the network real-time environment, the network hardware equipment and the network software system are obtained; an intrusion detection platform is connected and security analysis is performed on the network real-time environment, the network hardware equipment and the network software environment separately to obtain a plurality of security indices; data fusion on the network real-time environment, the network hardware equipment and the network software environment yields a plurality of fused security indices; the security indices and the fused security indices are input into a binary decision maker comprising a decision constraint condition, which produces its decision output on the basis of that condition to obtain the configuration to be optimized; and the configuration to be optimized is sent to the relevant manager as a reminder. The accuracy and comprehensiveness of network security detection are improved, and so is its quality; at the same time, network security detection becomes more intelligent and diversified, providing a powerful guarantee for network security.
Drawings
Fig. 1 is a schematic flowchart of the fusion analysis method for network security data according to the present application;
Fig. 2 is a schematic flowchart of outputting the environment security index, the hardware security index and the software security index in the fusion analysis method for network security data according to the present application;
Fig. 3 is a schematic flowchart of obtaining the environment-hardware security index, the hardware-software security index and the environment-software security index in the fusion analysis method for network security data according to the present application;
Fig. 4 is a schematic structural diagram of the fusion analysis system for network security data according to the present application.
Description of the reference numerals: data acquisition module 11, network information determination module 12, security analysis module 13, data fusion module 14, input module 15, decision output module 16, reminding module 17.
Detailed Description
The present application provides a fusion analysis method and system for network security data. The method solves the prior-art problems of insufficient accuracy, low comprehensiveness and poor effect of network security detection. The accuracy and comprehensiveness of network security detection are improved, and so is its quality; at the same time, network security detection becomes more intelligent and diversified, providing a powerful guarantee for network security.
Embodiment 1
Referring to Fig. 1, the present application provides a method for fusion analysis of network security data, applied to a system for fusion analysis of network security data that is communicatively connected to an intrusion detection platform. The method comprises the following steps:
Step S100: collecting data from the network to obtain the configuration information of the network;
Step S200: obtaining the network real-time environment, the network hardware equipment and the network software system from the configuration information of the network;
Specifically, the fusion analysis system collects data from the network, obtains the configuration information of the network, and extracts from it the network real-time environment, the network hardware equipment and the network software system. The network can be any computer communication network on which the fusion analysis system performs intelligent network security detection; it may be a local area network, the Internet or another private network, for example the campus network of a school. The configuration information of the network comprises the network real-time environment, the network hardware equipment and the network software system. The network real-time environment comprises data such as the real-time running speed, running frequency, running time and number of users of the network. The network hardware equipment comprises network connection equipment such as hubs, switches, routers and network cards, and network interconnection equipment. The network software system comprises the network operating system, network protocol software, communication control software, management software and the like. Determining the network real-time environment, hardware equipment and software system from the configuration information lays the foundation for the subsequent security management of the network.
Step S300: connecting to the intrusion detection platform and performing security analysis on the network real-time environment, the network hardware equipment and the network software environment separately to obtain a plurality of security indices;
Further, step S300 of the present application comprises:
Step S310: connecting to the intrusion detection platform to obtain an intrusion detection sample data set;
Step S320: performing intrusion detection on the network using the intrusion detection sample data set and outputting an anomaly detection data set;
Specifically, the fusion analysis system is connected to the intrusion detection platform and obtains the intrusion detection sample data set through a big-data query. The intrusion detection platform then performs intrusion detection on the network with the intrusion detection sample data set to obtain the anomaly detection data set. The intrusion detection platform can be an existing network intrusion early-warning platform or similar. The intrusion detection sample data set comprises a plurality of preset attack samples. The anomaly detection data set comprises the attack samples of the intrusion detection sample data set that the intrusion detection platform failed to detect. Performing intrusion detection with the sample data set through the platform and obtaining the anomaly detection data set provides the data support for subsequently obtaining the security indices.
Step S330: obtaining an environment security index, a hardware security index and a software security index from the anomaly detection data set;
Further, as shown in Fig. 2, step S330 of the present application comprises:
Step S331: performing anomaly localization on the anomaly detection data set to determine the abnormal data sources;
Step S332: counting the number of abnormal sources and identifying their sizes for each abnormal data source to generate a plurality of groups of abnormal source distribution information, the groups corresponding to the network real-time environment, the network hardware equipment and the network software environment;
Step S333: inputting the groups of abnormal source distribution information into a security index evaluation model, which outputs the environment security index, the hardware security index and the software security index.
Step S340: obtaining the plurality of security indices from the environment security index, the hardware security index and the software security index.
Specifically, anomaly localization is performed on the network real-time environment, the network hardware equipment and the network software system according to the anomaly detection data set, and the abnormal data sources are determined. The number of abnormal sources is then counted and their sizes identified to obtain the groups of abnormal source distribution information, which are input into the security index evaluation model to obtain the environment security index, the hardware security index and the software security index, and hence the plurality of security indices.
The abnormal data sources comprise network real-time environment abnormal sources, network hardware equipment abnormal sources and network software system abnormal sources. For example, the network software system abnormal sources comprise anomalies such as system crashes and system hangs caused in the network software system by the anomaly detection data set. The groups of abnormal source distribution information comprise the distribution information of the network real-time environment abnormal sources, of the network hardware equipment abnormal sources and of the network software system abnormal sources; each group comprises the number of abnormal sources of that kind and their size identification. That is, the groups correspond to the network real-time environment, the network hardware equipment and the network software environment. The security index evaluation model is trained on a large amount of data related to such groups of abnormal source distribution information and intelligently evaluates the groups input to it.
The environment security index characterizes the security of the network real-time environment as indicated by its abnormal source distribution information. For example, when the distribution information shows that the network real-time environment abnormal sources are many and large, the security of the network real-time environment is low and the corresponding environment security index is low. The hardware security index likewise characterizes the security of the network hardware equipment as indicated by its abnormal source distribution information, and the software security index that of the network software system. The plurality of security indices comprises the environment security index, the hardware security index and the software security index. Anomaly localization, abnormal source counting and size identification on the anomaly detection data set yield accurate groups of abnormal source distribution information, which the security index evaluation model turns into reliable security indices, improving the accuracy of the subsequent network security detection.
Step S400: performing data fusion on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of fused security indices;
Further, step S400 of the present application comprises:
Step S410: building intrusion test environment samples from the network real-time environment, the network hardware equipment and the network software environment;
Specifically, intrusion test environment samples are built from the obtained network real-time environment, network hardware equipment and network software environment. They comprise an environment-hardware, a hardware-software and an environment-software intrusion test environment sample: the environment-hardware sample is the environment information formed by the network real-time environment and the network hardware equipment, the hardware-software sample is that formed by the network hardware equipment and the network software environment, and the environment-software sample is that formed by the network real-time environment and the network software environment. This yields diversified intrusion test environment samples and improves the comprehensiveness and reliability of the fused security indices obtained subsequently.
Step S420: connecting to the intrusion detection platform and testing the intrusion test environment samples with the intrusion detection sample data set to obtain an environment-hardware security index, a hardware-software security index and an environment-software security index;
Further, as shown in Fig. 3, step S420 of the present application comprises:
Step S421: connecting to the intrusion detection platform and testing the intrusion test environment samples with the intrusion detection sample data set to obtain a fused anomaly data set;
Step S422: generating a plurality of groups of fused abnormal source distribution information from the fused anomaly data set;
Step S423: inputting the groups of fused abnormal source distribution information into the security index evaluation model, which outputs the environment-hardware security index, the hardware-software security index and the environment-software security index.
Step S430: obtaining the plurality of fused security indices from the environment-hardware security index, the hardware-software security index and the environment-software security index.
Specifically, the intrusion detection platform tests the intrusion test environment samples with the intrusion detection sample data set to obtain the fused anomaly data set. Fused abnormal source localization, counting and size identification are then performed on the fused anomaly data set to determine the groups of fused abnormal source distribution information, which are input into the security index evaluation model to obtain the environment-hardware, hardware-software and environment-software security indices, and hence the plurality of fused security indices.
The fused anomaly data set comprises an environment-hardware, a hardware-software and an environment-software fused anomaly data set, each comprising the attack samples that were not detected when the corresponding intrusion test environment sample was tested with the intrusion detection sample data set. The groups of fused abnormal source distribution information comprise environment-hardware, hardware-software and environment-software fused abnormal source distribution information, each comprising the number and size identification of the fused abnormal sources of that pair. The environment-hardware security index is parameter information characterizing the security of the environment-hardware intrusion test environment sample.
The hardware-software security index is parameter information characterizing the security of the hardware-software intrusion test environment sample, and the environment-software security index that of the environment-software intrusion test environment sample. The plurality of fused security indices comprises the environment-hardware security index, the hardware-software security index and the environment-software security index. Testing the intrusion test environment samples with the intrusion detection sample data set yields accurate fused security indices and improves the accuracy of the configuration to be optimized obtained subsequently.
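The following added example (not code from the patent or its assignee) shows the data-handling part of steps S320 and S331-S332 and of steps S421-S422 in one place: per test environment, the undetected attack samples form the (fused) anomaly data set, and counting distinct abnormal sources and labelling their sizes gives the groups of abnormal source distribution information that the security index evaluation model consumes. The detection records, the source names and the three-level size labelling are constructed assumptions; the trained evaluation model itself is not reproduced.

```python
"""Added example (not the patent's code): anomaly data set and abnormal-source
distribution information for the three independent environments (S320, S331-S332)
and the three pairwise test environments (S421-S422). Records, source names and
the size labels are constructed."""
from collections import defaultdict
from dataclasses import dataclass

ENVIRONMENTS = ("environment", "hardware", "software")
FUSION_ENVIRONMENTS = ("environment-hardware", "hardware-software", "environment-software")


@dataclass(frozen=True)
class DetectionRecord:
    """One attack sample from the intrusion detection sample data set, replayed
    against one test environment by the intrusion detection platform."""
    sample_id: str
    environment: str   # one of ENVIRONMENTS or FUSION_ENVIRONMENTS
    source: str        # component the anomaly was localized to (step S331)
    detected: bool     # platform verdict; undetected samples form the anomaly set
    size: int          # constructed size measure of the anomaly


# Constructed test results; the 'software' and 'hardware-software' environments
# have no undetected sample.
SAMPLE_RECORDS = [
    DetectionRecord("a1", "environment", "user number", True, 3),
    DetectionRecord("a2", "environment", "user number", False, 9),
    DetectionRecord("a3", "environment", "running frequency", False, 2),
    DetectionRecord("a4", "hardware", "switch", True, 5),
    DetectionRecord("a5", "hardware", "router", False, 5),
    DetectionRecord("a6", "software", "system crash", True, 1),
    DetectionRecord("a7", "environment-hardware", "router", False, 7),
    DetectionRecord("a8", "environment-hardware", "router", False, 3),
    DetectionRecord("a9", "hardware-software", "network card", True, 4),
    DetectionRecord("a10", "environment-software", "system jam", False, 8),
]


def anomaly_dataset(records, environments):
    """S320 / S421: the (fused) anomaly data set is, per test environment, the
    attack samples the platform did not detect."""
    missed = {env: [] for env in environments}
    for r in records:
        if r.environment in missed and not r.detected:
            missed[r.environment].append(r)
    return missed


def size_label(size):
    """Assumed size identification; the patent only names the step."""
    if size >= 8:
        return "large"
    if size >= 4:
        return "medium"
    return "small"


def distribution_info(missed):
    """S332 / S422: for each environment, count the distinct abnormal sources and
    identify each source's size (largest anomaly seen for that source)."""
    info = {}
    for env, recs in missed.items():
        by_source = defaultdict(list)
        for r in recs:
            by_source[r.source].append(r.size)
        info[env] = {
            "count": len(by_source),
            "sizes": {src: size_label(max(sizes)) for src, sizes in sorted(by_source.items())},
        }
    return info


def independent_distribution(records=SAMPLE_RECORDS):
    """Groups feeding the environment / hardware / software security indices (S333)."""
    return distribution_info(anomaly_dataset(records, ENVIRONMENTS))


def fused_distribution(records=SAMPLE_RECORDS):
    """Groups feeding the environment-hardware / hardware-software /
    environment-software security indices (S423)."""
    return distribution_info(anomaly_dataset(records, FUSION_ENVIRONMENTS))


if __name__ == "__main__":
    print(independent_distribution())
    print(fused_distribution())
```

Every environment appears in the output even when nothing was missed, so the downstream model always receives the same three groups in the same shape; an environment with a zero count is a clean result, not a missing one.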
Step S500: inputting the plurality of security indices and the plurality of fused security indices into a binary decision maker, which comprises a decision constraint condition;
Step S600: producing the decision output of the binary decision maker on the basis of the decision constraint condition to obtain the configuration to be optimized;
Further, step S600 of the present application comprises:
Step S610: building the decision constraint condition, which is formed by an independent constraint condition and a fusion constraint condition joined by a logical relation;
Step S620: inputting the security indices and the fused security indices into the binary decision maker and judging whether the decision constraint condition embedded in it is met;
Step S630: if the decision constraint condition embedded in the binary decision maker is not met, obtaining the configuration to be optimized.
Step S700: sending the configuration to be optimized to the relevant manager as a reminder.
Specifically, the security indices and the fused security indices are input into the binary decision maker, which judges whether they meet its embedded decision constraint condition; if they do not, the configuration to be optimized is obtained and sent to the relevant management personnel as a reminder. The binary decision maker is a model for intelligently judging the input security indices and fused security indices. The decision constraint condition is that the input security indices meet the independent constraint condition and the input fused security indices meet the fusion constraint condition. The independent constraint condition comprises preset conditions on the security indices, namely an environment security index threshold, a hardware security index threshold and a software security index threshold; the fusion constraint condition comprises preset conditions on the fused security indices, namely an environment-hardware security index threshold, a hardware-software security index threshold and an environment-software security index threshold. The configuration to be optimized is the network real-time environment, network hardware equipment or network software system corresponding to the security indices and fused security indices that fail the decision constraint condition embedded in the binary decision maker.
For example, when the environment security index among the input security indices does not meet the environment security index threshold, the configuration to be optimized is the network real-time environment corresponding to the environment security index. Judging with the binary decision maker whether the security indices and the fused security indices meet the decision constraint condition yields a reliable configuration to be optimized and improves the quality and practicability of network security detection.
Further, step S620 of the present application further includes:
step S621: if the decision constraint conditions embedded in the binary decision maker are met, carrying out standardization processing on the plurality of safety indexes and the plurality of fusion safety indexes, and carrying out extreme value extraction on each index after standardization processing to obtain an extreme value index;
step S622: carrying out equilibrium calculation by using the extreme value index, and outputting a safe equilibrium coefficient;
step S623: and sending the safety balance coefficient to the related management personnel.
Specifically, when judging whether a plurality of safety indexes and a plurality of fusion safety indexes meet decision constraint conditions embedded in a binary decision device, if the plurality of safety indexes and the plurality of fusion safety indexes meet the decision constraint conditions embedded in the binary decision device, the plurality of safety indexes and the plurality of fusion safety indexes are subjected to standardization processing, and extremum extraction is performed on the plurality of safety indexes and the plurality of fusion safety indexes after the standardization processing to determine extremum indexes. And further, carrying out balance calculation on the plurality of safety indexes and the plurality of fusion safety indexes after the standardization processing according to the extreme value indexes to obtain a safety balance coefficient, and sending the safety balance coefficient to related management personnel.
The standardization processing unifies the magnitudes of the plurality of safety indexes and the plurality of fusion safety indexes and converts them into dimensionless pure numerical values. The extreme value indexes are the maximum value and the minimum value among the standardized safety indexes and fusion safety indexes. The balance calculation removes the extreme value indexes from the standardized safety indexes and fusion safety indexes, subtracts the extreme value indexes from each of the remaining indexes, and then averages the results over the remaining indexes. The safety balance coefficient is parameter information representing the balance of the plurality of safety indexes and the plurality of fusion safety indexes. The larger the safety balance coefficient, the higher the balance of the safety indexes and fusion safety indexes, and the higher the safety balance of the corresponding network real-time environment, network hardware equipment and network software system. The technical effect is that standardization processing, extreme value extraction and balance calculation are carried out on the safety indexes and fusion safety indexes that meet the decision constraint condition, an accurate safety balance coefficient is obtained, and the comprehensiveness of network security detection is improved.
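The following is an added worked example and not code from the patent or its applicant. It runs the decision step described above (the binary decision maker that names a configuration to be optimized when an index falls below its threshold) together with steps S621 to S623 (standardization, extreme value extraction and balance calculation) over the six indexes the patent names. The patent gives no thresholds, no standardization rule and no exact balance formula, so the following are all assumptions: the index scales and sample values are constructed; standardization is min-max scaling to [0, 1]; the decision constraint is the conjunction of an independent constraint (each single index at or above its threshold) and a fusion constraint (each fused index at or above its threshold); a failing fused index names both components of its pair; and the balance coefficient is one minus the mean distance of the remaining indexes to the farther extreme, chosen so that a larger coefficient means higher balance, as the text requires.

```python
"""Added example (not the patent's own code): binary decider plus the
standardisation / extreme value / balance calculation of steps S621-S623."""
from statistics import mean

# Constructed sample indexes. Each entry is (raw value, scale low, scale high);
# the scale is an assumption that lets indexes of different magnitude be
# normalised to dimensionless values in [0, 1].
FAILING_INDEXES = {
    "environment":          (82.0, 0.0, 100.0),
    "hardware":             (0.91, 0.0, 1.0),
    "software":             (7.4,  0.0, 10.0),   # below its threshold
    "environment-hardware": (0.88, 0.0, 1.0),
    "hardware-software":    (78.0, 0.0, 100.0),
    "environment-software": (0.86, 0.0, 1.0),
}
PASSING_INDEXES = {
    "environment":          (85.0, 0.0, 100.0),
    "hardware":             (0.91, 0.0, 1.0),
    "software":             (8.2,  0.0, 10.0),
    "environment-hardware": (0.88, 0.0, 1.0),
    "hardware-software":    (80.0, 0.0, 100.0),
    "environment-software": (0.86, 0.0, 1.0),
}

# Assumed decision constraint: independent constraint AND fusion constraint.
# Thresholds are assumed values on the normalised scale.
INDEPENDENT_THRESHOLDS = {"environment": 0.80, "hardware": 0.80, "software": 0.80}
FUSION_THRESHOLDS = {"environment-hardware": 0.75,
                     "hardware-software": 0.75,
                     "environment-software": 0.75}


def normalise(indexes):
    """Standardisation step: min-max scale every index by its own range."""
    norm = {}
    for name, (value, lo, hi) in indexes.items():
        if hi <= lo:
            raise ValueError(f"invalid scale for {name}: [{lo}, {hi}]")
        norm[name] = (value - lo) / (hi - lo)
    return norm


def binary_decide(norm):
    """Binary decider: returns (constraints_met, configurations_to_optimise).

    A failing single index names its own component; a failing fused index
    names both components of the pair (assumed mapping)."""
    to_optimise = []
    for name, threshold in INDEPENDENT_THRESHOLDS.items():
        if norm[name] < threshold and name not in to_optimise:
            to_optimise.append(name)
    for name, threshold in FUSION_THRESHOLDS.items():
        if norm[name] < threshold:
            for component in name.split("-"):
                if component not in to_optimise:
                    to_optimise.append(component)
    return not to_optimise, to_optimise


def balance_coefficient(norm):
    """Steps S621-S623: take the extreme values, drop them, compare each
    remaining index with both extremes and average.

    Assumed formula: 1 minus the mean, over the remaining indexes, of each
    index's distance to the farther extreme. All indexes equal -> 1.0;
    remaining indexes piled against one end of a wide range -> near 0."""
    values = sorted(norm.values())
    if len(values) < 3:
        raise ValueError("need at least three indexes to remove both extremes")
    lowest, highest = values[0], values[-1]
    remaining = values[1:-1]
    spread = mean(max(x - lowest, highest - x) for x in remaining)
    return 1.0 - spread


def fuse_and_decide(indexes):
    """Full flow: normalise, decide, then either report what to optimise or
    compute the safety balance coefficient to send to the managers."""
    norm = normalise(indexes)
    met, to_optimise = binary_decide(norm)
    if not met:
        return {"constraints_met": False, "to_optimise": to_optimise,
                "balance_coefficient": None}
    return {"constraints_met": True, "to_optimise": [],
            "balance_coefficient": balance_coefficient(norm)}


if __name__ == "__main__":
    for label, sample in (("failing", FAILING_INDEXES), ("passing", PASSING_INDEXES)):
        print(label, fuse_and_decide(sample))
```

With the constructed inputs the failing set reports the software system as the configuration to be optimized and no balance coefficient, while the passing set yields a coefficient of 0.9275; the thresholds and the balance formula are the two places a real deployment would substitute its own policy.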
In summary, the fusion analysis method for network security data provided by the present application has the following technical effects:
1. Configuration information of a network is acquired by collecting data of the network; a network real-time environment, network hardware equipment and a network software system are obtained according to the configuration information of the network; an intrusion detection platform is connected, and security analysis is performed respectively on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of security indexes; a plurality of fusion safety indexes are acquired by performing data fusion on the network real-time environment, the network hardware equipment and the network software environment; the plurality of safety indexes and the plurality of fusion safety indexes are input into a binary decision maker, which comprises a decision constraint condition; based on the decision constraint condition, the binary decision maker performs decision output to obtain the configuration to be optimized; and the configuration to be optimized is sent to related management personnel as a reminder. The accuracy, comprehensiveness and quality of network security detection are improved; meanwhile, the intelligence and diversity of network security detection are improved, providing a strong technical guarantee for network security.
2. By carrying out anomaly positioning, anomaly source quantity statistics and anomaly source size identification on an anomaly detection data set, accurate multi-group anomaly source distribution information is obtained and is input into a safety index evaluation model, a plurality of reliable safety indexes are obtained, and the accuracy of network safety detection is further improved.
3. By testing the intrusion test environment sample and the intrusion detection sample data set, a plurality of accurate fusion safety indexes are obtained, and the accuracy of the subsequently obtained configuration to be optimized is improved.
Example two
Based on the same inventive concept as the fusion analysis method for network security data in the foregoing embodiment, the present application further provides a fusion analysis system for network security data. Referring to fig. 4, the system includes:
the data acquisition module 11 is used for acquiring data of a network to acquire configuration information of the network;
the network information determining module 12 is used for obtaining a network real-time environment, network hardware equipment and a network software system according to the configuration information of the network;
the security analysis module 13 is used for connecting the intrusion detection platform, and respectively performing security analysis on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of security indexes;
the data fusion module 14 is used for performing data fusion on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of fusion security indexes;
the input module 15 is used for inputting the plurality of safety indexes and the plurality of fusion safety indexes into a binary decision maker, wherein the binary decision maker comprises a decision constraint condition;
the decision output module 16 is used for performing decision output by the binary decision maker based on the decision constraint condition to obtain a configuration to be optimized;
and the reminding module 17 is used for sending the configuration to be optimized to related management personnel for reminding.
Further, the system further comprises:
the intrusion detection sample data set determining module is used for connecting the intrusion detection platform and acquiring an intrusion detection sample data set;
an anomaly detection data set determining module, configured to perform intrusion detection on the network according to the intrusion detection sample data set and output an anomaly detection data set;
the safety index determining module is used for respectively obtaining an environmental safety index, a hardware safety index and a software safety index according to the abnormal detection data set;
a plurality of security index acquisition modules to acquire the plurality of security indices based on the environmental security index, the hardware security index, and the software security index.
Further, the system further comprises:
the abnormal data source determining module is used for carrying out abnormal positioning according to the abnormal detection data set and determining an abnormal data source;
a plurality of groups of abnormal source distribution information determining modules, configured to perform statistics on the number of abnormal sources and size identification of the abnormal sources according to the abnormal data sources, and generate a plurality of groups of abnormal source distribution information, where the plurality of groups of abnormal source distribution information correspond to the network real-time environment, the network hardware device, and the network software environment;
and the safety index output module is used for inputting the plurality of groups of abnormal source distribution information into a safety index evaluation model and outputting the environment safety index, the hardware safety index and the software safety index according to the safety index evaluation model.
Further, the system further comprises:
the intrusion test environment sample building module is used for building an intrusion test environment sample according to the network real-time environment, the network hardware equipment and the network software environment;
the testing module is used for connecting the intrusion detection platform and testing by using the intrusion test environment sample and the intrusion detection sample data set to obtain an environment-hardware safety index, a hardware-software safety index and an environment-software safety index;
a fused security index acquisition module to acquire the plurality of fused security indices based on the environment-hardware security index, the hardware-software security index, and the environment-software security index.
Further, the system further comprises:
the fusion abnormal data set determining module is used for connecting the intrusion detection platform, testing by using the intrusion test environment sample and the intrusion detection sample data set and acquiring a fusion abnormal data set;
the fusion abnormal source distribution information determining module is used for generating a plurality of groups of fusion abnormal source distribution information according to the fusion abnormal data set;
a first execution module, configured to input the multiple sets of fusion anomaly source distribution information into a safety index evaluation model, and output the environment-hardware safety index, the hardware-software safety index, and the environment-software safety index.
Further, the system further comprises:
the decision constraint condition determining module is used for constructing the decision constraint condition, and the decision constraint condition is a logical relation consisting of an independent constraint condition and a fusion constraint condition;
a judging module, configured to input the multiple security indexes and the multiple fused security indexes into the binary decider, and judge whether the decision constraint condition embedded in the binary decider is satisfied;
and the to-be-optimized configuration acquisition module is used for acquiring the to-be-optimized configuration if the decision constraint condition embedded in the binary decision maker is not met.
Further, the system further comprises:
an extreme value index obtaining module, configured to, if the decision constraint condition embedded in the binary decision maker is satisfied, perform normalization processing on the multiple safety indexes and the multiple fusion safety indexes, and perform extreme value extraction on each normalized index to obtain an extreme value index;
the safe equalization coefficient output module is used for carrying out equalization calculation by using the extreme value index and outputting a safe equalization coefficient;
and the second execution module is used for sending the safety balance coefficient to the related management personnel.
The application provides a fusion analysis method for network security data, applied to a fusion analysis system for network security data, the method comprising: acquiring configuration information of a network by collecting data of the network; obtaining a network real-time environment, network hardware equipment and a network software system according to the configuration information of the network; connecting an intrusion detection platform and performing security analysis respectively on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of security indexes; acquiring a plurality of fusion safety indexes by performing data fusion on the network real-time environment, the network hardware equipment and the network software environment; inputting the plurality of safety indexes and the plurality of fusion safety indexes into a binary decision maker, wherein the binary decision maker comprises a decision constraint condition; based on the decision constraint condition, the binary decision maker performs decision output to obtain the configuration to be optimized; and sending the configuration to be optimized to a relevant manager as a reminder. This solves the technical problems of the prior art that network security detection is insufficiently accurate, not comprehensive enough, and therefore ineffective. The accuracy, comprehensiveness and quality of network security detection are improved; meanwhile, the intelligence and diversity of network security detection are improved, providing a strong technical guarantee for network security.
All possible combinations of the technical features in the above embodiments may not be described for the sake of brevity, but should be considered as being within the scope of the present disclosure as long as there is no contradiction between the combinations of the technical features.
The specification and drawings are merely illustrative of the present application, and it is intended that the present invention covers the modifications and variations of this invention provided they come within the scope of the invention and its equivalents.

Claims (8)

1. A fusion analysis method for network security data is characterized in that the method is applied to a network security data management system which is in communication connection with an intrusion detection platform, and the method comprises the following steps:
acquiring configuration information of a network by acquiring data of the network;
obtaining a network real-time environment, network hardware equipment and a network software system according to the configuration information of the network;
connecting the intrusion detection platform, and respectively performing security analysis on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of security indexes;
acquiring a plurality of fusion safety indexes by performing data fusion on the network real-time environment, the network hardware equipment and the network software environment;
inputting the plurality of safety indices and the plurality of fused safety indices into a two-valued decider, wherein the two-valued decider comprises a decision constraint;
based on the decision constraint condition, the binary decision maker performs decision output to obtain the configuration to be optimized;
and sending the configuration to be optimized to a relevant manager for reminding.
2. The method of claim 1, wherein obtaining the plurality of safety indices further comprises:
connecting the intrusion detection platform to obtain an intrusion detection sample data set;
according to the intrusion detection sample data set, carrying out intrusion detection on the network and outputting an abnormal detection data set;
respectively obtaining an environmental safety index, a hardware safety index and a software safety index according to the abnormal detection data set;
obtaining the plurality of safety indices based on the environmental safety index, the hardware safety index, and the software safety index.
3. The method of claim 2, wherein the method further comprises:
carrying out abnormal positioning according to the abnormal detection data set to determine an abnormal data source;
respectively counting the number of abnormal sources and identifying the sizes of the abnormal sources according to the abnormal data sources to generate a plurality of groups of abnormal source distribution information, wherein the plurality of groups of abnormal source distribution information correspond to the network real-time environment, the network hardware equipment and the network software environment;
and inputting the plurality of groups of abnormal source distribution information into a safety index evaluation model, and outputting the environment safety index, the hardware safety index and the software safety index according to the safety index evaluation model.
4. The method of claim 3, wherein obtaining the plurality of fused security indices further comprises:
building an intrusion test environment sample according to the network real-time environment, the network hardware equipment and the network software environment;
connecting the intrusion detection platform, and testing by using the intrusion test environment sample and the intrusion detection sample data set to obtain an environment-hardware safety index, a hardware-software safety index and an environment-software safety index;
obtaining the plurality of fused security indices based on the environment-hardware security index, the hardware-software security index, and the environment-software security index.
5. The method of claim 4, wherein the method further comprises:
connecting the intrusion detection platform, and testing by using the intrusion test environment sample and the intrusion detection sample data set to obtain a fusion abnormal data set;
generating a plurality of groups of fusion abnormal source distribution information according to the fusion abnormal data set;
and inputting the multiple groups of fusion abnormal source distribution information into a safety index evaluation model, and outputting the environment-hardware safety index, the hardware-software safety index and the environment-software safety index.
6. The method of claim 1, wherein the method further comprises:
building the decision constraint condition, wherein the decision constraint condition is formed by an independent constraint condition and a fusion constraint condition and has a logical relation;
inputting the plurality of safety indexes and the plurality of fusion safety indexes into the binary decision maker, and judging whether the decision constraint conditions embedded in the binary decision maker are met;
and if the decision constraint condition embedded in the binary decision maker is not met, obtaining the configuration to be optimized.
7. The method of claim 6, wherein the method further comprises:
if the decision constraint conditions embedded in the binary decision maker are met, carrying out standardization processing on the plurality of safety indexes and the plurality of fusion safety indexes, and carrying out extreme value extraction on each index after standardization processing to obtain an extreme value index;
carrying out equilibrium calculation by using the extreme value index, and outputting a safe equilibrium coefficient;
and sending the safety balance coefficient to the related management personnel.
8. A system for converged analytics of network security data, the system communicatively coupled to an intrusion detection platform, the system comprising:
the data acquisition module is used for acquiring data of a network to acquire configuration information of the network;
the network information determining module is used for obtaining a network real-time environment, network hardware equipment and a network software system according to the configuration information of the network;
the security analysis module is used for connecting the intrusion detection platform, and respectively performing security analysis on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of security indexes;
the data fusion module is used for performing data fusion on the network real-time environment, the network hardware equipment and the network software environment to obtain a plurality of fusion safety indexes;
an input module for inputting the plurality of safety indices and the plurality of fused safety indices into a two-valued decider, wherein the two-valued decider comprises a decision constraint;
the decision output module is used for performing decision output by the binary decision device based on the decision constraint condition to obtain the configuration to be optimized;
and the reminding module is used for sending the configuration to be optimized to related management personnel for reminding.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211062683.4A CN115442122B (en) 2022-09-01 2022-09-01 Fusion analysis method and system for network security data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211062683.4A CN115442122B (en) 2022-09-01 2022-09-01 Fusion analysis method and system for network security data

Publications (2)

Publication Number Publication Date
CN115442122A true CN115442122A (en) 2022-12-06
CN115442122B CN115442122B (en) 2023-03-17

Family

ID=84245249

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211062683.4A Active CN115442122B (en) 2022-09-01 2022-09-01 Fusion analysis method and system for network security data

Country Status (1)

Country Link
CN (1) CN115442122B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116127522A (en) * 2023-04-17 2023-05-16 北京盛科沃科技发展有限公司 Safety risk analysis method and system based on multi-source data acquisition

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104836855A (en) * 2015-04-30 2015-08-12 国网四川省电力公司电力科学研究院 Web application safety situation assessment system based on multi-source data fusion
CN104852927A (en) * 2015-06-01 2015-08-19 国家电网公司 Safety comprehensive management system based on multi-source heterogeneous information
US20160028754A1 (en) * 2014-07-23 2016-01-28 Cisco Technology, Inc. Applying a mitigation specific attack detector using machine learning
CN106685946A (en) * 2016-12-22 2017-05-17 北京邮电大学 System for detecting Internet of Things sensing layer intrusion
CN114329448A (en) * 2021-12-15 2022-04-12 安天科技集团股份有限公司 System security detection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN115442122B (en) 2023-03-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant