CN115567258A - Network security situation awareness method, system, electronic device and storage medium - Google Patents


Publication number: CN115567258A
Authority: CN (China)
Prior art keywords: security, network, analysis, situation awareness, domain
Legal status: Granted
Application number: CN202211128114.5A
Other languages: Chinese (zh)
Other versions: CN115567258B (en)
Inventors: 谢泽铖, 徐雷, 张曼君, 陆勰, 王姗姗
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Legal events:
Application filed by China United Network Communications Group Co Ltd
Priority to CN202211128114.5A
Publication of CN115567258A
Application granted
Publication of CN115567258B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/04 Network management architectures or arrangements
    • H04L 41/042 Network management architectures or arrangements comprising distributed management centres cooperatively managing the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a network security situation awareness method, system, electronic device and readable storage medium, to solve the problem that existing general-purpose network security situation awareness systems cannot adapt to a 5G service operation and maintenance scenario. The method includes: acquiring basic analysis data of a network through information acquisition nodes; establishing a plurality of security situation awareness subsystems according to the domain-division characteristics of the network architecture, and obtaining for each security situation awareness subsystem the basic analysis data collected by the information acquisition nodes in the corresponding security domain; performing vulnerability analysis and security detection and analysis on the single-domain assets of the corresponding network security domain through each security situation awareness subsystem; and integrating the analysis results of all security situation awareness subsystems through a network-level situation awareness system, and analyzing and displaying the security situation of the whole network. The technical scheme of the disclosure can realize awareness of the overall network security situation of a 5G network.

Description

Network security situation awareness method, system, electronic device and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method for sensing a network security situation, a system for sensing a network security situation, an electronic device, and a computer-readable storage medium.
Background
The network security situation awareness system can be used to process massive, disordered alarms, break down information silos, correlate security alarm information from a higher dimension, understand, analyze and predict the security risk of a target network as a whole, and help an enterprise security team find events that a traditional security management platform and standalone security devices cannot monitor, so that security events are investigated and responded to more effectively and quickly and the network's active defense capability is improved.
At present, security vendors at home and abroad offer network security situation awareness systems, but these are mainly applied to enterprise IT networks and used to solve the security problems of office networks in the enterprise internet scenario; some security situation awareness systems cover industrial control networks, and there is no security situation awareness product aimed at 5G networks. The 5G network differs greatly from the IT network in networking structure, asset composition, asset organization form, service attributes, threat detection model and the like, so a general-purpose network security situation awareness system cannot adapt to the 5G service operation and maintenance scenario.
Disclosure of Invention
In order to solve the technical problems in the prior art, the present disclosure provides a network security situation awareness method, a network security situation awareness system, an electronic device, and a computer-readable storage medium, which fully consider the architecture, asset organization form, and service attributes of a 5G network, provide a three-level network security situation awareness system architecture, and solve the problem that a general network security situation awareness system cannot adapt to the operation and maintenance of a 5G service.
In a first aspect, the present disclosure provides a network security situation awareness method, including:
acquiring basic analysis data of a network through information acquisition nodes;
establishing a plurality of security situation awareness subsystems according to the domain-division characteristics of the network architecture, and acquiring for each security situation awareness subsystem the basic analysis data of the network collected by the information acquisition nodes in the corresponding security domain;
performing vulnerability analysis and security detection and analysis on the single-domain assets of the corresponding network security domain through each security situation awareness subsystem;
and integrating the analysis results of each security situation awareness subsystem through a network-level situation awareness system, and analyzing and displaying the security situation of the whole network.
Further, the basic analysis data of the network includes:
network asset data for network slices, network elements, virtual machines, physical machines, network devices, security devices and network management systems;
process data and open-port data of physical machines and virtual machines, and version information and configuration information of network devices and security devices;
Uu interface (the interface between the user equipment and the base station), N4 interface (the interface between the Session Management Function SMF and the User Plane Function UPF), EMS system flow interface (the flow interface of the network element management system EMS), or control plane, user plane and management plane traffic of the system;
data from the log system, vulnerability system and asset management system.
Further, the security situation awareness subsystem comprises:
the access security domain situation awareness subsystem, the bearer security domain situation awareness subsystem, the edge security domain situation awareness subsystem, the core security domain situation awareness subsystem and the operation and maintenance security domain situation awareness subsystem.
Further, the vulnerability analysis comprises software vulnerability analysis, configuration compliance analysis and weak password analysis;
the network security domains comprise an access security domain, a bearer security domain, an edge security domain, a core security domain and an operation and maintenance security domain;
the security detection and analysis of the access security domain comprises detecting and analyzing wireless-side signaling storms, pseudo base stations and positioning pseudo-signals;
the security detection and analysis of the bearer security domain comprises ARP (Address Resolution Protocol) flooding/spoofing attack detection and analysis and IP spoofing/malformed packet attack detection and analysis;
the security detection and analysis of the edge security domain comprises detecting and analyzing traffic attacks, service anomaly attacks, third-party application attacks, MEC (Mobile Edge Computing) platform attacks and abnormal behaviors of industry terminals;
the security detection and analysis of the core security domain comprises detecting and analyzing abnormal access and illegal service registration among network elements, network slice attacks, open interface anomalies, east-west traffic anomalies and virtualization platform attacks;
and the security detection and analysis of the operation and maintenance security domain comprises detecting and analyzing abnormal user behavior, abnormal logins and unauthorized access.
Further, the analyzing and presenting the security posture of the whole network includes:
carrying out security evaluation and situation analysis evaluation on the network attack of the whole network;
and presenting a comprehensive security situation, an asset security situation, a slice security situation and a vulnerability security situation.
Further, the method further comprises:
and carrying out situation early warning, emergency disposal, whole-network event association analysis and security threat tracing on the possible security threats through a network-level situation awareness system.
In a second aspect, the present disclosure provides a network security situation awareness system, the system comprising:
the acquisition module is configured to acquire basic analysis data of the network through the information acquisition nodes;
the establishing module is configured to establish a plurality of security situation awareness subsystems according to the domain-division characteristics of the network architecture and, for each security situation awareness subsystem, to acquire the basic analysis data of the network collected by the information acquisition nodes in the corresponding security domain;
the analysis module is configured to perform vulnerability analysis and security detection and analysis on the single-domain assets of the corresponding network security domain through each security situation awareness subsystem;
and the integration module is configured to integrate the analysis results of the security situation awareness subsystems through the network-level situation awareness system and to analyze and display the security situation of the whole network.
Further, the security situation awareness subsystem comprises:
the access security domain situation awareness subsystem, the bearer security domain situation awareness subsystem, the edge security domain situation awareness subsystem, the core security domain situation awareness subsystem and the operation and maintenance security domain situation awareness subsystem.
In a third aspect, the present disclosure provides an electronic device, including a memory and a processor, where the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the network security situation awareness method according to any one of the first aspect.
In a fourth aspect, the present disclosure provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the network security situation awareness method according to any one of the above first aspects.
Advantageous effects:
The network security situation awareness method, network security situation awareness system, electronic device and computer-readable storage medium provided by the disclosure fully consider the architecture, asset organization form and service attributes of the 5G network and provide a three-level network security situation awareness system architecture. Different security situation awareness subsystems perform vulnerability analysis and security detection and analysis on the single-domain assets of their corresponding network security domains, the network-level situation awareness system integrates the analysis results and analyzes and displays the security situation of the whole network, and thereby overall network security situation awareness of the 5G network is realized and the problem that a general-purpose network security situation awareness system cannot adapt to 5G service operation and maintenance is solved.
Drawings
Fig. 1 is a schematic flowchart of a network security situation awareness method according to an embodiment of the present disclosure;
fig. 2 is a three-level network security situation awareness system architecture diagram according to an embodiment of the present disclosure;
fig. 3 is a specific architecture diagram of a 5G network security situation awareness system according to an embodiment of the present disclosure;
fig. 4 is an architecture diagram of a security situation awareness subsystem according to an embodiment of the present disclosure;
fig. 5 is an architecture diagram of a network-level situation awareness system according to an embodiment of the present disclosure;
fig. 6 is an architecture diagram of a network security situation awareness system according to a second embodiment of the present disclosure;
fig. 7 is an architecture diagram of an electronic device according to a third embodiment of the present disclosure.
Detailed Description
In order to make the technical solutions of the present disclosure better understood, the present disclosure is further described in detail below with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments and figures described herein are merely illustrative of the invention and are not limiting of the invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order; also, the embodiments and features of the embodiments in the present disclosure may be arbitrarily combined with each other without conflict.
Wherein the terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in the disclosed embodiments and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the following description, suffixes such as "module", "component" or "unit" used to denote elements are used only for convenience of explanation of the present disclosure and have no specific meaning in themselves. Thus, "module", "component" and "unit" may be used interchangeably.
The following describes the technical solutions of the present disclosure and how to solve the above technical problems in the prior art in detail with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 is a schematic flow chart of a network security situation awareness method provided in an embodiment of the present disclosure, and as shown in fig. 1, the method includes:
step S101: acquiring basic analysis data of a network through information acquisition nodes;
step S102: establishing a plurality of security situation awareness subsystems according to the domain-division characteristics of the network architecture, and obtaining for each security situation awareness subsystem the basic analysis data of the network collected by the information acquisition nodes in the corresponding security domain;
step S103: performing vulnerability analysis and security detection and analysis on the single-domain assets of the corresponding network security domain through each security situation awareness subsystem;
step S104: integrating the analysis results of each security situation awareness subsystem through a network-level situation awareness system, and analyzing and displaying the security situation of the whole network.
The data analyzed by existing security situation awareness systems do not include the data types present in a 5G network and are not analyzed according to the characteristics of the 3GPP protocols; they are mostly analyzed only according to general characteristics of the data, usually cover situation awareness of a single network element or system only, do not consider the overall characteristics and requirements of the 5G network, and therefore cannot meet the security situation awareness requirements of the 5G network. The embodiment of the disclosure addresses the characteristics of a 5G network and provides a three-layer architecture for 5G network security situation awareness, shown in FIG. 2.
The first layer consists of the information acquisition nodes at the level of each 5G network device, which provide basic analysis data to the upper layer; the basic analysis data comprise data and traffic collected from each asset, system, interface and the like of the 5G network.
The second layer consists of the security situation awareness subsystems. According to the domain-division characteristics of the 5G network architecture, that is, the different functions and deployment positions of the different network elements in the 5G network, the 5G network is divided into different regions for domain-based management, the regions are assigned to different specialties, and a plurality of security situation awareness subsystems are established for their respective characteristics. For example, ordinary base stations belong to the access domain, the MEC belongs to the edge domain, the 5GC belongs to the core domain, and each operation and maintenance system belongs to the operation and maintenance domain, which facilitates separate management. Each security situation awareness subsystem acquires the basic analysis data collected by the information acquisition nodes in its security domain, performs vulnerability analysis and security detection and analysis on the single-domain assets, carries out big-data correlation analysis on the data collected in its network security domain, and obtains the security analysis results of the security domain according to the characteristics of the different attack events.
The third layer, the network-level situation awareness system, then integrates the analysis results of each security situation awareness subsystem and analyzes and presents the security situation of the whole network. One attack event may involve the analysis results of several security domains: for example, a slice is an end-to-end logical network across the whole 5G network, covering access, bearer and 5GC, so presenting the security situation of a slice requires integrating the access, bearer and 5GC security domains and merging and presenting the slice's security results in a unified way.
In the embodiment, the architecture, the asset organization form and the service attributes of the 5G network are fully considered, a three-level network security situation perception system architecture is provided, different security situation perception subsystems are set to perform vulnerability analysis and security detection and analysis on single-domain assets of corresponding network security domains, the network-level situation perception system integrates analysis results and analyzes and displays the security situation of the whole network, the overall network security situation perception of the 5G network is realized, and the problem that a universal network security situation perception system cannot adapt to the operation and maintenance of the 5G service is solved.
Further, the basic analysis data of the network includes:
network asset data for network slices, network elements, virtual machines, physical machines, network devices, security devices and network management systems;
process data and open-port data of physical machines and virtual machines, and version information and configuration information of network devices and security devices;
Uu interface, N4 interface, EMS system flow interface, or control plane, user plane and management plane traffic of the system;
data from the log system, vulnerability system and asset management system.
Corresponding basic network analysis data are collected according to the device parameters, generated data, traffic and the like of each 5G network device-level information acquisition node, such as base stations, bearer devices, security devices, the asset management platform, the log platform, the MEC, the 5GC and the like, and are classified, sorted and combined into the data types used for subsequent analysis. For example, the collected network asset data of network slices, network elements, virtual machines, physical machines, network devices, security devices, network management systems and the like can be compared with a whitelist configured in the analysis system to judge whether abnormal, illegally connected assets exist. Data such as the processes and open ports of systems like physical machines and virtual machines, and the version and configuration information of network devices and security devices, are collected to obtain the related asset information in the 5G network and can be used for analysis and unified display by all security-domain situation awareness subsystems. "Uu interface, N4 interface, EMS system flow interface, or control plane, user plane and management plane traffic of the system" are data obtained from 5G network elements such as base stations, the MEC and the 5GC; from them, user-related information such as SUPI, SUCI, IMEI, 5G-GUTI, PDU session ID, AMF UE NGAP ID, RAN UE NGAP ID and F-SEID can be extracted according to the 3GPP protocol specifications, and the information of the same user across multiple network elements can be integrated and merged for subsequent security analysis such as abnormal-user and attack-signaling analysis. In the data of the log system, vulnerability system, asset management system and the like, related alarm data can be checked directly, and vulnerability information found in the vulnerability system can be displayed directly and used for security threat information analysis. Of course, in an actual implementation, data from more nodes can be collected as needed.
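The whitelist comparison described above, as an added example that is not part of the patent: collected asset records (network elements, VMs, physical machines with their observed open ports) are checked against a configured whitelist, and assets that are not on the list, are placed in the wrong domain, expose unapproved ports, or are expected but never reported are flagged. The `Asset` structure, the `check_assets` function and all identifiers and port numbers are constructed assumptions for this example.

```python
# Added example (not from the patent): compare collected 5G asset records with a
# configured whitelist to flag illegally connected assets, and compare observed
# open ports against the whitelist's allowed ports. All names and data are
# constructed for this example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    ident: str        # hostname or management address reported by the collector
    domain: str       # access / bearer / edge / core / om
    kind: str         # network element, VM, physical machine, network device, ...
    ports: frozenset = field(default_factory=frozenset)  # open ports observed


# Whitelist configured in the analysis system (constructed): ident -> approved asset.
WHITELIST = {
    "gnb-01": Asset("gnb-01", "access", "network element", frozenset({22, 36412})),
    "amf-01": Asset("amf-01", "core", "network element", frozenset({22, 38412, 8443})),
    "mec-app-vm-03": Asset("mec-app-vm-03", "edge", "VM", frozenset({22, 443})),
    "bastion-01": Asset("bastion-01", "om", "physical machine", frozenset({22})),
}

# Records reported by the information acquisition nodes (constructed).
COLLECTED = [
    Asset("gnb-01", "access", "network element", frozenset({22, 36412})),
    Asset("amf-01", "core", "network element", frozenset({22, 38412, 8443, 2222})),
    Asset("mec-app-vm-03", "edge", "VM", frozenset({22, 443})),
    Asset("vm-unknown-17", "edge", "VM", frozenset({22, 8080})),
]


def check_assets(collected, whitelist):
    """Classify collected assets against the whitelist.

    Returns a dict with:
      unauthorized - idents present in the network but absent from the whitelist
      misplaced    - whitelisted idents seen in another domain or as another kind
      extra_ports  - ident -> open ports not approved for that asset
      missing      - whitelisted idents that no collector reported
    """
    unauthorized, misplaced, extra_ports = [], [], {}
    seen = set()
    for a in collected:
        seen.add(a.ident)
        approved = whitelist.get(a.ident)
        if approved is None:
            unauthorized.append(a.ident)
            continue
        if (a.domain, a.kind) != (approved.domain, approved.kind):
            misplaced.append(a.ident)
        extra = a.ports - approved.ports
        if extra:
            extra_ports[a.ident] = sorted(extra)
    missing = sorted(set(whitelist) - seen)
    return {
        "unauthorized": sorted(unauthorized),
        "misplaced": sorted(misplaced),
        "extra_ports": extra_ports,
        "missing": missing,
    }


if __name__ == "__main__":
    for category, items in check_assets(COLLECTED, WHITELIST).items():
        print(f"{category}: {items}")
```

The "missing" category is worth keeping alongside "unauthorized": an expected asset that stops reporting is as relevant to the situation picture as an unknown one that appears, since both change what the whole-network view believes is deployed.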
Further, the security situation awareness subsystem comprises:
an access security domain situation awareness subsystem, a bearer security domain situation awareness subsystem, an edge security domain situation awareness subsystem, a core security domain situation awareness subsystem and an operation and maintenance security domain situation awareness subsystem.
According to the domain-division characteristics of the 5G network architecture, a plurality of different security situation awareness subsystems are arranged in the second layer of the architecture, as shown in fig. 3. The different security situation awareness subsystems perform vulnerability analysis and security detection and analysis on the data of the information acquisition nodes in their corresponding security domains, which makes the analysis more convenient and more comprehensive.
Further, the vulnerability analysis comprises software vulnerability analysis, configuration compliance analysis and weak password analysis;
the network security domains comprise an access security domain, a bearer security domain, an edge security domain, a core security domain and an operation and maintenance security domain;
the security detection and analysis of the access security domain comprises detecting and analyzing wireless-side signaling storms, pseudo base stations and positioning pseudo-signals;
the security detection and analysis of the bearer security domain comprises ARP flooding/spoofing attack detection and analysis and IP spoofing/malformed packet attack detection and analysis;
the security detection and analysis of the edge security domain comprises detecting and analyzing traffic attacks, service anomaly attacks, third-party application attacks, MEC platform attacks and abnormal behaviors of industry terminals;
the security detection and analysis of the core security domain comprises detecting and analyzing abnormal access and illegal service registration among network elements, network slice attacks, open interface anomalies, east-west traffic anomalies and virtualization platform attacks;
and the security detection and analysis of the operation and maintenance security domain comprises detecting and analyzing abnormal user behavior, abnormal logins and unauthorized access.
As shown in fig. 4, each security-domain-level situation awareness subsystem includes a data acquisition module, a data processing module, a data storage module, a vulnerability analysis module and a single-domain security threat analysis module. Each security situation awareness subsystem performs vulnerability analysis and security detection and analysis on the single-domain assets of its own security domain. The vulnerability analysis comprises software vulnerability analysis, configuration compliance analysis and weak password analysis, while the specific content of the security detection and analysis differs from one security domain to another and corresponds to the characteristics of that domain. For example, the wireless-side signaling storm analysis of the access security domain counts the signaling data in the collected Uu interface data, including the signaling sent by users to the base station, and judges whether it exceeds a configured signaling-volume threshold; if the threshold is exceeded, a signaling storm has occurred. The "detection and analysis of abnormal behaviors of an industry terminal" of the edge security domain extracts 5G user-related information such as SUPI, SUCI, IMEI, 5G-GUTI, PDU session ID, AMF UE NGAP ID, RAN UE NGAP ID and F-SEID from the data collected on the Uu interface and on the N1/N2/N4 and other 5GC network element interfaces according to the 3GPP protocol specifications, integrates and combines the information of the same user across multiple network elements, and judges whether a given terminal behaves abnormally by analyzing the characteristics of the data.
For example, a terminal that frequently initiates user registration and deregistration requests, frequently initiates service requests, or establishes and deletes PDU sessions unusually frequently after registration is not behaving like a normal user, and abnormal behavior of the industry terminal can be determined. The security detection and analysis of each security domain is carried out according to the actual conditions of that domain.
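The per-user correlation of interface records (described in the data collection passage and again for the edge domain above), the threshold-based signaling storm check and the frequency-based abnormal terminal check, as one added example that is not code from the patent. It assumes a simplified record model in which AMF-side records (N1/N2) carry the SUPI together with the AMF UE NGAP ID, base-station records (Uu) carry only the NGAP IDs, and SMF/UPF records (N4) carry the SUPI with the PDU session ID and F-SEID; the record field names, window sizes, thresholds and sample records are all constructed for the example.

```python
# Added example (not from the patent): correlate per-user records from several
# 5G network-element interfaces by the identifiers the description names
# (SUPI, 5G-GUTI, AMF UE NGAP ID, RAN UE NGAP ID, PDU session ID, F-SEID), then
# run a threshold-based signaling storm check and a frequency-based abnormal
# terminal check. Record layout, thresholds and data are constructed assumptions.
from collections import Counter, defaultdict

REG_EVENTS = {"Registration Request", "Deregistration Request", "Service Request"}
PDU_EVENTS = {"PDU Session Establishment Request", "PDU Session Release Request"}

SUPI_A = "imsi-460010000000001"   # constructed, normal terminal
SUPI_B = "imsi-460010000000002"   # constructed, misbehaving terminal

# Constructed records; "t" is seconds since capture start.
RECORDS = [
    # N1/N2 records at the AMF carry SUPI, 5G-GUTI and the AMF UE NGAP ID.
    {"iface": "N1", "ne": "AMF", "t": 0, "msg": "Registration Request",
     "supi": SUPI_A, "guti": "5g-guti-A1", "amf_ue_ngap_id": 1001},
    # N4 records at the SMF/UPF carry SUPI, PDU session ID and F-SEID.
    {"iface": "N4", "ne": "SMF", "t": 5, "msg": "PDU Session Establishment Request",
     "supi": SUPI_A, "pdu_session_id": 1, "f_seid": "seid-0001"},
    # Uu records at the base station carry only the NGAP IDs, no SUPI.
    {"iface": "Uu", "ne": "gNB", "t": 7, "msg": "RRC Reconfiguration",
     "ran_ue_ngap_id": 11, "amf_ue_ngap_id": 1001},
    {"iface": "Uu", "ne": "gNB", "t": 15, "msg": "Measurement Report",
     "ran_ue_ngap_id": 11, "amf_ue_ngap_id": 1001},
]
# Terminal B registers and deregisters every 8 seconds (5 requests in 40 s).
RECORDS += [
    {"iface": "N1", "ne": "AMF", "t": t, "msg": msg, "supi": SUPI_B,
     "guti": "5g-guti-B1", "amf_ue_ngap_id": 1002}
    for t, msg in zip(range(0, 40, 8),
                      ["Registration Request", "Deregistration Request"] * 3)
]
# A burst of RRC Setup Requests before any NGAP ID is assigned (no user context yet).
RECORDS += [{"iface": "Uu", "ne": "gNB", "t": t, "msg": "RRC Setup Request"}
            for t in range(1, 8)]


def correlate_by_user(records):
    """Group records from several network elements under one SUPI.

    AMF records carry both SUPI and AMF UE NGAP ID; base-station records carry
    only the NGAP IDs and are resolved through that mapping. Records that map
    to no user are returned separately rather than dropped.
    """
    ngap_to_supi = {r["amf_ue_ngap_id"]: r["supi"]
                    for r in records if r.get("supi") and "amf_ue_ngap_id" in r}
    by_user, unresolved = defaultdict(list), []
    for r in records:
        supi = r.get("supi") or ngap_to_supi.get(r.get("amf_ue_ngap_id"))
        (by_user[supi] if supi else unresolved).append(r)
    return dict(by_user), unresolved


def signaling_storm(records, window=10, threshold=5):
    """Count Uu signaling messages per window; return windows above threshold."""
    per_window = Counter(r["t"] // window for r in records if r["iface"] == "Uu")
    return sorted(w for w, n in per_window.items() if n > threshold)


def abnormal_terminals(by_user, window=60, reg_threshold=3, pdu_threshold=3):
    """Flag users whose registration/service or PDU-session activity per window is excessive."""
    flagged = {}
    for supi, recs in by_user.items():
        reg = Counter(r["t"] // window for r in recs if r["msg"] in REG_EVENTS)
        pdu = Counter(r["t"] // window for r in recs if r["msg"] in PDU_EVENTS)
        reasons = []
        if reg and max(reg.values()) > reg_threshold:
            reasons.append("frequent registration/deregistration/service requests")
        if pdu and max(pdu.values()) > pdu_threshold:
            reasons.append("frequent PDU session establishment/release")
        if reasons:
            flagged[supi] = reasons
    return flagged


if __name__ == "__main__":
    users, leftover = correlate_by_user(RECORDS)
    print("storm windows:", signaling_storm(RECORDS))
    print("abnormal terminals:", abnormal_terminals(users))
    print("records without user context:", len(leftover))
```

Two design points matter in practice: the NGAP-ID mapping is only valid for the lifetime of the UE context, so a real implementation would scope it by time and by gNB rather than keeping one global table, and records that cannot be attributed to a user are kept (the `unresolved` list) because an RRC-level burst with no user context is exactly what the storm check needs to see.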
Further, the analyzing and presenting the security posture of the whole network includes:
carrying out security evaluation and situation analysis evaluation on the network attack of the whole network;
and presenting a comprehensive security situation, an asset security situation, a slice security situation and a vulnerability security situation.
As shown in fig. 5, the network-level situation awareness system includes a whole-network security situation analysis and evaluation module, a security situation early warning module, a security threat tracing module, an emergency disposal module, and a visual display module;
the whole-network security situation analysis and evaluation module analyzes and evaluates the situation by integrating the security analysis results of each security domain, and presents the security situation of a certain security domain through the visual display module according to the type, severity, quantity and the like of the attack events of each domain. The visual display module is used for displaying the comprehensive security situation, the asset security situation, the slice security situation and the vulnerability security situation in a classified mode so as to be convenient to search and display and support the combination of analysis results of a plurality of security domains according to different attack types. For example, the asset security situation, access, bearer, MEC, 5GC and other domains all contain assets, and the attack situations of all the assets can be integrated together for uniform presentation.
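The integration step described above, as an added example that is not part of the patent: per-domain analysis results are merged into a slice security situation (events from the access, bearer and core domains that share a slice identifier), an asset security situation (all events against one asset) and an overall situation broken down by domain. The result record format, the severity scale and the sample results are constructed assumptions.

```python
# Added example (not from the patent): a network-level integration step that
# merges the per-domain analysis results into slice, asset and overall security
# situations. The result format, severity scale and data are constructed.
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 3, "high": 5, "critical": 8}

# Constructed outputs of the security-domain subsystems; a slice-scoped event
# carries the slice identifier so results from several domains can be merged.
DOMAIN_RESULTS = [
    {"domain": "access", "asset": "gnb-01", "attack": "pseudo base station",
     "severity": "high", "slice": "slice-urllc-1"},
    {"domain": "bearer", "asset": "rtr-07", "attack": "ARP spoofing",
     "severity": "medium", "slice": "slice-urllc-1"},
    {"domain": "core", "asset": "amf-01", "attack": "illegal service registration",
     "severity": "critical", "slice": "slice-urllc-1"},
    {"domain": "core", "asset": "smf-02", "attack": "east-west traffic anomaly",
     "severity": "low", "slice": "slice-embb-2"},
    {"domain": "edge", "asset": "mec-app-vm-03", "attack": "third-party application attack",
     "severity": "high", "slice": None},
    {"domain": "om", "asset": "bastion-01", "attack": "abnormal login",
     "severity": "medium", "slice": None},
]


def _level(events):
    """Highest severity label among the events ("none" if there are no events)."""
    return max((e["severity"] for e in events), key=SEVERITY.__getitem__, default="none")


def _score(events):
    return sum(SEVERITY[e["severity"]] for e in events)


def _group(events, key):
    groups = defaultdict(list)
    for e in events:
        if e[key] is not None:
            groups[e[key]].append(e)
    return groups


def slice_situation(results):
    """Merge access/bearer/core results that belong to the same slice."""
    return {s: {"domains": sorted({e["domain"] for e in evs}), "events": len(evs),
                "score": _score(evs), "level": _level(evs)}
            for s, evs in _group(results, "slice").items()}


def asset_situation(results):
    """All attack events against each asset, regardless of which domain reported them."""
    return {a: {"domain": evs[0]["domain"], "events": len(evs), "level": _level(evs),
                "attacks": sorted(e["attack"] for e in evs)}
            for a, evs in _group(results, "asset").items()}


def overall_situation(results):
    """Whole-network summary with a per-domain breakdown for the display module."""
    by_domain = _group(results, "domain")
    return {"events": len(results), "score": _score(results), "level": _level(results),
            "by_domain": {d: {"events": len(evs), "score": _score(evs), "level": _level(evs)}
                          for d, evs in by_domain.items()}}


if __name__ == "__main__":
    print(slice_situation(DOMAIN_RESULTS))
    print(asset_situation(DOMAIN_RESULTS))
    print(overall_situation(DOMAIN_RESULTS))
```

The slice view is the one that only a network-level system can produce: no single subsystem sees that a pseudo base station in the access domain, ARP spoofing on the bearer and an illegal service registration in the core all touch the same slice.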
Further, the method further comprises:
and carrying out situation early warning, emergency disposal, whole-network event association analysis and security threat tracing on the possible security threats through a network-level situation awareness system.
The network-level situation awareness system dynamically and comprehensively analyzes the internal and external environment so that the existence of security risks is perceived; with big data as its core, it identifies, analyzes and handles potential network security threats from an overall viewpoint; it automatically mines hidden network-risk data; through that mining it analyzes the commonalities and differences among the network-risk data and, on that basis, searches for the latent patterns among them; by preparing the network data, searching for abnormal network data and summarizing the patterns of the abnormal data, it judges whether a network security risk event exists; and through the security situation early warning module, the emergency disposal module and the security threat tracing module it carries out situation early warning, emergency disposal, whole-network event correlation analysis and security threat tracing on the security threats, thereby safeguarding the security of the whole network.
The embodiment of the disclosure provides a three-level network security situation awareness system architecture: by setting up different security situation awareness subsystems, it performs vulnerability analysis and security detection and analysis on the single-domain assets of the corresponding network security domains, integrates the analysis results through the network-level situation awareness system, and analyzes and displays the security situation of the whole network. This realizes overall network security situation awareness for the 5G network and solves the problem that a generic network security situation awareness system cannot adapt to the operation and maintenance of 5G services.
Fig. 6 is an architecture diagram of a network security situation awareness system according to a second embodiment of the present disclosure, and as shown in fig. 6, the system includes:
an acquisition module 11 configured to acquire basic analysis data of a network through an information acquisition node;
the establishing module 12 is configured to establish a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture, and acquire basic analysis data of the network acquired by the information acquisition nodes in the corresponding security domains for each security situation awareness subsystem;
the analysis module 13 is configured to perform vulnerability analysis and security detection and analysis on the single-domain assets of the corresponding network security domains through each security situation awareness subsystem;
and the integration module 14 is configured to integrate the analysis results of the security situation awareness subsystems through a network-level situation awareness system, and analyze and display the security situation of the whole network.
Further, the basic analysis data of the network includes:
network asset data of network slices, network elements, virtual machines, physical machines, network devices, security devices and the network management system;
process data of physical machines and virtual machines, open port data of physical machines and virtual machines, and version information and configuration information of network devices and security devices;
Uu interface, N4 interface and EMS system traffic interface data, or control plane, user plane and management plane traffic of the system;
log system, vulnerability system and asset management system data.
Further, the security situation awareness subsystem comprises:
the access security domain situation awareness subsystem, the bearing security domain situation awareness subsystem, the edge security domain situation awareness subsystem, the core security domain situation awareness subsystem and the operation and maintenance security domain situation awareness subsystem.
Further, the vulnerability analysis comprises security vulnerability analysis, configuration compliance analysis and weak password analysis;
the network security domains comprise an access security domain, a bearer security domain, an edge security domain, a core security domain and an operation and maintenance security domain;
the security detection and analysis of the access security domain comprises: detection and analysis of wireless-side signaling storms, pseudo base stations and positioning pseudo signals;
the security detection and analysis of the bearer security domain comprises: ARP flooding/spoofing attack detection and analysis and IP spoofing/malformed message attack detection and analysis;
the security detection and analysis of the edge security domain comprises: detection and analysis of traffic attacks, service anomaly attacks, third-party application attacks, MEC platform attacks and abnormal behavior of industry terminals;
the security detection and analysis of the core security domain comprises: detection and analysis of abnormal access and illegal service registration between network elements, network slice attacks, open interface abnormalities, east-west traffic abnormalities and virtualization platform attacks;
and the security detection and analysis of the operation and maintenance security domain comprises: detection and analysis of abnormal user behavior, abnormal logins and unauthorized access.
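The checks listed for the subsystems above, as an added example that is not the patent's code: a weak-password check and a configuration-compliance check (the vulnerability analysis), an ARP spoofing indicator for the bearer domain, and an abnormal-login check for the operation and maintenance domain. All inputs are constructed inline; the password deny-list, the compliance baseline, the log line format, the failure threshold and the operation and maintenance source range are assumptions.

```python
"""Per-domain subsystem checks over constructed inputs (added illustration).

A small device inventory drives the vulnerability analysis, ARP observations
drive the bearer-domain check, and login log lines drive the operation and
maintenance check. Thresholds, baselines and log format are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# --- vulnerability analysis: weak passwords and configuration compliance ---
WEAK_PASSWORDS = {"admin", "password", "123456", "root"}   # constructed deny-list
BASELINE = {"ssh_root_login": "no", "telnet": "disabled",
            "snmp_community": "custom"}                      # assumed compliance baseline


def weak_password_findings(inventory):
    """Return (device, account) pairs whose password is on the deny-list or
    shorter than 8 characters. `inventory` maps device -> {account: password};
    in practice this is fed by a credential audit, not by cleartext storage."""
    hits = []
    for device, accounts in inventory.items():
        for user, pw in accounts.items():
            if pw.lower() in WEAK_PASSWORDS or len(pw) < 8:
                hits.append((device, user))
    return hits


def compliance_findings(configs):
    """Return (device, setting, actual value) for every deviation from BASELINE."""
    out = []
    for device, cfg in configs.items():
        for key, expected in BASELINE.items():
            if cfg.get(key) != expected:
                out.append((device, key, cfg.get(key)))
    return out


# --- bearer security domain: ARP spoofing indicator ---
def arp_spoofing_findings(arp_events):
    """An IP address answered by more than one MAC within the observation set
    is reported as a possible ARP spoofing indicator (MACs compared case-insensitively)."""
    macs_for_ip = defaultdict(set)
    for ip, mac in arp_events:
        macs_for_ip[ip].add(mac.lower())
    return {ip: sorted(m) for ip, m in macs_for_ip.items() if len(m) > 1}


# --- operation and maintenance security domain: abnormal login ---
LOGIN_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
OM_RANGE = ipaddress.ip_network("10.0.0.0/8")   # assumed O&M source range


def abnormal_login_findings(log_lines, fail_threshold=3):
    """Flag a user/source pair reaching `fail_threshold` failures, and any
    successful login from outside OM_RANGE. Unparseable lines are skipped."""
    failures = defaultdict(int)
    findings = []
    for line in log_lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        user, src, result = m["user"], m["src"], m["result"]
        if result == "FAIL":
            failures[(user, src)] += 1
            if failures[(user, src)] == fail_threshold:
                findings.append(("brute_force_suspect", user, src))
        else:
            try:
                outside = ipaddress.ip_address(src) not in OM_RANGE
            except ValueError:
                continue   # malformed source field, skip rather than crash
            if outside:
                findings.append(("login_from_unexpected_source", user, src))
    return findings


# Constructed sample inputs.
INVENTORY = {"smf-01": {"admin": "admin", "ops": "S3cure-Pa55!"}, "sw-07": {"root": "cisco12"}}
CONFIGS = {"smf-01": {"ssh_root_login": "no", "telnet": "disabled", "snmp_community": "custom"},
           "sw-07": {"ssh_root_login": "yes", "telnet": "disabled", "snmp_community": "public"}}
ARP_EVENTS = [("10.1.1.1", "aa:bb:cc:00:00:01"), ("10.1.1.2", "aa:bb:cc:00:00:02"),
              ("10.1.1.1", "de:ad:be:ef:00:99"), ("10.1.1.2", "AA:BB:CC:00:00:02")]
LOGIN_LOG = [
    "09:00 FAIL user=ops src=10.2.3.4",
    "09:01 FAIL user=ops src=10.2.3.4",
    "09:01 FAIL user=ops src=10.2.3.4",
    "09:02 OK user=ops src=10.2.3.4",
    "09:05 OK user=admin src=203.0.113.7",
    "not a login record",
]

if __name__ == "__main__":
    print(weak_password_findings(INVENTORY), compliance_findings(CONFIGS))
    print(arp_spoofing_findings(ARP_EVENTS), abnormal_login_findings(LOGIN_LOG))
```

Each function returns plain tuples or dicts tagged with the device, slice or source they concern, which is what a network-level integration step needs in order to merge results from several domains by asset or by attack type.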
Further, the integration module 14 is specifically configured to:
carrying out security evaluation and situation analysis and evaluation of the network attacks across the whole network;
presenting a comprehensive security posture, an asset security posture, a slicing security posture and a vulnerability security posture.
Further, the integration module 14 is further configured to:
and carrying out situation early warning, emergency disposal, whole-network event correlation analysis and security threat tracing for possible security threats through the network-level situation awareness system.
The network security situation awareness system of this embodiment of the present disclosure implements the network security situation awareness method of the first method embodiment, so its description is kept brief; for details, refer to the related description in the first method embodiment, which is not repeated here.
Furthermore, as shown in fig. 7, a third embodiment of the present disclosure further provides an electronic device, which includes a memory 100 and a processor 200, where the memory 100 stores a computer program, and when the processor 200 runs the computer program stored in the memory 100, the processor 200 executes the above-mentioned various possible methods.
The memory 100 is connected to the processor 200, the memory 100 may be a flash memory, a read-only memory or other memories, and the processor 200 may be a central processing unit or a single chip microcomputer.
Furthermore, the disclosed embodiments also provide a computer-readable storage medium, on which a computer program is stored, the computer program being executed by a processor to perform the above-mentioned various possible methods.
The computer-readable storage media include volatile or nonvolatile, removable or non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, computer program modules or other data. Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash Memory or other Memory technology, CD-ROM (Compact disk Read-Only Memory), digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
It will be understood that the above embodiments are merely exemplary embodiments employed to illustrate the principles of the present disclosure, and the present disclosure is not limited thereto. It will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the disclosure, and these changes and modifications are to be considered within the scope of the disclosure.

Claims (10)

1. A network security situation awareness method, the method comprising:
acquiring basic analysis data of a network through an information acquisition node;
establishing a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture, and acquiring, for each security situation awareness subsystem, the basic analysis data of the network collected by the information acquisition nodes in its corresponding security domain;
performing vulnerability analysis and security detection and analysis on the single-domain assets of the corresponding network security domains through each security situation awareness subsystem;
and integrating the analysis results of each security situation awareness subsystem through a network-level situation awareness system, and analyzing and displaying the security situation of the whole network.
2. The network security situation awareness method according to claim 1, wherein the basic analysis data of the network comprises:
network asset data of network slices, network elements, virtual machines, physical machines, network devices, security devices and network management systems;
process data of physical machines and virtual machines, open port data of physical machines and virtual machines, and version information and configuration information of network devices and security devices;
a Uu interface between user equipment and a base station, an N4 interface between the session management function SMF and the user plane function UPF, a system traffic interface of the network element management system EMS, or control plane, user plane and management plane traffic of the system;
log system, vulnerability system and asset management system data.
3. The network security situation awareness method of claim 1, wherein the security situation awareness subsystem comprises:
an access security domain situation awareness subsystem, a bearer security domain situation awareness subsystem, an edge security domain situation awareness subsystem, a core security domain situation awareness subsystem and an operation and maintenance security domain situation awareness subsystem.
4. The network security situation awareness method of claim 3,
the vulnerability analysis comprises security vulnerability analysis, configuration compliance analysis and weak password analysis;
the network security domains comprise an access security domain, a bearer security domain, an edge security domain, a core security domain and an operation and maintenance security domain;
the security detection and analysis of the access security domain comprises: detection and analysis of wireless-side signaling storms, pseudo base stations and positioning pseudo signals;
the security detection and analysis of the bearer security domain comprises: address resolution protocol ARP flooding/spoofing attack detection and analysis and IP spoofing/malformed message attack detection and analysis;
the security detection and analysis of the edge security domain comprises: detection and analysis of traffic attacks, service anomaly attacks, third-party application attacks, mobile edge computing MEC platform attacks and abnormal behavior of industry terminals;
the security detection and analysis of the core security domain comprises: detection and analysis of abnormal access and illegal service registration between network elements, network slice attacks, open interface abnormalities, east-west traffic abnormalities and virtualization platform attacks;
and the security detection and analysis of the operation and maintenance security domain comprises: detection and analysis of abnormal user behavior, abnormal logins and unauthorized access.
5. The network security situation awareness method according to claim 3, wherein the analyzing and presenting the security situation of the entire network comprises:
carrying out security evaluation and situation analysis evaluation on the network attack of the whole network;
presenting a comprehensive security posture, an asset security posture, a slicing security posture and a vulnerability security posture.
6. The network security situation awareness method according to claim 5, wherein the method further comprises:
and carrying out situation early warning, emergency disposal, whole-network event correlation analysis and security threat traceability on the possible security threats through a network-level situation awareness system.
7. A network security situational awareness system, the system comprising:
the acquisition module is arranged for acquiring basic analysis data of the network through the information acquisition node;
an establishing module configured to establish a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture and to acquire, for each security situation awareness subsystem, the basic analysis data of the network collected by the information acquisition nodes in its corresponding security domain;
the analysis module is arranged for performing vulnerability analysis and security detection and analysis on the single-domain assets of the corresponding network security domains through each security situation awareness subsystem;
and the integration module is arranged for integrating the analysis results of the security situation awareness subsystems through the network-level situation awareness system and analyzing and displaying the security situation of the whole network.
8. The network security posture awareness system of claim 7, wherein the security posture awareness subsystem comprises:
the access security domain situation awareness subsystem, the bearing security domain situation awareness subsystem, the edge security domain situation awareness subsystem, the core security domain situation awareness subsystem and the operation and maintenance security domain situation awareness subsystem.
9. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and when the processor runs the computer program stored by the memory, the processor performs the network security situation awareness method according to any one of claims 1-6.
10. A computer-readable storage medium, comprising: computer program which, when run on a computer, causes the computer to perform the network security situation awareness method according to any one of claims 1-6.
CN202211128114.5A 2022-09-16 2022-09-16 Network security situation awareness method, system, electronic equipment and storage medium Active CN115567258B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211128114.5A CN115567258B (en) 2022-09-16 2022-09-16 Network security situation awareness method, system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115567258A true CN115567258A (en) 2023-01-03
CN115567258B CN115567258B (en) 2024-03-01

Family

ID=84740302

Country Status (1)

Country Link
CN (1) CN115567258B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170346846A1 (en) * 2016-05-31 2017-11-30 Valarie Ann Findlay Security threat information gathering and incident reporting systems and methods
CN110740141A (en) * 2019-11-15 2020-01-31 国网山东省电力公司信息通信公司 integration network security situation perception method, device and computer equipment
CN114124503A (en) * 2021-11-15 2022-03-01 北京邮电大学 Intelligent network sensing method for optimizing efficiency of progressive concurrent cache
CN114697963A (en) * 2022-03-29 2022-07-01 中国南方电网有限责任公司 Terminal identity authentication method and device, computer equipment and storage medium
CN115051879A (en) * 2022-08-17 2022-09-13 珠海市鸿瑞信息技术股份有限公司 Data analysis system of network security situation perception system based on machine learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李建华 (Li Jianhua): "A Survey of Cyber Security Threats and Defense Technologies for Critical Energy Infrastructure" (能源关键基础设施网络安全威胁与防御技术综述), Journal of Electronics & Information Technology (电子与信息学报), 5 September 2020 (2020-09-05) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115776411A (en) * 2023-01-30 2023-03-10 网思科技股份有限公司 Data security analysis method, system and readable storage medium
CN115776411B (en) * 2023-01-30 2023-05-23 网思科技股份有限公司 Data security analysis method, system and readable storage medium

Also Published As

Publication number Publication date
CN115567258B (en) 2024-03-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant