CN115567258B - Network security situation awareness method, system, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115567258B
Authority
CN
China
Prior art keywords
security
network
analysis
domain
situation
Prior art date
Legal status
Active
Application number
CN202211128114.5A
Other languages
Chinese (zh)
Other versions
CN115567258A (en)
Inventor
谢泽铖
徐雷
张曼君
陆勰
王姗姗
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/04 Network management architectures or arrangements
    • H04L 41/042 Network management architectures or arrangements comprising distributed management centres cooperatively managing the network

Abstract

The disclosure provides a network security situation awareness method, system, electronic device and readable storage medium, addressing the problem that existing general-purpose network security situation awareness systems cannot adapt to 5G service operation and maintenance scenarios. The method comprises the following steps: collecting basic analysis data of the network through information collection nodes; establishing a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture, each subsystem obtaining the basic analysis data of the network collected by the information collection nodes in its corresponding security domain; performing vulnerability analysis and security detection and analysis, through each security situation awareness subsystem, on the single-domain assets of its corresponding network security domain; and integrating the analysis results of all the security situation awareness subsystems through a network-level situation awareness system, and analyzing and displaying the security situation of the whole network. The technical scheme can realize network security situation awareness of the whole 5G network.

Description

Network security situation awareness method, system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a network security situation awareness method, a network security situation awareness system, an electronic device, and a computer-readable storage medium.
Background
A network security situation awareness system processes massive, disordered alarms, breaks down information silos, correlates security alarm information from a higher dimension, and provides an overall understanding, analysis and prediction of the security risks facing a target network. It helps enterprise security teams find events that a traditional security management platform and stand-alone security devices cannot monitor, so that security events can be investigated and responded to more effectively and rapidly, improving the active defense capability of the network.
At present, domestic and foreign security vendors already offer network security situation awareness systems, but these are mainly applied to enterprise IT networks, are intended to solve the security problems faced by office networks in enterprise Internet scenarios, provide only partial protection, and there is a lack of security situation awareness products aimed at 5G networks. A 5G network differs greatly from an IT network in networking structure, asset composition, asset organization form, service attributes, threat detection model and so on, so a general-purpose network security situation awareness system cannot adapt to the 5G service operation and maintenance scenario.
Disclosure of Invention
To solve the above technical problems in the prior art, the disclosure provides a network security situation awareness method, a network security situation awareness system, an electronic device and a computer-readable storage medium, which fully consider the architecture, asset organization form and service attributes of a 5G network, provide a three-level network security situation awareness system architecture, and solve the problem that a general-purpose network security situation awareness system cannot adapt to 5G service operation and maintenance.
In a first aspect, the present disclosure provides a network security situation awareness method, the method comprising:
collecting basic analysis data of the network through information collection nodes;
establishing a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture, each security situation awareness subsystem obtaining the basic analysis data of the network collected by the information collection nodes in its corresponding security domain;
performing vulnerability analysis and security detection and analysis, through each security situation awareness subsystem, on the single-domain assets of the network security domain corresponding to that subsystem;
and integrating the analysis results of all the security situation awareness subsystems through a network-level situation awareness system, and analyzing and displaying the security situation of the whole network.
Further, the basic analysis data of the network includes:
network asset data of network slices, network elements, virtual machines, physical machines, network equipment, security equipment and network management systems;
processes of physical machines and virtual machines, open-port data of physical machines and virtual machines, and version information and configuration information of network equipment and security equipment;
traffic of the Uu interface (the interface between the user and the base station), the N4 interface (the interface between the session management function SMF and the user plane function UPF), the EMS system traffic interface (the traffic interface of the network element management system EMS), or the control plane, user plane and management plane traffic of a system;
data of a log system, a vulnerability system and an asset management system.
Further, the security situation awareness subsystems include:
an access security domain situation awareness subsystem, a bearer security domain situation awareness subsystem, an edge security domain situation awareness subsystem, a core security domain situation awareness subsystem and an operation and maintenance security domain situation awareness subsystem.
Further, the vulnerability analysis comprises analysis of vulnerabilities, configuration compliance and weak passwords;
the network security domains comprise an access security domain, a bearer security domain, an edge security domain, a core security domain and an operation and maintenance security domain;
the security detection and analysis of the access security domain includes: detection and analysis of wireless-side signaling storms and pseudo base stations, and location of pseudo signals;
the security detection and analysis of the bearer security domain includes: detection and analysis of ARP (Address Resolution Protocol) flooding/spoofing attacks and of IP spoofing/malformed packet attacks;
the security detection and analysis of the edge security domain includes: detection and analysis of traffic attacks, service anomaly attacks, third-party application attacks, MEC (Mobile Edge Computing) platform attacks and abnormal behavior of industry terminals;
the security detection and analysis of the core security domain comprises detection and analysis of abnormal access and illegal service registration between network elements, network slicing attacks, open interface anomalies, east-west traffic anomalies and virtualization platform attacks;
the security detection and analysis of the operation and maintenance security domain comprises detection and analysis of abnormal user behavior, abnormal logins and unauthorized access.
Further, analyzing and displaying the security situation of the whole network includes:
performing security evaluation and situation analysis and evaluation of network attacks across the whole network;
and presenting the comprehensive security situation, the asset security situation, the slice security situation and the vulnerability security situation.
Further, the method further comprises:
performing situation early warning, emergency handling, whole-network event correlation analysis and security threat tracing for security threats that may arise, through the network-level situation awareness system.
In a second aspect, the present disclosure provides a network security situation awareness system, the system comprising:
an acquisition module, configured to collect basic analysis data of the network through information collection nodes;
an establishing module, configured to establish a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture, and to obtain, for each security situation awareness subsystem, the basic analysis data of the network collected by the information collection nodes in the corresponding security domain;
an analysis module, configured to perform vulnerability analysis and security detection and analysis, through each security situation awareness subsystem, on the single-domain assets of its corresponding network security domain;
an integration module, configured to integrate the analysis results of all the security situation awareness subsystems through the network-level situation awareness system, and to analyze and display the security situation of the whole network.
Further, the security situation awareness subsystems include:
an access security domain situation awareness subsystem, a bearer security domain situation awareness subsystem, an edge security domain situation awareness subsystem, a core security domain situation awareness subsystem and an operation and maintenance security domain situation awareness subsystem.
In a third aspect, the present disclosure provides an electronic device comprising a memory and a processor, the memory storing a computer program, and the processor performing the network security situation awareness method of any of the first aspects when it runs the computer program stored in the memory.
In a fourth aspect, the present disclosure provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network security situation awareness method of any of the first aspects above.
The beneficial effects are as follows:
the network security situation awareness method, network security situation awareness system, electronic device and computer-readable storage medium fully consider the architecture, asset organization form and service attributes of the 5G network and provide a three-level network security situation awareness system architecture. Different security situation awareness subsystems perform vulnerability analysis and security detection and analysis on the single-domain assets of their corresponding network security domains, and the network-level situation awareness system integrates the analysis results and analyzes and displays the security situation of the whole network, so that network security situation awareness of the whole 5G network is realized and the problem that a general-purpose network security situation awareness system cannot adapt to 5G service operation is solved.
Drawings
Fig. 1 is a flow chart of a network security situation awareness method according to a first embodiment of the disclosure;
Fig. 2 is a schematic diagram of a three-level network security situation awareness system according to an embodiment of the present disclosure;
Fig. 3 is a specific architecture diagram of a 5G network security situation awareness system according to an embodiment of the present disclosure;
Fig. 4 is an architecture diagram of a security situation awareness subsystem according to an embodiment of the present disclosure;
Fig. 5 is a block diagram of a network-level situation awareness system according to an embodiment of the present disclosure;
Fig. 6 is an architecture diagram of a network security situation awareness system according to a second embodiment of the present disclosure;
Fig. 7 is a schematic diagram of an electronic device according to a third embodiment of the disclosure.
Detailed Description
In order that those skilled in the art will better understand the technical solutions of the present disclosure, the present disclosure will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments and figures described herein are merely illustrative of the invention, and are not limiting of the invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order; moreover, embodiments of the present disclosure and features of embodiments may be arbitrarily combined with each other without conflict.
The terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to limit the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the following description, suffixes such as "module", "component", or "unit" for representing elements are used only for facilitating the description of the present disclosure, and are not of specific significance per se. Thus, "module," "component," or "unit" may be used in combination.
The following describes the technical solutions of the present disclosure and how the technical solutions of the present disclosure solve the above technical problems existing in the prior art in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 1 is a flow chart of a network security situation awareness method according to an embodiment of the present disclosure. As shown in fig. 1, the method includes:
step S101: collecting basic analysis data of the network through information collection nodes;
step S102: establishing a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture, each security situation awareness subsystem obtaining the basic analysis data of the network collected by the information collection nodes in its corresponding security domain;
step S103: performing vulnerability analysis and security detection and analysis, through each security situation awareness subsystem, on the single-domain assets of the network security domain corresponding to that subsystem;
step S104: integrating the analysis results of all the security situation awareness subsystems through a network-level situation awareness system, and analyzing and displaying the security situation of the whole network.
The data analyzed by existing security situation awareness systems is not of the data types found in a 5G network and is not analyzed according to the characteristics of the 3GPP protocols; it is mostly analyzed only according to the general characteristics of the data, generally concerns situation awareness of a single network element or system, does not consider the characteristics and requirements of the whole 5G network, and therefore cannot meet the security situation awareness requirements of a 5G network. Aiming at the characteristics of a 5G network, the embodiment of the disclosure sets up a three-layer architecture for 5G network security situation awareness, shown in fig. 2.
The first layer consists of information acquisition nodes at the level of each 5G network device, which provide basic analysis data to the upper layer, including data and traffic collected from each asset, system, interface and the like of the 5G network.
The second layer consists of the security situation awareness subsystems, established according to the domain division characteristics of the 5G network architecture. Because different network elements in a 5G network differ in function and deployment position, the 5G network is divided into different areas and managed by domain, with different domains belonging to different specialties, and a plurality of security situation awareness subsystems are established according to the respective characteristics of these domains. For example, ordinary base stations belong to the access domain, MEC belongs to the edge domain, the 5GC belongs to the core domain, and the operation and maintenance systems belong to the operation and maintenance domain, which makes separate management convenient. Each security situation awareness subsystem obtains the basic analysis data collected by the information acquisition nodes in its corresponding security domain, performs vulnerability analysis and security detection and analysis on the single-domain assets, performs big-data correlation analysis on the data collected from the corresponding network security domain, and analyzes according to the characteristics of different attack events, so as to obtain the security analysis results of each security domain.
The third layer is the network-level situation awareness system, which integrates the analysis results of all the security situation awareness subsystems and analyzes and displays the security situation of the whole network. A given attack event may involve the analysis results of several security domains; for example, a slice is an end-to-end logical network of the whole 5G network covering access, bearer and 5GC, so presenting the security situation of a slice integrates the access, bearer and 5GC security domains and merges and presents the security results of the slice uniformly.
The embodiment fully considers the architecture, asset organization form and service attributes of the 5G network and provides a three-level network security situation awareness system architecture. Different security situation awareness subsystems perform vulnerability analysis and security detection and analysis on the single-domain assets of their corresponding network security domains, the network-level situation awareness system integrates the analysis results and analyzes and displays the security situation of the whole network, so that network security situation awareness of the whole 5G network is realized and the problem that a general-purpose network security situation awareness system cannot adapt to the operation and maintenance of 5G services is solved.
Further, the basic analysis data of the network includes:
network asset data of network slices, network elements, virtual machines, physical machines, network equipment, security equipment and network management systems;
processes of physical machines and virtual machines, open-port data of physical machines and virtual machines, and version information and configuration information of network equipment and security equipment;
traffic of the Uu interface, the N4 interface and the EMS system traffic interface, or the control plane, user plane and management plane traffic of a system;
data of a log system, a vulnerability system and an asset management system.
Information acquisition nodes at the level of each 5G network device, such as base stations, bearer equipment, security equipment, asset management platforms, log platforms, MEC, 5GC and the like, collect the corresponding basic analysis data of the network according to device parameters, generated data, traffic and so on, and classify, organize and combine it into the data types used for subsequent analysis. Data on the various network assets, such as network slices, network elements, virtual machines, physical machines, network devices, security devices and network management systems, is collected as network asset data and can be compared with a white list configured in the analysis system to determine whether abnormal, illegally accessed assets exist. Data such as the processes and open ports of systems such as physical machines and virtual machines, together with the version and configuration information of network equipment and security equipment, is asset information of the 5G network and can be used by the situation awareness subsystem of each security domain for analysis and unified display. Traffic of the Uu interface, the N4 interface, the EMS system traffic interface and other interfaces, or the control plane, user plane and management plane traffic of a system, is data obtained from 5G network elements such as base stations, MEC and 5GC; by extracting the information related to a 5G user, such as SUPI, SUCI, IMEI, 5G-GUTI, PDU session ID, AMF UE NGAP ID, RAN UE NGAP ID and F-SEID, according to the 3GPP protocol specifications, the information about the same user held in different network elements can be integrated and combined for subsequent security analysis of abnormal users, attack signaling and the like. In the data of the log system, vulnerability system, asset management system and the like, related alarm data can be checked directly, and vulnerability information found by the vulnerability system can be displayed and analyzed directly. Of course, data from more nodes can be collected as required in an actual implementation.
Further, the security situation awareness subsystems include:
an access security domain situation awareness subsystem, a bearer security domain situation awareness subsystem, an edge security domain situation awareness subsystem, a core security domain situation awareness subsystem and an operation and maintenance security domain situation awareness subsystem.
According to the domain division characteristics of the 5G network architecture, a plurality of different security situation awareness subsystems are arranged in the second layer of the architecture, as shown in fig. 3. Each security situation awareness subsystem performs vulnerability analysis and security detection and analysis on the data of the information acquisition nodes in its corresponding security domain, which makes the analysis more convenient and comprehensive.
Further, the vulnerability analysis comprises analysis of vulnerabilities, configuration compliance and weak passwords;
the network security domains comprise an access security domain, a bearer security domain, an edge security domain, a core security domain and an operation and maintenance security domain;
the security detection and analysis of the access security domain includes: detection and analysis of wireless-side signaling storms and pseudo base stations, and location of pseudo signals;
the security detection and analysis of the bearer security domain includes: detection and analysis of ARP flooding/spoofing attacks and of IP spoofing/malformed packet attacks;
the security detection and analysis of the edge security domain includes: detection and analysis of traffic attacks, service anomaly attacks, third-party application attacks, MEC platform attacks and abnormal behavior of industry terminals;
the security detection and analysis of the core security domain comprises detection and analysis of abnormal access and illegal service registration between network elements, network slicing attacks, open interface anomalies, east-west traffic anomalies and virtualization platform attacks;
the security detection and analysis of the operation and maintenance security domain comprises detection and analysis of abnormal user behavior, abnormal logins and unauthorized access.
As shown in fig. 4, each security-domain-level situation awareness subsystem includes a data acquisition module, a data processing module, a data storage module, a vulnerability analysis module and a single-domain security threat analysis module. Each security situation awareness subsystem performs vulnerability analysis, configuration compliance analysis and weak password analysis on the single-domain assets of its security domain, while the security detection and analysis differs according to the specific analysis content of each security domain and corresponds to the characteristics of that domain. For example, the wireless-side signaling storm analysis of the access security domain counts the amount of signaling sent by a user to the base station in the collected Uu-port data and determines whether it exceeds a configured signaling-volume threshold; exceeding the threshold means a signaling storm has occurred. The detection and analysis of abnormal behavior of industry terminals in the edge security domain extracts the information related to a 5G user, such as SUPI, SUCI, IMEI, 5G-GUTI, PDU session ID, AMF UE NGAP ID, RAN UE NGAP ID and F-SEID, from the data collected on the Uu port and on 5GC network element interfaces such as N1/N2/N4 according to the 3GPP protocol specifications, integrates and combines the information about the same user from several network elements, and determines whether a given terminal behaves abnormally by analyzing the characteristics of the data. For example, a terminal that frequently initiates user registration and deregistration requests, frequently initiates service requests, or establishes and releases PDU sessions especially frequently after registration is completed is not behaving like a normal user, and the industry terminal can be judged to be behaving abnormally. The security detection and analysis of each security domain is carried out according to the actual situation of that domain.
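As an added illustration (not code from the patent), the two detection rules sketched above, run over constructed 5G signaling records: a per-UE signaling-volume threshold on Uu-port records for the signaling-storm check, and per-user counting of registration/deregistration and PDU session setup/release across N1 and N4 records after resolving 5G-GUTI and F-SEID aliases to a SUPI. The record layout, identifier values, message names, thresholds and windows are all assumptions.

```python
"""Domain-level detection rules from the description, as an added example.

Records are (timestamp_s, interface, id_type, id_value, message) tuples such as an
information acquisition node might hand to a security-domain subsystem. The layout,
identifiers, thresholds and window sizes are constructed assumptions.
"""
from collections import defaultdict

# Alias bindings a subsystem learns while merging per-user information: a 5G-GUTI
# is tied to a SUPI at registration, an F-SEID at PDU session setup. Constructed.
BINDINGS = {
    ("5G-GUTI", "guti-A"): "imsi-460010000000001",
    ("F-SEID", "seid-A1"): "imsi-460010000000001",
    ("5G-GUTI", "guti-B"): "imsi-460010000000002",
    ("F-SEID", "seid-B1"): "imsi-460010000000002",
}

REGISTRATION_MSGS = {"Registration Request", "Deregistration Request"}
PDU_SESSION_MSGS = {"PDU Session Establishment Request", "PDU Session Release Request",
                    "Session Establishment Request", "Session Release Request"}


def _burst(iface, id_type, id_value, msgs, start, step):
    """Build evenly spaced sample records for one identifier."""
    return [(start + i * step, iface, id_type, id_value, m) for i, m in enumerate(msgs)]


# Constructed sample: terminal A churns registrations on N1 and PDU sessions on N4,
# terminal B behaves normally, and UE C floods the Uu port with RRC signalling.
RECORDS = (
    _burst("N1", "SUPI", "imsi-460010000000001",
           ["Registration Request", "Deregistration Request"] * 5, 0.0, 4.0)
    + _burst("N4", "F-SEID", "seid-A1",
             ["Session Establishment Request", "Session Release Request"] * 3, 50.0, 5.0)
    + _burst("N1", "SUPI", "imsi-460010000000002", ["Registration Request"], 1.0, 1.0)
    + _burst("N4", "F-SEID", "seid-B1", ["Session Establishment Request"], 3.0, 1.0)
    + _burst("Uu", "5G-GUTI", "guti-C", ["RRC Setup Request"] * 60, 100.0, 0.1)
    + _burst("Uu", "5G-GUTI", "guti-B", ["RRC Setup Request"] * 5, 100.0, 1.0)
)


def resolve_supi(id_type, id_value):
    """Map any user-related identifier to the SUPI it is bound to, or None."""
    if id_type == "SUPI":
        return id_value
    return BINDINGS.get((id_type, id_value))


def max_events_in_window(times, window_s):
    """Largest number of timestamps that fall within any window_s-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_signalling_storm(records, threshold=50, window_s=10.0):
    """Access-domain rule: signalling per UE on the Uu port above a threshold.

    Returns {(id_type, id_value): peak_count} for identifiers over the threshold.
    """
    per_ue = defaultdict(list)
    for t, iface, id_type, id_value, _msg in records:
        if iface == "Uu":
            per_ue[(id_type, id_value)].append(t)
    peaks = {ue: max_events_in_window(ts, window_s) for ue, ts in per_ue.items()}
    return {ue: n for ue, n in peaks.items() if n > threshold}


def detect_abnormal_terminals(records, max_reg=3, max_pdu=4, window_s=60.0):
    """Edge-domain rule: merge N1/N4 records per SUPI and flag churn patterns.

    Returns {supi: [reason, ...]} for terminals that do not behave like a normal
    user; records whose identifier cannot be resolved to a SUPI are skipped.
    """
    per_user = defaultdict(lambda: {"reg": [], "pdu": []})
    for t, _iface, id_type, id_value, msg in records:
        supi = resolve_supi(id_type, id_value)
        if supi is None:
            continue
        if msg in REGISTRATION_MSGS:
            per_user[supi]["reg"].append(t)
        elif msg in PDU_SESSION_MSGS:
            per_user[supi]["pdu"].append(t)
    findings = {}
    for supi, ev in per_user.items():
        reasons = []
        if max_events_in_window(ev["reg"], window_s) > max_reg:
            reasons.append("frequent registration/deregistration")
        if max_events_in_window(ev["pdu"], window_s) > max_pdu:
            reasons.append("frequent PDU session setup/release")
        if reasons:
            findings[supi] = reasons
    return findings


if __name__ == "__main__":
    print("signalling storms:", detect_signalling_storm(RECORDS))
    print("abnormal terminals:", detect_abnormal_terminals(RECORDS))
```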
Further, analyzing and displaying the security situation of the whole network includes:
performing security evaluation and situation analysis and evaluation of network attacks across the whole network;
and presenting the comprehensive security situation, the asset security situation, the slice security situation and the vulnerability security situation.
As shown in fig. 5, the network-level situation awareness system comprises a whole-network security situation analysis and assessment module, a security situation early warning module, a security threat tracing module, an emergency handling module and a visual display module.
The whole-network security situation analysis and assessment module analyzes and evaluates the situation by integrating the security analysis results of each security domain, and the visual display module presents the security situation of a given security domain according to the type, severity, number and the like of the attack events in each domain. The visual display module classifies and presents the comprehensive security situation, the asset security situation, the slice security situation and the vulnerability security situation to facilitate searching and display, and supports merging the analysis results of several security domains according to the different attack types. For example, for the asset security situation, assets are contained in all domains, such as access, bearer, MEC and 5GC, and the attack conditions of all assets can be integrated for unified presentation.
Further, the method further comprises:
performing situation early warning, emergency handling, whole-network event correlation analysis and security threat tracing for security threats that may arise, through the network-level situation awareness system.
The network-level situation awareness system senses the existence of security risks by comprehensively analyzing the dynamic state of the internal and external environment. Taking big data as its core, it identifies, analyzes and handles potential network security threats from an overall perspective; automatically mines the potentially dangerous network data hidden within the network data; analyzes the commonalities and differences between items of potentially dangerous network data by mining them, and on that basis searches for latent patterns among them; and determines whether a network security risk event exists through network data preparation, searching for abnormal network data and summarizing the patterns of abnormal network data. Situation early warning, emergency handling, whole-network event correlation analysis and security threat tracing of the security threat are carried out through the security situation early warning module, the emergency handling module and the security threat tracing module, so that the security of the whole network is ensured.
The embodiment of the disclosure fully considers the architecture, asset organization form and service attributes of the 5G network and provides a three-level network security situation awareness system architecture. Different security situation awareness subsystems perform vulnerability analysis and security detection and analysis on the single-domain assets of their corresponding network security domains, the network-level situation awareness system integrates the analysis results and analyzes and displays the security situation of the whole network, so that network security situation awareness of the whole 5G network is realized and the problem that a general-purpose network security situation awareness system cannot adapt to the operation and maintenance of 5G services is solved.
Fig. 6 is an architecture diagram of a network security situation awareness system according to a second embodiment of the present disclosure. As shown in Fig. 6, the system includes:
an acquisition module 11, configured to acquire the basic analysis data of the network through the information acquisition nodes;
an establishing module 12, configured to establish a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture, and to acquire, for each security situation awareness subsystem, the basic analysis data of the network collected by the information acquisition nodes in the corresponding security domain;
an analysis module 13, configured to perform vulnerability analysis and security detection and analysis, through each security situation awareness subsystem, on the single-domain assets of the network security domain corresponding to that subsystem;
an integration module 14, configured to integrate the analysis results of the respective security situation awareness subsystems through the network-level situation awareness system, and to analyse and present the security situation of the entire network.
Further, the basic analysis data of the network includes:
network asset data of network slices, network elements, virtual machines, physical machines, network equipment, security equipment and the network management system;
processes of the physical machines and virtual machines, open port data of the physical machines and virtual machines, and version information and configuration information of the network equipment and security equipment;
traffic on the Uu interface, the N4 interface and the EMS system traffic interface, or control plane, user plane and management plane traffic of the system;
data of the log system, the vulnerability system and the asset management system.
Further, the security situation awareness subsystems include:
an access security domain situation awareness subsystem, a bearer security domain situation awareness subsystem, an edge security domain situation awareness subsystem, a core security domain situation awareness subsystem and an operation and maintenance security domain situation awareness subsystem.
Further, the vulnerability analysis comprises vulnerability analysis, configuration compliance analysis and weak password analysis;
the network security domains comprise an access security domain, a bearer security domain, an edge security domain, a core security domain and an operation and maintenance security domain;
the security detection and analysis of the access security domain includes: detection and analysis of wireless-side signalling storms and pseudo base stations, and positioning of pseudo signals;
the security detection and analysis of the bearer security domain includes: ARP flooding/spoofing attack detection and analysis, and IP spoofing/malformed message attack detection and analysis;
the security detection and analysis of the edge security domain includes: detection and analysis of traffic attacks, service abnormality attacks, third-party application attacks, MEC platform attacks and abnormal behaviour of industry terminals;
the security detection and analysis of the core security domain includes: detection and analysis of abnormal access and illegal service registration between network elements, network slicing attacks, open interface abnormalities, east-west traffic abnormalities and virtualised platform attacks;
the security detection and analysis of the operation and maintenance security domain includes: detection and analysis of abnormal user behaviour, abnormal login and unauthorised access.
Further, the integration module 14 is specifically configured to:
carrying out security evaluation and situation analysis evaluation on network attacks of the whole network;
and the comprehensive security situation, the asset security situation, the slicing security situation and the vulnerability security situation are presented.
Further, the integration module 14 is further configured to:
and carrying out situation early warning, emergency disposal, whole-network event association analysis and security threat tracing, through the network-level situation awareness system, on the security threats that may arise.
The network security situation awareness system of this embodiment of the present disclosure is used to implement the network security situation awareness method of the first embodiment, so its description here is brief; for details, reference may be made to the related description of the first embodiment, which is not repeated here.
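As an added illustration, not code from the patent, the following Python sketch models the three-level flow described above: basic analysis data tagged by security domain, a per-domain subsystem that runs the three vulnerability-analysis checks (vulnerability, configuration compliance, weak password) on its own assets only, and a network-level integration that rolls the results up into the comprehensive, asset, slice and vulnerability situations. The asset records, compliance baseline, vulnerable-version feed, weak-password list and severity weights are constructed assumptions, and the domain-specific security detections are not modelled.

```python
"""Minimal model of the three-level situation awareness architecture (added example).
All sample data, baselines and severity weights below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DOMAINS = ("access", "bearer", "edge", "core", "om")  # the five security domains

# Constructed sample of the "basic analysis data" reported by collection nodes.
SAMPLE_ASSETS = [
    {"domain": "core", "asset": "smf-01", "slice": "eMBB-1", "type": "vm",
     "open_ports": [22, 8080], "version": "ims-core 2.1",
     "config": {"ssh_root_login": "yes"}, "passwords": ["admin123"]},
    {"domain": "edge", "asset": "mec-07", "slice": "uRLLC-2", "type": "physical",
     "open_ports": [443], "version": "mec-platform 3.4",
     "config": {"ssh_root_login": "no"}, "passwords": ["Xq7!v9#Lm2pR"]},
    {"domain": "om", "asset": "ems-01", "slice": None, "type": "vm",
     "open_ports": [22, 3306], "version": "ems 1.0",
     "config": {"ssh_root_login": "no"}, "passwords": ["password"]},
]
KNOWN_VULN_VERSIONS = {"ims-core 2.1"}          # assumed feed from the vulnerability system
COMPLIANCE_BASELINE = {"ssh_root_login": "no"}  # assumed configuration baseline
WEAK_PASSWORDS = {"admin123", "password", "123456"}  # assumed weak-password dictionary


@dataclass
class Finding:
    domain: str
    asset: str
    slice: Optional[str]
    category: str   # "vulnerability" | "compliance" | "weak_password"
    detail: str
    severity: int   # assumed 1..5 scale


def vulnerability_analysis(asset: dict) -> list:
    """Single-domain vulnerability analysis: vulnerability, compliance, weak password."""
    out = []
    base = (asset["domain"], asset["asset"], asset["slice"])
    if asset["version"] in KNOWN_VULN_VERSIONS:
        out.append(Finding(*base, "vulnerability", f"vulnerable version {asset['version']}", 4))
    for key, expected in COMPLIANCE_BASELINE.items():
        if asset["config"].get(key) != expected:
            out.append(Finding(*base, "compliance", f"{key} deviates from baseline {expected}", 3))
    if any(p in WEAK_PASSWORDS for p in asset["passwords"]):
        out.append(Finding(*base, "weak_password", "account uses a dictionary password", 3))
    return out


def domain_subsystem(domain: str, assets: list) -> list:
    """A security-domain subsystem only analyses the assets collected in its own domain."""
    return [f for a in assets if a["domain"] == domain for f in vulnerability_analysis(a)]


def integrate(findings: list) -> dict:
    """Network-level integration: comprehensive, asset, slice and vulnerability situations."""
    by_asset, by_slice, by_cat = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in findings:
        by_asset[f.asset] += f.severity
        if f.slice:
            by_slice[f.slice] += f.severity
        by_cat[f.category] += 1
    return {"comprehensive": sum(by_asset.values()), "asset": dict(by_asset),
            "slice": dict(by_slice), "vulnerability": dict(by_cat)}


def run(assets: list = SAMPLE_ASSETS) -> dict:
    """Run every domain subsystem, then integrate the results at network level."""
    return integrate([f for d in DOMAINS for f in domain_subsystem(d, assets)])
```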
In addition, as shown in fig. 7, the third embodiment of the present disclosure further provides an electronic device, including a memory 100 and a processor 200, where the memory 100 stores a computer program, and when the processor 200 runs the computer program stored in the memory 100, the processor 200 executes the above possible methods.
The memory 100 is connected to the processor 200, the memory 100 may be a flash memory, a read-only memory, or other memories, and the processor 200 may be a central processing unit or a single chip microcomputer.
Furthermore, embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon a computer program that is executed by a processor to perform the various possible methods described above.
Computer-readable storage media include volatile or non-volatile, removable or non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, computer program modules or other data. Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disc) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
It is to be understood that the above embodiments are merely exemplary embodiments employed to illustrate the principles of the present disclosure, however, the present disclosure is not limited thereto. Various modifications and improvements may be made by those skilled in the art without departing from the spirit and substance of the disclosure, and are also considered to be within the scope of the disclosure.

Claims (7)

1. A network security situation awareness method, the method comprising:
collecting basic analysis data of the network through information collection nodes;
establishing a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture, and acquiring, for each security situation awareness subsystem, the basic analysis data of the network collected by the information collection nodes in the corresponding security domain;
carrying out vulnerability analysis and security detection and analysis, through each security situation awareness subsystem, on the single-domain assets of the network security domain corresponding to that subsystem;
integrating the analysis results of all the security situation awareness subsystems through a network-level situation awareness system, and analysing and displaying the security situation of the whole network;
wherein the basic analysis data of the network comprises:
network asset data of network slices, network elements, virtual machines, physical machines, network equipment, security equipment and the network management system;
processes of the physical machines and virtual machines, open port data of the physical machines and virtual machines, and version information and configuration information of the network equipment and security equipment;
traffic on the Uu interface between the user and the base station, the N4 interface between the session management function SMF and the user plane function UPF, and the system traffic interface of the network element management system EMS, or control plane, user plane and management plane traffic of the system;
data of the log system, the vulnerability system and the asset management system;
and the security situation awareness subsystems include:
an access security domain situation awareness subsystem, a bearer security domain situation awareness subsystem, an edge security domain situation awareness subsystem, a core security domain situation awareness subsystem and an operation and maintenance security domain situation awareness subsystem.
2. The network security situation awareness method of claim 1, wherein
the vulnerability analysis comprises vulnerability analysis, configuration compliance analysis and weak password analysis;
the network security domains comprise an access security domain, a bearer security domain, an edge security domain, a core security domain and an operation and maintenance security domain;
the security detection and analysis of the access security domain includes: detection and analysis of wireless-side signalling storms and pseudo base stations, and positioning of pseudo signals;
the security detection and analysis of the bearer security domain includes: address resolution protocol ARP flooding/spoofing attack detection and analysis, and IP spoofing/malformed message attack detection and analysis;
the security detection and analysis of the edge security domain includes: detection and analysis of traffic attacks, service abnormality attacks, third-party application attacks, mobile edge computing MEC platform attacks and abnormal behaviour of industry terminals;
the security detection and analysis of the core security domain includes: detection and analysis of abnormal access and illegal service registration between network elements, network slicing attacks, open interface abnormalities, east-west traffic abnormalities and virtualised platform attacks;
the security detection and analysis of the operation and maintenance security domain includes: detection and analysis of abnormal user behaviour, abnormal login and unauthorised access.
3. The network security situation awareness method of claim 1, wherein analysing and presenting the security situation of the entire network comprises:
carrying out security evaluation and situation analysis evaluation on the network attacks of the whole network;
and presenting the comprehensive security situation, the asset security situation, the slicing security situation and the vulnerability security situation.
4. The network security situation awareness method according to claim 3, characterised in that the method further comprises:
carrying out situation early warning, emergency disposal, whole-network event association analysis and security threat tracing, through the network-level situation awareness system, on the security threats that may arise.
5. A network security situation awareness system, the system comprising:
an acquisition module, configured to acquire basic analysis data of the network through information acquisition nodes;
an establishing module, configured to establish a plurality of security situation awareness subsystems according to the domain division characteristics of the network architecture, and to acquire, for each security situation awareness subsystem, the basic analysis data of the network collected by the information acquisition nodes in the corresponding security domain;
an analysis module, configured to carry out vulnerability analysis and security detection and analysis, through each security situation awareness subsystem, on the single-domain assets of the network security domain corresponding to that subsystem;
an integration module, configured to integrate the analysis results of all the security situation awareness subsystems through the network-level situation awareness system and to analyse and display the security situation of the whole network;
wherein the basic analysis data of the network comprises:
network asset data of network slices, network elements, virtual machines, physical machines, network equipment, security equipment and the network management system;
processes of the physical machines and virtual machines, open port data of the physical machines and virtual machines, and version information and configuration information of the network equipment and security equipment;
traffic on the Uu interface between the user and the base station, the N4 interface between the session management function SMF and the user plane function UPF, and the system traffic interface of the network element management system EMS, or control plane, user plane and management plane traffic of the system;
data of the log system, the vulnerability system and the asset management system;
and the security situation awareness subsystems include:
an access security domain situation awareness subsystem, a bearer security domain situation awareness subsystem, an edge security domain situation awareness subsystem, a core security domain situation awareness subsystem and an operation and maintenance security domain situation awareness subsystem.
6. An electronic device comprising a memory and a processor, the memory having a computer program stored therein, wherein the processor performs the network security situation awareness method of any one of claims 1-4 when it runs the computer program stored in the memory.
7. A computer-readable storage medium comprising a computer program which, when run on a computer, causes the computer to perform the network security situation awareness method according to any one of claims 1-4.
CN202211128114.5A 2022-09-16 2022-09-16 Network security situation awareness method, system, electronic equipment and storage medium Active CN115567258B (en)
Publications (2)

Publication Number Publication Date
CN115567258A CN115567258A (en) 2023-01-03
CN115567258B true CN115567258B (en) 2024-03-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant