CN115622738A - RBF neural network-based safety emergency disposal system and method - Google Patents


Info

Publication number: CN115622738A
Application number: CN202211140104.3A
Authority: CN (China)
Prior art keywords: network, network security, module, event, emergency
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 付泽远
Current assignee: Inner Mongolia Chengmai Information Technology Co ltd
Original assignee: Inner Mongolia Chengmai Information Technology Co ltd
Application filed by Inner Mongolia Chengmai Information Technology Co ltd
Priority to CN202211140104.3A
Publication of CN115622738A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a security emergency disposal system and emergency disposal method based on an RBF neural network. The system can inspect and analyse both known and unknown network security events and can also give early warning of abnormal behaviour by network users, so that network security events are warned of early, network security risks can be rectified and corrected in time, and the emergency disposal efficiency for network security events is greatly improved. In addition, the RBF neural network has a compact topology, separates the learning of structure and parameters, and converges quickly, so corresponding emergency disposal schemes can be recommended for network security events according to their risk levels; this effectively improves the efficiency and accuracy of emergency disposal scheme recommendation and better meets the emergency disposal requirements of network security events.

Description

RBF neural network-based safety emergency disposal system and method
Technical Field
The invention relates to the technical field of network security, in particular to an RBF neural network-based security emergency disposal system and emergency disposal method.
Background
With the development of the internet and network technology, the scale and application fields of the internet keep growing and its fundamental, global position is steadily strengthened; at the same time, network attacks and destructive behaviour are increasingly common and increasingly show the characteristics of dense organisation, trend-following behaviour and direct targeting. Network security problems are endless: illegal activities such as network intrusion and network attack threaten China's information security, and network attacks aimed at important infrastructure such as energy, electric power and finance ultimately damage that infrastructure and produce adverse social effects. Security events such as computer viruses, network intrusions and attacks bring ever more threats and damage to the network, so a security event early warning system urgently needs to be established and perfected in order to raise the overall level of network security assurance.
However, the prior art still has certain defects: the discussion of network security events mainly covers the analysis link, while the emergency disposal link receives little description. In actual operation, the emergency disposal of a network security event is usually carried out manually and is greatly influenced by personal factors; for example, manual disposal efficiency is unstable and swings between high and low, manual disposal processes are not uniform, they take a long time, the disposal results are inaccurate, and managing the results is inconvenient. The invention therefore provides a security emergency disposal system and emergency disposal method based on an RBF neural network.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides the emergency disposal system and the emergency disposal method for the network security incident, which not only can effectively improve the emergency disposal efficiency of the network security incident, but also can effectively improve the recommendation efficiency and the accuracy of the emergency disposal scheme, thereby solving the problems in the background art.
In order to realize the advantages of effectively improving the emergency disposal efficiency of the network security event and effectively improving the recommendation efficiency and accuracy of the emergency disposal scheme, the invention adopts the following specific technical scheme:
According to one aspect of the invention, an emergency disposal system for network security events is provided; the system comprises a data acquisition module, an event handling module, an event early warning module, a risk assessment module, an emergency scheme recommendation module, an abnormal data protection module, a knowledge database, a security detection tool and a remote assistance module;
the data acquisition module is used for acquiring basic information of network security events;
the event handling module is used for analyzing known or unknown network security events;
the event early warning module is used for early warning the abnormal behavior of the network user based on a deep neural network algorithm;
the risk evaluation module is used for evaluating the risk level of the network security event;
the emergency scheme recommending module is used for recommending a corresponding emergency disposal scheme for the network security event based on a hybrid collaborative filtering recommending algorithm of the RBF neural network;
the abnormal data protection module is used for performing emergency storage on data in the system when a safety accident is detected;
the knowledge database is used for storing system data and expert knowledge data based on network security events;
the security detection tool is used for providing an auxiliary detection tool for the detection of the network security event;
the remote assistance module is used for assisting in handling the network security event by utilizing a remote control technology.
Further, the event handling module comprises a known network security event handling module and an unknown network security event handling module;
the known network security event handling module is used for analyzing the known network security event by utilizing a security detection tool;
the unknown network security event handling module is used for analyzing the unknown network security event by utilizing the security honeypot and the security sandbox.
Further, the event early warning module comprises a user behavior data acquisition module, a network model analysis module and an abnormal behavior feedback module;
the user behavior data acquisition module is used for acquiring behavior characteristic data of the network user;
the network model analysis module is used for analyzing the behavior characteristic data of the network user by utilizing a pre-constructed deep neural network model to obtain the behavior score of the network user;
and the abnormal behavior feedback module is used for feeding back the abnormal behavior with the behavior score lower than a preset threshold value to the network security event analyst.
Further, the network model analysis module analyzes the behavior feature data of the network user by using a pre-constructed deep neural network model to obtain the behavior score of the network user, and comprises the following steps:
mapping the behavior characteristics of the network users into a high-dimensional space, and taking the high-dimensional space as the input of a deep neural network model;
training the deep neural network model parameters by taking the click behavior records of the network users as training samples;
extracting the network user information, calculating the correlation between the user and the user's normal behaviour, obtaining the correlation score between the user and the user behaviour, and ranking;
the relevance score is obtained by calculating the semantic relevance $R(U, V)$ between the user $U$ and the user's normal behaviour data set $V$, with the following formula:
Figure BDA0003853261830000031
In the formula, $y_U$ is the distributed vector of the user information extracted by analysis, $y_V$ is the distributed vector of the analysed normal behaviour data set of the user, $\mathrm{cosine}()$ is the cosine function, $y_U^T$ is the transpose of $y_U$, and $\|\cdot\|$ denotes the norm of a vector.
Further, the deep neural network model is constructed by the following steps:
Let $x$ and $y$ denote the input vector and the output vector respectively, let $h$ denote a hidden layer of the neural network, let $W$ denote a weight matrix of the network and $b$ a bias; then:

$$h_1 = W_1 x + b_1$$

$$h_m = f(W_m h_{m-1} + b_m), \quad m = 2, \ldots, N-1$$

$$y = f(W_N h_{N-1} + b_N)$$

where $m$ is the layer index, $m = 1, 2, \ldots, N-1$, $N$ is a non-zero natural number, $f(x)$ is the activation function, and $\tanh$ is used as the activation function of the hidden layers and the output layer, with the following formula:
Figure BDA0003853261830000041
where $e$ is the base of the natural logarithm.
Further, the risk evaluation module comprises a risk weight setting module and an information security risk comprehensive evaluation module;
the risk weight setting module is used for setting the risk weights of the primary and secondary elements of the network security event;
the information security risk comprehensive evaluation module is used for calculating the comprehensive information security risk level evaluated in the network security event.
Further, the calculation formula of the comprehensive information security risk level is as follows:
Figure BDA0003853261830000042
where $n$ is the number of secondary risk items, $k$ indexes a particular risk, $RR_k$ is the secondary-element weight value and $RW_k$ is the primary-element weight value;
the primary elements comprise network communication safety, personnel safety, physical safety, risk control safety and asset and management safety; the secondary elements comprise encryption measures, access control, personnel resources, safety awareness of operators, equipment safety, environment safety, a safety audit function, anti-hacker intrusion measures, the number of information, the value of the information, information cracking difficulty, key management, personnel management and equipment management.
Further, when the RBF neural network-based hybrid collaborative filtering recommendation algorithm recommends a corresponding emergency disposal scheme for a network security event, the emergency scheme recommendation module performs the following steps:
establishing a scoring matrix of network security events against emergency disposal schemes;
establishing the adjacent network security event set: using a similarity calculation formula, compute the adjacent network security event set $T(U_i)$ of the target event and the adjacent emergency disposal scheme set $T(I_j)$ of the target emergency disposal scheme;
calculating a preliminary recommendation: compute the recommendation score of the target network security event with the RBF neural network-based network security event collaborative filtering recommendation algorithm to obtain a first recommendation score $P'_U(U_i, I_j)$, with the formula:

$$P'_U(U_i, I_j) = \theta_1 P_U(U_i, I_j) + (1 - \theta_1) P_I(U_i, I_j)$$

where $P_U(U_i, I_j)$ is the collaborative filtering recommendation based on network security events, $P_I(U_i, I_j)$ is the collaborative filtering recommendation based on emergency disposal schemes, $\theta_1$ is a first scale factor, $U_i$ is an adjacent network security event of the target event, and $I_j$ is an adjacent emergency disposal scheme of the target emergency disposal scheme;
compute the recommendation score of the target network security event with the RBF neural network-based emergency disposal scheme collaborative filtering recommendation algorithm to obtain a second recommendation score $P'_I(U_i, I_j)$, with the formula:

$$P'_I(U_i, I_j) = \theta_1 P_I(U_i, I_j) + (1 - \theta_1) P_U(U_i, I_j)$$

calculating the balance factor: within the adjacent network security event set $T(U_i)$, compute the balance factor $\mathrm{Bla}_U$ of the target network security event, with the formulas:
Figure BDA0003853261830000051
Figure BDA0003853261830000052
where $T(U)$ is the set of network security events adjacent to the target network security event $U$, $\mathrm{sim}(U_x, U)$ is the similarity between the target network security event $U$ and the network security event $U_x$, $\mathrm{sim}'(U_x, U)$ is the result of the improved similarity calculation formula, $r$ is a threshold factor, $I$ is the target emergency disposal scheme, $I_x$ is an emergency disposal scheme, $|I_x \cap I|$ is the score intersection of the target emergency disposal scheme $I$ and the emergency disposal scheme $I_x$, and $\min$ is the minimum value;
within the adjacent emergency disposal scheme set $T(I_j)$, compute the balance factor $\mathrm{Bla}_I$ of the target emergency disposal scheme, with the formulas:
Figure BDA0003853261830000053
Figure BDA0003853261830000054
where $T(I)$ is the set of emergency disposal schemes adjacent to the target emergency disposal scheme $I$, $\mathrm{sim}(I_x, I)$ is the similarity between the target emergency disposal scheme $I$ and the emergency disposal scheme $I_x$, $\mathrm{sim}'(I_x, I)$ is the result of the improved similarity calculation formula, $|U_x \cap U|$ is the score intersection of the target network security event $U$ and the network security event $U_x$, and $|U_x \cup U|$ is the score union of the target network security event $U$ and the network security event $U_x$;
calculating the scale factor: select a control factor $\eta$ and, combining the balance factor $\mathrm{Bla}_U$ of the target network security event with the balance factor $\mathrm{Bla}_I$ of the target emergency disposal scheme, compute the final scale factor $\theta$ with the formulas:
Figure BDA0003853261830000061
Figure BDA0003853261830000062
calculating the final result: from the first recommendation score $P'_U(U_i, I_j)$, the second recommendation score $P'_I(U_i, I_j)$ and the final scale factor $\theta$, compute the recommendation score of the target network security event, with the formula:
Figure BDA0003853261830000063
and recommend a corresponding emergency disposal scheme for the target network security event based on its recommendation score.
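As an added example, not code from the patent or its applicant, the following Python builds the scoring matrix, the adjacent sets $T(U_i)$ and $T(I_j)$, and the two blends $P'_U$ and $P'_I$ stated above. The page gives the blending formulas but not the underlying predictors $P_U$, $P_I$ or the similarity formula, so this code assumes plain cosine similarity and similarity-weighted neighbour averages (ordinary user-based and item-based collaborative filtering); the RBF network, the balance factors and the final scale factor $\theta$, whose formulas are not printed on the page, are not reproduced. All scores in the matrix are constructed.

```python
import math

# Added example, not from the patent. Constructed scoring matrix: rows are network
# security events, columns are emergency disposal schemes, 0.0 means "not scored".
EVENTS = ["E1", "E2", "E3"]
SCHEMES = ["S1", "S2", "S3"]
SCORES = {
    "E1": [5.0, 4.0, 0.0],   # E1 has not yet been scored against S3: the target cell
    "E2": [5.0, 4.0, 3.0],
    "E3": [1.0, 1.0, 5.0],
}

def cosine(a, b):
    """Assumed similarity formula (the page's sim() is not printed): cosine of two score vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0.0 or nb == 0.0 else dot / (na * nb)

def column(scheme):
    """Score vector of one scheme across all events."""
    j = SCHEMES.index(scheme)
    return [SCORES[e][j] for e in EVENTS]

def score_overlap(u, v):
    """|U_x ∩ U| and |U_x ∪ U|: number of schemes scored by both events, and by either."""
    both = sum(1 for x, y in zip(SCORES[u], SCORES[v]) if x > 0 and y > 0)
    either = sum(1 for x, y in zip(SCORES[u], SCORES[v]) if x > 0 or y > 0)
    return both, either

def adjacent_events(target, scheme, k):
    """T(U_i): the k events most similar to `target` that have scored `scheme`."""
    j = SCHEMES.index(scheme)
    cands = [(cosine(SCORES[target], SCORES[e]), e) for e in EVENTS
             if e != target and SCORES[e][j] > 0]
    return sorted(cands, reverse=True)[:k]

def adjacent_schemes(target, event, k):
    """T(I_j): the k schemes most similar to `target` that `event` has scored."""
    cands = [(cosine(column(target), column(s)), s) for s in SCHEMES
             if s != target and SCORES[event][SCHEMES.index(s)] > 0]
    return sorted(cands, reverse=True)[:k]

def p_u(event, scheme, k=2):
    """P_U(U_i, I_j), assumed form: similarity-weighted average of neighbouring events' scores on the scheme."""
    j = SCHEMES.index(scheme)
    nbrs = adjacent_events(event, scheme, k)
    wsum = sum(s for s, _ in nbrs)
    return 0.0 if wsum == 0.0 else sum(s * SCORES[e][j] for s, e in nbrs) / wsum

def p_i(event, scheme, k=2):
    """P_I(U_i, I_j), assumed form: similarity-weighted average of the event's scores on neighbouring schemes."""
    nbrs = adjacent_schemes(scheme, event, k)
    wsum = sum(s for s, _ in nbrs)
    return 0.0 if wsum == 0.0 else sum(s * SCORES[event][SCHEMES.index(n)] for s, n in nbrs) / wsum

def first_and_second_scores(event, scheme, theta1, k=2):
    """The page's two blends: P'_U = θ1·P_U + (1-θ1)·P_I and P'_I = θ1·P_I + (1-θ1)·P_U."""
    pu, pi = p_u(event, scheme, k), p_i(event, scheme, k)
    return theta1 * pu + (1 - theta1) * pi, theta1 * pi + (1 - theta1) * pu

if __name__ == "__main__":
    print("T(U_E1) for S3:", adjacent_events("E1", "S3", 2))
    print("T(I_S3) for E1:", adjacent_schemes("S3", "E1", 2))
    print("|E1 ∩ E2|, |E1 ∪ E2| =", score_overlap("E1", "E2"))
    print("P'_U, P'_I for (E1, S3) with θ1 = 0.6:", first_and_second_scores("E1", "S3", 0.6))
```

With k = 1 the most similar neighbour is E2 on the event side (score 3 on S3) and S2 on the scheme side (E1 scored it 4), so the two blends with $\theta_1 = 0.6$ come out as 3.4 and 3.6; with k = 2 the less similar neighbours E3 and S1 pull the predictions towards their higher scores.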
Further, the security detection tool comprises a vulnerability verification tool for verifying whether a vulnerability exists in the target object and a virus and web-Trojan detection tool for detecting whether the target object contains a backdoor; the security detection tool further comprises a log analysis tool, a log splitting tool and a file recovery tool.
According to another aspect of the invention, a method for the emergency handling of network security events is provided, comprising the following steps:
S1. acquire the basic information of the network security event, namely website source code, operating system logs, website web access logs and middleware logs, with the data acquisition module;
S2. inspect and analyse known or unknown network security events with the event handling module to obtain the corresponding clue tree and attacker information;
S3. the event early warning module gives early warning of abnormal behaviour by network users using a deep neural network algorithm;
S4. confirm the analysis result of S2 and the early warning result of S3 against the knowledge database; if the result is confirmed correct, proceed to S5, otherwise return to S2;
S5. evaluate the risk level of the detected network security event with the risk assessment module;
S6. the emergency scheme recommendation module recommends a corresponding emergency disposal scheme for the network security event according to its risk level, using the RBF neural network hybrid collaborative filtering recommendation algorithm.
The invention has the beneficial effects that:
1) By providing an event handling module and an event early warning module, known or unknown network security events can be inspected and analysed by the event handling module, and early warning of abnormal behaviour by network users can be given by the event early warning module using a deep neural network algorithm; the abnormal behaviour is fed back to the network security event analyst, which gives early warning of network security events, makes it convenient to rectify and correct network security risks in time, greatly reduces the leak-detection and rectification work of emergency disposal, and greatly improves the emergency disposal efficiency for network security events.
2) By providing a risk assessment module and an emergency scheme recommendation module, the risk level of a network security event can be evaluated by the risk assessment module, and a corresponding emergency disposal scheme can be recommended for the network security event by the emergency scheme recommendation module using the RBF neural network hybrid collaborative filtering recommendation algorithm.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a block diagram of an emergency handling system for network security events according to an embodiment of the present invention.
In the figure:
1. a data acquisition module; 3. an event handling module; 31. a known network security event handling module; 32. an unknown network security event handling module; 2. an event early warning module; 21. a user behavior data acquisition module; 22. a network model analysis module; 23. an abnormal behavior feedback module; 4. a risk assessment module; 41. a risk weight setting module; 42. an information security risk comprehensive evaluation module; 5. an emergency plan recommendation module; 6. an abnormal data protection module; 7. a knowledge database; 8. a safety detection tool; 9. and a remote assistance module.
Detailed Description
For further explanation of the various embodiments, the drawings which form a part of the disclosure and which are incorporated in and constitute a part of this specification, illustrate embodiments and, together with the description, serve to explain the principles of operation of the embodiments, and to enable others of ordinary skill in the art to understand the various embodiments and advantages of the invention, and, by reference to these figures, reference is made to the accompanying drawings, which are not to scale and wherein like reference numerals generally refer to like elements.
According to the embodiment of the invention, an emergency disposal system and an emergency disposal method for network security events are provided.
Referring to the drawings and the detailed description, as shown in fig. 1, according to an embodiment of the present invention there is provided an RBF neural network-based security emergency disposal system, which includes a data acquisition module 1, an event handling module 3, an event early warning module 2, a risk assessment module 4, an emergency scheme recommendation module 5, an abnormal data protection module 6, a knowledge database 7, a security detection tool 8 and a remote assistance module 9;
the data acquisition module 1 is used for acquiring basic information of network security events;
the data acquisition module is used for acquiring information including website source codes, operating system logs, website web access logs, middleware logs and the like.
Data acquisition and analysis of network security events mainly uses two methods, centralised acquisition and distributed acquisition. Data acquisition is the basis of data analysis and processing; during storage the data needs to be converted into unstructured data according to the requirements of the big data platform, and a suitable storage architecture that meets the storage requirements needs to be chosen from a cost perspective, for example a distributed storage architecture based on inexpensive PC servers and large-capacity SATA hard disks.
After the network security data has been collected and before big data analysis, it must be processed, which includes importing, summarising and sorting the network security data. Data import mainly comprises manually entered data, static data links and dynamic data links on the website; summarising and sorting of the data uses Extract-Transform-Load (ETL) tools, and the target data is extracted into the knowledge database according to the defined association rules.
The event handling module 3 is used for analyzing known or unknown network security events;
wherein the event handling module 3 comprises a known network security event handling module 31 and an unknown network security event handling module 32;
the known network security event handling module 31 is configured to analyze a known network security event using a security detection tool;
the unknown network security event handling module 32 is configured to analyze the unknown network security event by using a security honeypot and a security sandbox;
Specifically, a known security event is a security event that the network security device extracts through its security event analysis model after preprocessing the collected logs of the monitored object and the collected security events and normalising their data format, which detects part of the attack information; security data whose attack information the network security device cannot detect is, after the same preprocessing and data format normalisation, fed into the security honeypot and security sandbox for detection in order to extract unknown security events.
The security honeypot and security sandbox extract unknown security events as follows: first, the security honeypot collects suspected threat samples and their threat information, which includes the attack source IP, the protocol and port number used, attack characteristics, domain names and vulnerability information; then the threat samples collected by the security honeypot are imported into the security sandbox, which detects and tests them. The security sandbox detects and tests viruses, untrusted applications, untrusted documents and untrusted internet access behaviour by intercepting system calls and monitoring program behaviour, thereby obtaining the unknown security events together with their attack attributes, propagation behaviour characteristics and attack paths.
The event early warning module 2 is used for early warning the abnormal behavior of the network user based on a deep neural network algorithm;
the event early warning module 2 comprises a user behavior data acquisition module 21, a network model analysis module 22 and an abnormal behavior feedback module 23;
the user behavior data acquiring module 21 is configured to acquire behavior feature data of a network user;
the network model analysis module 22 is configured to analyze the behavior feature data of the network user by using a pre-constructed deep neural network model to obtain a behavior score of the network user;
specifically, the network model analysis module 22 analyzes the behavior feature data of the network user by using the pre-constructed deep neural network model to obtain the behavior score of the network user, and includes the following steps:
mapping the behavior characteristics of the network users into a high-dimensional space, and taking the high-dimensional space as the input of a deep neural network model;
specifically, the deep neural network model is constructed by the following steps:
Let $x$ and $y$ denote the input vector and the output vector respectively, let $h$ denote a hidden layer of the neural network, let $W$ denote a weight matrix of the network and $b$ a bias; then:

$$h_1 = W_1 x + b_1$$

$$h_m = f(W_m h_{m-1} + b_m), \quad m = 2, \ldots, N-1$$

$$y = f(W_N h_{N-1} + b_N)$$

where $m$ is the layer index, $m = 1, 2, \ldots, N-1$, $N$ is a non-zero natural number, $f(x)$ is the activation function, and $\tanh$ is used as the activation function of the hidden layers and the output layer, with the following formula:
Figure BDA0003853261830000101
where $e$ is the base of the natural logarithm.
Training the deep neural network model parameters by taking the click behavior records of the network users as training samples;
Extracting the network user information, calculating the correlation between the user and the user's normal behaviour, obtaining the correlation score between the user and the user behaviour, and ranking;
the relevance score is obtained by calculating the semantic relevance $R(U, V)$ between the user $U$ and the user's normal behaviour data set $V$, with the following formula:
Figure BDA0003853261830000102
In the formula, $y_U$ is the distributed vector of the user information extracted by analysis, $y_V$ is the distributed vector of the analysed normal behaviour data set of the user, $\mathrm{cosine}()$ is the cosine function, $y_U^T$ is the transpose of $y_U$, and $\|\cdot\|$ denotes the norm of a vector.
In addition, in this embodiment, the analysis of the behavior feature data of the network user may also be implemented by using a clustering algorithm, an Adam algorithm, a collaborative filtering algorithm based on content, and the like.
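As an added example, not code from the patent or its applicant, the following Python implements the layered network described above (first layer linear, later layers tanh), the cosine relevance score $R(U, V)$, and the threshold comparison that the abnormal behaviour feedback module applies; it serves both the summary in the disclosure section and the embodiment here. The weights, biases, feature vectors and threshold are constructed for illustration, and the training step on click behaviour records is not reproduced.

```python
import math

# Added example (not code from the patent): the layered network of the description
# (first layer linear, later layers tanh), the cosine relevance score R(U, V), and
# the threshold comparison of the abnormal-behaviour feedback module. All weights,
# biases and feature vectors are constructed; the patent's training step on click
# behaviour records is not reproduced.

def matvec(W, v):
    """Matrix-vector product on plain lists (no numpy needed)."""
    return [sum(w * x for w, x in zip(row, v)) for row in W]

def forward(x, weights, biases):
    """h_1 = W_1 x + b_1;  h_m = tanh(W_m h_{m-1} + b_m), m = 2..N-1;  y = tanh(W_N h_{N-1} + b_N)."""
    h = [a + b for a, b in zip(matvec(weights[0], x), biases[0])]   # layer 1: linear
    for W, b in zip(weights[1:], biases[1:]):                        # layers 2..N: tanh
        h = [math.tanh(a + c) for a, c in zip(matvec(W, h), b)]
    return h

def relevance(y_u, y_v):
    """R(U, V) = y_U^T y_V / (||y_U|| ||y_V||): cosine of the two distributed vectors."""
    dot = sum(a * b for a, b in zip(y_u, y_v))
    norm_u = math.sqrt(sum(a * a for a in y_u))
    norm_v = math.sqrt(sum(b * b for b in y_v))
    if norm_u == 0.0 or norm_v == 0.0:
        return 0.0   # an all-zero embedding gives no evidence of normal behaviour: score it 0
    return dot / (norm_u * norm_v)

# Constructed 3-input network with N = 3 weight matrices (2 hidden units, 2 outputs).
WEIGHTS = [
    [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0]],   # W_1 (2 x 3)
    [[1.0, 0.0], [0.0, 1.0]],             # W_2 (2 x 2)
    [[1.0, 0.0], [0.0, 1.0]],             # W_3 (2 x 2)
]
BIASES = [[0.0, 0.0], [0.0, 0.0], [0.0, 0.0]]

def score_users(user_features, normal_features, threshold, weights=WEIGHTS, biases=BIASES):
    """Embed the normal-behaviour data set V and every user U, score each user by
    R(U, V), rank by score and flag those below `threshold`, which is what the
    abnormal-behaviour feedback module reports to the analyst.
    Returns a list of (user, score, flagged) sorted from most to least normal."""
    y_v = forward(normal_features, weights, biases)
    rows = []
    for name, feats in user_features.items():
        score = relevance(forward(feats, weights, biases), y_v)
        rows.append((name, score, score < threshold))
    rows.sort(key=lambda t: t[1], reverse=True)
    return rows

if __name__ == "__main__":
    # Constructed behaviour feature vectors (e.g. normalised counts of page views,
    # failed logins, off-hours requests); the third feature is ignored by W_1 above.
    users = {"alice": [1.0, 0.0, 0.0], "bob": [0.0, 1.0, 0.0], "carol": [1.0, 1.0, 0.0]}
    normal = [1.0, 0.0, 0.0]
    for name, score, flagged in score_users(users, normal, threshold=0.5):
        status = "ABNORMAL -> feed back to analyst" if flagged else "ok"
        print(f"{name:6s} score={score:.4f} {status}")
```

Because every later layer applies $\tanh$ element-wise and the constructed weights are identity-like, a user whose features match the normal profile scores exactly 1, a user active only on a feature the profile never shows scores 0 and is fed back as abnormal, and a mixed user lands in between; with trained weights the same ranking-and-threshold step applies to the learned embeddings.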
The abnormal behavior feedback module 23 is configured to feed back, to a network security event analyst, an abnormal behavior whose behavior score is lower than a preset threshold;
the risk assessment module 4 is used for assessing the risk level of the network security event;
the risk evaluation module 4 comprises a risk weight setting module 41 and an information security risk comprehensive evaluation module 42;
the risk weight setting module 41 is configured to set the risk weights of the primary and secondary elements of the network security event;
The traditional weight-setting method uses the Borda ordinal value method to quantitatively rank the evaluation elements by importance, then builds an AHP judgement matrix based on the AHP weight determination and calculates the weights to obtain the weight value $RW$ of each risk item. This embodiment improves on that, because the risk elements can be divided into several major items, yet within each major item the risk elements can be further subdivided, and determining risk weights only for the major risk elements can seriously affect the accuracy of the evaluation. The improved method of this embodiment is as follows: first calculate the risk weights of the several major risk elements in the above manner; then decompose each major item into specific minor items; then analyse the importance of the minor items by expert evaluation using a fuzzy complementary judgement matrix, multiply the resulting values by the weight of their major item to obtain the new weight of each minor item, and normalise; finally obtain the comprehensive information security risk level of the evaluated organisation. The specific method is described below.
Calculation of risk weights for major elements:
1. Obtain the sequence value of each major element by the Borda count (sequence value) method and establish a comprehensive judgment matrix A;
2. Determine the weight of each major risk element by the root (geometric-mean) method of the analytic hierarchy process, as follows:
a. Multiplying the entries of each row gives $A_1=[a_1,a_2,\dots,a_n]$, where $n$ is an integer denoting the number of major risk elements;
b. Taking the $n$-th root of each entry of $A_1$ gives $A_2=[a_1',a_2',\dots,a_n']$;
c. Normalizing $A_2$ gives $A_3=[a_1'',a_2'',\dots,a_n'']$, the weight values of the major elements;
The importance of the minor elements is analysed with the fuzzy complementary judgment matrix as follows:
Several expert fuzzy complementary judgment matrices are established according to the requirements for such matrices given in the theoretical background. The experts agree through internal discussion on expert weights summing to 1, and the matrices are weighted and summed with these weights to obtain a single final expert fuzzy complementary judgment matrix. On the basis of this matrix, the importance of the first element is set to 1 and the importance value of each minor element is read from the matrix; each importance value is multiplied by the weight of the corresponding major element to obtain a set of new weight comparison values, which are then normalised to obtain the weights of the minor elements.
After the final expert fuzzy complementary judgment matrix is obtained, it is judged according to the properties of a consistent fuzzy complementary matrix whether it is consistent and passes the consistency check; if not, it is fine-tuned on the basis of the existing matrix.
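As an added illustration of the two-level weighting procedure above (this code is not from the patent), the following Python computes the major-element weights by the AHP root method, merges several experts' fuzzy complementary matrices by their expert weights, checks consistency, and derives the normalised minor-element weights. The judgment matrices are constructed, and the row-sum priority formula used to read importance values out of the merged matrix is an assumption, since the page does not show one.

```python
"""Two-level risk weighting for the risk weight setting module.

Added example, not code from the patent. Judgment matrices are constructed;
the major-element matrix is a positive reciprocal AHP matrix, the minor-element
matrices are fuzzy complementary matrices (r_ij + r_ji = 1), and the priority
formula used to read importance values out of the merged matrix is an assumed
standard one, not shown on the page.
"""
from math import prod


def ahp_root_weights(A):
    """Root (geometric-mean) method of AHP: row product, n-th root, normalise."""
    n = len(A)
    a1 = [prod(row) for row in A]          # A_1 = [a_1, ..., a_n]
    a2 = [v ** (1.0 / n) for v in a1]      # A_2 = [a_1', ..., a_n']: n-th roots
    total = sum(a2)
    return [v / total for v in a2]         # A_3: normalised major-element weights


def merge_expert_matrices(matrices, expert_weights):
    """Weighted sum of each expert's fuzzy complementary matrix (expert weights sum to 1)."""
    if abs(sum(expert_weights) - 1.0) > 1e-9:
        raise ValueError("expert weights must sum to 1")
    n = len(matrices[0])
    return [[sum(w * M[i][j] for M, w in zip(matrices, expert_weights))
             for j in range(n)] for i in range(n)]


def is_consistent_fuzzy_complementary(R, tol=1e-6):
    """Consistency check (assumed standard property): complementary, r_ij + r_ji = 1,
    and additively consistent, r_ij = r_ik - r_jk + 0.5 for every i, j, k."""
    n = len(R)
    for i in range(n):
        for j in range(n):
            if abs(R[i][j] + R[j][i] - 1.0) > tol:
                return False
            for k in range(n):
                if abs(R[i][j] - (R[i][k] - R[j][k] + 0.5)) > tol:
                    return False
    return True


def importance_values(R):
    """Importance of each minor element with the first element fixed to 1.
    Assumed priority formula: w_i = (sum_j r_ij + n/2 - 1) / (n(n-1)); importance_i = w_i / w_1."""
    n = len(R)
    w = [(sum(row) + n / 2 - 1) / (n * (n - 1)) for row in R]
    return [wi / w[0] for wi in w]


def minor_weights(major_weights, R, parent_of):
    """New minor weight = importance x weight of the parent major element, then normalised.
    parent_of[k] is the index of the major element that minor element k belongs to."""
    imp = importance_values(R)
    raw = [imp[k] * major_weights[parent_of[k]] for k in range(len(R))]
    total = sum(raw)
    return [v / total for v in raw]


def two_level_weights(A, expert_matrices, expert_weights, parent_of):
    """Full procedure: major weights by AHP root method, merged expert matrix,
    consistency check, then minor weights. Returns (major, minor) weight lists."""
    major = ahp_root_weights(A)
    R = merge_expert_matrices(expert_matrices, expert_weights)
    if not is_consistent_fuzzy_complementary(R):
        raise ValueError("merged expert matrix fails the consistency check; fine-tune it")
    return major, minor_weights(major, R, parent_of)


# Constructed inputs: three major elements, three minor elements, two experts.
MAJOR_A = [[1.0, 2.0, 4.0], [0.5, 1.0, 2.0], [0.25, 0.5, 1.0]]
EXPERT_1 = [[0.5, 0.6, 0.7], [0.4, 0.5, 0.6], [0.3, 0.4, 0.5]]
EXPERT_2 = [[0.5, 0.7, 0.9], [0.3, 0.5, 0.7], [0.1, 0.3, 0.5]]
EXPERT_WEIGHTS = [0.6, 0.4]
PARENT_OF = [0, 0, 1]   # minors 1 and 2 belong to major 1, minor 3 to major 2

if __name__ == "__main__":
    major, minor = two_level_weights(MAJOR_A, [EXPERT_1, EXPERT_2], EXPERT_WEIGHTS, PARENT_OF)
    print("major weights:", [round(v, 4) for v in major])
    print("minor weights:", [round(v, 4) for v in minor])
```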
The information security risk comprehensive assessment module 42 is configured to calculate a comprehensive information security risk level evaluated in the network security event.
Specifically, the calculation formula of the comprehensive information security risk level is as follows:
Figure BDA0003853261830000121
where $n$ represents the number of secondary risk items, $k$ indexes a particular risk, $RR_k$ represents the weight value of the secondary (minor) element, and $RW_k$ represents the weight value of the corresponding first-level (major) element;
the major elements comprise network communication safety, personnel safety, physical safety, risk control safety and asset and management safety; the small elements comprise encryption measures, access control, personnel resources, safety awareness of operators, equipment safety, environment safety, a safety audit function, anti-hacker invasion measures, information quantity, information value, information cracking difficulty, key management, personnel management and equipment management.
The emergency scheme recommending module 5 is used for recommending a corresponding emergency disposal scheme for the network security event based on a hybrid collaborative filtering recommending algorithm of the RBF neural network;
Collaborative filtering recommendation based on network security events has the capability of cross-type recommendation, but it requires the scoring data to be dense for the recommendation result to be accurate. Collaborative filtering recommendation based on emergency disposal schemes greatly relieves the problem of sparse scoring data, but its degree of personalization is low. To combine the advantages of the two algorithms and improve recommendation precision, the score prediction of the event-based collaborative filtering algorithm and the score prediction of the scheme-based collaborative filtering algorithm are weighted with a scale factor to obtain the final score of the target emergency disposal scheme for the target network security event. The network security event-emergency disposal scheme hybrid collaborative filtering algorithm thus accounts for the joint influence of the network security event and the emergency disposal scheme, making the prediction result more comprehensive.
The emergency scheme recommending module 5, when recommending a corresponding emergency disposal scheme for a network security event based on a hybrid collaborative filtering recommending algorithm of an RBF neural network, includes the following steps:
establishing a scoring matrix of a network security event-emergency disposal scheme;
establishing the neighbour sets: using a similarity calculation formula, calculate the set $T(U_i)$ of network security events neighbouring the target event and the set $T(I_j)$ of emergency disposal schemes neighbouring the target emergency disposal scheme;
calculating a preliminary recommendation result: calculate the recommendation score of the target network security event with the network security event collaborative filtering recommendation algorithm based on the RBF neural network to obtain a first recommendation score $P'_U(U_i,I_j)$, given by:
$P'_U(U_i,I_j)=\theta_1 P_U(U_i,I_j)+(1-\theta_1)\,P_I(U_i,I_j)$
where $P_U(U_i,I_j)$ is the collaborative filtering recommendation based on network security events, $P_I(U_i,I_j)$ is the collaborative filtering recommendation based on emergency disposal schemes, $\theta_1$ is a scale factor, $U_i$ is a network security event neighbouring the target event, and $I_j$ is an emergency disposal scheme neighbouring the target scheme. The scale factors $\theta_1$ and $(1-\theta_1)$ are the balance factors of the event-based and the scheme-based collaborative filtering results respectively, and they sum to 1, so the following relationships hold:
when $\theta_1=1$, the recommendation follows the collaborative filtering algorithm based on network security events alone;
when $\theta_1=0$, the recommendation follows the collaborative filtering algorithm based on emergency disposal schemes alone;
when $\theta_1$ takes an intermediate value in $[0,1]$, the collaborative filtering result based on network security events and the collaborative filtering result based on emergency disposal schemes are mixed;
calculate the recommendation score of the target network security event with the emergency disposal scheme collaborative filtering recommendation algorithm based on the RBF neural network to obtain a second recommendation score $P'_I(U_i,I_j)$, given by:
$P'_I(U_i,I_j)=\theta_1 P_I(U_i,I_j)+(1-\theta_1)\,P_U(U_i,I_j)$;
calculating the balance factors: within the neighbouring network security event set $T(U_i)$, calculate the balance factor $Bla_U$ of the target network security event as follows:
Figure BDA0003853261830000141
Figure BDA0003853261830000142
where $T(U)$ is the set of network security events neighbouring the target network security event $U$, $\mathrm{sim}(U_x,U)$ is the similarity between the target event $U$ and event $U_x$, $\mathrm{sim}'(U_x,U)$ is the result of the improved similarity calculation formula, $r$ is a threshold factor, $I$ is the target emergency disposal scheme, $I_x$ is an emergency disposal scheme, $|I_x\cap I|$ is the score intersection of the target scheme $I$ and scheme $I_x$, and $\min$ denotes the minimum value of the score intersection;
within the neighbouring emergency disposal scheme set $T(I_j)$, calculate the balance factor $Bla_I$ of the target emergency disposal scheme as follows:
Figure BDA0003853261830000143
Figure BDA0003853261830000144
where $T(I)$ is the set of emergency disposal schemes neighbouring the target scheme $I$, $\mathrm{sim}(I_x,I)$ is the similarity between the target scheme $I$ and scheme $I_x$, $\mathrm{sim}'(I_x,I)$ is the result of the improved similarity calculation formula, $|U_x\cap U|$ is the score intersection of the target event $U$ and event $U_x$, and $|U_x\cup U|$ is their score union;
calculating the scale factor: select a control factor $\eta$ and, combining the balance factor $Bla_U$ of the target network security event with the balance factor $Bla_I$ of the target emergency disposal scheme, calculate the final scale factor $\theta$ as follows:
Figure BDA0003853261830000151
Figure BDA0003853261830000152
From the formula, when the neighbour set of the target network security event is empty, the event-related balance factor is $Bla_U=0$, the final scale factor is $\theta=0$, and the prediction follows the collaborative filtering algorithm based on emergency disposal schemes alone; similarly, when the neighbour set of the target emergency disposal scheme is empty, $Bla_I=0$ and the prediction follows the collaborative filtering algorithm based on network security events alone; when neither neighbour set is empty, the event-related balance factor and the scheme-related balance factor are compared in size, and the control factor $\eta$ is adjusted manually to control which collaborative filtering algorithm dominates the prediction;
calculating the final result: from the first recommendation score $P'_U(U_i,I_j)$, the second recommendation score $P'_I(U_i,I_j)$ and the final scale factor $\theta$, the recommendation score of the target network security event is calculated as follows:
Figure BDA0003853261830000153
and recommending a corresponding emergency disposal scheme for the target network security event based on the recommended score of the target network security event.
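The following Python is an added example (not the patent's own code) of the hybrid event-scheme collaborative filtering steps whose formulas appear above: the scoring matrix, the neighbour sets $T(U_i)$ and $T(I_j)$, the two base predictions $P_U$ and $P_I$, the two first-stage blends with the scale factor $\theta_1$, and the empty-neighbour rule for the final scale factor $\theta$. The scoring matrix, threshold and cosine similarity are constructed; because the improved similarity formula, the balance factors and the final combination formula are shown only as figures on the page, the final step assumes a linear blend, with $\theta$ supplied by hand as the control value whenever both neighbour sets are non-empty.

```python
"""Hybrid event-scheme collaborative filtering with a scale factor.

Added example, not code from the patent. The scoring matrix, the neighbour
threshold and the similarity measure (cosine over co-scored entries) are
constructed; the page's improved similarity formula, balance factors and final
blending formula are not shown, so the final step assumes the same linear
blend as the first stage, with the scale factor theta set by the stated
empty-neighbour rule and otherwise supplied by hand as the control value.
"""
import math

# Constructed scoring matrix: rows are network security events U_i, columns are
# emergency disposal schemes I_j; 0 means the scheme was not scored for that event.
SCORES = {
    "U1": {"I1": 5, "I2": 3, "I3": 0, "I4": 1},
    "U2": {"I1": 4, "I2": 0, "I3": 0, "I4": 1},
    "U3": {"I1": 1, "I2": 1, "I3": 0, "I4": 5},
    "U4": {"I1": 1, "I2": 0, "I3": 5, "I4": 4},
}


def cosine(a, b):
    """Cosine similarity restricted to the entries both vectors have scored."""
    common = [k for k in a if a[k] and b.get(k)]
    if not common:
        return 0.0
    dot = sum(a[k] * b[k] for k in common)
    na = math.sqrt(sum(a[k] ** 2 for k in common))
    nb = math.sqrt(sum(b[k] ** 2 for k in common))
    return dot / (na * nb)


def transpose(scores):
    """Scheme vectors: each scheme I_j as a vector of event scores."""
    out = {}
    for u, row in scores.items():
        for i, r in row.items():
            out.setdefault(i, {})[u] = r
    return out


def neighbours(target, vectors, threshold):
    """T(target): the other vectors whose similarity reaches the threshold factor r."""
    nbrs = {}
    for x in vectors:
        if x != target:
            s = cosine(vectors[target], vectors[x])
            if s >= threshold:
                nbrs[x] = s
    return nbrs


def neighbour_prediction(nbrs, vectors, key):
    """Similarity-weighted average of the neighbours' scores for `key` (0 if none scored it)."""
    num = sum(s * vectors[x][key] for x, s in nbrs.items() if vectors[x].get(key))
    den = sum(s for x, s in nbrs.items() if vectors[x].get(key))
    return num / den if den else 0.0


def hybrid_recommendation(scores, u, i, theta1, theta, threshold=0.5):
    """Returns P_U, P_I, the two first-stage blends P'_U and P'_I, the effective
    final scale factor theta and the final score for target event u and scheme i."""
    events, schemes = scores, transpose(scores)
    t_u = neighbours(u, events, threshold)           # T(U_i)
    t_i = neighbours(i, schemes, threshold)          # T(I_j)
    p_u = neighbour_prediction(t_u, events, i)       # P_U(U_i, I_j): event-based CF
    p_i = neighbour_prediction(t_i, schemes, u)      # P_I(U_i, I_j): scheme-based CF
    p_u_prime = theta1 * p_u + (1 - theta1) * p_i    # first recommendation score
    p_i_prime = theta1 * p_i + (1 - theta1) * p_u    # second recommendation score
    # Stated rule: empty event neighbour set -> theta = 0 (scheme-based CF only);
    # empty scheme neighbour set -> event-based CF only; otherwise the supplied
    # control value stands in for the page's balance-factor formula (not shown).
    if not t_u:
        theta = 0.0
    elif not t_i:
        theta = 1.0
    final = theta * p_u_prime + (1 - theta) * p_i_prime   # assumed linear final blend
    return {"P_U": p_u, "P_I": p_i, "P'_U": p_u_prime, "P'_I": p_i_prime,
            "theta": theta, "score": final}


if __name__ == "__main__":
    print(hybrid_recommendation(SCORES, "U2", "I2", theta1=0.8, theta=0.8))
```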
The abnormal data protection module 6 is used for performing emergency storage on data in the system when a safety accident is detected;
the knowledge database 7 is used for storing system data and expert knowledge data based on network security events;
the security detection tool 8 is used for providing an auxiliary detection tool for the detection of network security events;
The security detection tool 8 comprises a vulnerability verification tool for verifying whether vulnerabilities exist on the target object and a virus/Trojan detection tool for detecting whether a backdoor exists on the target object; the security detection tool 8 further comprises a log analysis tool, a log segmentation tool and a file recovery tool.
Specifically, the vulnerability verification tools comprise a system vulnerability verification tool, a website vulnerability verification tool, a database vulnerability verification tool and an SQL injection verification tool; the virus/Trojan detection tools comprise a virus detection tool, a Trojan detection tool, a malicious code detection tool, a log analysis tool, a log segmentation tool, a file recovery tool and the like. The vulnerability verification tools and virus/Trojan detection tools in this embodiment are auxiliary tools conventionally used in the field and can be chosen by a person skilled in the art according to requirements.
The remote assistance module 9 is used to assist in handling network security events using remote manipulation techniques.
According to another embodiment of the present invention, there is provided a method for emergency handling of network security events, the method including the steps of:
S1, acquiring basic information of a website source code, an operating system log, a website web access log and a middleware log of a network security event by using a data acquisition module;
S2, checking and analyzing known or unknown network security events through the event handling module to obtain corresponding clue trees and attacker information;
S3, the event early warning module carries out early warning on the abnormal behaviors of the network users by using a deep neural network algorithm;
S4, confirming the analysis result of S2 and the early warning result of S3 by using a knowledge database, if the result is confirmed to be correct, executing S5, and if the result is not confirmed to be correct, returning to S2;
S5, carrying out risk grade evaluation on the detected network security event through a risk evaluation module;
and S6, the emergency scheme recommending module recommends a corresponding emergency disposal scheme for the network security event according to the risk level by using a hybrid collaborative filtering recommending algorithm of the RBF neural network.
In summary, according to the technical scheme of the present invention, by providing the event handling module and the event early warning module, known or unknown network security events can be checked and analysed by the event handling module, and abnormal behaviour of network users can be given early warning by the event early warning module on the basis of the deep neural network algorithm, so that abnormal user behaviour is fed back to the network security event analyst and an early warning is provided for the network security event. This facilitates timely remediation of network security risks, greatly shortens the vulnerability detection and correction flow of emergency handling, and greatly improves the emergency handling efficiency for network security events.
In addition, by providing the risk evaluation module and the emergency scheme recommendation module, the risk level of the network security event can be evaluated by the risk evaluation module, and a corresponding emergency disposal scheme can be recommended for the network security event by the emergency scheme recommendation module on the basis of the hybrid collaborative filtering recommendation algorithm of the RBF neural network, so that the emergency disposal scheme is recommended according to the risk level of the network security event. This effectively improves the efficiency and accuracy of emergency disposal scheme recommendation and better meets the emergency disposal requirements of network security events.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (9)

1. A safety emergency disposal system based on an RBF neural network, characterized by comprising a data acquisition module (1), an event disposal module (3), an event early warning module (2), a risk assessment module (4), an emergency scheme recommendation module (5), an abnormal data protection module (6), a knowledge database (7), a safety detection tool (8) and a remote auxiliary module (9);
the data acquisition module (1) is used for acquiring basic information of network security events;
the event handling module (3) is used for analyzing known or unknown network security events;
the event early warning module (2) is used for early warning the abnormal behavior of the network user based on a deep neural network algorithm;
the risk assessment module (4) is used for assessing the risk level of the network security event;
the emergency scheme recommending module (5) is used for recommending a corresponding emergency disposal scheme for the network security event based on a hybrid collaborative filtering recommending algorithm of the RBF neural network; the emergency scheme recommending module (5) comprises the following steps when a hybrid collaborative filtering recommending algorithm based on the RBF neural network recommends a corresponding emergency handling scheme for the network security event:
establishing a scoring matrix of a network security event-emergency disposal scheme;
establishing the neighbour sets: using a similarity calculation formula, calculate the set $T(U_i)$ of network security events neighbouring the target event and the set $T(I_j)$ of emergency disposal schemes neighbouring the target emergency disposal scheme;
calculating a preliminary recommendation result: calculate the recommendation score of the target network security event with the network security event collaborative filtering recommendation algorithm based on the RBF neural network to obtain a first recommendation score $P'_U(U_i,I_j)$, given by:
$P'_U(U_i,I_j)=\theta_1 P_U(U_i,I_j)+(1-\theta_1)\,P_I(U_i,I_j)$
where $P_U(U_i,I_j)$ represents the collaborative filtering recommendation based on network security events, $P_I(U_i,I_j)$ represents the collaborative filtering recommendation based on emergency disposal schemes, $\theta_1$ denotes a first scale factor, $U_i$ denotes a network security event neighbouring the target event, and $I_j$ denotes an emergency disposal scheme neighbouring the target emergency disposal scheme;
calculate the recommendation score of the target network security event with the emergency disposal scheme collaborative filtering recommendation algorithm based on the RBF neural network to obtain a second recommendation score $P'_I(U_i,I_j)$, given by:
$P'_I(U_i,I_j)=\theta_1 P_I(U_i,I_j)+(1-\theta_1)\,P_U(U_i,I_j)$;
calculating the balance factors: within the neighbouring network security event set $T(U_i)$, calculate the balance factor $Bla_U$ of the target network security event as follows:
Figure FDA0003853261820000021
Figure FDA0003853261820000022
where $T(U)$ represents the set of network security events neighbouring the target network security event $U$, $\mathrm{sim}(U_x,U)$ represents the similarity between the target event $U$ and event $U_x$, $\mathrm{sim}'(U_x,U)$ represents the result of the improved similarity calculation formula, $r$ represents a threshold factor, $I$ represents the target emergency disposal scheme, $I_x$ represents an emergency disposal scheme, $|I_x\cap I|$ represents the score intersection of the target scheme $I$ and scheme $I_x$, and $\min$ represents the minimum value of the score intersection;
within the neighbouring emergency disposal scheme set $T(I_j)$, calculate the balance factor $Bla_I$ of the target emergency disposal scheme as follows:
Figure FDA0003853261820000023
Figure FDA0003853261820000024
where $T(I)$ represents the set of emergency disposal schemes neighbouring the target scheme $I$, $\mathrm{sim}(I_x,I)$ represents the similarity between the target scheme $I$ and scheme $I_x$, $\mathrm{sim}'(I_x,I)$ represents the result of the improved similarity calculation formula, $|U_x\cap U|$ represents the score intersection of the target event $U$ and event $U_x$, and $|U_x\cup U|$ represents their score union;
calculating the scale factor: select a control factor $\eta$ and, combining the balance factor $Bla_U$ of the target network security event with the balance factor $Bla_I$ of the target emergency disposal scheme, calculate the final scale factor $\theta$ as follows:
Figure FDA0003853261820000031
Figure FDA0003853261820000032
and calculating the final result: from the first recommendation score $P'_U(U_i,I_j)$, the second recommendation score $P'_I(U_i,I_j)$ and the final scale factor $\theta$, the recommendation score of the target network security event is calculated as follows:
Figure FDA0003853261820000033
recommending a corresponding emergency disposal scheme for the target network security event based on the recommended score of the target network security event, wherein max represents the maximum value of the score intersection;
the abnormal data protection module (6) is used for carrying out emergency storage on data in the system when a safety accident is detected;
the knowledge database (7) is used for storing system data and expert knowledge data based on network security events;
the safety detection tool (8) is used for providing an auxiliary detection tool for the detection of network safety events;
the remote assistance module (9) is used for assisting in handling network security events by means of remote manipulation technology.
2. The RBF neural network-based security emergency treatment system as claimed in claim 1, wherein the event handling module (3) comprises a known network security event handling module (31) and an unknown network security event handling module (32);
the known network security event handling module (31) is used for analyzing the known network security event by utilizing a security detection tool;
the unknown network security event handling module (32) is used for analyzing unknown network security events by utilizing a security honeypot and a security sandbox.
3. The safety emergency treatment system based on the RBF neural network is characterized in that the event early warning module (2) comprises a user behavior data acquisition module (21), a network model analysis module (22) and an abnormal behavior feedback module (23);
the user behavior data acquisition module (21) is used for acquiring behavior characteristic data of the network user;
the network model analysis module (22) is used for analyzing the behavior characteristic data of the network user by utilizing a pre-constructed deep neural network model to obtain the behavior score of the network user;
the abnormal behavior feedback module (23) is used for feeding back the abnormal behavior with the behavior score lower than the preset threshold value to the network security event analyst.
4. The RBF neural network-based safety emergency disposal system as claimed in claim 3, wherein the network model analysis module (22) comprises the following steps when analyzing the behavior feature data of the network user by using a pre-constructed deep neural network model to obtain the behavior score of the network user:
mapping the behavior characteristics of the network users into a high-dimensional space, and taking the high-dimensional space as the input of a deep neural network model;
training the deep neural network model parameters by taking the click behavior records of the network users as training samples;
extracting network user information, calculating the correlation between the user and the normal behavior of the user, obtaining the correlation score between the user and the user behavior and sequencing;
the relevance score is obtained by calculating the semantic relevance R (U, V) of the user U and the user normal behavior data set V, and the calculation formula is as follows:
Figure FDA0003853261820000041
where $y_U$ is the distributed vector of the analytically extracted user information, $y_V$ is the distributed vector of the analysed normal-behaviour data set of the user, $\mathrm{cosine}()$ is the cosine function, $y_U^{T}$ is the transpose of $y_U$, and $\|\cdot\|$ denotes the vector norm.
5. The RBF neural network based security emergency disposal system of claim 4, wherein the deep neural network model is constructed by the following steps:
Let $x$ and $y$ denote the input vector and the output vector respectively, let $h$ denote a hidden layer of the neural network, $W$ a weight matrix of the network and $b$ a bias of the network; then:
$h_1 = W_1 x + b_1$
$h_m = f(W_m h_{m-1} + b_m),\quad m = 2,\dots,N-1$
$y = f(W_N h_{N-1} + b_N)$
where $m$ denotes the layer index, $m = 1,2,\dots,N-1$, $N$ is a non-zero natural number, $f(x)$ denotes the activation function, and $\tanh$ is used as the activation function of the hidden and output layers, given by:
Figure FDA0003853261820000051
where $e$ denotes the base of the natural logarithm.
6. The RBF neural network-based security emergency treatment system as claimed in claim 1, wherein the risk assessment module (4) comprises a risk weight setting module (41) and an information security risk comprehensive assessment module (42);
the risk weight setting module (41) is used for setting the risk weight of the big and small elements in the network security event;
the information security risk comprehensive evaluation module (42) is used for calculating the comprehensive information security risk level evaluated in the network security event.
7. The RBF neural network based security emergency disposal system of claim 6, wherein the calculation formula of the integrated information security risk level is as follows:
Figure FDA0003853261820000052
where $n$ represents the number of secondary risk items, $k$ indexes a particular risk, $RR_k$ represents a secondary element weight value, and $RW_k$ represents a primary element weight value;
the primary elements comprise network communication safety, personnel safety, physical safety, risk control safety, asset and management safety; the secondary elements comprise encryption measures, access control, personnel resources, safety awareness of operators, equipment safety, environment safety, a safety audit function, anti-hacker intrusion measures, the number of information, the value of the information, information cracking difficulty, key management, personnel management and equipment management.
8. The emergency handling system for network security events according to claim 1, wherein the security detection tool (8) comprises a vulnerability verification tool for verifying whether a vulnerability exists on a target object and a virus/Trojan detection tool for detecting whether a backdoor exists on the target object, and the security detection tool (8) further comprises a log analysis tool, a log segmentation tool and a file recovery tool.
9. An emergency handling method for a network security event, for use in the emergency handling system for a network security event of any one of claims 1 to 8, the method comprising the steps of:
S1, acquiring basic information of a website source code, an operating system log, a website web access log and a middleware log of a network security event by using a data acquisition module;
S2, checking and analyzing known or unknown network security events through an event handling module to obtain corresponding clue trees and attacker information;
S3, the event early warning module carries out early warning on the abnormal behaviors of the network users by using a deep neural network algorithm;
S4, confirming the analysis result of S2 and the early warning result of S3 by using a knowledge database, if the result is confirmed to be correct, executing S5, and if the result is not confirmed to be correct, returning to S2;
S5, performing risk grade evaluation on the detected network security event through a risk evaluation module;
and S6, the emergency scheme recommending module recommends a corresponding emergency disposal scheme for the network security event according to the risk level by using a hybrid collaborative filtering recommendation algorithm of the RBF neural network.
CN202211140104.3A 2022-09-20 2022-09-20 RBF neural network-based safety emergency disposal system and method Pending CN115622738A (en)

Publications (1)

Publication Number Publication Date
CN115622738A true CN115622738A (en) 2023-01-17

Family

ID=84858932

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination