CN115664860B - Network security threat assessment method and system - Google Patents

Network security threat assessment method and system

Info

Publication number
CN115664860B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211673796.8A
Other languages
Chinese (zh)
Other versions
CN115664860A
Inventor
郑伟发
肖岩军
尤扬
程培宇
蔡梓涛
谢少群
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong University of Business Studies
Nsfocus Technologies Group Co Ltd
Original Assignee
Guangdong University of Business Studies
Nsfocus Technologies Group Co Ltd


Abstract

The invention relates to the technical field of network information security, and in particular to a network security threat assessment method and system. The method comprises the following steps: training a BiLSTM neural network model to obtain a threat assessment model based on network traffic features; assessing the preprocessed feature data of the network traffic to be detected with that model to obtain a threat assessment result based on network traffic features; assessing the preprocessed security alarm event stream against a network security event logic graph to obtain an assessment result based on the event logic graph; and fusing, for the network to be detected, the threat assessment result based on network traffic features with the assessment result based on the network security event logic graph. The invention assesses network security threats from different dimensions and at different levels, and improves the precision and recall of network security threat assessment.

Description

Network security threat assessment method and system
Technical Field
The present invention relates to the field of network information security technologies, and in particular to a method and a system for assessing network security threats.
Background
A prior-art network security threat assessment system is usually installed on a physical server; network traffic is mirrored onto a network card of that server, and the assessment system collects and analyses the traffic through that card. Alternatively, the alarm information generated by the security devices in the network is sent to the threat assessment system, which then analyses network security threats on the basis of those device alarms.
With the rapid development of internet technology, network traffic keeps growing, applications keep multiplying, attack behaviors become more varied and attack patterns more covert, so traditional network security analysis systems find it increasingly difficult to meet the security requirements of enterprises and public institutions, and a large, complex campus network faces even more challenges. A single security detection technique cannot meet the security requirements of a large-scale network environment well: network traffic analysis based on neural networks has the advantage of recognising unknown attacks, but its precision needs improvement; knowledge graph techniques have the advantage of higher precision, but their recall needs improvement.
An event logic graph (事理图谱) is a knowledge base of event logic that describes the evolution rules and patterns between events. Like a knowledge graph it is a directed graph that may contain cycles, but where the nodes of a knowledge graph represent entities and its edges represent relations between entities, the nodes of an event logic graph represent events and its edges represent event logic relations between events such as sequence, causality, condition and hypernymy. After years of development the knowledge graph has been applied at some scale, but it has shortcomings in describing dynamic real-world social knowledge and cognitive reasoning: static knowledge needs an upper-level application logic system, and a knowledge logic system needs a strong underlying knowledge base as its effective carrier. The event logic graph, as a new way of organising, representing and managing knowledge, is an important breakthrough toward cognitive intelligence.
Disclosure of Invention
The invention aims to overcome at least one deficiency of the prior art and provides a network security threat assessment method and system that apply an event logic graph and a neural network to assessing the threat degree of network security events, use the analysis and reasoning strength of the event logic graph to predict network attack behavior, assess network security threats from different dimensions and at different levels, and improve the precision and recall of network security threat assessment.
The technical scheme adopted by the invention is as follows:
in a first aspect, a network security threat assessment method is provided, comprising:
collecting feature data of network traffic as a sample set, and preprocessing the extracted feature data;
predefining the label types of the feature data, and manually labelling the preprocessed network traffic feature data with those label types;
constructing a BiLSTM neural network model, and training and testing it with the preprocessed network traffic feature data and the manually assigned labels to obtain a threat assessment model based on network traffic features;
acquiring a classification library containing data related to attack behaviors;
presetting the internal event logic relationships of at least two attack behaviors, judging the internal event logic relationship of the attack behaviors corresponding to the data in the classification library, classifying the data in the classification library according to the judgement result, and generating a network security event logic graph according to the classification result;
collecting the network traffic data to be detected, extracting its feature data, and preprocessing the extracted feature data;
assessing the preprocessed feature data of the network traffic to be detected with the threat assessment model based on network traffic features to obtain a threat assessment result based on network traffic features;
extracting a security alarm event stream according to the network traffic data to be detected, and preprocessing the extracted security alarm event stream;
assessing the preprocessed security alarm event stream against the network security event logic graph to obtain an assessment result based on the network security event logic graph;
and fusing, for the network to be detected, the threat assessment result based on network traffic features and the assessment result based on the network security event logic graph to obtain the final network security threat assessment result.
Compared with prior-art network security threat assessment methods, this method fuses neural-network-based analysis of network traffic features with event-logic-graph-based analysis of security alarm events, improving the precision and recall of network security threat analysis and making full use of the analysis and reasoning strength of the event logic graph to predict network attack behavior.
Further, presetting the internal event logic relationships of at least two attack behaviors, judging the internal event logic relationship of the attack behaviors corresponding to the data in the classification library, classifying the data in the classification library according to the judgement result, and generating a network security event logic graph according to the classification result specifically comprises:
presetting the internal event logic relation types of at least two attack behaviors;
traversing the data in the classification library, where each record comprises at least a classification library number, an attack method name and a product name;
reading each attack method, then reading the product name corresponding to the attack method, and using the product name to find the classification library numbers associated with the attack method;
defining an attack method that has an internal event logic relationship with the attack method in the classification library as an associated attack method, and judging the type of internal event logic relationship between the attack method and its associated attack method;
classifying according to the type of internal event logic relationship between the attack method and its associated attack method, and storing the classification result in an attack behavior event logic knowledge base, whose records comprise a classification library number, an attack method name, an associated attack method ID, an internal event logic relation type and an associated vulnerability list;
forming a network security event logic graph $G = \{V, E, R\}$ from the event logic knowledge base: the attack method names of the knowledge base are the nodes, giving the attack behavior node set
$V = \{v_1, v_2, \dots, v_n\}$;
the internal event logic relation types of the knowledge base are the edge labels, giving the edge set
$E = \{(v_i, r_{ij}, v_j) \mid v_i, v_j \in V,\ r_{ij} \in R\}$,
where $v_i$ and $v_j$ are two different attack behavior nodes, $r_{ij} \in R$ (written here as $r_{ij}$) denotes the type of internal event logic relationship between $v_i$ and $v_j$, and $R$ is the set of internal event logic relation types.
The classification library is basic data obtainable from the internet; it is manually processed into an attack behavior event logic knowledge base, from which the network security event logic graph is then formed. Most prior-art network security analysis does not establish internal event logic relationships between attack behaviors; here, illustratively, the relationships established between network attack behaviors are sequential, causal and conditional relationships, and a network security event logic graph is generated from them.
Further, extracting the security alarm event stream of the network to be detected specifically comprises:
defining each device in the network to be detected, corresponding to the network traffic data to be detected, as a host $h$, and defining the host set as $H = \{h_1, h_2, \dots, h_i, \dots, h_n\}$, where $h_i$ is the $i$-th host and $n$ is the total number of hosts in the network to be detected;
collecting the security alarm events corresponding to the security events of each host in the network to be detected, and defining a security alarm event whose target is host $h_i$ as $a_{ij}$, which comprises a source address SIP, a source port SPort, a destination address DIP, a destination port DPort and an event message MSG;
collecting the security alarm events of host $h_i$ obtained from different security devices within a unit time interval to obtain the security alarm event stream of host $h_i$: $A_i = \{a_{i1}, a_{i2}, \dots, a_{ij}, \dots, a_{in}\}$;
collecting the security alarm event streams of all hosts in the network to be detected to obtain the security alarm event stream of the network traffic data to be detected.
Because the networked devices in the network to be detected may have vulnerabilities or weaknesses, originating either in the device hardware (e.g. routers, switches, computer terminals) or in the software deployed on that hardware (operating systems, databases, applications), the defined host $h$ has the following attributes: number; host type (hardware, operating system, software); owning user; owning organisation; networked IP address; open ports; hardware version; operating system; application software; the vulnerability list (CVEs) present on the host; and the weakness list (CWEs) present on the host. Meanwhile, security devices in the network to be detected such as firewalls, intrusion detection devices, web application firewalls and log audit systems generate a large amount of alarm information every day; the security alarm events from these different devices within a unit time interval are extracted to obtain the security alarm event stream.
Further, preprocessing the extracted security alarm event stream specifically comprises:
selecting a security alarm event $a_{ij}$;
checking whether a host corresponding to the destination address of $a_{ij}$ exists in the set $H$;
if not, discarding $a_{ij}$; if so, selecting from $H$ the host $h_i$ corresponding to the destination address;
the attributes of host $h_i$ include its vulnerability list CVEs and its weakness list CWEs; querying the vulnerability list of host $h_i$, denoted as the vulnerability set $h_i.\mathrm{CVEs}$;
identifying the vulnerabilities referenced by the security alarm event $a_{ij}$, denoted as the vulnerability set $a_{ij}.\mathrm{CVE}$;
if $a_{ij}.\mathrm{CVE}$ is empty, discarding the security alarm event;
if $a_{ij}.\mathrm{CVE}$ is not empty, comparing the two vulnerability sets $a_{ij}.\mathrm{CVE}$ and $h_i.\mathrm{CVEs}$;
if $a_{ij}.\mathrm{CVE} \cap h_i.\mathrm{CVEs} = \emptyset$, the security alarm event poses no threat, and $a_{ij}$ is flagged as a false alarm and filtered out;
if $a_{ij}.\mathrm{CVE} \cap h_i.\mathrm{CVEs} \neq \emptyset$, the security alarm event poses a threat, and $a_{ij}$ is retained;
all retained security alarm events form the preprocessed security alarm event stream.
Comparing the vulnerabilities referenced by a security alarm event with the host's vulnerability list preprocesses the extracted security alarm event stream, preliminarily eliminates some security alarm events that pose no threat, reduces the volume of data fed into the network security event logic graph, and improves the precision of the assessment result based on the graph.
Further, performing network security threat assessment on the preprocessed security alarm event stream based on the network security event logic graph to obtain an assessment result based on the event logic graph specifically comprises:
letting the vulnerability set be $\mathrm{Vuls} = A_i.\mathrm{CVE} \cap h_i.\mathrm{CVEs}$;
looking up, in the attributes of host $h_i$, the weakness CWE corresponding to each vulnerability in Vuls, and then traversing all attack behavior nodes in the network security event logic graph to judge whether that CWE appears in the weakness list of some attack behavior node;
the judgement is formulated as:
$K = \begin{cases} 1, & \exists\, v_j \in V:\ \mathrm{CWE} \in v_j.\mathrm{CWEs} \\ 0, & \text{otherwise} \end{cases}$
$g(A_i) = K$
where $g(A_i)$ is the assessment result based on the network security event logic graph, $A_i.\mathrm{CVE}$ the vulnerabilities referenced by the security alarm event stream $A_i$, $h_i.\mathrm{CVEs}$ the vulnerability list of host $h_i$, $v_j.\mathrm{RelatedID}$ the associated attack method ID of attack behavior node $v_j$, CWE the weakness corresponding to a vulnerability in Vuls, and $v_j.\mathrm{CWEs}$ the weakness list of attack behavior node $v_j$;
the assessment result of the network to be detected based on the network security event logic graph is then:
if $K = 0$, host $h_i$ does not have the weakness that triggered the alarm message, and there is no threat;
if $K = 1$, host $h_i$ has the weakness that triggered the alarm message, there is a threat, and the attack method name and associated attack method ID of the matching attack behavior node are output.
When the graph-based assessment result is $K = 1$, the alarm message has a high threat degree: host $h_i$ has the weakness, and the security alarm event was generated for a weakness the host actually has. By the reasoning of the event logic graph, the next attack behavior is the associated attack node of the attack behavior node whose weakness list contains the CWE corresponding to Vuls; therefore, besides the attack method name of the matched node, its associated attack method ID is also output. In this way the method predicts network attack behavior using the analysis and reasoning strength of the event logic graph, improving the accuracy of network security threat assessment.
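The three steps above (forming the graph from the event logic knowledge base, filtering the alarm stream against the host's CVE list, and computing $g(A_i)$ with the predicted next attack) fit in one short program. The following is an added example, not the patent's own code: the knowledge base rows, hosts, alarm records and CVE/CWE identifiers are constructed, the graph is stored as a dict keyed by classification library number, and the "weakness corresponding to a vulnerability" attribute is assumed to be a per-host CVE-to-CWE mapping.

```python
# Added example (not the patent's own code): build G = {V, E, R}, preprocess an
# alarm stream A_i against host h_i, and compute g(A_i). All rows, hosts, CVE
# and CWE identifiers and alarm records are constructed; the per-host CVE->CWE
# mapping is an assumed representation of the host's weakness attribute.
from dataclasses import dataclass

# R: the preset internal event logic relation types between attack behaviors.
RELATION_TYPES = frozenset({"sequential", "causal", "conditional"})

@dataclass(frozen=True)
class AttackNode:
    """One attack behavior node v_j of the graph."""
    name: str            # attack method name
    related_id: str      # v_j.RelatedID, associated (next) attack method
    relation: str        # r_ij, relation type to the associated method
    cwes: frozenset      # v_j.CWEs, weakness list of the node

# Constructed knowledge base rows: (library number, attack method name,
# associated attack method ID, relation type, associated weakness list).
KNOWLEDGE_BASE = [
    ("1", "SQL injection",        "3", "sequential",  {"CWE-89"}),
    ("2", "Path traversal",       "3", "causal",      {"CWE-22"}),
    ("3", "Webshell upload",      "4", "conditional", {"CWE-434"}),
    ("4", "Privilege escalation", "",  "",            {"CWE-269"}),
]

def build_graph(kb):
    """Return (V, E, R): V maps library number -> AttackNode, E holds labelled
    edges (from, r_ij, to). A relation type outside R is rejected."""
    V, E = {}, set()
    for num, name, rel_id, rel, cwes in kb:
        if rel_id and rel not in RELATION_TYPES:
            raise ValueError(f"unknown relation type {rel!r} for {name}")
        V[num] = AttackNode(name, rel_id, rel, frozenset(cwes))
        if rel_id:
            E.add((num, rel, rel_id))
    return V, E, RELATION_TYPES

@dataclass
class Host:
    """Host h_i with its vulnerability list (CVEs) and CVE -> CWE attribute."""
    ip: str
    cves: frozenset
    cve_to_cwe: dict

@dataclass
class Alarm:
    """Security alarm event a_ij; cve is the vulnerability set it references."""
    sip: str
    sport: int
    dip: str
    dport: int
    msg: str
    cve: frozenset

# Constructed hosts and alarm stream (the CVE numbers are placeholders).
HOSTS = {
    "10.0.0.5": Host("10.0.0.5", frozenset({"CVE-0000-0001", "CVE-0000-0002"}),
                     {"CVE-0000-0001": "CWE-89", "CVE-0000-0002": "CWE-79"}),
}
ALARM_STREAM = [
    Alarm("10.0.0.7", 40001, "10.0.0.5", 80, "sql injection attempt", frozenset({"CVE-0000-0001"})),
    Alarm("10.0.0.7", 40002, "10.0.0.5", 80, "exploit attempt", frozenset({"CVE-0000-0009"})),
    Alarm("10.0.0.7", 40003, "10.0.0.9", 22, "ssh brute force", frozenset({"CVE-0000-0001"})),
    Alarm("10.0.0.7", 40004, "10.0.0.5", 80, "generic scan", frozenset()),
]

def preprocess(stream, hosts):
    """Drop alarms whose destination is not a known host or that reference no
    CVE; flag as false alarms those whose CVEs miss the host's CVE list."""
    kept, false_alarms = [], []
    for a in stream:
        h = hosts.get(a.dip)
        if h is None or not a.cve:
            continue
        (kept if a.cve & h.cves else false_alarms).append(a)
    return kept, false_alarms

def assess(stream_i, host, V):
    """g(A_i): Vuls = A_i.CVE ∩ h_i.CVEs, mapped to CWEs through the host
    attributes; K = 1 if some node lists one of those CWEs. Returns
    (K, matched attack method name, predicted next attack method name)."""
    a_cve = frozenset().union(*(a.cve for a in stream_i))
    vuls = a_cve & host.cves
    cwes = {host.cve_to_cwe[c] for c in vuls if c in host.cve_to_cwe}
    for node in V.values():
        if cwes & node.cwes:
            nxt = V.get(node.related_id)
            return 1, node.name, (nxt.name if nxt else None)
    return 0, None, None

def run_example():
    V, E, R = build_graph(KNOWLEDGE_BASE)
    kept, false_alarms = preprocess(ALARM_STREAM, HOSTS)
    return kept, false_alarms, assess(kept, HOSTS["10.0.0.5"], V)
```

On the constructed data only the first alarm survives preprocessing (the second references a CVE the host does not have, the third targets an unknown host, the fourth carries no CVE), and the assessment maps its CVE to CWE-89, matches the "SQL injection" node and reports "Webshell upload" as the predicted next attack through the node's associated attack method ID.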
Further, collecting the feature data of network traffic as a sample set and preprocessing the extracted feature data, and/or collecting the network traffic data to be detected, extracting its feature data and preprocessing the extracted feature data, specifically comprises:
extracting the basic network connection features of the traffic data: the start time Time of the connection, its Duration, the source IP address SIP, the destination IP address DIP, the source port SPort, the destination port DPort, the protocol type Proto, the number of Packets generated during the connection, the number of Bytes generated during the connection, and the flag string Flag of the packets in the connection;
extracting the advanced network connection features of the traffic data: the number of network connections of the source host SFlow, the number of network connections of the destination host DFlow, and the number of uses of the destination host service DPortFlow;
normalising the features Duration, Packets, Bytes, SFlow, DFlow and DPortFlow, and one-hot encoding the features SIP, DIP, SPort, DPort, Proto and Flag;
the normalisation is as follows: let the value of a network connection feature $X_j$ be $x_j$, let $x_{\min}$ be the minimum and $x_{\max}$ the maximum of feature $X_j$ within the unit time $T$; then the normalised value of $X_j$ is
$y_j = \dfrac{x_j - x_{\min}}{x_{\max} - x_{\min}}$;
forming, from the normalised and one-hot encoded feature data, the feature vector $Y = \{y_1, y_2, \dots, y_m\}$ of a network connection within the unit time interval $T$, where $m$ is the feature dimension after preprocessing.
In network transmission, time division multiplexing is widely used so that multiple services share network resources: several transmissions proceed simultaneously over one link, and the packets of different network connections are usually interleaved on it. Prior-art connection-based attack recognition mainly decides whether the network is abnormal by analysing anomalies in IP attributes, for example the source or destination IP, the source or destination port, and the protocol type. On that basis, and in view of the persistence and concealment of new network threats such as advanced persistent threats (APT), the invention adds the advanced features SFlow, DFlow and DPortFlow, which effectively improves the generality and precision of the threat assessment result based on network traffic features.
More specifically, to keep consistency with the assessment result based on the network security event logic graph, the unit time chosen when preprocessing the extracted feature data must equal the unit time used when preprocessing the extracted security alarm event stream. Preprocessing produces the feature vectors, and the threat assessment model based on network traffic features then assesses the preprocessed feature data of the network traffic to be detected, yielding the threat assessment result based on network traffic features.
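The preprocessing pipeline above, as an added example that is not the patent's own code: connections are grouped into unit intervals $[t_{i-1}, t_i)$, the advanced features SFlow, DFlow and DPortFlow are counted within each interval, the numeric features are min-max normalised over the interval, and the categorical features are one-hot encoded. The connection records are constructed; the field names follow the text, and the handling of the one-hot vocabulary (fixed across intervals, with unseen categories encoded as an all-zero block) is an assumption the page does not spell out.

```python
# Added example (not the patent's own code): unit-interval windowing, advanced
# feature counting, min-max normalisation and one-hot encoding of network
# connection records. The records are constructed; the vocabulary handling is
# an assumption.
from collections import Counter, defaultdict

NUMERIC = ("Duration", "Packets", "Bytes", "SFlow", "DFlow", "DPortFlow")
CATEGORICAL = ("SIP", "DIP", "SPort", "DPort", "Proto", "Flag")

# Constructed network connection records; Time is seconds from capture start.
CONNECTIONS = [
    dict(Time=0.5,  Duration=1.2, SIP="10.0.0.7", DIP="10.0.0.5", SPort=40001, DPort=80,  Proto="tcp", Packets=12, Bytes=3400,  Flag="SF"),
    dict(Time=1.0,  Duration=0.8, SIP="10.0.0.7", DIP="10.0.0.5", SPort=40002, DPort=80,  Proto="tcp", Packets=9,  Bytes=2100,  Flag="SF"),
    dict(Time=2.0,  Duration=2.0, SIP="10.0.0.7", DIP="10.0.0.5", SPort=40003, DPort=443, Proto="tcp", Packets=40, Bytes=51000, Flag="SF"),
    dict(Time=3.0,  Duration=4.0, SIP="10.0.0.8", DIP="10.0.0.6", SPort=50001, DPort=22,  Proto="tcp", Packets=3,  Bytes=180,   Flag="S0"),
    dict(Time=65.0, Duration=0.3, SIP="10.0.0.9", DIP="10.0.0.5", SPort=40010, DPort=80,  Proto="tcp", Packets=5,  Bytes=700,   Flag="SF"),
]

def windows(conns, T):
    """Split connections by start time into C = {C_1, ..., C_n}: interval i
    holds the connections with t_{i-1} <= Time < t_i, ordered by Time."""
    by_interval = defaultdict(list)
    for c in conns:
        by_interval[int(c["Time"] // T)].append(c)
    return [sorted(by_interval[k], key=lambda c: c["Time"]) for k in sorted(by_interval)]

def add_advanced_features(interval):
    """SFlow: connections opened by the source host in the interval; DFlow:
    connections received by the destination host; DPortFlow: uses of the
    destination service (DIP, DPort). Mutates and returns the records."""
    sflow = Counter(c["SIP"] for c in interval)
    dflow = Counter(c["DIP"] for c in interval)
    dportflow = Counter((c["DIP"], c["DPort"]) for c in interval)
    for c in interval:
        c["SFlow"] = sflow[c["SIP"]]
        c["DFlow"] = dflow[c["DIP"]]
        c["DPortFlow"] = dportflow[(c["DIP"], c["DPort"])]
    return interval

def min_max(interval):
    """y_j = (x_j - x_min) / (x_max - x_min) with x_min and x_max taken over
    the interval; a feature that is constant in the interval maps to 0.0."""
    out = {}
    for f in NUMERIC:
        xs = [c[f] for c in interval]
        lo, hi = min(xs), max(xs)
        out[f] = [0.0 if hi == lo else (x - lo) / (hi - lo) for x in xs]
    return out

def one_hot_vocab(intervals):
    """Category vocabulary per categorical feature. Built here from the sample
    data; in practice it is fixed from the training set so that the feature
    dimension m is the same at training time and at detection time."""
    return {f: sorted({str(c[f]) for itv in intervals for c in itv}) for f in CATEGORICAL}

def vectorise(interval, vocab):
    """Feature vectors Y = {y_1, ..., y_m} for each connection in the interval:
    normalised numeric features followed by one-hot blocks. A category absent
    from the vocabulary encodes as an all-zero block instead of failing."""
    add_advanced_features(interval)
    norm = min_max(interval)
    vectors = []
    for idx, c in enumerate(interval):
        y = [norm[f][idx] for f in NUMERIC]
        for f in CATEGORICAL:
            y.extend(1.0 if str(c[f]) == cat else 0.0 for cat in vocab[f])
        vectors.append(y)
    return vectors

def run_example(T=60):
    intervals = windows(CONNECTIONS, T)
    vocab = one_hot_vocab(intervals)
    return intervals, vocab, [vectorise(itv, vocab) for itv in intervals]
```

With $T = 60$ the constructed records fall into two intervals; in the first, host 10.0.0.7 opens three connections (SFlow = 3) and the service 10.0.0.5:80 is used twice (DPortFlow = 2), which is the kind of per-interval count that a single connection's IP attributes cannot show. Note that an interval containing one connection normalises every numeric feature to 0, so the window length must be chosen so that intervals carry enough connections for $x_{\min}$ and $x_{\max}$ to be meaningful.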
Further, assessing the preprocessed feature data of the network traffic to be detected with the threat assessment model based on network traffic features to obtain a threat assessment result based on network traffic features specifically comprises:
letting the unit time interval be $T$, with $t_0 = 0$, $t_1 = t_0 + T$ and $t_i = t_{i-1} + T$ for $i \ge 1$; collecting the network connections whose start time satisfies $t_{i-1} \le \mathrm{Time} < t_i$, and ordering them by start time to form the series of network connections per unit time $C = \{C_1, C_2, \dots, C_i, \dots, C_n\}$, where $C_i$ is the $i$-th network connection and $n$ is the number of network connections on the link within the interval $T$;
letting the network connection of the traffic to be detected be $C_Y$ with feature vector $Y$, the predefined label types of the feature data being normal traffic, attack traffic and attacked traffic;
the threat assessment result of the network to be detected based on network traffic features is $L = \mathrm{BiLSTM}(Y)$:
if $L = 0$, the current network connection $C_Y$ is normal traffic;
if $L = 1$, the current network connection $C_Y$ is attack traffic, i.e. the source host launches a network attack;
if $L = 2$, the current network connection $C_Y$ is attacked traffic, i.e. the destination host is attacked.
The invention adopts the BiLSTM (Bi-directional Long Short-Term Memory) neural network as the network security threat assessment model. A BiLSTM combines a forward LSTM and a backward LSTM; it is a bidirectional recurrent neural network that performs better than a single LSTM on longer sequences, takes the context in both directions into account, and is therefore well suited to network traffic data. The sample set is divided into a training set and a test set; the BiLSTM model is trained on the training set and verified on the test set, and the model that passes the test is the trained threat assessment model based on network traffic features, which can then perform threat assessment from network traffic features. Training a neural network model for this assessment improves the accuracy and reliability of the result compared with manual assessment.
Further, the threat assessment result of the network to be detected based on network traffic features and the assessment result based on the network security event logic graph are fused by the formula
$E = \alpha \cdot \mathrm{BiLSTM}(Y) + \beta \cdot g(A_i)$
where $Y$ is the feature vector of the network connection of the traffic to be detected, $\mathrm{BiLSTM}(Y)$ the threat assessment result based on network traffic features, $A_i$ the security alarm event stream of the traffic to be detected, $g(A_i)$ the assessment result based on the network security event logic graph, and $\alpha$ and $\beta$ the two weight coefficients (the original symbols for the weights are not reproduced in this copy and are written here as $\alpha$ and $\beta$).
The threat assessment result obtained with the BiLSTM neural network from network traffic features has high recall but low precision; the assessment result based on the network security event logic graph has high precision but low recall. Combining the strengths of the two models therefore improves both recall and precision, and makes full use of the reasoning capability of the event logic graph to predict the next attack behavior. Meanwhile the weight coefficients $\alpha$ and $\beta$ can be adjusted to change the weight of the traffic-feature result and of the graph result: for example, when the security devices of the network are complete and more alarm information is available, $\beta$ can be increased, and otherwise reduced.
Further, supposing $\alpha = \beta = 1$, the final network security threat assessment result is:
if $E = 0$, the threat degree is 0 and the traffic of the current time interval is normal;
if $E = 1$, the threat degree is 1, i.e. $\mathrm{BiLSTM}(Y) = 1$ and $g(A_i) = 0$, or $\mathrm{BiLSTM}(Y) = 0$ and $g(A_i) = 1$: either the traffic-feature model judges that the source host launches an attack but the graph model judges that the destination host has no threat, or the traffic-feature model judges the traffic normal (neither a source attack nor an attacked destination) but the graph model judges that the destination host has a threat; the network threat degree is low;
if $E = 2$, the threat degree is 2, i.e. $\mathrm{BiLSTM}(Y) = 2$ and $g(A_i) = 0$, or $\mathrm{BiLSTM}(Y) = 1$ and $g(A_i) = 1$: either the traffic-feature model judges that the destination host is attacked but the graph model judges that it has no threat, or the traffic-feature model judges that the source host launches an attack and the graph model judges that the destination host has a threat; the network threat degree is medium;
if $E = 3$, the threat degree is 3, i.e. $\mathrm{BiLSTM}(Y) = 2$ and $g(A_i) = 1$: the traffic-feature model judges that the destination host is attacked and the graph model judges that it has a threat; the network threat degree is high.
If $\alpha$ and $\beta$ are not both 1, $E$ is the weighted sum of the two assessment results, and the larger $E$ the greater the threat; whenever $g(A_i) = 1$ the next attack behavior can be predicted. The strengths of the two assessment methods are thus fully used, improving the precision and recall of network security threat assessment.
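The fusion step above, as an added example that is not the patent's own code. It takes the per-connection label $L = \mathrm{BiLSTM}(Y)$ and the per-host graph result $g(A_i)$ for the same unit interval as already computed inputs, joins them on the destination host, and encodes the four-level table for $\alpha = \beta = 1$ while falling back to a plain score for other weights. The connection records, labels and graph results are constructed, and the treatment of a destination host with no preprocessed alarm stream (counted as $g = 0$) is an assumption.

```python
# Added example (not the patent's own code): fuse the per-connection BiLSTM
# label with the per-host event logic graph result of the same unit interval.
# Inputs are constructed; the weight coefficients are written as alpha and
# beta, and a host without an alarm stream is assumed to contribute g = 0.

# Threat levels for unit weights, where E takes the values 0..3.
LEVELS = {0: "none (normal traffic)", 1: "low", 2: "medium", 3: "high"}

def fuse(L, g, alpha=1.0, beta=1.0):
    """E = alpha * BiLSTM(Y) + beta * g(A_i); L in {0, 1, 2}, g in {0, 1}."""
    if L not in (0, 1, 2) or g not in (0, 1):
        raise ValueError(f"invalid inputs L={L!r}, g={g!r}")
    return alpha * L + beta * g

def threat_level(E, alpha=1.0, beta=1.0):
    """With alpha = beta = 1, E is an integer 0..3 and maps to a level; with
    other weights only the ordering of E matters, so it is reported as a score."""
    if alpha == 1.0 and beta == 1.0:
        return LEVELS[int(E)]
    return f"score={E:g}"

def fuse_interval(connection_labels, graph_results, alpha=1.0, beta=1.0):
    """Join each connection's label with the graph result of its destination
    host h_i (keyed by DIP). A destination without a preprocessed alarm stream
    counts as g = 0, so the traffic-based result decides alone. The matched
    and predicted attack methods are reported only when g = 1."""
    fused = []
    for conn, L in connection_labels:
        g, matched, nxt = graph_results.get(conn["DIP"], (0, None, None))
        E = fuse(L, g, alpha, beta)
        fused.append({
            "SIP": conn["SIP"], "DIP": conn["DIP"], "L": L, "g": g, "E": E,
            "level": threat_level(E, alpha, beta),
            "matched_attack": matched if g == 1 else None,
            "predicted_next_attack": nxt if g == 1 else None,
        })
    return fused

# Constructed inputs for one unit interval.
CONNECTION_LABELS = [
    ({"SIP": "10.0.0.7", "DIP": "10.0.0.5"}, 2),   # BiLSTM: destination attacked
    ({"SIP": "10.0.0.8", "DIP": "10.0.0.6"}, 1),   # BiLSTM: source launches attack
    ({"SIP": "10.0.0.9", "DIP": "10.0.0.4"}, 0),   # BiLSTM: normal traffic
]
GRAPH_RESULTS = {   # g(A_i) per host: (K, matched attack method, associated attack method)
    "10.0.0.5": (1, "SQL injection", "Webshell upload"),
    "10.0.0.6": (0, None, None),
}

def run_example(alpha=1.0, beta=1.0):
    return fuse_interval(CONNECTION_LABELS, GRAPH_RESULTS, alpha, beta)
```

On the constructed interval the connection to 10.0.0.5 scores $E = 3$ (high) and carries "Webshell upload" as the predicted next attack; the connection to 10.0.0.6 scores $E = 1$ (low) because the graph side found no matching weakness; the third scores 0. Raising $\beta$ to 2, as the text suggests when alarm coverage is good, turns the first result into the score 4, whose meaning is only relative to the other connections in the same interval.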
In a second aspect, a network security threat assessment system is provided, comprising:
a network traffic acquisition module, which collects feature data of network traffic as a sample set, predefines the label types of the feature data and manually labels the preprocessed network traffic feature data with those label types, and/or collects the network traffic data to be detected and extracts its feature data;
a network traffic processing module, which preprocesses the extracted feature data;
a traffic-feature threat assessment model management module, which constructs a BiLSTM neural network model, trains and tests it with the preprocessed network traffic feature data and the manually assigned labels to obtain a threat assessment model based on network traffic features, and assesses the preprocessed feature data of the network traffic to be detected with that model to obtain a threat assessment result based on network traffic features;
a security alarm event acquisition module, which extracts a security alarm event stream according to the network traffic data to be detected;
a security alarm event processing module, which preprocesses the extracted security alarm event stream;
a network security event logic graph management module, which acquires a classification library containing data related to attack behaviors, presets the internal event logic relationships of at least two attack behaviors, judges the internal event logic relationship of the attack behaviors corresponding to the data in the classification library, classifies that data according to the judgement result, generates a network security event logic graph according to the classification result, and assesses the preprocessed security alarm event stream against the graph to obtain an assessment result based on the network security event logic graph;
and a network security threat assessment result fusion module, which fuses, for the network to be detected, the threat assessment result based on network traffic features and the assessment result based on the network security event logic graph to obtain the final network security threat assessment result.
Compared with the prior art, the invention has the beneficial effects that:
(1) The internal affair logic relations among network attack behaviors are constructed as sequential, causal and conditional relations and the network security affair cognitive map is generated; these internal affair logic relations help improve the accuracy of network security threat assessment and attack behavior prediction;
(2) In view of the persistence and concealment of novel network threats such as advanced persistent threats, the advanced features source host network connection number SFlow, destination host network connection number DFlow and destination host service use times DPortFlow are added, which effectively improves the universality and accuracy of the threat assessment result based on network flow characteristics;
(3) The threat assessment result of the network to be detected based on the network flow characteristics and the assessment result based on the network security affair cognitive map are fused, the network security threats are assessed from different dimensions and different levels, and the accuracy and the recall rate of the network security threat assessment are improved.
Drawings
FIG. 1 is a flowchart of a method of example 1 of the present invention.
Fig. 2 is a system configuration diagram of embodiment 2 of the present invention.
Detailed Description
The drawings are only for purposes of illustration and are not to be construed as limiting the invention. For the purpose of better illustrating the following embodiments, certain features of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product; it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
Example 1
As shown in fig. 1, the present embodiment provides a network security threat assessment method, including:
S1, collecting characteristic data of network flow as a sample set, and preprocessing the extracted characteristic data;
S2, predefining the label information type of the characteristic data, and manually marking the preprocessed network flow characteristic data according to the label information type;
S3, constructing a BiLSTM neural network model, and training and testing the BiLSTM neural network model by utilizing the preprocessed network traffic characteristic data and the manually labelled label information type to obtain a threat assessment model based on the network traffic characteristics;
S4, acquiring a classification library, wherein the classification library comprises data related to the attack behavior;
S5, presetting the internal affair logic relationship of at least two attack behaviors, judging the internal affair logic relationship of the attack behaviors corresponding to the data in the classification library, classifying the data in the classification library according to the judgment result, and generating a network security affair cognitive map according to the classification result;
S6, collecting network flow data to be detected, extracting characteristic data of the network flow data to be detected, and preprocessing the extracted characteristic data;
S7, carrying out network security threat assessment on the feature data of the preprocessed network traffic data to be detected by the threat assessment model based on the network traffic features to obtain a threat assessment result based on the network traffic features;
S8, extracting a security alarm event stream according to the network traffic data to be detected, and preprocessing the extracted security alarm event stream;
S9, performing network security threat assessment on the preprocessed security alarm event stream based on the network security affair cognitive map to obtain an assessment result based on the network security affair cognitive map;
and S10, fusing the threat assessment result of the network to be detected based on the network flow characteristics and the assessment result based on the network security affair cognitive map to obtain a final network security threat assessment result.
The network security threat assessment method has the advantages that the threat assessment model based on the network flow characteristics and the network security incident cognitive map are respectively constructed, and then the threat assessment result of the network to be detected based on the network flow characteristics and the assessment result based on the network security incident cognitive map are fused for network security threat assessment, so that the accuracy and the recall rate of network security threat analysis can be effectively improved.
In this embodiment, the public CIDDS-01 (Coburg Intrusion Detection Data Sets) data set is adopted for sample set acquisition. The CIDDS-01 data set was captured in a simulated enterprise environment over four weeks, and the captured network flows include network attack behaviors such as SSH brute-force attacks, DoS (denial of service) attacks and port scanning. The characteristic data fields of the CIDDS-01 data set comprise: the time at which the connection was first seen Date first seen, the Duration, the protocol type Proto, the source node address Src IP Addr, the destination node address Dst IP Addr, the source node port Src Pt, the destination node port Dst Pt, the number of Packets, the number of Bytes, the number of Flows, the flag string Flags, the service type Tos, the manually labelled connection type Label (attack traffic attacker, normal traffic normal, attacked traffic victim), the attack type attackType, the attack ID attackID and the attack description.
The specific steps of step S1 include:
S101, extracting the network connection basic features of network traffic data: the network connection start Time, the network connection Duration, the network connection source IP address SIP, the network connection destination IP address DIP, the network connection source port SPort, the network connection destination port DPort, the network connection protocol type Proto, the number Packets of data packets generated during the network connection, the number Bytes generated during the network connection, and the flag string Flags of the data packets during the network connection;
extracting network connection advanced features of network traffic data: the source host network connection number SFlow, the destination host network connection number DFlow and the destination host service use times DPortFlow;
S102, normalizing the features network connection Duration, number Packets of data packets generated during the network connection, number Bytes generated during the network connection, source host network connection number SFlow, destination host network connection number DFlow and destination host service use times DPortFlow, and One-hot encoding the features network connection source IP address SIP, network connection destination IP address DIP, network connection source port SPort, network connection destination port DPort, network connection protocol type Proto and flag string Flags of the data packets during the network connection;
the specific mode of the normalization processing is as follows:
let the value of a certain network connection feature X_j be x_j, let x_min be the minimum value of feature X_j within unit time T and x_max the maximum value of feature X_j within unit time T; then, after normalization, the normalized result of feature X_j is
Figure 723044DEST_PATH_IMAGE013
S103, forming the feature vector Y = {y_1, y_2, ..., y_m} of a network connection within unit time interval T from the feature data after normalization and One-hot coding, where m represents the feature dimension after data preprocessing.
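As an added worked example, not code from the patent, the following Python script carries steps S101 to S103 through on a handful of constructed flow records in the style of the CIDDS fields listed above: it bins connections into unit time intervals as defined later under step S5 of this embodiment (t_0 = 0, t_i = t_{i-1} + T), counts the advanced features SFlow, DFlow and DPortFlow inside each interval, applies min-max normalization per interval and One-hot encodes the categorical fields into the feature vector Y. Counting the advanced features per interval, and mapping a feature that is constant within an interval (x_max = x_min) to 0, are assumptions of this example.

```python
"""Network connection feature extraction and preprocessing (steps S101-S103).

Added illustration, not the patent's code. Flow records are constructed in the
style of the CIDDS fields; SFlow / DFlow / DPortFlow are counted inside each
unit time interval T (an assumed reading of the text)."""
from collections import Counter

T_SECONDS = 60  # unit time interval T; the embodiment later uses 1 minute

# Constructed sample flows (Time is seconds from the start of capture).
SAMPLE_FLOWS = [
    dict(Time=0.0, Duration=0.5, SIP="10.0.0.5", DIP="10.0.0.9", SPort=51000, DPort=22, Proto="TCP", Packets=10, Bytes=900, Flags=".AP.SF"),
    dict(Time=1.2, Duration=0.4, SIP="10.0.0.5", DIP="10.0.0.9", SPort=51001, DPort=22, Proto="TCP", Packets=9, Bytes=870, Flags=".AP.SF"),
    dict(Time=2.5, Duration=0.3, SIP="10.0.0.5", DIP="10.0.0.9", SPort=51002, DPort=22, Proto="TCP", Packets=8, Bytes=820, Flags=".AP.SF"),
    dict(Time=7.0, Duration=3.0, SIP="10.0.0.7", DIP="10.0.0.8", SPort=40000, DPort=80, Proto="TCP", Packets=40, Bytes=5000, Flags=".AP.SF"),
    dict(Time=65.0, Duration=0.1, SIP="10.0.0.7", DIP="10.0.0.9", SPort=40001, DPort=53, Proto="UDP", Packets=2, Bytes=200, Flags="......"),
]

NUMERIC = ["Duration", "Packets", "Bytes", "SFlow", "DFlow", "DPortFlow"]   # normalized (S102)
CATEGORICAL = ["SIP", "DIP", "SPort", "DPort", "Proto", "Flags"]            # One-hot encoded (S102)


def interval_index(time, T=T_SECONDS):
    """Index i of the unit interval with t_{i-1} <= Time < t_i, where t_i = i * T and t_0 = 0."""
    return int(time // T) + 1


def group_by_interval(rows, T=T_SECONDS):
    """Network connection sequence C per unit interval, ordered by connection start Time."""
    groups = {}
    for r in rows:
        groups.setdefault(interval_index(r["Time"], T), []).append(r)
    return {i: sorted(conns, key=lambda c: c["Time"]) for i, conns in sorted(groups.items())}


def add_advanced_features(flows, T=T_SECONDS):
    """S101 advanced features: SFlow = connections opened by the source host, DFlow =
    connections received by the destination host, DPortFlow = uses of the destination
    host's service (DIP, DPort), all counted inside the connection's unit interval."""
    out = []
    for conns in group_by_interval(flows, T).values():
        sflow = Counter(c["SIP"] for c in conns)
        dflow = Counter(c["DIP"] for c in conns)
        dportflow = Counter((c["DIP"], c["DPort"]) for c in conns)
        for c in conns:
            out.append(dict(c, SFlow=sflow[c["SIP"]], DFlow=dflow[c["DIP"]],
                            DPortFlow=dportflow[(c["DIP"], c["DPort"])]))
    return out


def min_max_normalize(rows, T=T_SECONDS):
    """S102 normalization inside each unit interval: x' = (x - x_min) / (x_max - x_min).
    A feature that is constant in the interval (x_max == x_min) is mapped to 0.0 (assumption)."""
    out = []
    for conns in group_by_interval(rows, T).values():
        for field in NUMERIC:
            lo = min(c[field] for c in conns)
            hi = max(c[field] for c in conns)
            for c in conns:
                c[field + "_norm"] = 0.0 if hi == lo else (c[field] - lo) / (hi - lo)
        out.extend(conns)
    return out


def build_feature_vectors(flows, T=T_SECONDS):
    """S103: feature vector Y = {y_1, ..., y_m} per connection; m = 6 normalized
    numeric features + the One-hot width of each categorical field."""
    rows = min_max_normalize(add_advanced_features(flows, T), T)
    vocab = {f: sorted({str(r[f]) for r in rows}) for f in CATEGORICAL}
    vectors = []
    for r in rows:
        y = [r[f + "_norm"] for f in NUMERIC]
        for f in CATEGORICAL:
            y.extend(1.0 if str(r[f]) == v else 0.0 for v in vocab[f])
        vectors.append(y)
    return vectors


if __name__ == "__main__":
    for y in build_feature_vectors(SAMPLE_FLOWS):
        print(len(y), [round(v, 3) for v in y[:6]])
```

With the five constructed flows, the three SSH connections from 10.0.0.5 in the first interval give that host SFlow = 3 (normalized to 1.0 against the single connection from 10.0.0.7), and the lone connection in the second interval has every numeric feature mapped to 0 because x_max = x_min there; in a real deployment the One-hot vocabularies would be fixed from the training sample set rather than rebuilt per batch, otherwise m changes between training and detection.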
In actual use, 500,000 records are selected in this embodiment from the CIDDS-01 data set as the sample set; the sample set is preprocessed, 80% of its data is used as the training set and the remaining data as the test set.
In step S2 of this embodiment, the preprocessed network traffic characteristic data is manually labelled, and each network connection is labelled as one of three types, attack traffic attacker, normal traffic normal and attacked traffic victim, so that the BiLSTM neural network model can be effectively trained.
In step S3 of this embodiment, a BiLSTM (Bi-directional Long Short-Term Memory) neural network model is used as the network security threat assessment model. The BiLSTM neural network combines a forward LSTM and a backward LSTM; it is a bidirectional recurrent neural network that performs better than a single LSTM network on longer time sequences and takes the context into account, which makes it well suited to processing network traffic data. A training set and a test set are constructed from the sample set, the BiLSTM neural network model is trained with the training set and the training result is verified with the test set; the tested BiLSTM neural network model is the trained threat assessment model based on network flow characteristics and can carry out threat assessment based on network flow characteristics. Carrying out threat assessment of network flow characteristics with a trained neural network model improves the accuracy and reliability of the assessment result compared with manual assessment.
In actual use, the BiLSTM neural network model code can be obtained through the PyTorch toolkit; the BiLSTM neural network model is trained with the Adam optimizer and the categorical cross-entropy (categorical_crossentropy) loss function, with an Adam learning rate of 0.0001, 2000 epochs, a batch_size of 128, a momentum of 0.85 in batch normalization, an alpha of 0.2 in LeakyReLU, a dropout of 0.4 and a recurrent_dropout of 0.01 in the BiLSTM neural network; the converged BiLSTM neural network model obtained after training is the threat assessment model based on network flow characteristics.
In this embodiment, the specific method of extracting the feature data of the network traffic data to be detected in step S4 and preprocessing the extracted feature data is the same as that in step S1.
Step S5 in this embodiment specifically includes:
Let the unit time interval be T, t_0 = 0, t_1 = t_0 + T, t_i = t_{i-1} + T with i ≥ 1; collect the network connections whose start Time satisfies t_{i-1} ≤ Time < t_i and order them by connection start Time to form the network connection sequence C within the unit time interval, C = {C_1, C_2, ..., C_i, ..., C_n}, wherein C_i denotes the ith network connection Con within the unit time interval and n denotes the number of network connections in the network within the time interval T;
let the network connection of the network traffic data to be detected be C_Y, with feature vector Y, and let the predefined label information types of the feature data be normal flow, attack flow and attacked flow;
the threat assessment result of the network to be detected based on network traffic characteristics is L = BiLSTM(Y);
if L = 0, the current network connection C_Y is normal flow;
if L = 1, the current network connection C_Y is attack flow, i.e. the source host launches a network attack;
if L = 2, the current network connection C_Y is attacked flow, i.e. the destination host is attacked.
In step S6 of this embodiment, the Common Attack Pattern Enumeration and Classification (CAPEC) is used to construct the internal affair logic relations between network attack behaviors. CAPEC is a public knowledge base maintained by the MITRE organization that provides a common classification of attack patterns. The CAPEC classification library organizes attack pattern classes such as SQL injection, buffer overflow, cross-site scripting and clickjacking by a hierarchical definition method, and the main fields of its data file comprise: the CAPEC classification library number ID, the attack method Name, the attack method Description, the Likelihood Of Attack, the Related Attack Patterns, the Related Weaknesses, the attack method Execution Flow, the Prerequisites for utilizing the attack method, the Skills Required, the Resources Required and the Mitigations.
Step S7 of this embodiment specifically includes:
S701, presetting the internal affair logic relation types of at least two attack behaviors;
S702, traversing the data in the classification library, wherein the data in the classification library at least comprises the classification library number, the attack method name and the product name;
S703, reading each attack method, further reading the product name corresponding to the attack method, and finding the classification library number associated with the attack method by using the product name;
S704, defining an attack method in the classification library that has an internal affair logic relation with the attack method as an associated attack method, and judging the type of internal affair logic relation between the attack method and the associated attack method;
S705, classifying according to the type of internal affair logic relation between the attack method and the associated attack method, and storing the classification result into the attack behavior affair logic knowledge base, wherein the affair logic knowledge base comprises the classification library number, the attack method name, the associated attack method ID, the internal affair logic relation type and the associated vulnerability list;
S706, forming the network security affair cognitive map G = {V, E, R} from the affair logic knowledge base, wherein the attack method names in the affair logic knowledge base are used as nodes to construct the attack behavior node set of the network security affair cognitive map
Figure 433511DEST_PATH_IMAGE001
and the internal affair logic relation types in the affair logic knowledge base are used as labels to construct the edge set of the network security affair cognitive map
Figure 214295DEST_PATH_IMAGE002
, where v_i and v_j represent two different attack behavior nodes,
Figure 326608DEST_PATH_IMAGE003
denotes the internal affair logic relation type between v_i and v_j,
Figure 396195DEST_PATH_IMAGE019
and R represents a set of intrinsic case logic types.
In actual use, the preset internal affair logic relation types of attack behaviors are the sequential relation, the causal relation and the condition relation; the data of the CAPEC classification library is traversed, each attack method is read, its Related Attack Patterns field is further read, the associated attack method ID is found from the Related Attack Patterns field, whether the internal affair logic relation between the attack method and the associated attack method is sequential, causal or conditional is judged manually, the classification is carried out, the classification result is stored in the attack behavior affair logic knowledge base, and the network security affair cognitive map is formed.
Taking the SQL Injection attack type as an example: the SQL Injection attack method has CAPEC number ID 66; the value of its Related Attack Patterns field in the CAPEC classification library is read, and the associated attack ID and the corresponding relation are extracted from that field. The ID associated with the SQL Injection attack is 248 and the relation type is ChildOf; therefore the attack pattern with CAPEC number ID 66 and the attack pattern with CAPEC number ID 248 are in an order relationship, and the record [CapecID=66, CapecName="SQL Injection", RelatedID=248, Patterns="order relationship"] is written into the affair logic knowledge base.
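The following Python script is an added example, not the patent's own code, of steps S701 to S706 as just described: it walks a small CAPEC-style classification library, turns each Related Attack Patterns entry into a row of the affair logic knowledge base, and assembles the network security affair cognitive map G = {V, E, R}. Only the SQL Injection entry (CAPEC ID 66, ChildOf 248, order relationship) is taken from the text; the remaining records, the ID 9001, the weakness CWE-0000 and the relation types assigned to the CanPrecede and CanFollow natures are constructed stand-ins for the manual judgement the text describes.

```python
"""Attack behaviour affair logic knowledge base and network security affair
cognitive map G = {V, E, R} built from CAPEC-style records (steps S701-S706).

Added illustration, not the patent's code. Only the SQL Injection entry
(CAPEC ID 66, ChildOf 248, order relationship) follows the text; the other
records, ID 9001, CWE-0000 and the relation types for CanPrecede / CanFollow
are constructed stand-ins for the manual judgement described in the text."""

# Preset internal affair logic relation types (S701). "ChildOf" -> order relationship
# is the rule given in the text; the other two rows are assumptions.
RELATION_TYPES = {
    "ChildOf": "order relationship",
    "CanPrecede": "causal relationship",    # assumption
    "CanFollow": "condition relationship",  # assumption
}

# Constructed CAPEC-style classification library. "Related Attack Patterns" holds
# (nature, related CAPEC ID) pairs as in the CAPEC data file; "Related Weaknesses"
# is the CWE list that becomes the node's associated vulnerability list.
CAPEC_SAMPLE = [
    {"ID": 66, "Name": "SQL Injection",
     "Related Attack Patterns": [("ChildOf", 248)], "Related Weaknesses": ["CWE-89"]},
    {"ID": 248, "Name": "Command Injection",
     "Related Attack Patterns": [("CanPrecede", 9001)], "Related Weaknesses": ["CWE-77"]},
    {"ID": 9001, "Name": "Constructed Follow-on Pattern",   # 9001 is not a real CAPEC ID
     "Related Attack Patterns": [("CanFollow", 248), ("PeerOf", 66)],
     "Related Weaknesses": ["CWE-0000"]},                  # placeholder CWE
]


def build_knowledge_base(records):
    """S702-S705: one row per (attack method, associated attack method) pair whose
    nature maps to a preset relation type; natures without one (e.g. PeerOf) are
    skipped, as are references to IDs absent from the library."""
    names = {r["ID"]: r["Name"] for r in records}
    kb = []
    for r in records:
        for nature, related_id in r["Related Attack Patterns"]:
            relation = RELATION_TYPES.get(nature)
            if relation is None or related_id not in names:
                continue
            kb.append({"CapecID": r["ID"], "CapecName": r["Name"],
                       "RelatedID": related_id, "RelatedName": names[related_id],
                       "Patterns": relation, "CWEs": list(r["Related Weaknesses"])})
    return kb


def build_cognitive_map(kb):
    """S706: G = {V, E, R} with attack method names as nodes, relation types as
    edge labels (v_i, r_ij, v_j) and R the set of relation types in use."""
    V, E, R = set(), set(), set()
    for row in kb:
        V.update((row["CapecName"], row["RelatedName"]))
        E.add((row["CapecName"], row["Patterns"], row["RelatedName"]))
        R.add(row["Patterns"])
    return {"V": V, "E": E, "R": R}


def associated_attacks(kb, capec_id):
    """Associated attack methods of one node: the inferred next attack behaviours."""
    return [(row["RelatedID"], row["Patterns"]) for row in kb if row["CapecID"] == capec_id]


if __name__ == "__main__":
    kb = build_knowledge_base(CAPEC_SAMPLE)
    for row in kb:
        print(row)
    print(build_cognitive_map(kb))
```

The first knowledge-base row produced is exactly the record quoted above for SQL Injection; natures the preset table does not cover (PeerOf in the sample) are dropped rather than guessed, which keeps the map limited to the three relation types the embodiment defines.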
The step S8 of extracting the security alarm event stream of the network to be detected specifically includes:
S801, defining the devices in the network to be detected corresponding to the network traffic data to be detected as hosts h;
S802, defining the host set as H = {h_1, h_2, ..., h_i, ..., h_n}, wherein h_i represents the ith host and n represents the total number of hosts in the network to be detected;
S803, collecting the security alarm events corresponding to the security events generated by each host in the network to be detected corresponding to the network traffic data to be detected, and defining a collected security alarm event whose destination host is h_i as a_ij, where a_ij comprises a source address SIP, a source port SPort, a destination address DIP, a destination port DPort and an event message MSG;
S804, collecting the security alarm events of host h_i from different security devices within a unit time interval to obtain the security alarm event stream of host h_i: A_i = {a_i1, a_i2, ..., a_ij, ..., a_in};
S805, collecting the security alarm event streams of all hosts in the network to be detected to obtain the security alarm event stream of the network traffic data to be detected.
Since all devices in the network to be detected have network information such as IP addresses and ports, a networked device is defined as a host h in this embodiment. Because a networked device may have vulnerabilities or weaknesses, originating both from the device hardware (e.g. routers, switches, computer terminals) and from the software deployed on it (operating systems, databases, applications), the attributes of host h include: the ID number, the host Type (hardware, operating system, software), the host User, the host Organization, the host IP address, the Ports opened by the host, the host hardware version Hardware, the host operating system OS, the host application Software, the host vulnerability list CVEs and the host weakness list CWEs.
Security devices such as firewalls, intrusion detection devices, web application firewalls and log auditing systems in a managed network generate a large amount of alarm information every day. In actual use, the Open Source Security Information Management (OSSIM) platform is used to collect and summarize the alarm information generated by the security devices and output it in a uniform format. A security alarm event collected by the OSSIM platform whose destination host is host h_i is defined as a_ij; to keep consistent with the time interval of the threat assessment model based on network connection characteristics, 1 minute is taken as the unit time interval, the security alarm events from different security devices within the unit time interval are extracted and aggregated by destination IP, and the security alarm event stream whose destination host is host h_i is obtained.
In this embodiment S8, the preprocessing the extracted security alarm event stream specifically includes:
S806, selecting a security alarm event a_ij;
S807, searching the set H for a host corresponding to the destination address of security alarm event a_ij;
S808, if no such host exists, discarding security alarm event a_ij; if it exists, selecting from the set H the host h_i corresponding to the destination address;
S809, querying, according to the attributes of host h_i including its vulnerability list CVEs and weakness list CWEs, the list of vulnerabilities existing on host h_i, denoted as the vulnerability set
Figure 328379DEST_PATH_IMAGE005
S810, identifying the vulnerabilities existing in security alarm event a_ij, denoted as the vulnerability set
Figure 141614DEST_PATH_IMAGE006
S811, if
Figure 623280DEST_PATH_IMAGE006
is empty, discarding the security alarm event; if
Figure 598189DEST_PATH_IMAGE006
is not empty, comparing
Figure 283248DEST_PATH_IMAGE020
And
Figure 900175DEST_PATH_IMAGE021
the two vulnerability sets;
s812, if
Figure 721500DEST_PATH_IMAGE022
then the security alarm event carries no threat, and security alarm event a_ij is flagged and filtered out as a false alarm; if
Figure 618043DEST_PATH_IMAGE008
then the security alarm event carries a threat, and security alarm event a_ij is retained;
S813, all the reserved security alarm events are defined as the security alarm event flow after preprocessing.
Because the alarm events received by OSSIM come from multiple security devices, and the alarm information of these devices contains duplicates, false alarms and the like, preprocessing is required to reduce the duplication and the false alarm rate. This reduces the data volume input into the network security affair cognitive map and improves the accuracy of the evaluation result based on the network security affair cognitive map.
This embodiment S9 specifically includes:
make a vulnerability aggregate
Figure 524819DEST_PATH_IMAGE023
and find, in the attributes of host h_i, the weakness CWE corresponding to vulnerability Vuls
Figure 945436DEST_PATH_IMAGE010
then traverse the weakness lists of all attack behavior nodes in the network security affair cognitive map, and judge whether the weakness list of some attack behavior node in the network security affair cognitive map contains the weakness CWE corresponding to vulnerability Vuls;
the specific judgment process formula is as follows:
Figure 621268DEST_PATH_IMAGE024
Figure 452827DEST_PATH_IMAGE025
wherein g(A_i) represents the evaluation result based on the network security affair cognitive map, A_i.CVE denotes the vulnerabilities existing in security alarm event stream A_i, h_i.CVEs denotes the vulnerability list existing on host h_i; v_j.RelatedID represents the associated attack method ID of attack behavior node v_j, CWE represents the weakness corresponding to vulnerability Vuls, and v_j.CWEs represents the weakness list of attack behavior node v_j;
the evaluation result of the network to be detected based on the network security affair cognitive map is as follows:
if K = 0, host h_i does not have the vulnerability that triggered the alarm message, and there is no threat;
if K = 1, host h_i has the vulnerability that triggered the alarm message, a threat exists, and the attack method name and the associated attack method ID of the attack behavior node are output.
When the evaluation result based on the network security affair cognitive map is K = 1, the threat degree of the alarm message is high: host h_i has the vulnerability, and the security alarm event was generated for that host vulnerability. By inference over the affair cognitive map, the next attack behavior is the associated attack node of the attack behavior node in which the CWE corresponding to vulnerability Vuls is located; therefore, besides the attack method name of the attack behavior node, the associated attack method ID also needs to be output. In this way the method predicts network attack behavior by utilizing the analysis and reasoning advantages of the affair cognitive map, and the accuracy of network security threat assessment is improved.
This embodiment S10 specifically includes:
fusing a threat evaluation result of the network to be detected based on the network flow characteristics and an evaluation result based on the network security incident cognitive map, wherein the specific formula is as follows:
Figure 846899DEST_PATH_IMAGE014
wherein Y represents the feature vector of the network connection of the network traffic data to be detected, BiLSTM(Y) represents the threat assessment result based on network traffic features, A_i represents the security alarm event stream of the network traffic data to be detected, g(A_i) represents the evaluation result based on the network security affair cognitive map,
Figure 805628DEST_PATH_IMAGE015
and
Figure 601546DEST_PATH_IMAGE016
representing the weight coefficients.
The threat assessment result based on network flow characteristics obtained with the BiLSTM neural network has a high recall ratio but a low precision ratio, while the evaluation result based on the network security affair cognitive map has a high precision ratio but a low recall ratio; combining the advantages of the two models therefore improves both the recall ratio and the precision ratio, fully utilizes the reasoning capability of the affair cognitive map, and allows the next attack behavior to be predicted.
In actual use, the weight coefficients
Figure 354738DEST_PATH_IMAGE015
and
Figure 718330DEST_PATH_IMAGE016
can be adjusted, which adjusts the weights of the threat assessment result based on network flow characteristics and the evaluation result based on the network security affair cognitive map; for example, when the network security equipment is complete and more alarm information is obtained, the weight
Figure 480749DEST_PATH_IMAGE016
can be increased, and otherwise reduced.
Suppose that
Figure 131174DEST_PATH_IMAGE017
then the final network security threat assessment result is obtained as follows:
if E = 0, the threat degree is 0, and the flow in the current time interval is normal flow;
if E = 1, the threat degree is 1, i.e. BiLSTM(Y) = 1 and g(A_i) = 0, or BiLSTM(Y) = 0 and g(A_i) = 1; that is, the threat assessment model based on traffic characteristics determines that the source host launches an attack but the threat assessment model based on the network security affair cognitive map determines that the destination host has no threat, or the threat assessment model based on traffic characteristics determines that the source host has no attack behavior and the destination host is not attacked but the threat assessment model based on the network security affair cognitive map determines that the destination host has a threat; at this time the network threat degree is low;
if E = 2, the threat degree is 2, i.e. BiLSTM(Y) = 2 and g(A_i) = 0, or BiLSTM(Y) = 1 and g(A_i) = 1; that is, the threat assessment model based on traffic characteristics determines that the destination host is attacked but the threat assessment model based on the network security affair cognitive map determines that the destination host has no threat, or the threat assessment model based on traffic characteristics determines that the source host launches an attack and the threat assessment model based on the network security affair cognitive map determines that the destination host has a threat; at this time the network threat degree is medium;
if E = 3, the threat degree is 3, i.e. BiLSTM(Y) = 2 and g(A_i) = 1; that is, the threat assessment model based on traffic characteristics determines that the destination host is attacked and the threat assessment model based on the network security affair cognitive map determines that the destination host has a threat; at this time the network threat degree is high.
Suppose that
Figure 55267DEST_PATH_IMAGE018
then the two evaluation results carry the same weight, and the higher the value of E, the greater the threat degree; when g(A_i) = 1, the next attack behavior can also be predicted. The advantages of the two network security assessment methods are thus fully utilized, and the precision ratio and recall ratio of network security threat assessment are improved.
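As an added worked example that is not code from the patent, the following Python script carries steps S8 to S10 of this embodiment through end to end on constructed data: the alarm preprocessing of S806 to S813 (destination host lookup in H, vulnerability identification, comparison of the alarm's and the host's vulnerability sets, false-alarm filtering), the cognitive-map evaluation g(A_i) of step S9 with the associated attack method ID as the predicted next attack, and the fusion of step S10. Hosts, alarms, the CVE placeholders of the form CVE-0000-000x and the small slice of the cognitive map are constructed. Assumptions beyond the text: an alarm's vulnerabilities are identified from the CVE identifiers in its MSG field; the host attribute CWEs is stored as a CVE to CWE mapping so that the weakness corresponding to vulnerability Vuls can be looked up; identical alarms reported by several security devices are collapsed to one, following the remark on duplicates under step S8; and, since the fusion formula is given only as a figure, it is written here as E = alpha * BiLSTM(Y) + beta * g(A_i), a form that reproduces the four E = 0..3 cases above when alpha = beta = 1.

```python
"""Security alarm event preprocessing (S806-S813), cognitive-map evaluation g(A_i) (S9)
and result fusion (S10).

Added illustration, not code from the patent. Hosts, alarms and the cognitive map slice
are constructed; CVE identifiers are placeholders. Assumptions: alarm vulnerabilities are
read from CVE IDs in MSG; host CWEs is a CVE -> CWE mapping; duplicate alarms are collapsed;
the fusion takes the form E = alpha * BiLSTM(Y) + beta * g(A_i)."""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed host set H keyed by IP address (a subset of the host attributes in the text).
HOSTS = {
    "10.0.0.9": {"ID": "h1", "CVEs": ["CVE-0000-0001"], "CWEs": {"CVE-0000-0001": "CWE-89"}},
    "10.0.0.8": {"ID": "h2", "CVEs": [], "CWEs": {}},
}

# Constructed slice of the network security affair cognitive map:
# attack behaviour node -> associated attack method ID (RelatedID) and weakness list (CWEs).
COGNITIVE_MAP = {
    "SQL Injection": {"RelatedID": 248, "CWEs": ["CWE-89"]},
    "Command Injection": {"RelatedID": 9001, "CWEs": ["CWE-77"]},   # 9001 is a constructed ID
}

# Constructed security alarm events a_ij of one unit time interval.
ALARMS = [
    {"SIP": "10.0.0.5", "SPort": 51000, "DIP": "10.0.0.9", "DPort": 80, "MSG": "SQL injection attempt (CVE-0000-0001)"},
    {"SIP": "10.0.0.5", "SPort": 51000, "DIP": "10.0.0.9", "DPort": 80, "MSG": "SQL injection attempt (CVE-0000-0001)"},  # same event, second device
    {"SIP": "10.0.0.5", "SPort": 51001, "DIP": "10.0.0.8", "DPort": 80, "MSG": "SQL injection attempt (CVE-0000-0001)"},  # host lacks the CVE
    {"SIP": "10.0.0.5", "SPort": 51002, "DIP": "10.0.0.99", "DPort": 22, "MSG": "SSH brute force"},                       # not a managed host
    {"SIP": "10.0.0.7", "SPort": 40000, "DIP": "10.0.0.9", "DPort": 22, "MSG": "SSH brute force"},                        # no CVE identified
]


def preprocess_alarm_stream(alarms, hosts):
    """S806-S813: returns (retained alarms, alarms flagged as false alarms)."""
    retained, false_alarms, seen = [], [], set()
    for a in alarms:
        key = (a["SIP"], a["SPort"], a["DIP"], a["DPort"], a["MSG"])
        if key in seen:                                  # duplicate report from another device
            continue
        seen.add(key)
        host = hosts.get(a["DIP"])                       # S807/S808: destination must be in H
        if host is None:
            continue
        alarm_cves = set(CVE_RE.findall(a["MSG"]))       # S810: vulnerabilities named by the alarm
        if not alarm_cves:                               # S811: nothing identifiable, discard
            continue
        common = alarm_cves & set(host["CVEs"])          # S811: compare with the host's CVE list
        if not common:                                   # S812: empty intersection, false alarm
            false_alarms.append(a)
            continue
        retained.append({**a, "Vuls": sorted(common)})
    return retained, false_alarms


def cognitive_map_assessment(alarm, hosts, cognitive_map):
    """S9: returns (K, predictions). K = 1 when some attack node's weakness list holds the
    weakness that corresponds to the alarm's vulnerability on host h_i; each prediction is
    (attack method name, associated attack method ID), the ID being the inferred next step."""
    host = hosts[alarm["DIP"]]
    predictions = []
    for cve in alarm["Vuls"]:
        cwe = host["CWEs"].get(cve)
        if cwe is None:
            continue
        for name, node in cognitive_map.items():
            if cwe in node["CWEs"]:
                predictions.append((name, node["RelatedID"]))
    return (1 if predictions else 0), predictions


def fuse(bilstm_result, k, alpha=1.0, beta=1.0):
    """S10 (assumed form): E = alpha * BiLSTM(Y) + beta * g(A_i)."""
    return alpha * bilstm_result + beta * k


def threat_level(e):
    """Reading of E for alpha = beta = 1, following the four cases in the text."""
    return {0: "none", 1: "low", 2: "medium", 3: "high"}[int(e)]


def assess(host_ip, alarms, hosts, cognitive_map, bilstm_result, alpha=1.0, beta=1.0):
    """S8 -> S10 for one destination host, given the traffic model's result L = BiLSTM(Y)
    (0 normal, 1 attack traffic, 2 attacked traffic) for the connections to that host."""
    retained, _ = preprocess_alarm_stream(alarms, hosts)
    k, predictions = 0, []
    for a in retained:
        if a["DIP"] != host_ip:
            continue
        ka, pa = cognitive_map_assessment(a, hosts, cognitive_map)
        k = max(k, ka)
        predictions.extend(pa)
    e = fuse(bilstm_result, k, alpha, beta)
    level = threat_level(e) if alpha == beta == 1.0 else None
    return {"E": e, "level": level, "next_attack": predictions}


if __name__ == "__main__":
    print(assess("10.0.0.9", ALARMS, HOSTS, COGNITIVE_MAP, bilstm_result=2))
```

Of the five constructed alarms only the first survives preprocessing: its duplicate is collapsed, the alarm against 10.0.0.8 is flagged as a false alarm because that host has no matching CVE, the alarm against an unmanaged address is dropped, and the alarm with no identifiable vulnerability is discarded. The surviving alarm maps through CWE-89 to the SQL Injection node, so K = 1 with associated attack method ID 248 as the predicted next step; with the traffic model reporting the host as attacked (L = 2) the fused result is E = 3, the high level of the text.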
Example 2
As shown in fig. 2, the present embodiment provides a network security threat assessment system, including:
the network flow acquisition module is used for acquiring the characteristic data of the network flow as a sample set; predefining the label information type of the characteristic data, and manually marking the preprocessed network flow characteristic data according to the label information type; and/or collecting the network traffic data to be detected and extracting the characteristic data of the network traffic data to be detected.
Extracting network connection basic characteristics of network traffic data: the method comprises the following steps of starting Time of network connection, duration of network connection, source IP address SIP of network connection, destination IP address DIP of network connection, source port SPort of network connection, destination port DPort of network connection, protocol type Proto of network connection, number Packets of data Packets generated in the network connection process, number Bytes generated in the network connection process and flag bit string Flags of the data Packets in the network connection process;
extracting network connection advanced features of network traffic data: the source host network connection number SFlow, the destination host network connection number DFlow and the destination host service use times DPortFlow;
and the network flow processing module is used for preprocessing the extracted characteristic data.
Normalizing the features network connection Duration, number Packets of data packets generated during the network connection, number Bytes generated during the network connection, source host network connection number SFlow, destination host network connection number DFlow and destination host service use times DPortFlow, and One-hot encoding the features network connection source IP address SIP, network connection destination IP address DIP, network connection source port SPort, network connection destination port DPort, network connection protocol type Proto and flag string Flags of the data packets during the network connection;
the specific mode of the normalization processing is as follows:
let the value of a certain network connection feature X_j be x_j, let x_min be the minimum value of feature X_j within unit time T and x_max the maximum value of feature X_j within unit time T; then, after normalization, the normalized result of feature X_j is
Figure 973731DEST_PATH_IMAGE027
Forming a feature vector Y, Y = { Y) connected with a network in a unit time interval T according to the feature data after normalization processing and One-hot coding processing 1 ,y 2 ,...,y m And m represents a feature dimension set after data preprocessing.
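The preprocessing pipeline above, written out as an added example (this is not code from the patent or its assignees): it windows a constructed list of connection records by the unit time T, derives SFlow, DFlow and DPortFlow, min-max normalizes the numeric features over the window, One-hot encodes the categorical ones, and returns one vector Y per connection. The sample records are constructed, counting the advanced features over the current window is this example's assumption (the text does not say over what scope they are counted), and the `vocab` parameter is an addition the text does not mention.

```python
from collections import Counter

# Constructed per-connection records for the example (not captured traffic).
# Field order follows the basic features in the text:
# Time, Duration, SIP, DIP, SPort, DPort, Proto, Packets, Bytes, Flags
FIELDS = ("Time", "Duration", "SIP", "DIP", "SPort", "DPort",
          "Proto", "Packets", "Bytes", "Flags")
CONNECTIONS = [
    (0.5,  0.20, "10.0.0.5", "10.0.0.9", 40000, 22,  "tcp", 12, 1800,  "S"),
    (1.2,  0.01, "10.0.0.5", "10.0.0.9", 40001, 22,  "tcp",  2,  120,  "S"),
    (2.0,  0.01, "10.0.0.5", "10.0.0.9", 40002, 80,  "tcp",  2,  120,  "S"),
    (3.7,  4.50, "10.0.0.7", "10.0.0.9", 51000, 443, "tcp", 90, 65000, "SA"),
    (6.1,  0.00, "10.0.0.7", "10.0.0.8", 53000, 53,  "udp",  1,   64,  ""),
    (61.0, 0.30, "10.0.0.5", "10.0.0.9", 40003, 22,  "tcp", 10, 1500,  "S"),  # 2nd window
]
NUMERIC = ("Duration", "Packets", "Bytes", "SFlow", "DFlow", "DPortFlow")
CATEGORICAL = ("SIP", "DIP", "SPort", "DPort", "Proto", "Flags")


def window(connections, T, i):
    """Series C for window i: connections with t_{i-1} <= Time < t_i, t_i = i*T, ordered by Time."""
    lo, hi = (i - 1) * T, i * T
    rows = [dict(zip(FIELDS, c)) for c in connections if lo <= c[0] < hi]
    return sorted(rows, key=lambda r: r["Time"])


def add_advanced_features(rows):
    """SFlow, DFlow, DPortFlow: connection counts per source host, per destination host and
    per destination host:port. Counting over the current window is this example's assumption."""
    sflow = Counter(r["SIP"] for r in rows)
    dflow = Counter(r["DIP"] for r in rows)
    dport = Counter((r["DIP"], r["DPort"]) for r in rows)
    for r in rows:
        r["SFlow"] = sflow[r["SIP"]]
        r["DFlow"] = dflow[r["DIP"]]
        r["DPortFlow"] = dport[(r["DIP"], r["DPort"])]
    return rows


def min_max(rows):
    """y_j = (x_j - x_min) / (x_max - x_min) with x_min, x_max taken over the window.
    A feature that is constant in the window would divide by zero; it is mapped to 0.0."""
    out = {}
    for f in NUMERIC:
        vals = [r[f] for r in rows]
        lo, hi = min(vals), max(vals)
        out[f] = [0.0 if hi == lo else (v - lo) / (hi - lo) for v in vals]
    return out


def one_hot(rows, vocab=None):
    """One 0/1 column per (feature, value). The vocabulary comes from the window unless a
    frozen one (built from the training set) is supplied, which keeps m fixed across windows."""
    vocab = vocab or {f: sorted({str(r[f]) for r in rows}) for f in CATEGORICAL}
    cols = []
    for f in CATEGORICAL:
        for v in vocab[f]:
            cols.append([1.0 if str(r[f]) == v else 0.0 for r in rows])
    return cols


def feature_vectors(connections, T, i, vocab=None):
    """Return the feature vectors Y (one per connection) for window i."""
    rows = add_advanced_features(window(connections, T, i))
    if not rows:
        return []
    num, cat = min_max(rows), one_hot(rows, vocab)
    return [[num[f][k] for f in NUMERIC] + [col[k] for col in cat]
            for k in range(len(rows))]


if __name__ == "__main__":
    for y in feature_vectors(CONNECTIONS, T=60, i=1):
        print(len(y), [round(v, 3) for v in y[:6]])
```

Two points the text leaves open show up immediately when this runs: normalizing per window means a feature that is constant within a window needs an explicit rule (here 0.0), and One-hot encoding SIP, DIP and ports from the window itself gives a different m for every window, which a BiLSTM with a fixed input width cannot consume; in practice the vocabulary is frozen from the training set and passed in, with unseen values mapped to an extra column.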
The threat assessment model management module constructs a BiLSTM neural network model and trains and tests it with the preprocessed network traffic feature data and the manually labelled label information types, obtaining a threat assessment model based on network traffic features; this model then performs network security threat assessment on the preprocessed feature data of the network traffic data to be detected, yielding the threat assessment result based on network traffic features.
Let the unit time interval be T, with $t_0 = 0$, $t_1 = t_0 + T$ and $t_i = t_{i-1} + T$ for $i \ge 1$; collect all network connections whose start Time satisfies $t_{i-1} \le Time < t_i$ and order them by start time to form the network connection series within the unit time, $C = \{C_1, C_2, \ldots, C_i, \ldots, C_n\}$, where $C_i$ is the i-th network connection Con in the unit time interval and n is the number of network connections on the network link within the interval T;
let the network connection of the network traffic data to be detected be $C_Y$ with feature vector Y; the predefined label information types of the feature data are normal traffic, attack traffic and attacked traffic;
the threat assessment result of the network to be detected based on network traffic features is L = BiLSTM(Y):
if L = 0, the current network connection $C_Y$ is normal traffic;
if L = 1, the current network connection $C_Y$ is attack traffic, i.e. the source host launches a network attack;
if L = 2, the current network connection $C_Y$ is attacked traffic, i.e. the destination host is attacked.
The security alarm event acquisition module extracts a security alarm event stream from the network traffic data to be detected.
Each device in the network to be detected corresponding to the network traffic data to be detected is defined as a host h, and the host set as $H = \{h_1, h_2, \ldots, h_i, \ldots, h_n\}$, where $h_i$ is the i-th host and n the total number of hosts in the network to be detected. The security alarm events corresponding to the security events generated on each host of that network are collected, and the j-th security alarm event collected for the target host $h_i$ is defined as $a_{ij}$; $a_{ij}$ comprises a source address SIP, a source port SPort, a destination address DIP, a destination port DPort and an event MSG. Collecting the security alarm events received for host $h_i$ from different security devices within a unit time interval gives the security alarm event stream of $h_i$: $A_i = \{a_{i1}, a_{i2}, \ldots, a_{ij}, \ldots, a_{in}\}$; the security alarm event streams of all hosts in the network to be detected together form the security alarm event stream of the network traffic data to be detected.
The security alarm event processing module preprocesses the extracted security alarm event stream.
Select a security alarm event $a_{ij}$; look up whether the set H contains the host corresponding to the destination address of $a_{ij}$. If it does not, discard $a_{ij}$; if it does, select that host $h_i$ from H. The attributes of host $h_i$ include the list CVEs of vulnerabilities present on the host and the list CWEs of weaknesses present on the host; query the vulnerability list of $h_i$ and denote it by the vulnerability set $h_i.CVEs$; identify the vulnerabilities referenced by $a_{ij}$ and denote them by the vulnerability set $a_{ij}.CVE$. If $a_{ij}.CVE$ is empty, discard the security alarm event; if it is not empty, compare the two vulnerability sets $a_{ij}.CVE$ and $h_i.CVEs$: if none of the vulnerabilities referenced by $a_{ij}$ is present in $h_i.CVEs$, the security alarm event poses no threat and $a_{ij}$ is marked as a false alarm and filtered out; if a referenced vulnerability is present in $h_i.CVEs$, the security alarm event poses a threat and $a_{ij}$ is retained. All retained security alarm events form the preprocessed security alarm event stream.
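The alarm preprocessing described above, as an added example rather than code from the patent: a constructed host set H with per-host CVE and CWE attributes, a constructed batch of alarm events from several sensors, and a filter that applies the three rules in order (unknown destination host, empty vulnerability set, vulnerability not present on the host) and keeps the reason for every discard. Reading "compare the two vulnerability sets" as a set intersection is this example's interpretation; the `CVE` field on each alarm (the vulnerability the sensor signature is tagged with) is assumed to be supplied by the sensor.

```python
# Constructed host set H with the attributes the text names: the vulnerabilities (CVEs) and
# weaknesses (CWEs) present on each host. Not a real inventory.
HOSTS = {
    "10.0.0.9": {"CVEs": {"CVE-2021-44228", "CVE-2019-0708"}, "CWEs": {"CWE-502", "CWE-416"}},
    "10.0.0.8": {"CVEs": set(), "CWEs": set()},
}

# Constructed security alarm events a_ij as collected from several sensors (not real alerts).
# SIP, SPort, DIP, DPort and MSG are the fields in the text; "CVE" is the vulnerability set the
# sensor tagged the signature with (how that tag is produced is outside this example).
ALARMS = [
    {"SIP": "198.51.100.7", "SPort": 44321, "DIP": "10.0.0.9",  "DPort": 8080,
     "MSG": "Log4j JNDI lookup in header", "CVE": {"CVE-2021-44228"}},
    {"SIP": "198.51.100.7", "SPort": 44322, "DIP": "10.0.0.9",  "DPort": 445,
     "MSG": "SMB exploit attempt", "CVE": {"CVE-2017-0144"}},
    {"SIP": "198.51.100.8", "SPort": 5555,  "DIP": "10.0.0.77", "DPort": 22,
     "MSG": "SSH user enumeration", "CVE": {"CVE-2018-15473"}},
    {"SIP": "198.51.100.9", "SPort": 6000,  "DIP": "10.0.0.8",  "DPort": 53,
     "MSG": "DNS query anomaly", "CVE": set()},
]


def preprocess_alarms(alarms, hosts):
    """Apply the three filters of the text in order. Returns (retained, dropped); each dropped
    entry carries its reason so the discard rate per reason can be monitored."""
    retained, dropped = [], []
    for a in alarms:
        host = hosts.get(a["DIP"])
        if host is None:                        # destination is not a host in H
            dropped.append((a, "destination not in host set"))
            continue
        if not a["CVE"]:                        # a_ij.CVE is empty
            dropped.append((a, "alarm references no vulnerability"))
            continue
        # "Compare the two vulnerability sets": read here as set intersection, i.e. keep the
        # alarm only if at least one vulnerability it references is present on the host.
        if not (a["CVE"] & host["CVEs"]):
            dropped.append((a, "false alarm: host lacks the vulnerability"))
            continue
        retained.append(a)
    return retained, dropped


def alarm_streams(retained):
    """Group the retained events by target host: A_i = {a_i1, a_i2, ...} in arrival order."""
    streams = {}
    for a in retained:
        streams.setdefault(a["DIP"], []).append(a)
    return streams


if __name__ == "__main__":
    kept, gone = preprocess_alarms(ALARMS, HOSTS)
    for a, why in gone:
        print(f"drop {a['DIP']}:{a['DPort']} {a['MSG']!r}: {why}")
    print("A_i streams:", {h: [a["MSG"] for a in s] for h, s in alarm_streams(kept).items()})
```

Running this on the constructed batch keeps only the Log4j alarm. The second rule is worth noticing operationally: every alert that carries no CVE (brute force, enumeration, DNS anomalies, policy violations) is discarded before the map-based evaluation ever sees it, so the second assessment path covers vulnerability-keyed alerts only, and the third rule is only as good as the host CVE inventory is current.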
The network security event-logic cognitive map management module acquires a classification library containing data related to attack behaviors, presets the internal event-logic relationships of at least two attack behaviors, determines the internal event-logic relationship of the attack behaviors corresponding to the data in the classification library, classifies the data in the library according to the determination result, and generates the network security event-logic cognitive map from the classification result; it then performs network security threat assessment on the preprocessed security alarm event stream based on the map, obtaining the assessment result based on the network security event-logic cognitive map.
Preset the internal event-logic relationship types of at least two attack behaviors; traverse the data in the classification library, which comprises at least: classification library number, attack method name and product name; read each attack method, then the product name corresponding to it, and use the product name to find the classification library number associated with the attack method; define an attack method in the classification library that has an internal event-logic relationship with the attack method as an associated attack method, and determine the type of internal event-logic relationship between the attack method and the associated attack method; classify by that relationship type and store the classification result in an attack behavior event-logic knowledge base comprising: classification library number, attack method name, associated attack method ID, internal event-logic relationship type and associated vulnerability list CWEs; form the network security event-logic cognitive map G = {V, E, R} from the knowledge base, where the attack method names of the knowledge base are the nodes, forming the attack behavior node set V of the map, and the internal event-logic relationship types of the knowledge base are the labels used to construct the edge set E of the map, an edge joining two different attack behavior nodes $v_i$ and $v_j$ and carrying the type of internal event-logic relationship between $v_i$ and $v_j$, which belongs to R, the set of internal event-logic relationship types.
Let the vulnerability set be Vuls [formula image not reproduced]; look up in the attributes of host $h_i$ the weakness CWE corresponding to the vulnerability Vuls, traverse the vulnerability lists of all attack behavior nodes in the network security event-logic cognitive map, and judge whether the vulnerability list of some attack behavior node in the map contains the weakness CWE corresponding to the vulnerability Vuls;
the specific judgment formula is as follows:
[judgment formula images not reproduced]
wherein $g(A_i)$ denotes the evaluation result based on the network security event-logic cognitive map, $A_i.CVE$ the vulnerabilities present in the security alarm event stream $A_i$, $h_i.CVEs$ the vulnerability list of host $h_i$, relatedID the associated attack method ID of attack behavior node $v_j$, CWE the weakness corresponding to the vulnerability Vuls, and CWEs the vulnerability list of attack behavior node $v_j$.
The evaluation result K of the network to be detected based on the network security event-logic cognitive map (the value of $g(A_i)$) is:
if K = 0, host $h_i$ has no weakness that triggers the alarm information, and there is no threat;
if K = 1, host $h_i$ has a weakness that triggers the alarm information, there is a threat, and the attack method name and associated attack method ID of the attack behavior node are output.
The network security threat assessment result fusion module fuses the threat assessment result based on network traffic features and the evaluation result based on the network security event-logic cognitive map of the network to be detected into the final network security threat assessment result.
The specific formula is as follows:
$$E = w_1 \cdot BiLSTM(Y) + w_2 \cdot g(A_i)$$
wherein Y is the feature vector of the network connection of the network traffic data to be detected, BiLSTM(Y) the threat assessment result based on network traffic features, $A_i$ the security alarm information stream of the network traffic data to be detected, $g(A_i)$ the evaluation result based on the network security event-logic cognitive map, and $w_1$ and $w_2$ the weight coefficients.
Assume $w_1 = w_2 = 1$. The final network security threat assessment result is then:
if E = 0, the threat level is 0 and the traffic in the current time interval is normal traffic;
if E = 1, the threat level is 1, i.e. BiLSTM(Y) = 1 and $g(A_i)$ = 0, or BiLSTM(Y) = 0 and $g(A_i)$ = 1: either the traffic-feature model judges that the source host launches an attack while the map-based model judges that the target host is not threatened, or the traffic-feature model finds neither an attack by the source host nor an attack on the target host while the map-based model judges that the target host is threatened; the network threat level is low;
if E = 2, the threat level is 2, i.e. BiLSTM(Y) = 2 and $g(A_i)$ = 0, or BiLSTM(Y) = 1 and $g(A_i)$ = 1: either the traffic-feature model judges that the destination host is attacked while the map-based model judges that it is not threatened, or the traffic-feature model judges that the source host launches an attack and the map-based model judges that the target host is threatened; the network threat level is medium;
if E = 3, the threat level is 3, i.e. BiLSTM(Y) = 2 and $g(A_i)$ = 1: the traffic-feature model judges that the destination host is attacked and the map-based model judges that it is threatened; the network threat level is high.
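The map construction, the map-based evaluation $g(A_i)$ and the fusion into E, as one added example covering the three preceding passages (not code from the patent or its assignees). The knowledge base rows, the relationship names, the host attributes and the alarm stream are all constructed; taking Vuls as the vulnerabilities referenced by $A_i$ that are present on $h_i$, and keeping the CVE-to-CWE correspondence as a host attribute (`CVE_to_CWE`), are this example's reading of "find the weakness CWE corresponding to Vuls in the attributes of host $h_i$". The BiLSTM label is passed in as a number, since the traffic model itself is out of scope here.

```python
# Constructed rows of the attack behavior event-logic knowledge base, with the columns the text
# lists: library number, attack method name, associated attack method ID, internal event-logic
# relationship type, associated weakness (CWE) list. Relationship names are illustrative.
KNOWLEDGE_BASE = [
    ("KB-001", "Deserialization of untrusted data", "KB-002", "enables",  {"CWE-502"}),
    ("KB-002", "Remote code execution",             "KB-003", "enables",  {"CWE-94", "CWE-502"}),
    ("KB-003", "Privilege escalation",              None,     None,       {"CWE-269", "CWE-416"}),
    ("KB-004", "Credential brute force",            "KB-003", "precedes", {"CWE-307"}),
]

# Constructed host attributes: vulnerabilities present plus, for each, the weakness it maps to.
# Keeping the CVE-to-CWE correspondence as a host attribute is this example's assumption.
HOST_9 = {
    "CVEs": {"CVE-2021-44228", "CVE-2019-0708", "CVE-2020-11022"},
    "CVE_to_CWE": {"CVE-2021-44228": "CWE-502", "CVE-2019-0708": "CWE-416",
                   "CVE-2020-11022": "CWE-79"},
}
LEVELS = {0: "normal", 1: "low", 2: "medium", 3: "high"}


def build_graph(rows):
    """G = {V, E, R}: V maps attack method name -> node attributes, E maps (v_i, v_j) -> the
    relationship type labelling that edge, R is the set of relationship types."""
    name_of = {r[0]: r[1] for r in rows}
    V = {r[1]: {"id": r[0], "relatedID": r[2], "CWEs": set(r[4])} for r in rows}
    E = {(r[1], name_of[r[2]]): r[3] for r in rows if r[2] in name_of}
    R = set(E.values())
    return V, E, R


def g(alarm_stream, host, V):
    """Map-based evaluation for one host. Vuls = vulnerabilities referenced by A_i that are
    present on h_i (this example's reading). Returns (K, hits): K = 1 if the CWE of some
    vulnerability in Vuls appears in an attack node's weakness list; hits lists the
    (attack method name, associated attack method ID) pairs of those nodes."""
    referenced = set().union(*(a["CVE"] for a in alarm_stream))
    vuls = referenced & host["CVEs"]
    cwes = {host["CVE_to_CWE"][v] for v in vuls if v in host["CVE_to_CWE"]}
    hits = [(name, node["relatedID"]) for name, node in V.items() if node["CWEs"] & cwes]
    return (1 if hits else 0), hits


def fuse(bilstm_label, k, w1=1, w2=1):
    """E = w1 * BiLSTM(Y) + w2 * g(A_i); with unit weights E is the threat level 0..3."""
    return w1 * bilstm_label + w2 * k


def assess(bilstm_label, alarm_stream, host, V):
    """Combine the traffic-side label (0 normal, 1 attacking, 2 attacked) with the map-side K."""
    k, hits = g(alarm_stream, host, V)
    e = fuse(bilstm_label, k)
    return {"E": e, "level": LEVELS[e], "K": k, "attack_nodes": hits}


if __name__ == "__main__":
    V, E, R = build_graph(KNOWLEDGE_BASE)
    stream = [{"CVE": {"CVE-2021-44228"}}, {"CVE": {"CVE-2017-0144"}}]   # constructed A_i
    print(assess(2, stream, HOST_9, V))
```

With unit weights the fusion is a plain sum, so E = 2 covers two quite different situations (destination attacked with no matching weakness, and source attacking while the target is vulnerable); an operator who needs to tell them apart should keep the pair (BiLSTM(Y), $g(A_i)$) next to E, or choose weights whose six sums are distinct (for instance $w_1 = 1$, $w_2 = 3$). The evaluation also only fires when the CVE-to-CWE mapping on the host is populated; a vulnerability with no recorded weakness yields K = 0 regardless of the map.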
In actual use, the network security threat assessment result fusion module can raise alerts by page notification, e-mail notification and WeChat notification.
It should be understood that the above embodiments of the present invention are only examples for clearly illustrating its technical solutions and are not intended to limit its specific embodiments. Any modification, equivalent replacement or improvement made within the spirit and principle of the claims falls within the protection scope of the claims.

Claims (10)

1. A method for assessing cyber-security threats, comprising:
collecting feature data of network traffic as a sample set, and preprocessing the extracted feature data;
predefining the label information types of the feature data, and manually labelling the preprocessed network traffic feature data according to the label information types;
constructing a BiLSTM neural network model, and training and testing it with the preprocessed network traffic feature data and the manually labelled label information types to obtain a threat assessment model based on network traffic features;
acquiring a classification library containing data related to attack behaviors;
presetting the internal event-logic relationships of at least two attack behaviors, determining the internal event-logic relationship of the attack behaviors corresponding to the data in the classification library, classifying the data in the classification library according to the determination result, and generating a network security event-logic cognitive map according to the classification result;
collecting network traffic data to be detected, extracting its feature data, and preprocessing the extracted feature data;
performing network security threat assessment on the preprocessed feature data of the network traffic data to be detected with the threat assessment model based on network traffic features, to obtain a threat assessment result based on network traffic features;
extracting a security alarm event stream from the network traffic data to be detected, and preprocessing the extracted security alarm event stream;
performing network security threat assessment on the preprocessed security alarm event stream based on the network security event-logic cognitive map, to obtain an assessment result based on the network security event-logic cognitive map;
and fusing the threat assessment result based on network traffic features and the assessment result based on the network security event-logic cognitive map of the network to be detected, to obtain a final network security threat assessment result.
2. The method for assessing network security threats according to claim 1, wherein presetting the internal event-logic relationships of at least two attack behaviors, determining the internal event-logic relationship of the attack behaviors corresponding to the data in the classification library, classifying the data in the classification library according to the determination result and generating the network security event-logic cognitive map according to the classification result specifically comprises:
presetting the internal event-logic relationship types of at least two attack behaviors;
traversing the data in the classification library, which comprises at least: classification library number, attack method name and product name;
reading each attack method, further reading the product name corresponding to the attack method, and finding the classification library number associated with the attack method by the product name;
defining an attack method in the classification library that has an internal event-logic relationship with the attack method as an associated attack method, and determining the corresponding internal event-logic relationship type between the attack method and the associated attack method;
classifying according to the internal event-logic relationship type between the attack method and the associated attack method, and storing the classification result in an attack behavior event-logic knowledge base comprising: classification library number, attack method name, associated attack method ID, internal event-logic relationship type and associated vulnerability list CWEs;
forming a network security event-logic cognitive map G = {V, E, R} from the event-logic knowledge base, wherein the attack method names of the knowledge base are used as nodes to construct the attack behavior node set V of the map, and the internal event-logic relationship types of the knowledge base are used as labels to construct the edge set E of the map, an edge joining two different attack behavior nodes $v_i$ and $v_j$ and carrying the internal event-logic relationship type between $v_i$ and $v_j$, which belongs to R, the set of internal event-logic relationship types.
3. The method according to claim 2, wherein extracting the security alarm event stream of the network to be detected specifically comprises:
defining each device in the network to be detected corresponding to the network traffic data to be detected as a host h;
defining the host set as $H = \{h_1, h_2, \ldots, h_i, \ldots, h_n\}$, where $h_i$ represents the i-th host and n the total number of hosts in the network to be detected;
collecting the security alarm events corresponding to the security events of each host in the network to be detected corresponding to the network traffic data to be detected, and defining the j-th security alarm event collected for the target host $h_i$ as $a_{ij}$, wherein $a_{ij}$ comprises a source address SIP, a source port SPort, a destination address DIP, a destination port DPort and an event MSG;
collecting the security alarm events from different security devices within a unit time interval of host $h_i$ to obtain the security alarm event stream of host $h_i$: $A_i = \{a_{i1}, a_{i2}, \ldots, a_{ij}, \ldots, a_{in}\}$;
and collecting the security alarm event streams of all hosts in the network to be detected to obtain the security alarm event stream of the network traffic data to be detected.
4. The cyber-security threat assessment method according to claim 3, wherein preprocessing the extracted security alarm event stream specifically comprises:
selecting a security alarm event $a_{ij}$;
searching the set H for the host corresponding to the destination address of the security alarm event $a_{ij}$;
if the host $h_i$ corresponding to the destination address is not in the set H, discarding the security alarm event $a_{ij}$;
the attributes of host $h_i$ comprising a list CVEs of vulnerabilities present on the host and a list CWEs of weaknesses present on the host, querying the vulnerability list of host $h_i$ and recording it as the vulnerability set $h_i.CVEs$;
identifying the vulnerabilities referenced by the security alarm event $a_{ij}$ and recording them as the vulnerability set $a_{ij}.CVE$;
if $a_{ij}.CVE$ is empty, discarding the security alarm event;
if $a_{ij}.CVE$ is not empty, comparing the two vulnerability sets $a_{ij}.CVE$ and $h_i.CVEs$;
if none of the vulnerabilities in $a_{ij}.CVE$ is present in $h_i.CVEs$, marking the security alarm event as a false alarm and filtering it out, the security alarm event posing no threat;
if a vulnerability in $a_{ij}.CVE$ is present in $h_i.CVEs$, the security alarm event poses a threat and the security alarm event $a_{ij}$ is retained;
all retained security alarm events are defined as the preprocessed security alarm event stream.
5. The method for evaluating network security threats according to claim 4, wherein performing network security threat assessment on the preprocessed security alarm event stream based on the network security event-logic cognitive map to obtain an assessment result based on the network security event-logic cognitive map specifically comprises:
letting the vulnerability set be Vuls [formula image not reproduced];
searching the attributes of host $h_i$ for the weakness CWE corresponding to the vulnerability Vuls, traversing the vulnerability lists of all attack behavior nodes in the network security event-logic cognitive map, and judging whether the vulnerability list of some attack behavior node in the map contains the weakness CWE corresponding to the vulnerability Vuls;
the specific judgment formula is as follows:
[judgment formula images not reproduced]
wherein $g(A_i)$ represents the evaluation result based on the network security event-logic cognitive map, $A_i.CVE$ represents the vulnerabilities present in the security alarm event stream $A_i$, $h_i.CVEs$ represents the vulnerability list of host $h_i$, relatedID represents the associated attack method ID of attack behavior node $v_j$, CWE represents the weakness corresponding to the vulnerability Vuls, and CWEs represents the vulnerability list of attack behavior node $v_j$;
the evaluation result of the network to be detected based on the network security event-logic cognitive map is:
if K = 0, host $h_i$ has no weakness causing the alarm information, and there is no threat;
if K = 1, host $h_i$ has a weakness causing the alarm information, there is a threat, and the attack method name and associated attack method ID of the attack behavior node are output.
6. The cyber-security threat assessment method according to claim 5, wherein collecting the feature data of network traffic as a sample set and preprocessing the extracted feature data, and/or collecting the network traffic data to be detected, extracting its feature data and preprocessing the extracted feature data, specifically comprises:
extracting the basic network connection features of the network traffic data: the start Time of the network connection, its Duration, the source IP address SIP, the destination IP address DIP, the source port SPort, the destination port DPort, the protocol type Proto, the number of packets Packets generated during the connection, the number of bytes Bytes generated during the connection, and the flag-bit string Flags of the packets exchanged during the connection;
extracting the advanced network connection features of the network traffic data: the source host network connection number SFlow, the destination host network connection number DFlow and the destination host service use count DPortFlow;
normalizing the features Duration, Packets, Bytes, SFlow, DFlow and DPortFlow, and One-hot encoding the features SIP, DIP, SPort, DPort, Proto and Flags;
the normalization being performed as follows:
letting the value of a network connection feature $X_j$ be $x_j$, $x_{min}$ the minimum of feature $X_j$ within the unit time T and $x_{max}$ its maximum within the unit time T, the normalized value of feature $X_j$ is
$$y_j = \frac{x_j - x_{min}}{x_{max} - x_{min}}$$
and forming, from the normalized and One-hot-encoded feature data, the feature vector $Y = \{y_1, y_2, \ldots, y_m\}$ of a network connection within the unit time interval T, where m represents the feature dimension after data preprocessing.
7. The network security threat assessment method according to claim 6, wherein performing network security threat assessment on the preprocessed feature data of the network traffic data to be detected with the threat assessment model based on network traffic features to obtain a threat assessment result based on network traffic features specifically comprises:
setting the unit time interval to T, letting $t_0 = 0$, $t_1 = t_0 + T$ and $t_i = t_{i-1} + T$ for $i \ge 1$, acquiring all network connections whose start Time satisfies $t_{i-1} \le Time < t_i$, and forming the network connection series within the unit time, $C = \{C_1, C_2, \ldots, C_i, \ldots, C_n\}$, in order of connection start time, where $C_i$ represents the i-th network connection Con in the unit time interval and n the number of network connections on the network link within the interval T;
letting the network connection of the network traffic data to be detected be $C_Y$ with feature vector Y, the predefined label information types of the feature data comprising normal traffic, attack traffic and attacked traffic;
the threat assessment result of the network to be detected based on network traffic features being L = BiLSTM(Y);
if L = 0, the current network connection $C_Y$ is normal traffic;
if L = 1, the current network connection $C_Y$ is attack traffic, that is, the source host launches a network attack;
if L = 2, the current network connection $C_Y$ is attacked traffic, that is, the destination host is attacked.
8. The network security threat assessment method according to claim 7, wherein the threat assessment result based on network traffic features and the assessment result based on the network security event-logic cognitive map of the network to be detected are fused according to the following formula:
$$E = w_1 \cdot BiLSTM(Y) + w_2 \cdot g(A_i)$$
wherein Y represents the feature vector of the network connection of the network traffic data to be detected, BiLSTM(Y) the threat assessment result based on network traffic features, $A_i$ the security alarm information stream of the network traffic data to be detected, $g(A_i)$ the threat assessment result based on the network security event-logic cognitive map, and $w_1$ and $w_2$ the weight coefficients.
9. The cyber security threat assessment method according to claim 8, wherein, assuming $w_1 = w_2 = 1$, the final network security threat assessment result is:
if E = 0, the threat level is 0 and the traffic in the current time interval is normal traffic;
if E = 1, the threat level is 1, that is, BiLSTM(Y) = 1 and $g(A_i)$ = 0, or BiLSTM(Y) = 0 and $g(A_i)$ = 1: either the threat assessment model based on traffic features determines that the source host launches an attack while the model based on the network security event-logic cognitive map determines that the target host is not threatened, or the model based on traffic features finds neither an attack by the source host nor an attack on the target host while the model based on the map determines that the target host is threatened; the network threat level is low;
if E = 2, the threat level is 2, that is, BiLSTM(Y) = 2 and $g(A_i)$ = 0, or BiLSTM(Y) = 1 and $g(A_i)$ = 1: either the model based on traffic features determines that the destination host is attacked while the model based on the map determines that it is not threatened, or the model based on traffic features determines that the source host launches an attack and the model based on the map determines that the target host is threatened; the network threat level is medium;
if E = 3, the threat level is 3, that is, BiLSTM(Y) = 2 and $g(A_i)$ = 1: the model based on traffic features determines that the destination host is attacked and the model based on the map determines that it is threatened; the network threat level is high.
10. A cyber-security threat assessment system, comprising:
the network flow acquisition module is used for acquiring the characteristic data of the network flow as a sample set; predefining the label information type of the characteristic data, and manually marking the preprocessed network flow characteristic data according to the label information type; and/or collecting the network traffic data to be detected, and extracting the characteristic data of the network traffic data to be detected;
the network flow processing module is used for preprocessing the extracted characteristic data;
a threat assessment model management module, which constructs a BiLSTM neural network model, trains and tests it with the preprocessed network traffic feature data and the manually labelled label information types to obtain a threat assessment model based on network traffic features, and performs network security threat assessment on the preprocessed feature data of the network traffic data to be detected with that model to obtain a threat assessment result based on network traffic features;
a security alarm event acquisition module, which extracts a security alarm event stream from the network traffic data to be detected;
a security alarm event processing module, which preprocesses the extracted security alarm event stream;
a network security event-logic cognitive map management module, which acquires a classification library containing data related to attack behaviors, presets the internal event-logic relationships of at least two attack behaviors, determines the internal event-logic relationship of the attack behaviors corresponding to the data in the classification library, classifies the data in the library according to the determination result, generates a network security event-logic cognitive map according to the classification result, and performs network security threat assessment on the preprocessed security alarm event stream based on the map to obtain an assessment result based on the network security event-logic cognitive map;
and a network security threat assessment result fusion module, which fuses the threat assessment result based on network traffic features and the assessment result based on the network security event-logic cognitive map of the network to be detected to obtain a final network security threat assessment result.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211673796.8A CN115664860B (en) 2022-12-26 2022-12-26 Network security threat assessment method and system

Publications (2)

Publication Number Publication Date
CN115664860A CN115664860A (en) 2023-01-31
CN115664860B true CN115664860B (en) 2023-03-31

Family

ID=85023107

Country Status (1)

Country Link
CN (1) CN115664860B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116827687B (en) * 2023-08-28 2023-11-03 北京安天网络安全技术有限公司 Network security protection method, device and medium
CN117319082B (en) * 2023-11-24 2024-03-08 厦门星汉数智科技有限公司 APT attack detection method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2386830A2 (en) * 2010-05-12 2011-11-16 Technisat Digital Gmbh Satellite navigation system with a device and method for adjusting a calculated route on the basis of current traffic events
CN114430331A (en) * 2020-10-28 2022-05-03 北京简易科技有限公司 Network security situation sensing method and system based on knowledge graph
CN115186015A (en) * 2022-09-13 2022-10-14 广东财经大学 Network security knowledge graph construction method and system
CN115277258A (en) * 2022-09-27 2022-11-01 广东财经大学 Network attack detection method and system based on temporal-spatial feature fusion
CN115296924A (en) * 2022-09-22 2022-11-04 中国电子科技集团公司第三十研究所 Network attack prediction method and device based on knowledge graph
CN115499240A (en) * 2022-09-30 2022-12-20 绿盟科技集团股份有限公司 Data processing method, device, equipment and medium

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Zheng Weifa. A SVM Text Classification Approach Based on Binary Tree. 2009 International Forum on Computer Science-Technology and Applications. 2009, full text. *
Wang Junping; Zhang Wensheng; Wang Yongfei; Sun Zhengya. Construction and inference analysis of event-logic cognitive graphs for the big data domain. Scientia Sinica Informationis. 2020, (No. 07), full text. *
Zheng Weifa. Research on intrusion detection algorithms based on a CNN-LSTM hybrid model. Network Security Technology & Application. 2020, (No. 05), full text. *
Ma Ang et al. A survey of knowledge graphs based on reinforcement learning. Journal of Computer Research and Development. 2022, full text. *

Also Published As

Publication number Publication date
CN115664860A (en) 2023-01-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant