CN115706669A - Network security situation prediction method and system - Google Patents


Info

Publication number
CN115706669A
Authority
CN
China
Prior art keywords
event
data
processing
network
network data
Legal status
Pending
Application number
CN202110892857.9A
Other languages
Chinese (zh)
Inventor
郭旭
韩志峰
文雪刚
田峰
曲大林
何欣
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Information Technology Co Ltd


Abstract

The invention provides a method and a system for predicting network security situation, wherein the method comprises the following steps: collecting network data; preprocessing the network data to obtain preprocessed network data; and performing event processing on the preprocessed network data to obtain a target event sequence, performing anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result. The invention can realize the unified management of network data, effectively form a comprehensive network security defense system, realize the network security prediction function and unified network security management, can become the platform support of network security situation information fusion and intelligent evaluation, and provides a real-time and reliable management decision basis for the network security management.

Description

Network security situation prediction method and system
Technical Field
The invention relates to the technical field of computers, in particular to a network security situation prediction method and a network security situation prediction system.
Background
With the increasing popularization of various information networks, network intrusion means are increasing, and network viruses are becoming more frequent.
In the related art, event information generated by network equipment is monitored on the basis of a network management model; event information generated by security equipment such as intrusion detection devices, firewalls and network virus protection equipment is monitored on the basis of an equipment management model; event information of application services is monitored on the basis of an application service model mechanism; operation event information is monitored on the basis of an operation model event mechanism; the various kinds of event information are analyzed, and corresponding security protection measures are implemented on the basis of the analysis result, so that network operation security is guaranteed.
In the related art, the data formats generated by the various devices are not uniform, intelligent analysis of diversified network intrusion events cannot be realized, and the current network cannot be effectively predicted and evaluated, so that network security cannot be guaranteed.
Disclosure of Invention
The invention provides a network security situation prediction method and a network security situation prediction system, which are used for solving the technical problems that the data formats generated by various devices in the related technology are not uniform, the intelligent analysis on diversified network intrusion events cannot be realized, the current network cannot be effectively predicted and evaluated, and the network security cannot be guaranteed.
In a first aspect, the present invention provides a method for predicting a network security situation, including:
collecting network data;
preprocessing the network data to obtain preprocessed network data;
and performing event processing on the preprocessed network data to obtain a target event sequence, performing anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result.
In an embodiment, the performing event processing on the preprocessed network data to obtain a target event sequence specifically includes:
performing correlation analysis processing on the preprocessed network data to obtain a first event;
performing statistical analysis processing on the first event to obtain the first event characteristic;
and sequentially carrying out merging processing, filtering processing, fusion processing and association processing on the first event based on the first event characteristics to obtain a target event sequence.
In an embodiment, the performing, based on the sliding window, the abnormality detection processing on the target event sequence specifically includes:
constructing features of the target event sequence for the target event sequence based on a reference window;
and carrying out anomaly detection processing on the characteristics of the target event sequence based on a detection window.
In an embodiment, the predicting a network security situation based on an anomaly detection result specifically includes:
and if the abnormal detection rate of the target event sequence exceeds a preset threshold value, confirming that the network has risks.
In an embodiment, the preprocessing the network data to obtain the preprocessed network data specifically includes:
and sequentially carrying out data analysis, data standardization processing and data enrichment processing on the network data to obtain preprocessed network data.
In an embodiment, after the preprocessing the network data to obtain the preprocessed network data, the method further includes:
and storing the preprocessed network data to a database corresponding to the type of the preprocessed network data based on the type of the preprocessed network data.
In a second aspect, the present invention provides a network security situation prediction system, including:
the data acquisition module is used for acquiring network data and sending the network data to the data preprocessing module;
the data preprocessing module is used for preprocessing the network data to obtain preprocessed network data;
and the data analysis module is used for carrying out event processing on the preprocessed network data to obtain a target event sequence, carrying out anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result.
In one embodiment, the data analysis module comprises a complex event processing sub-module, an event merging sub-module, an event filtering sub-module, an event fusion sub-module and an event correlation sub-module;
the complex event processing submodule is used for performing correlation analysis processing on the preprocessed network data to obtain a first event, and performing statistical analysis processing on the first event to obtain a first event characteristic;
the event merging submodule is used for merging the first event based on the first event characteristic to obtain a second event;
the event filtering submodule is used for filtering the second event to obtain a third event;
the event fusion submodule is used for carrying out fusion processing on the third event to obtain a fourth event;
and the event correlation submodule is used for performing correlation processing on the fourth event to obtain a target event sequence.
In a third aspect, the present invention provides an electronic device, including a processor and a memory storing a computer program, where the processor implements the steps of the network security situation prediction method of the first aspect when executing the program.
In a fourth aspect, the present invention provides a processor-readable storage medium, which stores a computer program for causing a processor to execute the steps of the network security situation prediction method of the second aspect.
According to the network security situation prediction method and system provided by the invention, network data is collected and preprocessed to obtain preprocessed network data, so that unified management of the network data can be realized. The preprocessed network data is subjected to event processing to obtain a target event sequence, the target event sequence is subjected to anomaly detection processing based on a sliding window to obtain an anomaly detection result, and the network security situation is predicted based on the anomaly detection result. A comprehensive network security defense system is thereby effectively formed, a network security prediction function and unified network security management are realized, the method and system can serve as platform support for network security situation information fusion and intelligent evaluation, and a real-time and reliable management decision basis is provided for network security management.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a method for predicting a network security situation according to the present invention;
FIG. 2 is a schematic view of a scenario for performing anomaly detection processing on a target event sequence based on a sliding window according to the present invention;
FIG. 3 is a schematic structural diagram of a network security situation prediction system provided by the present invention;
FIG. 4 is a schematic view of a network security situation prediction system provided in the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to solve the technical problems that in the related art, data formats generated by various devices are not uniform, intelligent analysis on diversified network intrusion events cannot be realized, prediction and evaluation on the current network cannot be effectively performed, and therefore network security cannot be guaranteed, an embodiment of the invention provides a network security situation prediction method, and fig. 1 is a flow diagram of the network security situation prediction method provided by the embodiment of the invention. As shown in fig. 1, the method comprises the steps of:
step 100, collecting network data.
In order to realize uniform security management of various network security devices, it is necessary to collect mass network data of various network security devices.
In one embodiment, the network data includes log data, network traffic data, and support data.
Optionally, the log data includes log and alarm information recorded by the network security device.
Optionally, the support data includes all asset information, related personnel information, account information in the network, and vulnerability information and threat intelligence information related to the asset.
In one embodiment, mass network data of various types of network security devices is collected, wherein the network data includes log data, network traffic data, and support data.
Step 101, preprocessing the network data to obtain preprocessed network data.
In order to solve the technical problems that the data formats generated by various devices in the related technology are not uniform, the intelligent analysis on diversified network intrusion events cannot be realized, the prediction and evaluation on the current network cannot be effectively carried out, and the network safety cannot be guaranteed, the collected mass network data of various network safety devices needs to be preprocessed, and the uniform management on the network data is realized.
In one embodiment, the preprocessing the network data includes performing data parsing, data standardization processing, and data enrichment processing on the network data in sequence.
In one embodiment, the network data is subjected to data analysis, data standardization and data enrichment in sequence to obtain preprocessed network data.
Step 102, performing event processing on the preprocessed network data to obtain a target event sequence, performing anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result.
It should be noted that, the preprocessed network data is analyzed and processed based on the event processing technology and the detection model, the network threat is identified, and the network threat is responded, so that the transition from passive to active of network defense is realized, and the network security situation awareness capability is established.
In one embodiment, the event processing includes complex event processing, event merging processing, event filtering processing, event fusion processing, and event correlation processing.
The event processing is mainly applied to an event-driven system architecture so as to develop a more complex logic structure and realize the intelligent processing of the system.
In one embodiment, the detection model is a sliding window technique.
The network security situation is that in a large-scale network environment, security elements which can cause the network situation to change are obtained and analyzed, and the future network security development trend is predicted according to the current network situation.
The target event sequence is at least one simple event used for predicting the network security situation, such as a World Wide Web (Web) attack.
In one embodiment, the method comprises the steps of sequentially performing complex event processing, event merging processing, event filtering processing, event fusion processing and event association processing on preprocessed network data to obtain a target event sequence, performing anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result.
Optionally, the predicting a network security situation based on an anomaly detection result specifically includes:
and if the abnormal detection rate of the target event sequence exceeds a preset threshold value, confirming that the network has risks.
And the abnormality detection result is the abnormality detection rate of the target event sequence.
In one embodiment, if the abnormal detection rate of the target event sequence exceeds a preset threshold, it is determined that the network is in a risk state, and if the abnormal detection rate of the target event sequence does not exceed the preset threshold, it is determined that the network is in a safe state.
According to the network security situation prediction method provided by the embodiment of the invention, network data is collected and preprocessed to obtain preprocessed network data, so that unified management of the network data can be realized. The preprocessed network data is subjected to event processing to obtain a target event sequence, the target event sequence is subjected to anomaly detection processing based on a sliding window to obtain an anomaly detection result, and the network security situation is predicted based on the anomaly detection result. A comprehensive network security defense system is thereby effectively formed, unified network security management and a network security prediction function are realized, the method can serve as platform support for network security situation information fusion and intelligent evaluation, and a real-time and reliable management decision basis is provided for network security management.
Based on any of the above embodiments, the performing event processing on the preprocessed network data to obtain a target event sequence specifically includes:
performing correlation analysis processing on the preprocessed network data to obtain a first event;
performing statistical analysis processing on the first event to obtain the first event characteristic;
and sequentially carrying out merging processing, filtering processing, fusion processing and association processing on the first event based on the first event characteristics to obtain a target event sequence.
It should be noted that, by performing event processing on the preprocessed network data, heuristic learning can be performed on events, so that the rate of missing reports is reduced, and the system accuracy is improved.
The association analysis process is to search for frequent patterns, association rules, correlations or causal results among existing item sets or object sets, and convert the preprocessed network data into simple events.
The first event is at least one simple event having a frequent pattern, association rule, correlation, or causal structure.
For example, a security device such as a firewall, a Web Application Firewall (WAF) or an intrusion detection audit system logs each security event entering the network; a specific security event typically generates a large amount of alarm information, and this alarm information is converted into a first event by the correlation analysis processing.
The statistical analysis processing is based on a statistical method, and the data such as the state, frequency and occurrence period of the event are calculated to obtain the event characteristics.
For example, the event characteristics include distribution conditions of event data, main characteristics of events, trends of event sequences, whether abnormal values exist in the events and event summary results.
The first event characteristic includes a characteristic type of the first event and a characteristic value of the first event.
The merging processing merges events whose attribute values are the same within a preset time.
For example, the attribute value of the event includes a time type, an Internet Protocol (IP) address of an event source, an IP address of a target accessed by the event, a Protocol used by the event, and the like.
It should be noted that, if the sensor identification numbers (IDs) of the multiple events are the same, the multiple events are in a repetitive relationship, and if the sensor IDs of the multiple events are different, the multiple events are in a concurrent relationship.
And the filtering processing is to filter the event based on the preset condition to obtain the event meeting the preset condition.
Optionally, the preset condition comprises at least one of:
any attribute of an event does not belong to a legal set;
at least one key attribute of the event is missing;
the event is confirmed to be an attack event that cannot be successfully completed, or the event is marked as a packet-loss event.
The fusion processing is to quantify the weight of the event, add a confidence interval and fuse the event by a fusion technology.
Optionally, the fusion techniques include statistical theory and Dempster-Shafer evidence theory.
The correlation process is to correlate events based on logical relationships.
In one embodiment, the method includes performing correlation analysis processing on preprocessed network data to obtain a first event, performing statistical analysis processing on the first event to obtain a first event characteristic, wherein the first event characteristic includes a characteristic type of the first event and a characteristic value of the first event, and sequentially performing merging processing, filtering processing, fusing processing and correlation processing on the first event based on the first event characteristic to obtain a target event sequence.
According to the network security situation prediction method provided by the embodiment of the invention, a first event is obtained by performing correlation analysis processing on the preprocessed network data, the first event is subjected to statistical analysis processing to obtain a first event characteristic, and the first event is subjected to merging processing, filtering processing, fusion processing and correlation processing in sequence based on the first event characteristic to obtain the target event sequence. The complexity of the events is thereby effectively reduced and the network security situation can be predicted more accurately based on the target event sequence; a comprehensive network security defense system is further formed, unified network security management and a network security prediction function are realized, the method can serve as platform support for network security situation information fusion and intelligent evaluation, and a real-time and reliable management decision basis is provided for network security management.
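The merging and filtering stages described above, as an added example that is not part of the patent text: events with identical type, source IP, target IP and protocol inside a preset time are merged, the sensor IDs decide whether the merged group is repetitive or concurrent, and the three filtering conditions drop events that do not qualify. The event fields, legal sets, window length and sample alarms are constructed for the example.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Set, Tuple

# Legal value sets for the filtering stage (constructed for this example).
LEGAL_TYPES = {"web_attack", "port_scan", "brute_force"}
LEGAL_PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass
class Event:
    ts: float                    # seconds since start of the constructed sample
    event_type: str
    src_ip: str
    dst_ip: str
    protocol: str
    sensor_id: str
    count: int = 1
    attack_failed: bool = False  # confirmed attack that cannot succeed
    packet_loss: bool = False    # marked as a packet-loss event
    sensors: Set[str] = field(default_factory=set)

    def relation(self) -> str:
        """Same sensor IDs -> repetitive; different sensor IDs -> concurrent."""
        if self.count == 1:
            return "single"
        return "repetitive" if len(self.sensors) == 1 else "concurrent"


def merge_key(e: Event) -> Tuple[str, str, str, str]:
    # Attribute values the page names as the basis for merging.
    return (e.event_type, e.src_ip, e.dst_ip, e.protocol)


def merge_events(events: List[Event], window_seconds: float) -> List[Event]:
    """Merge events whose attribute values are identical within the preset time.

    Events are processed in time order; a group stays open for window_seconds
    after its first event, after which a new group is started for the same key.
    """
    merged: List[Event] = []
    open_groups: Dict[Tuple[str, str, str, str], int] = {}
    for e in sorted(events, key=lambda x: x.ts):
        key = merge_key(e)
        idx = open_groups.get(key)
        if idx is not None and e.ts - merged[idx].ts <= window_seconds:
            group = merged[idx]
            group.count += e.count
            group.sensors.add(e.sensor_id)
            continue
        merged.append(replace(e, sensors={e.sensor_id}))
        open_groups[key] = len(merged) - 1
    return merged


def passes_filter(e: Event) -> bool:
    """Apply the three filtering conditions from the page; True keeps the event."""
    if e.event_type not in LEGAL_TYPES or e.protocol not in LEGAL_PROTOCOLS:
        return False  # an attribute does not belong to the legal set
    if not e.src_ip or not e.dst_ip:
        return False  # a key attribute is missing
    if e.attack_failed or e.packet_loss:
        return False  # confirmed-failed attack or packet-loss event
    return True


def filter_events(events: List[Event]) -> List[Event]:
    return [e for e in events if passes_filter(e)]


def run_pipeline(events: List[Event], window_seconds: float = 60.0) -> List[Event]:
    """Merging followed by filtering, as the page orders the two stages."""
    return filter_events(merge_events(events, window_seconds))


# Constructed sample of first events (e.g. WAF/IDS alarms after correlation).
SAMPLE_EVENTS = [
    Event(0.0, "web_attack", "203.0.113.7", "192.0.2.10", "tcp", "waf-1"),
    Event(2.0, "web_attack", "203.0.113.7", "192.0.2.10", "tcp", "waf-1"),
    Event(4.0, "web_attack", "203.0.113.7", "192.0.2.10", "tcp", "ids-2"),
    Event(5.0, "port_scan", "198.51.100.3", "", "tcp", "fw-1"),
    Event(6.0, "brute_force", "198.51.100.4", "192.0.2.11", "tcp", "fw-1",
          attack_failed=True),
    Event(7.0, "unknown_type", "198.51.100.5", "192.0.2.12", "tcp", "fw-1"),
    Event(8.0, "port_scan", "198.51.100.6", "192.0.2.13", "udp", "fw-1",
          packet_loss=True),
    Event(90.0, "web_attack", "203.0.113.7", "192.0.2.10", "tcp", "waf-1"),
]

if __name__ == "__main__":
    for e in run_pipeline(SAMPLE_EVENTS):
        print(e.ts, e.event_type, e.src_ip, "->", e.dst_ip, "x", e.count, e.relation())
```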
Based on any of the above embodiments, the performing, based on the sliding window, the abnormality detection processing on the target event sequence specifically includes:
constructing features of the target event sequence for the target event sequence based on a reference window;
and carrying out anomaly detection processing on the characteristics of the target event sequence based on a detection window.
In order to adapt to the dynamic change of the alarm event sequence in time and accurately predict the new trend of the alarm event sequence, a sliding window is adopted.
In one embodiment, the sliding window includes a reference window and a detection window.
The reference window is used for constructing the characteristics of the target event sequence for the target event sequence.
The detection window is used for carrying out abnormity detection processing on the characteristics of the target event sequence.
The abnormal detection processing is performed on the characteristics of the target event sequence based on the detection window, and specifically includes:
for each target event, judging whether the characteristics of the target event meet the detection standard or not based on a detection window, and if not, determining that the target event is an abnormal event;
and acquiring the number of abnormal events in the target event sequence, and confirming the abnormal detection rate of the target event sequence based on the number of the abnormal events.
The anomaly detection rate of the target event sequence is the ratio of the number of the anomalous events to the total number of the target event sequence.
In one embodiment, the features of the target event sequence are constructed for the target event sequence based on a reference window, and the features of the target event sequence are subjected to anomaly detection processing based on a detection window.
Further, for each target event, whether the characteristics of the target event meet the detection standard or not is judged based on the detection window, if yes, the target event is determined to be a network security event, if not, the target event is determined to be an abnormal event, the number of abnormal events in the target event sequence is obtained, and the abnormal detection rate of the target event sequence is obtained based on the number of the abnormal events.
According to the network security situation prediction method provided by the embodiment of the invention, the characteristics of the target event sequence are constructed on the basis of the reference window, anomaly detection processing is carried out on the characteristics of the target event sequence on the basis of the detection window, and the network security situation is predicted according to the anomaly detection result. The method can thereby adapt in time to dynamic changes of the target event sequence and improve the accuracy of predicting the network security situation; a network security prediction function and unified network security management are further realized, the method can serve as platform support for network security situation information fusion and intelligent evaluation, and a real-time and reliable management decision basis is provided for network security management.
The principle of performing anomaly detection processing on a target event sequence based on a sliding window is specifically described with reference to fig. 2. Fig. 2 is a scene schematic diagram of performing anomaly detection processing on a target event sequence based on a sliding window according to an embodiment of the present invention.
As shown in fig. 2, the $x_i$ axis represents the distribution of the sliding window over the target event sequence at a certain time point $n$. The sliding window comprises a reference window $W_{basic}$ and a detection window $W_{test}$. The reference window $W_{basic}$ has a timing length of $N$ and a timing range of $[n+1, n+N]$; the detection window $W_{test}$ has a timing length of $q-p$ and a timing range of $[n+p+1, n+q]$, where $1 < N < p+1 < q$. The reference window $W_{basic}$ is the earlier window in the timing sequence and is used for constructing the reference; the detection window $W_{test}$ is the later window in the timing sequence and is used for performing the anomaly detection processing; the reference window $W_{basic}$ and the detection window $W_{test}$ overlap. $M$ represents any target event in the target event sequence, and the timing length of the target event is $N-K$.
If the target event appears in the timing range $[n+1, n+p+1]$, the target event does not belong to an abnormal event; if the target event appears in the timing range $[n+K, n+N]$, whether the target event meets the detection standard is detected, and if so, the target event is determined to be an abnormal event. The anomaly detection rate of the target event sequence is obtained as the ratio of the number of abnormal events in the target event sequence to the total number of events in the target event sequence, and if the anomaly detection rate of the target event sequence exceeds a preset threshold value, the network is determined to have risks.
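The sliding-window anomaly detection of fig. 2 carried through on a constructed sequence, as an added example rather than the patent's own code: the reference window $W_{basic}$ over $[n+1, n+N]$ builds the feature, the detection window $W_{test}$ over $[n+p+1, n+q]$ is checked event by event, and the anomaly detection rate is compared with the preset threshold. The page does not fix the feature or the detection standard, so a mean/standard-deviation baseline with a k-sigma band is assumed, as are the sample series and the parameter values.

```python
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed target event sequence: number of Web-attack events observed in
# each timing slot. Slots 21, 22, 24, 28 and 29 carry a burst.
SAMPLE_SERIES = [
    5, 6, 4, 5, 7, 5, 4, 6, 5, 5,
    6, 5, 4, 5, 6, 5, 5, 4, 6, 5,
    5, 30, 28, 6, 35, 5, 6, 5, 31, 33,
]


def check_window_params(N: int, p: int, q: int) -> None:
    # Constraint stated on the page: 1 < N < p+1 < q
    if not (1 < N < p + 1 < q):
        raise ValueError("window parameters must satisfy 1 < N < p+1 < q")


def reference_features(seq: List[float], n: int, N: int) -> Tuple[float, float]:
    """Feature built from the reference window W_basic over [n+1, n+N].

    Assumed feature: mean and standard deviation of the reference slots. The
    standard deviation is floored at 1.0 (assumed) so a flat reference window
    does not produce a zero-width acceptance band.
    """
    ref = seq[n + 1 : n + N + 1]
    return mean(ref), max(pstdev(ref), 1.0)


def detect(seq: List[float], n: int, N: int, p: int, q: int, k: float = 3.0) -> float:
    """Anomaly detection rate of the detection window W_test over [n+p+1, n+q].

    A slot outside the assumed k-sigma band fails the detection standard and
    counts as an abnormal event; the rate is the number of abnormal events
    divided by the total number of events in the detection window.
    """
    check_window_params(N, p, q)
    mu, sigma = reference_features(seq, n, N)
    test = seq[n + p + 1 : n + q + 1]
    abnormal = [x for x in test if abs(x - mu) > k * sigma]
    return len(abnormal) / len(test)


def predict(rate: float, threshold: float) -> str:
    """The network is at risk if the anomaly detection rate exceeds the preset threshold."""
    return "risk" if rate > threshold else "safe"


def slide(seq: List[float], N: int, p: int, q: int,
          k: float = 3.0, threshold: float = 0.5) -> List[Tuple[int, float, str]]:
    """Slide the window over the sequence; one (n, rate, verdict) per position."""
    results = []
    for n in range(0, len(seq) - q):
        rate = detect(seq, n, N, p, q, k)
        results.append((n, rate, predict(rate, threshold)))
    return results


if __name__ == "__main__":
    for n, rate, verdict in slide(SAMPLE_SERIES, N=10, p=10, q=15):
        print(f"n={n:2d} rate={rate:.2f} {verdict}")
```

Once the burst has slid into the reference window (n = 14 in the sample) the baseline absorbs it and the rate falls back to 0, which is why a practitioner would also watch the reference feature itself rather than the rate alone.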
Based on any of the above embodiments, the preprocessing the network data to obtain preprocessed network data specifically includes:
and sequentially carrying out data analysis, data standardization processing and data enrichment processing on the network data to obtain preprocessed network data.
The data standardization processing is to convert data into unified standardized data based on a customized unified data format.
The data enrichment treatment is to perform field completion on the data.
In one embodiment, field filling the data comprises at least one of:
completing the IP address of the data source and the IP address of the target of data access;
completing the IP address of the data source, the source port of the data, the protocol adopted by the data, the target IP address of the data access and the target port of the data access;
associating the IP address of the data source with the IP address in a geospatial (geo) library, and completing the country, province, city, longitude and latitude corresponding to the IP address of the data source;
associating the IP address of the data source or the target IP address of the data access with asset information in an asset library, and completing the asset ID, asset type, organization to which the asset belongs, service system to which the asset belongs, security domain and geographic position corresponding to the IP address of the data source or the target IP address of the data access;
the device IP is associated with the asset library and the asset ID of the device and the asset type ID of the device are complemented.
In one embodiment, the network data is subjected to data analysis processing to obtain analyzed network data, the analyzed network data is subjected to standardization processing based on a customized unified data format to obtain standardized network data, and the standardized network data is subjected to data enrichment processing to obtain preprocessed network data.
According to the network security situation prediction method provided by the embodiment of the invention, the network data is parsed to obtain parsed network data, and the parsed network data is standardized based on the customized unified data format to obtain standardized network data, which provides a unified standardized data structure for subsequent event processing and facilitates event retrieval and real-time correlation analysis of events. The standardized network data is then enriched to obtain the preprocessed network data, which ensures the integrity of the data, realizes unified management of the network data, provides more dimensions for subsequent event processing, improves the reliability of the event processing and reduces the false alarm rate of the predicted network security situation.
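The three preprocessing stages (parsing, standardization into a unified format, enrichment from a geo library and an asset library) run on one constructed log line, as an added example that is not part of the patent text. The key=value log layout, the unified field names, and the contents of the geo and asset lookup tables are all assumptions made for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample log line; the key=value layout is assumed, not the page's.
RAW_LOG = ("Jul 05 10:21:07 fw-edge1 dev_ip=192.0.2.1 DENY src=203.0.113.7 "
           "spt=51234 dst=192.0.2.10 dpt=443 proto=TCP")

# Constructed stand-ins for the geo library and the asset library.
GEO_LIBRARY = {
    "203.0.113.7": {"country": "Exampleland", "province": "Example Province",
                    "city": "Example City", "latitude": 0.0, "longitude": 0.0},
}
ASSET_LIBRARY = {
    "192.0.2.10": {"asset_id": "A-1001", "asset_type": "web_server",
                   "organization": "Ops", "service_system": "portal",
                   "security_domain": "DMZ", "location": "DC-1"},
    "192.0.2.1": {"asset_id": "A-0007", "asset_type": "firewall",
                  "organization": "SecOps", "service_system": "perimeter",
                  "security_domain": "edge", "location": "DC-1"},
}

LOG_PATTERN = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) dev_ip=(?P<dev_ip>\S+) "
    r"(?P<action>\S+) src=(?P<src_ip>\S+) spt=(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>\S+) dpt=(?P<dst_port>\d+) proto=(?P<proto>\S+)$"
)


def parse_log(line: str) -> Optional[Dict[str, str]]:
    """Data parsing: split the raw line into named fields (None if unrecognised)."""
    m = LOG_PATTERN.match(line)
    return m.groupdict() if m else None


def standardize(parsed: Dict[str, str]) -> Dict[str, object]:
    """Data standardization: map parsed fields onto the customized unified format."""
    return {
        "timestamp": parsed["ts"],
        "device": parsed["device"],
        "device_ip": parsed["dev_ip"],
        "action": parsed["action"].lower(),
        "src_ip": parsed["src_ip"],
        "src_port": int(parsed["src_port"]),
        "dst_ip": parsed["dst_ip"],
        "dst_port": int(parsed["dst_port"]),
        "protocol": parsed["proto"].lower(),
    }


def enrich(record: Dict[str, object], geo: Dict[str, dict],
           assets: Dict[str, dict]) -> Dict[str, object]:
    """Data enrichment: complete geo fields for the source IP and asset fields for
    the source, target and device IPs. A lookup that misses leaves the record as is.
    For the device only the asset ID and asset type are completed, as the page states."""
    out = dict(record)
    g = geo.get(record["src_ip"])
    if g:
        out["src_geo"] = dict(g)
    for role in ("src", "dst", "device"):
        a = assets.get(record[f"{role}_ip"])
        if not a:
            continue
        if role == "device":
            out["device_asset"] = {"asset_id": a["asset_id"], "asset_type": a["asset_type"]}
        else:
            out[f"{role}_asset"] = dict(a)
    return out


def preprocess(line: str, geo=GEO_LIBRARY, assets=ASSET_LIBRARY) -> Optional[Dict[str, object]]:
    """Parsing -> standardization -> enrichment, in the order the page gives."""
    parsed = parse_log(line)
    if parsed is None:
        return None
    return enrich(standardize(parsed), geo, assets)


if __name__ == "__main__":
    for key, value in (preprocess(RAW_LOG) or {}).items():
        print(f"{key}: {value}")
```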
Based on any of the above embodiments, after the preprocessing the network data to obtain the preprocessed network data, the method further includes:
and storing the preprocessed network data to a database corresponding to the type of the preprocessed network data based on the type of the preprocessed network data.
It should be noted that, in order to implement quick query and visual management on massive network data, the preprocessed network data is stored in the database.
Optionally, the type of the preprocessed network data includes at least one of host log data, security alarm data, threat intelligence data, and high confidence alarm data.
Optionally, the database corresponding to the type of the preprocessed network data includes at least one of a host log database, a security alarm database, a threat intelligence database, and a high-confidence alarm database.
In one embodiment, if the preprocessed network data is host log data, it is stored in the host log database; if it is security alarm data, it is stored in the security alarm database; if it is threat intelligence data, it is stored in the threat intelligence database; and if it is high-confidence alarm data, it is stored in the high-confidence alarm database.
According to the network security situation prediction method provided by the embodiment of the invention, the preprocessed network data are stored in the database corresponding to the type of the preprocessed network data based on the type of the preprocessed network data, so that the rapid query and the visual management of mass data can be realized.
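The preprocessing chain described above (parse, standardize to a unified format, enrich, then store by data type) in working form. This is an added example and not code from the patent or its applicants; the log line formats, the unified schema keys, the asset inventory, the intel table and the per-type "databases" (plain lists) are all constructed assumptions, and an unparseable line is counted rather than silently dropped so data loss in the pipeline stays visible.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample inputs (not from the patent): a host authentication log line,
# an IDS alert, a threat-intel record, and one unparseable line. Each is tagged
# with the source type the collector already knows.
RAW_RECORDS = [
    ("host_log", "2021-08-04T10:00:01Z host=web01 sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2"),
    ("security_alarm", '2021-08-04T10:00:02Z ids01 ALERT sid=1001 sev=high src=203.0.113.7 dst=10.0.0.5 msg="SSH brute force"'),
    ("threat_intel", "203.0.113.7,malicious,scanner-feed"),
    ("host_log", "garbage line that does not parse"),
]

# Assumed enrichment sources (constructed): an asset inventory and an intel verdict table.
ASSETS = {"web01": {"ip": "10.0.0.5", "owner": "web-team"}}
IP_TO_ASSET = {v["ip"]: name for name, v in ASSETS.items()}
INTEL = {"203.0.113.7": "malicious"}

HOST_LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAILED_LOGIN_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
ALARM_RE = re.compile(
    r'^(?P<ts>\S+) (?P<sensor>\S+) ALERT sid=(?P<sid>\d+) sev=(?P<sev>\S+) '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) msg="(?P<msg>[^"]*)"$'
)

# The customized unified data format: every standardized record carries exactly these keys.
SCHEMA = ("event_time", "data_type", "host", "src_ip", "dst_ip", "user",
          "severity", "sensor", "message", "raw")


def parse(data_type: str, raw: str) -> dict | None:
    """Data parsing: extract named fields from one raw line; None when it does not match."""
    if data_type == "host_log":
        m = HOST_LOG_RE.match(raw)
        if not m:
            return None
        fields = m.groupdict()
        login = FAILED_LOGIN_RE.search(fields["msg"])
        if login:
            fields.update(login.groupdict())
        return fields
    if data_type == "security_alarm":
        m = ALARM_RE.match(raw)
        return m.groupdict() if m else None
    if data_type == "threat_intel":
        parts = raw.split(",")
        return {"src": parts[0], "verdict": parts[1], "feed": parts[2]} if len(parts) == 3 else None
    return None


def standardize(data_type: str, fields: dict, raw: str) -> dict:
    """Data standardization: map parsed fields onto the unified schema (None where absent)."""
    ts = fields.get("ts")
    event_time = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
                  .replace(tzinfo=timezone.utc).isoformat() if ts else None)
    record = dict.fromkeys(SCHEMA)
    record.update({
        "event_time": event_time,
        "data_type": data_type,
        "host": fields.get("host") or IP_TO_ASSET.get(fields.get("dst", "")),
        "src_ip": fields.get("src"),
        "dst_ip": fields.get("dst") or ASSETS.get(fields.get("host", ""), {}).get("ip"),
        "user": fields.get("user"),
        "severity": fields.get("sev") or fields.get("verdict"),
        "sensor": fields.get("sensor") or fields.get("feed"),
        "message": fields.get("msg"),
        "raw": raw,  # the original line is kept so nothing is lost for later triage
    })
    return record


def enrich(record: dict) -> dict:
    """Data enrichment: attach asset ownership for the host and the intel verdict for the source IP."""
    record["asset_owner"] = ASSETS.get(record["host"] or "", {}).get("owner")
    record["src_intel"] = INTEL.get(record["src_ip"] or "")
    return record


def preprocess_and_route(records):
    """Run parse -> standardize -> enrich in sequence, then store each record in the
    store for its data type (the per-type databases of the patent, modelled as lists).
    Returns (stores, rejected); rejected counts lines that failed parsing."""
    stores = defaultdict(list)
    rejected = 0
    for data_type, raw in records:
        fields = parse(data_type, raw)
        if fields is None:
            rejected += 1
            continue
        stores[data_type].append(enrich(standardize(data_type, fields, raw)))
    return dict(stores), rejected
```

Calling `preprocess_and_route(RAW_RECORDS)` yields three stores keyed by data type; the host log record and the IDS alert both end up with the same host, owner and source verdict attached, which is what makes cross-source correlation in the later event processing possible.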
Fig. 3 is a schematic structural diagram of a network security situation prediction system provided in an embodiment of the present invention, and as shown in fig. 3, the network security situation prediction system includes: a data acquisition module 300, a data pre-processing module 310, and a data analysis module 320, wherein,
the data acquisition module 300 is configured to acquire network data and send the network data to the data preprocessing module.
In one embodiment, the network data includes log data, network traffic data, and support data.
Optionally, the log data includes log and alarm information recorded by the network security device.
Optionally, the support data includes all asset information, related personnel information, account information in the network, and vulnerability information and threat intelligence information related to the asset.
The data preprocessing module 310 is configured to preprocess the network data to obtain preprocessed network data.
In one embodiment, the preprocessing the network data includes sequentially performing data parsing, data standardization processing, and data enrichment processing on the network data.
The data analysis module 320 is configured to perform event processing on the preprocessed network data to obtain a target event sequence, perform anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predict a network security situation based on the anomaly detection result.
In one embodiment, the data analysis module 320 includes a complex event processing sub-module, an event merging sub-module, an event filtering sub-module, an event fusion sub-module, and an event correlation sub-module.
The target event sequence is at least one simple event used for predicting the network security situation, for example a web attack.
The anomaly detection result is the anomaly detection rate of the target event sequence.
Optionally, predicting the network security situation based on the anomaly detection result specifically includes:
if the anomaly detection rate of the target event sequence exceeds a preset threshold value, confirming that the network is at risk.
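The sliding-window step, from feature construction over a reference window to the threshold decision on the anomaly detection rate, as an added example that is not code from the patent. The patent does not name its features or its rate definition, so the following are this example's assumptions: the reference-window features are the mean and standard deviation of per-bucket event counts, a detection window is anomalous when its mean exceeds the reference mean by more than k standard deviations, and the anomaly detection rate is the fraction of detection windows flagged. The event counts are constructed.

```python
from statistics import mean, pstdev

# Constructed target event sequence (not from the patent): number of merged
# password-guessing events per one-minute bucket on one host. The first sixteen
# buckets are a quiet baseline; a burst begins at bucket 16.
EVENT_COUNTS = [2, 3, 1, 2, 4, 3, 2, 1, 3, 2, 2, 3, 1, 2, 3, 2,
                25, 40, 38, 45, 52, 60, 48, 55]
QUIET_COUNTS = EVENT_COUNTS[:16]


def reference_features(reference):
    """Features built from the reference window: mean and population std of the counts.
    (The patent does not name its features; mean/std is this example's assumption.)"""
    return mean(reference), pstdev(reference)


def window_is_anomalous(reference, detection, k=3.0):
    """Flag the detection window when its mean count exceeds the reference mean by more
    than k reference standard deviations. The std is floored at 1.0 so that a perfectly
    flat baseline does not make the detector fire on a change of a single event."""
    ref_mean, ref_std = reference_features(reference)
    return mean(detection) > ref_mean + k * max(ref_std, 1.0)


def anomaly_detection_rate(counts, ref_size=8, det_size=2, k=3.0):
    """Slide a detection window of det_size buckets over the sequence; each window is
    compared with the ref_size most recent buckets that were NOT flagged. Holding back
    flagged buckets keeps the attack itself from being absorbed into the baseline
    (without this guard the reference window learns the burst as normal within a few
    steps and stops firing). Returns (rate, flags), where rate is the fraction of
    detection windows flagged anomalous (assumed to be the patent's detection rate)."""
    if len(counts) < ref_size + det_size:
        return 0.0, []
    clean = list(counts[:ref_size])           # initial reference window is taken as clean
    flags = []
    for start in range(ref_size, len(counts) - det_size + 1, det_size):
        detection = counts[start:start + det_size]
        flag = window_is_anomalous(clean[-ref_size:], detection, k)
        flags.append(flag)
        if not flag:
            clean.extend(detection)           # only unflagged buckets advance the baseline
    return sum(flags) / len(flags), flags


def predict_risk(counts, rate_threshold=0.2, **window_kw):
    """The network is confirmed to be at risk when the anomaly detection rate exceeds
    the preset threshold. Returns (at_risk, rate)."""
    rate, _ = anomaly_detection_rate(counts, **window_kw)
    return rate > rate_threshold, rate
```

On the constructed sequence the four detection windows after bucket 16 are all flagged, giving a rate of 0.5 against a threshold of 0.2; on the quiet prefix alone nothing is flagged. The guard that freezes the reference window on flagged buckets is the part worth copying: a reference window that slides over the burst raises its own mean and standard deviation so quickly that the later, larger windows of the same burst fall back under the threshold.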
Optionally, the network security situation prediction system further comprises a data storage module, wherein,
the data storage module is used for storing the preprocessed network data to a database corresponding to the type of the preprocessed network data based on the type of the preprocessed network data.
Optionally, the type of the pre-processed network data comprises at least one of host log data, security alarm data, threat intelligence data, and high confidence alarm data.
Optionally, the database corresponding to the type of the preprocessed network data includes at least one of a host log database, a security alarm database, a threat intelligence database, and a high-confidence alarm database.
It should be noted that, the network security situation prediction system concentrates alarm data or other events of various security devices and systems in the network, and compared with the prior art, the network security situation prediction system can make a more accurate and effective response to the network security threat, and can be applied to various network security event application scenarios, such as password guessing attack or web attack.
In one embodiment, predicting the network security situation for a password guessing attack based on the network security situation prediction system specifically includes:
performing event processing and anomaly detection processing on preprocessed system login log data and on intrusion detection system (IDS), intrusion prevention system (IPS) and WAF alarms, identifying detection results that indicate suspected password guessing or credential stuffing (database collision) behaviour, and extracting password guessing or brute force attacks as an event source based on the detection results.
For example, within a preset time period, for the same target IP address reported under different device numbers (devNO), if the login behaviour is characterized as a password brute force attack, all login behaviour records are merged into the same event; the original logs of the merged event must be retained, and for the same detection result the source device and source index from which that result was obtained are merged into the output.
In one embodiment, predicting the network security situation for a web attack based on the network security situation prediction system specifically includes:
performing detection analysis on device alarm log data, web middleware access log data, server log data and network flow log data; performing correlation analysis processing on identified attack behaviours such as Challenge Collapsar (CC) attacks, Structured Query Language (SQL) injection attacks, WebShell attacks and cross-site attacks; merging detection results that belong to the same attack event according to access time, IP address, port and access request content so that the same event is output only once; retaining the original logs of the merged event; and, for the same detection result, merging the source device and source index from which that result was obtained into the output.
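The two merging rules above (password guessing: same target IP across different devNO within a time window; web attack: same access time window, IP, port and request content) share one mechanism, so the following added example implements it once and supplies the two keys. It is not code from the patent; the detection records, device names, index names and window sizes are constructed, and the request strings are placeholders rather than real payloads.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed detection results (not from the patent). 't' is seconds into the
# observation period; devNO is the reporting device; src_index is the index the
# detection was read from. Request strings are placeholders, not real payloads.
LOGIN_DETECTIONS = [
    {"t": 0, "detection": "password_guessing", "target_ip": "10.0.0.5", "devNO": "fw-01",
     "src_index": "fw_log-2021.08.04", "raw": "fw-01: 50 failed logins to 10.0.0.5"},
    {"t": 30, "detection": "password_guessing", "target_ip": "10.0.0.5", "devNO": "ids-02",
     "src_index": "ids_alert-2021.08.04", "raw": "ids-02: SSH brute force -> 10.0.0.5"},
    {"t": 90, "detection": "password_guessing", "target_ip": "10.0.0.5", "devNO": "host-web01",
     "src_index": "auth_log-2021.08.04", "raw": "web01 sshd: repeated failed password for root"},
    {"t": 100, "detection": "password_guessing", "target_ip": "10.0.0.9", "devNO": "fw-01",
     "src_index": "fw_log-2021.08.04", "raw": "fw-01: 40 failed logins to 10.0.0.9"},
    {"t": 900, "detection": "password_guessing", "target_ip": "10.0.0.5", "devNO": "fw-01",
     "src_index": "fw_log-2021.08.04", "raw": "fw-01: 35 failed logins to 10.0.0.5"},
]
WEB_DETECTIONS = [
    {"t": 5, "detection": "sql_injection", "src_ip": "203.0.113.7", "port": 443,
     "request": "GET /item?id=[sqli-pattern-1]", "devNO": "waf-01",
     "src_index": "waf-2021.08.04", "raw": "waf-01: blocked request from 203.0.113.7"},
    {"t": 8, "detection": "sql_injection", "src_ip": "203.0.113.7", "port": 443,
     "request": "GET /item?id=[sqli-pattern-1]", "devNO": "nginx-web01",
     "src_index": "access_log-2021.08.04", "raw": "web01 access: 203.0.113.7 GET /item 403"},
    {"t": 9, "detection": "sql_injection", "src_ip": "203.0.113.7", "port": 443,
     "request": "GET /item?id=[sqli-pattern-2]", "devNO": "waf-01",
     "src_index": "waf-2021.08.04", "raw": "waf-01: blocked request from 203.0.113.7"},
]


@dataclass
class MergedEvent:
    detection: str
    key: tuple
    first_t: int
    last_t: int
    count: int = 0
    source_devices: list = field(default_factory=list)
    source_indexes: list = field(default_factory=list)
    original_logs: list = field(default_factory=list)


def merge_events(detections, key_fn, window):
    """Merge detection results that share key_fn(d) and fall within `window` seconds of
    the merged event's first timestamp, so the same event is output only once. The
    original logs, the reporting devices and the source indexes are all retained on
    the merged event; a result later than the window opens a new merged event."""
    merged, open_by_key = [], {}
    for d in sorted(detections, key=lambda d: d["t"]):
        key = key_fn(d)
        ev = open_by_key.get(key)
        if ev is None or d["t"] - ev.first_t > window:
            ev = MergedEvent(d["detection"], key, d["t"], d["t"])
            merged.append(ev)
            open_by_key[key] = ev
        ev.last_t = d["t"]
        ev.count += 1
        if d["devNO"] not in ev.source_devices:
            ev.source_devices.append(d["devNO"])
        if d["src_index"] not in ev.source_indexes:
            ev.source_indexes.append(d["src_index"])
        ev.original_logs.append(d["raw"])
    return merged


def login_key(d):
    """Password-guessing rule: same detection against the same target IP, whichever
    device (devNO) reported it."""
    return (d["detection"], d["target_ip"])


def web_key(d):
    """Web-attack rule: same detection, client IP, port and request content."""
    return (d["detection"], d["src_ip"], d["port"], d["request"])


def merge_login_detections(detections, window=600):
    return merge_events(detections, login_key, window)


def merge_web_detections(detections, window=60):
    return merge_events(detections, web_key, window)
```

With the constructed input, the three reports about 10.0.0.5 from the firewall, the IDS and the host collapse into one merged event carrying three source devices, three source indexes and three original logs, while the report at t=900 falls outside the window and starts a new event. The window is measured from the merged event's first timestamp rather than its last so that a slow, continuous trickle cannot keep one event open indefinitely.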
In the network security situation prediction system provided by the embodiment of the invention, the data acquisition module acquires network data and sends it to the data preprocessing module, so that unified management of the network data can be realized; the data preprocessing module preprocesses the network data to obtain preprocessed network data; and the data analysis module performs event processing on the preprocessed network data to obtain a target event sequence, performs anomaly detection processing on the target event sequence based on the sliding window to obtain an anomaly detection result, and predicts the network security situation based on the anomaly detection result. In this way a comprehensive network security defense system is effectively formed, a network security prediction function is realized, unified network security management is achieved, the system can serve as platform support for network security situation information fusion and intelligent evaluation, and a real-time and reliable basis for management decisions is provided for network security management.
Optionally, the data analysis module 320 includes a complex event processing sub-module, an event merging sub-module, an event filtering sub-module, an event fusion sub-module, and an event correlation sub-module;
the complex event processing submodule is used for performing correlation analysis processing on the preprocessed network data to obtain a first event, and performing statistical analysis processing on the first event to obtain a first event characteristic;
the event merging submodule is used for merging the first event based on the first event characteristic to obtain a second event;
the event filtering submodule is used for filtering the second event to obtain a third event;
the event fusion submodule is used for carrying out fusion processing on the third event to obtain a fourth event;
and the event correlation submodule is used for performing correlation processing on the fourth event to obtain a target event sequence.
The correlation analysis processing searches for frequent patterns, association rules, correlations or causal relationships among existing item sets or object sets, and converts the preprocessed network data into simple events.
The first event is at least one simple event having a frequent pattern, association rule, correlation, or causal structure.
The first event characteristic includes a characteristic type of the first event and a characteristic value of the first event.
The merging processing merges events whose attribute values are the same within a preset time.
The second event is at least one event obtained by combining the first events.
The filtering processing filters events according to preset conditions.
Optionally, the preset conditions include at least one of:
any attribute of an event not belonging to its legal set;
at least one key attribute of an event being missing;
an event being confirmed as an attack that could not complete successfully, or being marked as a packet loss event.
The third event is at least one event obtained after the second event is filtered.
The fusion processing quantifies the weight of each event, attaches a confidence interval, and fuses the events using a fusion technique.
The correlation processing correlates events based on logical relationships.
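The three stages that follow merging (filtering on the preset conditions, fusion with weights and a confidence interval, and correlation by logical relationship) as one added example, not code from the patent. The patent leaves open whether the listed conditions select or reject events; this example treats them as reject conditions, which is what makes sense of "an attack that could not complete". The severity-weight table, the noisy-OR combination, the confidence-interval width, the single correlation rule and the input events are all this example's assumptions.

```python
from itertools import groupby
from math import sqrt

# Constructed second events (already merged upstream); not data from the patent.
# 'sources' lists the devices that reported the event, 'outcome' is what the sensor
# said happened to the attack (None when unknown).
EVENTS = [
    {"id": 1, "type": "password_guessing", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "t": 100, "severity": "medium", "sources": ["fw-01", "ids-02"], "outcome": None},
    {"id": 2, "type": "password_guessing", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "t": 130, "severity": "high", "sources": ["host-web01"], "outcome": None},
    {"id": 3, "type": "login_success", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "t": 400, "severity": "low", "sources": ["host-web01"], "outcome": None},
    {"id": 4, "type": "sql_injection", "src_ip": None, "dst_ip": "10.0.0.5",
     "t": 200, "severity": "high", "sources": ["waf-01"], "outcome": None},
    {"id": 5, "type": "sql_injection", "src_ip": "198.51.100.4", "dst_ip": "10.0.0.5",
     "t": 210, "severity": "critical!!", "sources": ["waf-01"], "outcome": None},
    {"id": 6, "type": "web_shell", "src_ip": "198.51.100.4", "dst_ip": "10.0.0.9",
     "t": 300, "severity": "high", "sources": ["waf-01"], "outcome": "blocked"},
    {"id": 7, "type": "port_scan", "src_ip": "198.51.100.4", "dst_ip": "10.0.0.9",
     "t": 50, "severity": "low", "sources": ["ids-02"], "outcome": "packet_loss"},
    {"id": 8, "type": "sql_injection", "src_ip": "198.51.100.4", "dst_ip": "10.0.0.9",
     "t": 320, "severity": "high", "sources": ["waf-01", "nginx-web01"], "outcome": None},
]

LEGAL_SEVERITY = {"low", "medium", "high"}              # the legal set for the severity attribute
KEY_ATTRIBUTES = ("type", "src_ip", "dst_ip", "t")      # attributes that must not be missing
SEVERITY_WEIGHT = {"low": 0.3, "medium": 0.6, "high": 0.9}   # assumed weight quantification
# Correlation rules as logical relations: (earlier type, later type, max gap in seconds, target type).
RULES = [("password_guessing", "login_success", 3600, "suspected_account_compromise")]


def filter_events(events):
    """Filtering: drop an event that meets any preset condition; keep the rest.
    Returns (kept, dropped) with dropped mapping event id -> reason."""
    kept, dropped = [], {}
    for e in events:
        if any(e.get(k) is None for k in KEY_ATTRIBUTES):
            dropped[e["id"]] = "key attribute missing"
        elif e["severity"] not in LEGAL_SEVERITY:
            dropped[e["id"]] = "attribute outside legal set"
        elif e["outcome"] in ("blocked", "packet_loss"):
            dropped[e["id"]] = "attack could not succeed or packet loss"
        else:
            kept.append(e)
    return kept, dropped


def fuse_events(events):
    """Fusion: group events by (type, src, dst), combine their severity weights noisy-OR
    style into one score, and attach a confidence interval that narrows with the number of
    distinct reporting sources. The formulas are this example's assumptions."""
    key_fn = lambda e: (e["type"], e["src_ip"], e["dst_ip"])
    fused = []
    for key, grp in groupby(sorted(events, key=lambda e: (key_fn(e), e["t"])), key=key_fn):
        grp = list(grp)
        miss, sources = 1.0, []
        for e in grp:
            miss *= 1.0 - SEVERITY_WEIGHT[e["severity"]]
            sources += [s for s in e["sources"] if s not in sources]
        score = round(1.0 - miss, 4)
        half = 0.3 / sqrt(len(sources))
        fused.append({"type": key[0], "src_ip": key[1], "dst_ip": key[2],
                      "t_first": grp[0]["t"], "t_last": grp[-1]["t"], "score": score,
                      "ci": (round(max(0.0, score - half), 4), round(min(1.0, score + half), 4)),
                      "sources": sources, "evidence": [e["id"] for e in grp]})
    return fused


def correlate_events(fused, passthrough=0.8):
    """Correlation: join fused events that satisfy a rule's logical relation (same src/dst,
    later event within the gap) into one target event; fused events no rule consumed still
    become target events on their own when their score reaches `passthrough`."""
    targets, consumed = [], set()
    for first, second, gap, target_type in RULES:
        for a in (f for f in fused if f["type"] == first):
            for b in (f for f in fused if f["type"] == second):
                same_pair = (a["src_ip"], a["dst_ip"]) == (b["src_ip"], b["dst_ip"])
                if same_pair and 0 <= b["t_first"] - a["t_last"] <= gap:
                    targets.append({"type": target_type, "src_ip": a["src_ip"], "dst_ip": a["dst_ip"],
                                    "t": b["t_first"],
                                    "score": round(1.0 - (1.0 - a["score"]) * (1.0 - b["score"]), 4),
                                    "evidence": a["evidence"] + b["evidence"]})
                    consumed.update({id(a), id(b)})
    for f in fused:
        if id(f) not in consumed and f["score"] >= passthrough:
            targets.append({"type": f["type"], "src_ip": f["src_ip"], "dst_ip": f["dst_ip"],
                            "t": f["t_first"], "score": f["score"], "evidence": f["evidence"]})
    return sorted(targets, key=lambda t: t["t"])


def build_target_sequence(events):
    """Filter -> fuse -> correlate, returning the target event sequence in time order."""
    kept, _ = filter_events(events)
    return correlate_events(fuse_events(kept))
```

`build_target_sequence(EVENTS)` drops four of the eight inputs with a recorded reason each, fuses the remaining four into three scored events, and emits a two-element target sequence: the standalone SQL injection and a suspected account compromise produced by the rule that links a brute-force event to a later successful login from the same source to the same host. Keeping the `evidence` ids on every target event is what lets an analyst walk back from the prediction to the original merged events and their logs.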
In the network security situation prediction system provided by the embodiment of the invention, the complex event processing submodule processes the preprocessed network data to obtain a first event, the event merging submodule merges the first event to obtain a second event, the event filtering submodule filters the second event to obtain a third event, the event fusion submodule fuses the third event to obtain a fourth event, and the event correlation submodule correlates the fourth event to obtain a target event sequence. This sequence of processing effectively reduces the complexity of the events, so that the network security situation can be predicted more accurately based on the target event sequence; a comprehensive network security defense system is effectively formed, unified network security management is achieved, the network security prediction function is realized, the system can serve as platform support for network security situation information fusion and intelligent evaluation, and a real-time and reliable basis for management decisions is provided for network security management.
An application scenario of the network security situation prediction system is specifically described with reference to fig. 4. Fig. 4 is a scene schematic diagram of a network security situation prediction system according to an embodiment of the present invention.
As shown in fig. 4, the network security situation prediction system includes an acquisition engine, a data preprocessing module, a data storage module, a data analysis module, and a data application module.
The collection engine is used for collecting log data, flow data, threat intelligence data and other data, and sending the collected data to the data preprocessing module.
The data preprocessing module is used for preprocessing the collected log data, flow data, threat intelligence data and other data to obtain preprocessed data, and storing the preprocessed data in the data storage module.
The data storage module is used for storing the preprocessed data.
The data analysis module is used for performing real-time analysis on real-time data and historical analysis on historical data, and passing the data analysis results to the data application module.
The data application module is used for applying the analysis result to a specific application scene, and comprises a situation awareness submodule, a tracking and tracing submodule, a security vulnerability detection submodule and an alarm management submodule.
The situation awareness submodule is used for predicting the network security situation based on the data analysis results.
The tracking and tracing submodule is used for locating the data source of a network threat based on the data analysis results.
The security vulnerability detection submodule is used for predicting security vulnerabilities based on the data analysis results.
The alarm management submodule is used for managing alarm events based on the data analysis results.
Fig. 5 illustrates a physical structure diagram of an electronic device, which, as shown in fig. 5, may include: a processor 510, a communication interface 520, a memory 530 and a communication bus 540, where the processor 510, the communication interface 520 and the memory 530 communicate with each other via the communication bus 540. The processor 510 may invoke computer programs in the memory 530 to perform the steps of the network security situation prediction method, including, for example:
collecting network data;
preprocessing the network data to obtain preprocessed network data;
and performing event processing on the preprocessed network data to obtain a target event sequence, performing anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result.
Furthermore, the logic instructions in the memory 530 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In another aspect, the present invention also provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions, when the program instructions are executed by a computer, the computer being capable of executing the network security situation prediction method provided by the above methods, the method including:
collecting network data;
preprocessing the network data to obtain preprocessed network data;
and performing event processing on the preprocessed network data to obtain a target event sequence, performing anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result.
On the other hand, an embodiment of the present application further provides a processor-readable storage medium, where the processor-readable storage medium stores a computer program, where the computer program is configured to cause the processor to execute the method provided in each of the foregoing embodiments, for example, the method includes:
collecting network data;
preprocessing the network data to obtain preprocessed network data;
and performing event processing on the preprocessed network data to obtain a target event sequence, performing anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result.
The processor-readable storage medium can be any available medium or data storage device that can be accessed by a processor, including, but not limited to, magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs)), etc.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A network security situation prediction method is characterized by comprising the following steps:
collecting network data;
preprocessing the network data to obtain preprocessed network data;
and performing event processing on the preprocessed network data to obtain a target event sequence, performing anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result.
2. The method for predicting a network security situation according to claim 1, wherein the performing event processing on the preprocessed network data to obtain a target event sequence specifically comprises:
performing correlation analysis processing on the preprocessed network data to obtain a first event;
performing statistical analysis processing on the first event to obtain the first event characteristic;
and sequentially carrying out merging processing, filtering processing, fusion processing and association processing on the first event based on the first event characteristics to obtain a target event sequence.
3. The method for predicting a network security situation according to claim 1, wherein the performing anomaly detection processing on the target event sequence based on the sliding window specifically includes:
constructing features of the target event sequence based on a reference window;
and carrying out anomaly detection processing on the characteristics of the target event sequence based on a detection window.
4. The method for predicting a network security situation according to claim 1, wherein the predicting a network security situation based on the anomaly detection result specifically includes:
and if the abnormal detection rate of the target event sequence exceeds a preset threshold value, confirming that the network has risks.
5. The method according to claim 1, wherein the preprocessing the network data to obtain preprocessed network data specifically comprises:
and sequentially carrying out data analysis, data standardization processing and data enrichment processing on the network data to obtain preprocessed network data.
6. The method according to claim 1, wherein the preprocessing the network data to obtain preprocessed network data further comprises:
and storing the preprocessed network data to a database corresponding to the type of the preprocessed network data based on the type of the preprocessed network data.
7. A network security posture prediction system, comprising:
the data acquisition module is used for acquiring network data and sending the network data to the data preprocessing module;
the data preprocessing module is used for preprocessing the network data to obtain preprocessed network data;
and the data analysis module is used for carrying out event processing on the preprocessed network data to obtain a target event sequence, carrying out anomaly detection processing on the target event sequence based on a sliding window to obtain an anomaly detection result, and predicting the network security situation based on the anomaly detection result.
8. The system according to claim 7, wherein the data analysis module comprises a complex event processing sub-module, an event merging sub-module, an event filtering sub-module, an event fusion sub-module, and an event correlation sub-module;
the complex event processing submodule is used for performing correlation analysis processing on the preprocessed network data to obtain a first event, and performing statistical analysis processing on the first event to obtain a first event characteristic;
the event merging submodule is used for merging the first event based on the first event characteristic to obtain a second event;
the event filtering submodule is used for filtering the second event to obtain a third event;
the event fusion submodule is used for carrying out fusion processing on the third event to obtain a fourth event;
and the event correlation submodule is used for performing correlation processing on the fourth event to obtain a target event sequence.
9. An electronic device comprising a processor and a memory storing a computer program, wherein the processor implements the steps of the network security situation prediction method according to any one of claims 1 to 6 when executing the computer program.
10. A processor-readable storage medium, characterized in that the processor-readable storage medium stores a computer program for causing a processor to execute the steps of the network security situation prediction method according to any one of claims 1 to 6.
CN202110892857.9A 2021-08-04 2021-08-04 Network security situation prediction method and system Pending CN115706669A (en)
Publications (1)

Publication Number Publication Date
CN115706669A true CN115706669A (en) 2023-02-17

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115776409A (en) * 2023-01-29 2023-03-10 信联科技(南京)有限公司 Industrial network security event basic data directional acquisition method and system
CN115776409B (en) * 2023-01-29 2023-06-06 信联科技(南京)有限公司 Directional acquisition method and system for basic data of industrial network security event

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination