CN115767550A - Network risk assessment method and device for 5G private network - Google Patents

Network risk assessment method and device for 5G private network

Info

Publication number: CN115767550A
Authority: CN (China)
Prior art keywords: risk, data, private network, identifier, information
Legal status: Pending
Application number: CN202211531582.7A
Other languages: Chinese (zh)
Inventors: 林飞, 韩函, 阮伟军, 易永波, 古元, 毛华阳, 华仲峰
Current assignee: Beijing Act Technology Development Co ltd
Original assignee: Beijing Act Technology Development Co ltd
Application filed by: Beijing Act Technology Development Co ltd
Priority to: CN202211531582.7A

Abstract

A method and a device for assessing the network risk of a 5G private network relate to the field of information technology. The system consists of a private network dynamic risk identification module, a private network environment risk identification module and a private network comprehensive risk assessment module; the private network dynamic risk identification module consists of a private network data acquisition and analysis submodule, a private network data association submodule and a private network risk identification submodule; the private network environment risk identification module consists of a private network vulnerability identification submodule and a private network environment risk identification submodule. According to the invention, the network security risks present in a 5G private network are identified through risk events in signaling plane and user plane traffic, vulnerabilities of terminals and servers, private network data control conditions, the impact of terminal offline events on services, terminal environment risks and the like, and risk early warning is provided.

Description

Network risk assessment method and device for 5G private network
Technical Field
The invention relates to the field of information technology.
Background
China issued its fifth generation mobile communication (5G) licenses three years ago. By early June 2022, published materials from the three operators showed that more than 5000 5G private networks had been built, completing the 5G "Sailing" plan target ahead of schedule. Given this pace of development, the maturing 5G industry ecosystem and falling costs, the scale of the 5G + industrial internet will grow explosively.
The industrial internet has become an important part of 5G's "internet of everything": the manufacturing side can share the big data and cloud resources of the mobile internet and exchange information within the industrial internet at any place and any time through a mobile window, so that the industrial internet is truly integrated into mobile electronic commerce.
While enterprises enjoy the dividend of the 5G + industrial internet, the changes and risks that come with introducing the new technology must also be recognized: the IP addresses assigned to devices on the industrial intranet are fixed, whereas a 5G terminal accesses the 5G network through an IP address allocated by the UPF, which changes; 5G + industrial internet breaks the original closed, whitelisted industrial environment, and the boundary between the plant and the outside becomes blurred; once a malicious terminal obtains the private network configuration, it can reach the 5G industry application or even the enterprise data center and move laterally, so the network security of the 5G + industrial internet is challenged; a malicious terminal that repeatedly attempts to register through the gNB can exhaust gNB resources and affect the normal services of the 5G + industrial internet; new terminal types such as remotely controlled AGVs (automated guided vehicles) and high-definition industrial cameras are introduced into the 5G + industrial internet, the device types are diverse, many devices operate unattended in the open air, and device trustworthiness is relatively poor; machine-card separation (SIM card and device no longer matching) occurs easily, allowing a malicious terminal onto the network and causing security incidents in the private network. Strengthening the network risk assessment of 5G private networks is therefore of great significance for raising the security level of enterprises and promoting the healthy development of 5G private networks and their ecosystem.
At present, network risk assessment of the industrial internet mostly consists of detecting and identifying security risks in industrial terminals and deriving potential network security hazards through correlation analysis of security product logs; a 5G private network has neither the graded protection of the industrial internet nor security products matched to the private network, so network security analysis cannot be performed from security logs, and industrial terminal risks cannot be detected through active probing. Moreover, the network risk assessment needs to combine the respective characteristics of 5G and the industrial internet.
In general, most network security risk assessments for the industrial internet reverse-analyze firmware defects and business logic bugs and use data from industrial security protection equipment such as gatekeepers/firewalls to assess the native risk of the industrial internet. After a 5G private network is introduced, however, the signaling plane and data plane are not protected by the industrial internet, no logs from conventional security products are available for analysis, and the network security risk of the 5G private network is not analyzed and assessed from the aspects of terminal vulnerabilities, data management and control conditions, the impact of terminal offline events on services, terminal environment risks and the like, so the risk assessment result is limited.
This technology introduces a private network dynamic risk assessment method and a private network environment risk assessment method, establishes a dynamic network risk baseline for the 5G private network by means of machine learning, identifies high-risk 5G private network risk events from massive data, and improves the protection strategy of the 5G private network in a targeted manner.
Description of the prior art used
The UPF (user plane function) is responsible for packet routing and forwarding, policy enforcement, traffic reporting and QoS processing.
The SMF (session management function) is responsible for tunnel maintenance, IP address allocation and management, UP function selection, policy enforcement, QoS control, charging data collection, roaming, etc.
The N3 interface of the 5G network lies between the 5G access network and the user plane function and is mainly used to carry uplink and downlink user plane data using the GTP-U protocol.
The N4 interface of the 5G network is the interface between the SMF and the UPF and carries control plane information between the SMF and the UPF.
The N11 interface of the 5G network is an interface between core network elements.
Hive is a data warehouse tool built on Hadoop that is used for data extraction, transformation and loading, and provides a mechanism for storing, querying and analyzing large-scale data stored in Hadoop.
The PFCP Session Delete message and the PFCP Session Establishment message are steps in the 5G signaling flow.
The SVM is a binary classification model; its basic form is a linear classifier with the maximum margin defined on the feature space, and the maximum margin distinguishes the SVM from the perceptron; the SVM also includes the kernel trick, which makes it essentially a non-linear classifier. The learning strategy of the SVM is margin maximization, which can be formalized as solving a convex quadratic program, equivalently the minimization of a regularized hinge loss function. The learning algorithm of the SVM is an optimization algorithm for solving that convex quadratic program. Classification is a very important task in data mining, whose purpose is to learn a classification function or classification model (a classifier); the support vector machine itself is a supervised learning method. The Support Vector Machine (SVM) is a machine learning method based on statistical learning theory developed in the mid-1990s; it improves the generalization ability of the learning machine by seeking minimum structural risk, achieving the minimization of empirical risk and the confidence range, so as to obtain good statistical rules with a small number of statistical samples.
The KKT conditions apply to general optimization problems with equality and inequality constraints. 1. The Lagrange multiplier method and the KKT conditions are needed when a support vector machine solves for its optimized parameters. 2. When dealing with a constraint g(x), if the optimal solution lies in the region g(x) < 0, the constraint does not affect the final result, so the constraint can be relaxed.
Disclosure of Invention
In view of the defects of the prior art, the method and device for assessing the network risk of a 5G private network provided by the invention consist of a private network dynamic risk identification module, a private network environment risk identification module and a private network comprehensive risk assessment module; the private network dynamic risk identification module consists of a private network data acquisition and analysis submodule, a private network data association submodule and a private network risk identification submodule; the private network risk identification submodule consists of a signaling security identifier, a data security identifier and a network security identifier; the private network environment risk identification module consists of a private network vulnerability identification submodule and a private network environment risk identification submodule; the private network environment risk identification submodule consists of a data management and control risk identifier, a terminal fault risk identifier and a terminal environment identifier;
the private network data acquisition and analysis submodule deploys user plane collection equipment on the N3 interface and collects all N3 interface traffic as user plane information, and deploys signaling plane collection equipment on the N4 and N11 interfaces and collects all N4 and N11 interface traffic as signaling plane information; that is, it collects user plane information and signaling plane information by deploying user plane collection equipment on the UPF network element side and signaling plane collection equipment on the 5G core network side;
the private network data acquisition and analysis submodule identifies, in the user plane information, the protocol type, source data interface, tunnel number, source IP address and port number, destination IP address and port number, uplink and downlink traffic, device type, service type, device version information and user plane payload;
the private network data acquisition and analysis submodule identifies, in the signaling plane information, the protocol type, source data interface, tunnel number, user permanent identifier, universal public user identifier, permanent equipment identifier, uplink and downlink protocol flow identifier, 5G cell information, slice information, base station information and signaling plane payload;
the private network data association submodule backfills the user permanent identifier, universal public user identifier, permanent equipment identifier, 5G cell information, slice information and base station information from the signaling plane into the user plane information via the tunnel number, according to the mapping between the tunnel number and the user permanent identifier, universal public user identifier, permanent equipment identifier, 5G cell information, slice information and base station information in the signaling plane information, and the mapping between the tunnel number, source IP address, destination IP address and user plane payload in the user plane information; after the association and backfill are complete, the private network data association submodule outputs a signaling plane log and a user plane log; the signaling plane log comprises the original signaling plane information; the user plane log comprises the original user plane information together with the user permanent identifier, universal public user identifier, permanent equipment identifier, 5G cell information, slice information and base station information;
the private network data association submodule stores the signaling plane log and the user plane log in a Hive database;
the signaling security identifier obtains the signaling plane log from the Hive database and performs signaling security risk analysis and determination on key fields; the key fields include: source IP address, destination IP address, user permanent identifier, universal public user identifier, permanent equipment identifier and signaling payload; the key fields are combined into risk determination rules as follows: the association of user permanent identifier, universal public user identifier and permanent equipment identifier is taken as the machine-card relationship list; the UPF address, the base station IP address, the session management function (SMF) IP address and the access and mobility management function (AMF) IP address are defined as an IP whitelist; when the user permanent identifier, universal public user identifier and permanent equipment identifier in the key fields are inconsistent with the machine-card relationship list, a machine-card separation risk is determined; when the source IP address in the key fields is not in the IP whitelist, a whitelist risk is determined; when the destination IP address in the key fields is not in the IP whitelist, a whitelist risk is determined; when the number of signaling plane logs containing the same user permanent identifier parsed within the interval time exceeds a threshold, a terminal security event is determined; the interval time and the threshold are configured; the signaling security identifier outputs the identified security events as a signaling security log;
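The association step and the three signaling rules above, as an added example that is not part of the patent: user plane records are joined to signaling records by tunnel number, then the machine-card list, IP whitelist and per-SUPI frequency rules are applied. All identifiers, addresses, the 60-second interval and the threshold of 5 are constructed for illustration.

```python
from collections import Counter

# IP whitelist built from the roles the text names (UPF, gNB, SMF, AMF); addresses constructed.
IP_WHITELIST = {"10.10.0.2": "UPF", "10.20.0.5": "gNB", "10.20.0.6": "SMF", "10.20.0.7": "AMF"}

# Machine-card relationship list: (SUPI, GPSI, PEI) triples known to belong together (constructed).
MACHINE_CARD_LIST = {
    ("imsi-460001234567890", "msisdn-8613800000001", "imei-350000000000001"),
    ("imsi-460001234567891", "msisdn-8613800000002", "imei-350000000000002"),
    ("imsi-460001234567892", "msisdn-8613800000003", "imei-350000000000003"),
}

# Signaling-plane records parsed from N4/N11 (constructed). "tunnel" ties a session to N3 traffic.
SIGNALING_LOG = [
    {"ts": 1000, "tunnel": "0x1001", "src_ip": "10.10.0.2", "dst_ip": "10.20.0.6",
     "supi": "imsi-460001234567890", "gpsi": "msisdn-8613800000001",
     "pei": "imei-350000000000001", "cell": "CELL-A", "slice": "SST-1", "gnb": "GNB-01"},
    # Card of terminal 2 appearing in an unknown device, from a non-whitelisted source address.
    {"ts": 1010, "tunnel": "0x1002", "src_ip": "192.168.77.4", "dst_ip": "10.20.0.6",
     "supi": "imsi-460001234567891", "gpsi": "msisdn-8613800000002",
     "pei": "imei-350000000000099", "cell": "CELL-B", "slice": "SST-1", "gnb": "GNB-02"},
]
# Terminal 3 producing seven signaling records within a few seconds (registration storm).
SIGNALING_LOG += [
    {"ts": 2000 + i, "tunnel": f"0x10{10 + i}", "src_ip": "10.20.0.5", "dst_ip": "10.20.0.7",
     "supi": "imsi-460001234567892", "gpsi": "msisdn-8613800000003",
     "pei": "imei-350000000000003", "cell": "CELL-C", "slice": "SST-1", "gnb": "GNB-03"}
    for i in range(7)
]

# User-plane records parsed from N3 (constructed); they carry only tunnel number and IP flow.
USER_PLANE_LOG = [
    {"tunnel": "0x1001", "src_ip": "10.30.1.10", "dst_ip": "10.40.0.7", "up_bytes": 1200, "down_bytes": 300},
    {"tunnel": "0x9999", "src_ip": "10.30.1.50", "dst_ip": "10.40.0.7", "up_bytes": 80, "down_bytes": 20},
]

BACKFILL_FIELDS = ("supi", "gpsi", "pei", "cell", "slice", "gnb")


def backfill_user_plane(user_plane, signaling):
    """Copy subscriber and cell identifiers from the signaling record sharing the same
    tunnel number into each user-plane record; records with no session stay unenriched."""
    by_tunnel = {}
    for rec in signaling:
        by_tunnel.setdefault(rec["tunnel"], rec)  # first signaling record wins per tunnel
    enriched = []
    for rec in user_plane:
        out = dict(rec)
        sig = by_tunnel.get(rec["tunnel"])
        if sig is not None:
            out.update({k: sig[k] for k in BACKFILL_FIELDS})
        enriched.append(out)
    return enriched


def signaling_security_events(signaling, machine_card=MACHINE_CARD_LIST,
                              whitelist=IP_WHITELIST, interval=60, threshold=5):
    """Apply the machine-card, IP whitelist and frequency rules; return the signaling security log."""
    events = []
    for rec in signaling:
        if (rec["supi"], rec["gpsi"], rec["pei"]) not in machine_card:
            events.append({"rule": "machine_card_separation", "ts": rec["ts"],
                           "supi": rec["supi"], "pei": rec["pei"]})
        for side in ("src_ip", "dst_ip"):
            if rec[side] not in whitelist:
                events.append({"rule": "ip_whitelist", "ts": rec["ts"], "supi": rec["supi"], "ip": rec[side]})
    # Frequency rule: count records per SUPI in fixed windows of `interval` seconds.
    per_window = Counter((rec["supi"], rec["ts"] // interval) for rec in signaling)
    for (supi, window), count in sorted(per_window.items()):
        if count > threshold:
            events.append({"rule": "terminal_security_event", "ts": window * interval,
                           "supi": supi, "count": count})
    return events


if __name__ == "__main__":
    for row in backfill_user_plane(USER_PLANE_LOG, SIGNALING_LOG):
        print("user-plane:", row)
    for ev in signaling_security_events(SIGNALING_LOG):
        print("signaling-security:", ev)
```

The frequency rule uses fixed windows aligned to the interval rather than a sliding window, which is the simpler form to compute in a batch job over Hive; a sliding window would catch bursts that straddle a window boundary.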
the data security identifier obtains the user plane log from the Hive database and performs data security risk analysis and determination on key fields; the key fields include: industrial internet protocol type, source IP address, destination IP address and the fields parsed from the industrial internet protocol;
the data security identifier obtains data classification and grading rules in a preset manner; the data classification and grading rules cover industrial enterprise data, industrial internet platform data and industrial internet identification resolution data; industrial enterprise data is divided into research and development domain data, production domain data, operation and maintenance domain data, management domain data and external data; the fields parsed from the industrial internet protocol are mapped to these data classes to form a data classification table; data grades are divided into three levels, namely industrial general data, industrial important data and industrial core data, and the data classification table and the data grade table are mapped to form the complete data classification and grading rules:
[Data classification and grading tables: three figures not reproduced on this page]
when the user plane log carries a field parsed from the industrial internet protocol that hits the data classification and grading rules, the data security identifier outputs a data identification log; the data identification log comprises the identification time, industrial internet protocol name, parsed field, data classification, data group number and data number;
the data security identifier obtains the user plane log from the Hive database and performs data transmission abnormal behavior analysis and determination on key fields, which include: source IP address, destination IP address, uplink and downlink traffic, flow start and stop times, user permanent identifier, application layer protocol, protocol parsed field and payload; the key fields are combined into risk determination rules; when the data grade in the data identification log is industrial important data or industrial core data, sensitive data is being transmitted in plaintext in the data stream, and the data security identifier triggers the sensitive data plaintext transmission risk rule and determines a sensitive data plaintext transmission risk; when the source IP address or destination IP address of the same user permanent identifier in the user plane log is not within the data flow range baseline, the data flow range risk rule is triggered and a data flow range risk is determined; the data flow range baseline is configured; when the generation time of the uplink and downlink traffic of the same user permanent identifier in the user plane log is not within the data flow time baseline, the data flow time risk rule is triggered and a data flow time risk is determined; the data flow time baseline is configured; when the destination IP address of the same user permanent identifier in the user plane log is not within the campus IP address baseline, the data leakage risk rule is triggered and a data leakage risk is determined; the campus IP address baseline is configured; the data security identifier outputs the identified risks as a data risk log;
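The four data transmission rules above, as an added example that is not part of the patent. It takes user plane rows already joined with the data identification log (a `data_grade` field, `None` when no classification rule was hit) and configured per-SUPI range and time baselines plus a campus prefix; the rows, baselines and the 10.0.0.0/8 campus range are constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Per-SUPI baselines (constructed; configured values in the patent's terms).
FLOW_RANGE_BASELINE = {
    "imsi-460001234567890": {"10.30.1.10", "10.40.0.7"},
    "imsi-460001234567891": {"10.30.1.11", "10.40.0.7"},
}
FLOW_TIME_BASELINE = {  # allowed flow start hour: [start, end) in local time
    "imsi-460001234567890": (8, 18),
    "imsi-460001234567891": (8, 18),
}
CAMPUS_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE_GRADES = {"industrial important data", "industrial core data"}

# Constructed user-plane log rows joined with the data identification log.
USER_PLANE_LOG = [
    {"supi": "imsi-460001234567890", "src_ip": "10.30.1.10", "dst_ip": "10.40.0.7",
     "start": "2022-11-01T10:15:00", "protocol": "modbus", "data_grade": "industrial core data"},
    {"supi": "imsi-460001234567890", "src_ip": "10.30.1.10", "dst_ip": "10.40.0.9",
     "start": "2022-11-01T10:20:00", "protocol": "modbus", "data_grade": "industrial general data"},
    {"supi": "imsi-460001234567891", "src_ip": "10.30.1.11", "dst_ip": "10.40.0.7",
     "start": "2022-11-01T03:05:00", "protocol": "opcua", "data_grade": None},
    {"supi": "imsi-460001234567891", "src_ip": "10.30.1.11", "dst_ip": "203.0.113.20",
     "start": "2022-11-01T12:00:00", "protocol": "http", "data_grade": "industrial important data"},
]


def in_campus(ip, networks=CAMPUS_NETWORKS):
    """True when the address falls inside any configured campus prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def data_risk_events(rows, range_baseline=FLOW_RANGE_BASELINE,
                     time_baseline=FLOW_TIME_BASELINE, campus=CAMPUS_NETWORKS):
    """Apply the plaintext, range, time and leakage rules to each row; return the data risk log."""
    log = []
    for row in rows:
        supi = row["supi"]
        hits = []
        # Rule 1: a parsed field hit a sensitive grade, so sensitive data travelled in plaintext.
        if row["data_grade"] in SENSITIVE_GRADES:
            hits.append("sensitive_plaintext_transmission")
        # Rule 2: both endpoints must lie in the terminal's configured flow range.
        allowed_ips = range_baseline.get(supi, set())
        if row["src_ip"] not in allowed_ips or row["dst_ip"] not in allowed_ips:
            hits.append("data_flow_range")
        # Rule 3: flow start time must fall inside the terminal's time baseline.
        start_hour = datetime.fromisoformat(row["start"]).hour
        lo, hi = time_baseline.get(supi, (0, 24))
        if not (lo <= start_hour < hi):
            hits.append("data_flow_time")
        # Rule 4: a destination outside the campus address baseline is treated as leakage.
        if not in_campus(row["dst_ip"], campus):
            hits.append("data_leakage")
        for rule in hits:
            log.append({"rule": rule, "supi": supi, "src_ip": row["src_ip"],
                        "dst_ip": row["dst_ip"], "start": row["start"]})
    return log


if __name__ == "__main__":
    for ev in data_risk_events(USER_PLANE_LOG):
        print(ev)
```

A terminal with no configured range baseline gets every flow flagged under rule 2, which is the safe default for a newly seen SUPI; a missing time baseline is treated as "any hour" so that rule 3 stays quiet until an operator sets one.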
the network risk identifier obtains the user plane log from the Hive database and correlates and compares key fields with intelligence obtained from threat intelligence centers by a web crawler; the key fields include: source IP address, destination IP address, user permanent identifier, application layer protocol, protocol parsed field and payload; the web crawler periodically obtains intelligence from the National Internet Emergency Center, the Tencent threat intelligence center and the QiAnxin threat intelligence center, and the obtained intelligence comprises: malicious IP addresses, payload hashes and domain names; when a key field hits the intelligence center information, a network risk is determined, and the network risk is divided into a network behavior attack subclass and a malicious program attack subclass according to the matched network risk type; the network risk identifier outputs the identified risks as a network risk log;
the private network risk identification submodule stores the signaling security log, data identification log, data risk log and network risk log in the big data Hive store for data modeling and correlation analysis, and then establishes anomaly analysis indices according to the private network dynamic risk assessment model, each index being defined by risk type, risk classification, risk subclass, risk feature and risk weight: risk type 5G private network risk, classification data security, subclass data transmission abnormal behavior: risk feature X1, risk weight W1; risk type 5G private network risk, classification data security, subclass data classification: risk feature X2, risk weight W2; risk type 5G private network risk, classification signaling risk, subclass signaling security event: risk feature X3, risk weight W3; risk type 5G private network risk, classification signaling risk, subclass terminal security event: risk feature X4, risk weight W4; risk type 5G private network risk, classification network risk, subclass network behavior attack: risk feature X5, risk weight W5; risk type 5G private network risk, classification network risk, subclass malicious program attack: risk feature X6, risk weight W6;
the private network vulnerability identification submodule obtains the user plane log from the Hive database and correlates and compares key fields with vulnerability information obtained by the web crawler; the key fields include: device hardware information, middleware version information and development dependency version information; the web crawler periodically obtains vulnerability information published by the national information security vulnerability sharing platform and the general vulnerability disclosure platform, and the vulnerability information comprises: vulnerability number, vulnerability type, vulnerability name and affected products; the private network vulnerability identification submodule analyzes the vulnerability description, scope of impact, trigger scenario and the like against the device hardware information, middleware version information, development dependency version information and the like, identifies vulnerabilities present in terminals, middleware, databases and the like, and forms a private network terminal vulnerability library, a private network middleware vulnerability library and a private network server vulnerability library; the private network terminal vulnerability library, private network middleware vulnerability library and private network server vulnerability library are divided into high-risk, medium-risk and low-risk vulnerabilities according to the vulnerability conditions disclosed by the national information security vulnerability sharing platform and the general vulnerability disclosure platform; the private network vulnerability identification submodule outputs the identified vulnerability information as a private network vulnerability log;
the data management and control risk identifier performs data management and control risk identification for the industry application server; it obtains the user plane log from the Hive database, reads the key fields, and obtains the logs of the industry application server for risk analysis and determination; the key fields include: source IP address, destination IP address, user permanent identifier and database execution operation type; the data management and control risk identifier compares the industry application server logs against a preset risk identification table; the risk identification table holds data grades divided into industrial general data, industrial important data and industrial core data, the operation types allowed differ by data grade, and the operation types include: query, write, export, desensitize, batch query and batch export, each of which is given an execution count threshold;
the data management and control risk identifier looks up the data grade in the risk identification table corresponding to the database object operated on in the user plane log; when the operation types allowed for that data grade do not include the database execution operation type in the user plane log, a data authority risk is determined; when the operation type allowed for that data grade matches the database execution operation type in the user plane log but the number of executions of that operation type exceeds the threshold, a data sharing risk is determined;
the data management and control risk identifier outputs the data authority risk and the data sharing risk as data management and control risk events in a data management and control risk log;
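The two data management and control rules (authority and sharing), as an added example that is not part of the patent. The risk identification table, the object-to-grade mapping and the server log rows are constructed; the operation names follow the text, and the thresholds are per SUPI, object and operation over the whole batch.

```python
from collections import Counter

# Preset risk identification table (constructed): data grade -> allowed operation types,
# each with an execution-count threshold.
RISK_TABLE = {
    "industrial general data":   {"query": 1000, "write": 1000, "export": 50, "desensitize": 1000,
                                  "batch query": 200, "batch export": 20},
    "industrial important data": {"query": 200, "write": 100, "desensitize": 200, "export": 10},
    "industrial core data":      {"query": 50, "desensitize": 100},
}
# Which database object belongs to which grade (constructed).
OBJECT_GRADE = {
    "sensor_readings": "industrial general data",
    "process_recipes": "industrial important data",
    "payroll": "industrial core data",
}

# Constructed industry application server log rows, joined with the user-plane SUPI.
SERVER_LOG = (
    [{"supi": "imsi-460001234567890", "src_ip": "10.30.1.10", "dst_ip": "10.40.0.7",
      "object": "payroll", "op": "export"}]
    + [{"supi": "imsi-460001234567890", "src_ip": "10.30.1.10", "dst_ip": "10.40.0.7",
        "object": "payroll", "op": "query"}] * 10
    + [{"supi": "imsi-460001234567891", "src_ip": "10.30.1.11", "dst_ip": "10.40.0.7",
        "object": "process_recipes", "op": "export"}] * 12
    + [{"supi": "imsi-460001234567892", "src_ip": "10.30.1.12", "dst_ip": "10.40.0.7",
        "object": "sensor_readings", "op": "batch export"}] * 5
)


def control_risk_events(rows, table=RISK_TABLE, object_grade=OBJECT_GRADE):
    """Return the data management and control risk log: one data_authority event per
    disallowed operation, one data_sharing event per (SUPI, object, op) over its threshold."""
    authority = []
    counts = Counter()
    for row in rows:
        grade = object_grade.get(row["object"])
        allowed = table.get(grade, {})  # unknown object or grade allows nothing
        if row["op"] not in allowed:
            authority.append({"rule": "data_authority", "supi": row["supi"], "object": row["object"],
                              "op": row["op"], "grade": grade})
        else:
            counts[(row["supi"], row["object"], row["op"], grade)] += 1
    sharing = []
    for (supi, obj, op, grade), n in sorted(counts.items()):
        limit = table[grade][op]
        if n > limit:
            sharing.append({"rule": "data_sharing", "supi": supi, "object": obj, "op": op,
                            "count": n, "threshold": limit})
    return authority + sharing


if __name__ == "__main__":
    for ev in control_risk_events(SERVER_LOG):
        print(ev)
```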
the terminal fault risk identifier uses a preset device terminal fault risk evaluation rule table, which comprises the fields device identification, device value and part replacement cost, whether offline occurred, and fault importance, where fault importance is divided into low, medium and high; the terminal fault risk identifier reads the user plane log from the Hive database, obtains the user permanent identifier, source IP address and destination IP address, deduplicates them, and fills them into the device identification field of the risk evaluation rule table; the device value is depreciated each year by 10% of the original price, the device value plus the part replacement cost gives the device cost, and the part replacement cost is the part replacement cost incurred; the device cost is set to three grades, low, medium and high, by equal division of the price range; the condition for determining that an offline event occurred is: reading the signaling plane log, the terminal is determined to be offline when no PFCP Session Establishment message is generated within 2 hours after the terminal generates an N4 interface PFCP Session Delete message; the conditions for determining fault importance are: if the terminal is very important and must not go offline, and going offline would directly threaten the life and property safety of users, social stability or national security, the risk weight is high; if a short terminal offline period causes a certain degree of loss but the scope and degree of impact are controllable, the risk weight is medium; if the terminal can be offline for a long time and the resulting impact is negligible, the risk weight is low;
the terminal fault risk identifier outputs the device value and terminal importance of offline terminal fault risks as a terminal fault risk log;
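The terminal fault risk procedure above (10% straight-line depreciation, cost grading by equal division, offline detection from PFCP Session Delete/Establishment timing), as an added example that is not part of the patent. The device table, the signaling messages and the `now` reference time are constructed; the importance grade is read from the table as the text prescribes.

```python
# Constructed device terminal fault risk evaluation rule table.
DEVICE_TABLE = {
    "imsi-460001234567890": {"name": "AGV-01", "original_price": 200000, "age_years": 3,
                             "part_cost": 5000, "importance": "high"},
    "imsi-460001234567891": {"name": "CAM-07", "original_price": 8000, "age_years": 2,
                             "part_cost": 600, "importance": "low"},
    "imsi-460001234567892": {"name": "PLC-GW-02", "original_price": 50000, "age_years": 5,
                             "part_cost": 2000, "importance": "medium"},
}

# Constructed N4 signaling-plane log: PFCP session lifecycle messages per terminal (ts in seconds).
SIGNALING_LOG = [
    {"ts": 0,    "supi": "imsi-460001234567890", "msg": "PFCP Session Delete"},
    {"ts": 3600, "supi": "imsi-460001234567890", "msg": "PFCP Session Establishment"},
    {"ts": 0,    "supi": "imsi-460001234567891", "msg": "PFCP Session Delete"},
    {"ts": 1000, "supi": "imsi-460001234567892", "msg": "PFCP Session Delete"},
    {"ts": 9000, "supi": "imsi-460001234567892", "msg": "PFCP Session Establishment"},
]
OFFLINE_WINDOW = 2 * 3600  # 2 hours, as in the text


def device_value(original_price, age_years, rate=0.10):
    """Straight-line depreciation: `rate` of the original price per year, floored at zero."""
    return max(0.0, original_price * (1 - rate * age_years))


def device_cost(entry):
    """Device cost = depreciated device value + part replacement cost."""
    return device_value(entry["original_price"], entry["age_years"]) + entry["part_cost"]


def cost_grades(table):
    """Grade each device low/medium/high by splitting [min cost, max cost] into three equal bands."""
    costs = {supi: device_cost(e) for supi, e in table.items()}
    lo, hi = min(costs.values()), max(costs.values())
    band = (hi - lo) / 3 or 1.0  # avoid a zero-width band when all costs are equal
    grades = {}
    for supi, c in costs.items():
        if c < lo + band:
            grades[supi] = "low"
        elif c < lo + 2 * band:
            grades[supi] = "medium"
        else:
            grades[supi] = "high"
    return costs, grades


def offline_terminals(signaling, now, window=OFFLINE_WINDOW):
    """A terminal is offline when a PFCP Session Delete is not followed by a PFCP Session
    Establishment within `window` seconds; sessions still open are judged against `now`."""
    pending = {}
    offline = set()
    for rec in sorted(signaling, key=lambda r: r["ts"]):
        supi = rec["supi"]
        if rec["msg"] == "PFCP Session Delete":
            pending[supi] = rec["ts"]
        elif rec["msg"] == "PFCP Session Establishment" and supi in pending:
            if rec["ts"] - pending.pop(supi) > window:
                offline.add(supi)  # came back, but only after more than 2 hours
    for supi, deleted_at in pending.items():
        if now - deleted_at > window:
            offline.add(supi)  # never came back and the window has already elapsed
    return offline


def terminal_fault_risk_log(table, signaling, now):
    """Terminal fault risk log: device cost, cost grade and importance for each offline terminal."""
    costs, grades = cost_grades(table)
    down = offline_terminals(signaling, now)
    return [{"supi": s, "device": table[s]["name"], "device_cost": costs[s],
             "cost_grade": grades[s], "importance": table[s]["importance"]} for s in sorted(down)]


if __name__ == "__main__":
    for row in terminal_fault_risk_log(DEVICE_TABLE, SIGNALING_LOG, now=10000):
        print(row)
```

A terminal whose Delete is less than two hours old at `now` is neither offline nor cleared yet; the batch that runs two hours later will settle it, so the same input must be re-evaluated on each run rather than flagged once.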
the terminal environment identifier marks the campus location, indoor environment and outdoor environment of each 5G cell through a preset 5G cell information mapping table; the terminal environment identifier reads the user plane log from the Hive database, obtains the 5G cell information and user permanent identifier, correlates and compares them with the 5G cell information mapping table, and outputs a terminal environment log after the association is complete;
the private network environment risk identification submodule stores the private network vulnerability log, data management and control risk log, terminal fault risk log and terminal environment log in the big data Hive store for data modeling and correlation analysis, and then establishes anomaly analysis indices according to the private network environment risk assessment model, each index being defined by risk type, risk classification, risk subclass, risk feature and risk weight: risk type private network environment risk, classification terminal vulnerability risk, subclass high risk: risk feature X7, risk weight W7; risk type private network environment risk, classification terminal vulnerability risk, subclass medium risk: risk feature X8, risk weight W8; risk type private network environment risk, classification terminal vulnerability risk, subclass low risk: risk feature X9, risk weight W9; risk type private network environment risk, classification data management and control risk, subclass data sharing risk: risk feature X10, risk weight W10; risk type private network environment risk, classification data management and control risk, subclass data authority risk: risk feature X11, risk weight W11; risk type private network environment risk, classification terminal fault risk, subclass device cost: risk feature X12, risk weight W12; risk type private network environment risk, classification terminal fault risk, subclass device importance: risk feature X13, risk weight W13; risk type private network environment risk, classification terminal environment risk, subclass terminal environment: risk feature X14, risk weight W14;
the private network comprehensive risk assessment module performs classification training on the collected risk features and risk weights in Hive using a Support Vector Machine (SVM); the substitution into the support vector machine is as follows: through
Figure 174633DEST_PATH_IMAGE007
a hyperplane is described, where
Figure 238273DEST_PATH_IMAGE008
is the normal vector of the hyperplane, which represents the risk weights and determines the direction of the hyperplane;
Figure 77047DEST_PATH_IMAGE009
is the displacement term, which determines the distance between the hyperplane and the origin; for any feature x in the sample space, its distance to the hyperplane is written as
Figure 344081DEST_PATH_IMAGE010
the aim is to find the parameters satisfying the constraint
Figure 25204DEST_PATH_IMAGE011
such that γ is maximized;
when the sample data set can be correctly divided, regardless of whether the label of the original sample is +1 or −1,
Figure 710395DEST_PATH_IMAGE012
takes a positive value greater than or equal to 1; introducing Lagrange multipliers and converting to the dual problem, this can be written as:
Figure 953026DEST_PATH_IMAGE013
taking the partial derivatives of L(w, b, α) with respect to w and b and setting them to 0 gives
Figure 707355DEST_PATH_IMAGE014
Figure 926591DEST_PATH_IMAGE015
for equality constraints an extremum can be obtained directly with Lagrange multipliers; for inequality constraints the solution is obtained when the KKT conditions are satisfied, and the KKT conditions corresponding to this model are:
Figure 466288DEST_PATH_IMAGE016
Figure 378355DEST_PATH_IMAGE017
Figure DEST_PATH_IMAGE018
substituting w into the original function gives
Figure DEST_PATH_IMAGE019
which is solved with a general quadratic programming algorithm to obtain the final private network feature classifier; the risk feature vectors produced by feature selection in the private network dynamic risk identification module and the private network environment risk identification module are input into the private network feature classifier to obtain the categories into which the risks corresponding to those feature vectors are classified.
Advantageous effects
Most network security risk assessment of the industrial internet works by reverse-analyzing firmware defects and business logic bugs and by collecting data from industrial security protection equipment such as gatekeepers and firewalls, in order to assess the original risk of the industrial internet. However, once a 5G private network is introduced, its signaling plane and data plane are not covered by the industrial internet protections, the logs of conventional security products are not analyzed for them, and no network security risk analysis and evaluation of the 5G private network is performed from the aspects of terminal vulnerabilities, data management and control conditions, the influence of terminal offline on services, terminal environment risk and the like, so the risk evaluation result is limited.
According to the invention, the network security risks present in the 5G private network are identified through risk events in the signaling plane and user plane traffic, vulnerabilities of the terminal and the server, private network data control conditions, the influence of terminal offline on services, terminal environment risk and the like, and risk early warning is provided.
Drawings
FIG. 1 is a system block diagram of the present invention.
Detailed Description
Referring to fig. 1, the method and apparatus for network risk assessment of a 5G private network provided by the present invention are composed of a private network dynamic risk identification module 1, a private network environment risk identification module 2 and a private network comprehensive risk assessment module 3; the private network dynamic risk identification module 1 consists of a private network data acquisition and analysis submodule 10, a private network data association submodule 11 and a private network risk identification submodule 12; the private network risk identification submodule 12 consists of a signaling security identifier 120, a data security identifier 121 and a network risk identifier 122; the private network environment risk identification module 2 consists of a private network vulnerability identification submodule 20 and a private network environment risk identification submodule 21; the private network environment risk identification submodule 21 consists of a data management and control risk identifier 210, a terminal fault risk identifier 211 and a terminal environment identifier 212;
the private network data acquisition and analysis submodule 10 deploys user plane information acquisition equipment on the N3 interface and acquires all information on the N3 interface as user plane information; it deploys signaling plane information acquisition equipment on the N4 interface and the N11 interface and acquires all information on the N4 and N11 interfaces as signaling plane information; that is, the private network data acquisition and analysis submodule 10 collects user plane information and signaling plane information by deploying user plane information acquisition equipment on the UPF network element side and signaling plane information acquisition equipment on the 5G core network side;
the private network data acquisition and analysis submodule 10 identifies, in the user plane information, the protocol type, source data interface, tunnel number, source IP address and port number, destination IP address and port number, uplink and downlink traffic, protocol type, equipment type, service type, equipment version information and user plane payload;
the private network data acquisition and analysis submodule 10 identifies, in the signaling plane information, the protocol type, source data interface, tunnel number, user permanent identifier (SUPI), universal public user identifier (GPSI), permanent equipment identifier (PEI), uplink and downlink protocol flow identifier, 5G cell information, slice information, base station information and signaling plane payload;
the private network data association submodule 11 uses the tunnel number as the association key: from the signaling plane information it takes the mapping between the user permanent identifier, universal public user identifier, permanent equipment identifier, 5G cell information, slice information, base station information and the tunnel number, and from the user plane information the mapping between the tunnel number and the source IP address, destination IP address and user plane payload, and it backfills the user permanent identifier, universal public user identifier, permanent equipment identifier, 5G cell information, slice information and base station information into the user plane information through the tunnel number; after the association backfill is completed, the private network data association submodule 11 outputs a signaling plane log and a user plane log; the signaling plane log contains the original signaling plane information; the user plane log contains the original user plane information together with the user permanent identifier, universal public user identifier, permanent equipment identifier, 5G cell information, slice information and base station information;
the private network data association submodule 11 stores the signaling plane log and the user plane log in a hive database;
the signaling security identifier 120 acquires the signaling plane log from the hive database and performs signaling security risk analysis and determination on its key fields; the key fields include: source IP address, destination IP address, user permanent identifier, universal public user identifier, permanent equipment identifier and signaling payload; the key fields are combined into risk determination rules as follows: the association between the user permanent identifier, the universal public user identifier and the permanent equipment identifier is used as a machine-card (device and SIM card) relationship list; the UPF address, the base station IP address, the session management function (SMF) IP address and the access and mobility management function (AMF) IP address are defined as the IP white list; when the user permanent identifier, universal public user identifier and permanent equipment identifier in the key fields are inconsistent with the machine-card relationship list, a machine-card separation risk is determined; when the source IP address in the key fields is not in the IP white list, a white list risk is determined; when the destination IP address in the key fields is not in the IP white list, a white list risk is determined; when the number of signaling plane logs containing the same user permanent identifier analyzed within the interval time exceeds a threshold value, a terminal security access event is determined; the interval time and the threshold value are obtained by setting; the signaling security identifier 120 outputs the identified security events as a signaling security log;
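Worked example, added here and not code from the patent or its assignee, covering the two steps just described: the association submodule's backfill of signaling-plane context into user-plane records through the tunnel number, followed by the signaling security identifier's rules (machine-card binding, IP white list, per-SUPI rate threshold) run over constructed sample records. The record layout, all identifier and address values, and the interval and threshold values are assumptions made for this example.

```python
"""Added example, not code from the patent: associate signaling-plane and
user-plane records through the tunnel number (as the data association
submodule does), then apply the signaling security identifier's rules
(machine-card binding, IP whitelist, per-SUPI signaling-rate threshold).
Every record, identifier, address and threshold here is a constructed sample."""
from collections import defaultdict


def sig(ts, teid, n, pei_n, src_ip="10.1.0.10"):
    """Build one constructed signaling-plane record for subscriber number n."""
    return {"ts": ts, "teid": teid, "supi": f"imsi-00101000000000{n}",
            "gpsi": f"msisdn-001000{n}", "pei": f"imei-00000000000000{pei_n}",
            "src_ip": src_ip, "dst_ip": "10.1.0.2", "cell": "C1", "slice": "S1",
            "gnb": "gNB-1"}


# Constructed N4/N11 capture: a burst of seven messages from subscriber 1,
# subscriber 2's SIM seen in a device that is not bound to it (PEI ends in 9),
# and one message from a source address that is not in the whitelist.
SIGNALING_LOG = (
    [sig(i, "0x1001", 1, 1) for i in range(7)]
    + [sig(5, "0x1002", 2, 9)]
    + [sig(7, "0x1003", 3, 3, src_ip="192.168.77.9")]
)

# Constructed N3 capture; tunnel 0x9999 never appeared on the signaling plane.
USER_PLANE_LOG = [
    {"ts": 2, "teid": "0x1001", "src_ip": "10.20.0.11", "dst_ip": "10.30.0.5", "payload_bytes": 512},
    {"ts": 8, "teid": "0x1003", "src_ip": "10.20.0.13", "dst_ip": "203.0.113.7", "payload_bytes": 2048},
    {"ts": 9, "teid": "0x9999", "src_ip": "10.20.0.99", "dst_ip": "10.30.0.5", "payload_bytes": 64},
]

# Machine-card relationship list: SUPI -> (GPSI, PEI) as provisioned.
MACHINE_CARD_LIST = {f"imsi-00101000000000{n}": (f"msisdn-001000{n}", f"imei-00000000000000{n}")
                     for n in (1, 2, 3)}

# IP whitelist: base station, UPF, SMF and AMF addresses (constructed).
IP_WHITELIST = {"10.1.0.10", "10.1.0.2", "10.1.0.3", "10.1.0.4"}

CONTEXT_FIELDS = ("supi", "gpsi", "pei", "cell", "slice", "gnb")


def associate(signaling_log, user_plane_log):
    """Backfill subscriber and radio context into user-plane records via the TEID.
    The latest signaling record for a tunnel wins; a tunnel never seen on the
    signaling plane leaves None in every context field (worth surfacing itself)."""
    by_teid = {}
    for rec in sorted(signaling_log, key=lambda r: r["ts"]):
        by_teid[rec["teid"]] = rec
    enriched = []
    for up in user_plane_log:
        ctx = by_teid.get(up["teid"])
        row = dict(up)
        for key in CONTEXT_FIELDS:
            row[key] = ctx[key] if ctx else None
        enriched.append(row)
    return enriched


def signaling_security_events(signaling_log, machine_card, whitelist,
                              interval=10, threshold=5):
    """Return the signaling security log: one dict per triggered rule."""
    events = []
    stamps_by_supi = defaultdict(list)
    for rec in signaling_log:
        # Machine-card separation: observed (GPSI, PEI) differs from the provisioned pair.
        if machine_card.get(rec["supi"]) != (rec["gpsi"], rec["pei"]):
            events.append({"rule": "machine_card_separation", "supi": rec["supi"], "ts": rec["ts"]})
        if rec["src_ip"] not in whitelist:
            events.append({"rule": "source_ip_not_whitelisted", "supi": rec["supi"],
                           "ts": rec["ts"], "ip": rec["src_ip"]})
        if rec["dst_ip"] not in whitelist:
            events.append({"rule": "destination_ip_not_whitelisted", "supi": rec["supi"],
                           "ts": rec["ts"], "ip": rec["dst_ip"]})
        stamps_by_supi[rec["supi"]].append(rec["ts"])
    # Rate rule: more than `threshold` signaling records for one SUPI inside a
    # sliding window of `interval` seconds is a terminal security access event.
    for supi, stamps in stamps_by_supi.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > interval:
                start += 1
            if end - start + 1 > threshold:
                events.append({"rule": "terminal_security_event", "supi": supi,
                               "ts": ts, "count": end - start + 1})
                break  # one event per SUPI is enough for the log
    return events


if __name__ == "__main__":
    for row in associate(SIGNALING_LOG, USER_PLANE_LOG):
        print("user-plane", row["teid"], "->", row["supi"], row["cell"])
    for event in signaling_security_events(SIGNALING_LOG, MACHINE_CARD_LIST, IP_WHITELIST):
        print("signaling-security", event)
```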
the data security identifier 121 acquires the user plane log from the hive database and performs data security risk analysis and determination on its key fields; the key fields include: industrial internet protocol type, source IP address, destination IP address and the fields parsed from the industrial internet protocol;
the data security identifier 121 acquires data classification and grading rules in a preset manner; the data classification covers industrial enterprise data, industrial internet platform data and industrial internet identifier resolution data; industrial enterprise data is further divided into research and development domain data, production domain data, operation and maintenance domain data, management domain data and external data; the fields parsed from the industrial internet protocol are mapped to the data classification to form a data classification table; the data grade is divided into three grades, industrial general data, industrial important data and industrial core data, and the data classification table and the data grade table are mapped together to form the complete data classification and grading rules;
when the user plane log carries fields parsed from an industrial internet protocol that hit the data classification and grading rules, the data security identifier 121 outputs a data identification log; the data identification log includes the identification time, industrial internet protocol name, parsed fields, data classification, data group number and data number;
the data security identifier 121 acquires the user plane log from the hive database and performs data transmission abnormal behavior analysis and determination on its key fields, which include: source IP address, destination IP address, uplink and downlink traffic, traffic start and stop time, user permanent identifier, application layer protocol, protocol parsing fields and payload; the key fields are combined into risk determination rules: when the data grade in the data identification log is industrial important data or industrial core data, sensitive data is being transmitted in plaintext in the data stream, and the data security identifier 121 triggers the sensitive data plaintext transmission risk rule and determines a sensitive data plaintext transmission risk; when the source IP address or the destination IP address of the same user permanent identifier in the user plane log is not within the data transfer range baseline, the data flow range risk rule is triggered and a data flow range risk is determined; the data transfer range baseline is obtained through setting; when the time at which uplink and downlink traffic of the same user permanent identifier in the user plane log is generated is not within the data transfer time baseline, the data flow time risk rule is triggered and a data flow time risk is determined; the data transfer time baseline is obtained through setting; when the destination IP address of the same user permanent identifier in the user plane log is not within the in-campus IP address baseline, the data leakage risk rule is triggered and a data leakage risk is determined; the in-campus IP address baseline is obtained through setting; the data security identifier 121 outputs the identified risks as a data risk log;
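The four data transmission abnormal behavior rules above, as an added example that is not code from the patent: sensitive plaintext transmission, data flow range, data flow time and data leakage, evaluated over constructed user-plane rows that have already been associated with a SUPI and a data grade. The per-terminal baselines, the in-campus address ranges, the row layout and the data-level names are assumptions chosen for this example.

```python
"""Added example, not code from the patent: the data transmission abnormal
behaviour rules of the data security identifier, run over constructed,
already-associated user-plane log rows.  The baselines (data transfer range,
data transfer time, in-campus IP ranges), the row layout and the data-level
names are assumptions made for this example."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Data grades from the page's classification table; important and core are sensitive.
SENSITIVE_LEVELS = {"industrial_important", "industrial_core"}

# Constructed per-terminal baselines ("obtained through setting" on the page).
FLOW_RANGE_BASELINE = {  # networks the terminal's traffic may involve
    "imsi-001010000000001": [ip_network("10.20.0.0/24"), ip_network("10.30.0.0/24")],
}
FLOW_TIME_BASELINE = {   # UTC hours [start, end) in which the terminal normally transmits
    "imsi-001010000000001": (6, 22),
}
CAMPUS_IP_BASELINE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

# Constructed user-plane rows; `data_level` is what the data identification log
# recorded for the flow's parsed fields (None = nothing classified).
USER_PLANE_LOG = [
    {"supi": "imsi-001010000000001", "src_ip": "10.20.0.11", "dst_ip": "10.30.0.5",
     "start": "2024-03-04T09:15:00Z", "protocol": "modbus", "data_level": "industrial_general"},
    {"supi": "imsi-001010000000001", "src_ip": "10.20.0.11", "dst_ip": "10.30.0.9",
     "start": "2024-03-04T10:00:00Z", "protocol": "opcua", "data_level": "industrial_core"},
    {"supi": "imsi-001010000000001", "src_ip": "10.20.0.11", "dst_ip": "10.31.0.7",
     "start": "2024-03-04T02:30:00Z", "protocol": "s7comm", "data_level": None},
    {"supi": "imsi-001010000000001", "src_ip": "10.20.0.11", "dst_ip": "203.0.113.44",
     "start": "2024-03-04T11:00:00Z", "protocol": "mqtt", "data_level": "industrial_important"},
]


def hour_utc(iso_ts):
    """Hour of day (UTC) of an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour


def in_any(ip, networks):
    """True when `ip` falls inside any of the given networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def data_risk_events(rows, flow_range, flow_time, campus_ranges):
    """Return the data risk log: one dict per rule triggered by a row."""
    events = []
    for row in rows:
        supi, src, dst = row["supi"], row["src_ip"], row["dst_ip"]

        def hit(rule):
            events.append({"rule": rule, "supi": supi, "dst_ip": dst, "start": row["start"]})

        # Sensitive plaintext: fields can only be classified if they were parsed
        # from cleartext, so an important/core grade in the identification log
        # means sensitive data crossed the N3 interface unencrypted.
        if row["data_level"] in SENSITIVE_LEVELS:
            hit("sensitive_plaintext_transmission")
        # Flow range: either endpoint outside the terminal's configured peer set.
        if supi in flow_range and not (in_any(src, flow_range[supi]) and in_any(dst, flow_range[supi])):
            hit("data_flow_range_risk")
        # Flow time: traffic generated outside the terminal's configured hours.
        if supi in flow_time:
            lo, hi = flow_time[supi]
            if not lo <= hour_utc(row["start"]) < hi:
                hit("data_flow_time_risk")
        # Leakage: destination outside the campus address baseline.
        if not in_any(dst, campus_ranges):
            hit("data_leakage_risk")
    return events


def count_by_rule(events):
    """Tally triggered rules, the shape a risk-index table would consume."""
    counts = {}
    for event in events:
        counts[event["rule"]] = counts.get(event["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    found = data_risk_events(USER_PLANE_LOG, FLOW_RANGE_BASELINE, FLOW_TIME_BASELINE, CAMPUS_IP_BASELINE)
    for event in found:
        print(event["rule"], event["supi"], event["dst_ip"], event["start"])
    print(count_by_rule(found))
```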
the network risk identifier 122 acquires the user plane log from the hive database and associates and compares its key fields with threat intelligence obtained by a web crawler; the key fields include: source IP address, destination IP address, user permanent identifier, application layer protocol, protocol parsing fields and payload; the web crawler periodically acquires intelligence from the National Internet Emergency Center, the Tencent threat intelligence center and the QiAnxin threat intelligence center, and the acquired intelligence includes: malicious IP addresses, payload hashes and domain names; when a key field hits the intelligence, a network risk is determined to have occurred, and the network risk is divided into a network behavior attack subclass and a malicious program attack subclass according to the type of network risk matched; the network risk identifier 122 outputs the identified risks as a network risk log;
the private network risk identification submodule 12 stores the signaling security log, the data identification log, the data risk log and the network risk log into the big data hive for data modeling and association analysis, and then establishes anomaly analysis indices according to a private network dynamic risk assessment model. Every index has the risk type "5G private network risk"; the risk classification, risk subclass, risk characteristic and risk weight of each index are: data security, data transmission abnormal behavior, X1, W1; data security, data classification, X2, W2; signaling risk, signaling security event, X3, W3; signaling risk, terminal security event, X4, W4; network risk, network behavior attack, X5, W5; network risk, malicious program attack, X6, W6;
the private network vulnerability identification submodule 20 acquires the user plane log from the hive database and associates and compares its key fields with vulnerability information acquired by a web crawler; the key fields include: equipment hardware information, middleware version information and development dependency version information; the web crawler periodically acquires vulnerability information published by the national information security vulnerability sharing platform and the general vulnerability disclosure platform, including the vulnerability number, vulnerability type, vulnerability name and affected products; the private network vulnerability identification submodule 20 analyzes the vulnerability description, scope of influence, trigger scenario and the like against the equipment hardware information, middleware version information, development dependency version information and the like, identifies the vulnerabilities present in the terminals, middleware, databases and the like, and forms a private network terminal vulnerability library, a private network middleware vulnerability library and a private network server vulnerability library; the three libraries are divided into high-risk, medium-risk and low-risk vulnerabilities according to the vulnerability ratings disclosed by the national information security vulnerability sharing platform and the general vulnerability disclosure platform; the private network vulnerability identification submodule 20 outputs the identified vulnerability information as a private network vulnerability log;
the data management and control risk identifier 210 performs data management and control risk identification for the industry application server; it acquires the user plane log from the hive database to read the key fields and acquires the industry application server's log for risk analysis and determination; the key fields include: source IP address, destination IP address, user permanent identifier and database operation type; the data management and control risk identifier 210 compares the industry application server log against the data levels set in a risk identification table; the risk identification table assigns data levels, divided into industrial general data, industrial important data and industrial core data, and the operation types allowed to be executed differ by data level; the operation types include: query, write, export, desensitization, batch query and batch export, and an execution count threshold is set for each operation type;
the data management and control risk identifier 210 first looks up, in the risk identification table, the data level corresponding to the database operation object in the user plane log; when the operation types allowed for that data level do not include the database operation type in the user plane log, a data authority risk is determined; when the operation types allowed for that data level do include the database operation type in the user plane log but the number of executions of that operation type exceeds the threshold, a data sharing risk is determined;
the data management and control risk identifier 210 outputs the data authority risk and the data sharing risk as data management and control risk events in a data management and control risk log;
the terminal fault risk identifier 211 uses a preset equipment terminal fault risk evaluation rule table with the fields equipment identification, equipment value, component replacement cost, whether offline occurred and fault importance degree; the fault importance degree has three grades, low, medium and high; the terminal fault risk identifier 211 reads the user plane log from the hive database, acquires the user permanent identifier, source IP address and destination IP address, deduplicates them and fills the equipment identification field of the risk evaluation rule table; the equipment value is depreciated every year by 10% of the original price; the equipment value and the component replacement cost are summed to give the equipment cost, the component replacement cost being the cost of component replacements actually incurred; the equipment cost is graded low, medium or high by dividing the price range into equal intervals; the condition for determining that offline has occurred is: the signaling plane log is read, and the terminal is judged offline when no PFCP Session Delete message is generated for 2 hours after the terminal generates an N4 interface PFCP Session Delete message; the fault importance degree is determined as follows: if the terminal is very important and cannot be offline, and going offline would directly threaten the life and property safety of users, social stability or national security, the risk weight is high; if a short offline period causes a certain degree of loss but the scope and degree of influence are controllable, the risk weight is medium; if the terminal can be offline for a long time and the influence is negligible, the risk weight is low;
the terminal fault risk identifier 211 outputs the equipment value and terminal importance degree of the offline terminal fault risk as a terminal fault risk log;
the terminal environment identifier 212 records the campus position and the indoor or outdoor environment of each 5G cell in a mapping table of 5G cell information set in advance; the terminal environment identifier 212 reads the user plane log from the hive database, acquires the 5G cell information and the user permanent identifier, associates and compares them with the 5G cell information mapping table, and outputs a terminal environment log after association is completed;
the private network environment risk identification submodule 21 stores the private network vulnerability log, the data management and control risk log, the terminal fault risk log and the terminal environment log into the big data hive for data modeling and association analysis, and then establishes anomaly analysis indices according to a private network environment risk assessment model. Every index has the risk type "private network environment risk"; the risk classification, risk subclass, risk characteristic and risk weight of each index are: terminal vulnerability risk, high risk, X7, W7; terminal vulnerability risk, medium risk, X8, W8; terminal vulnerability risk, low risk, X9, W9; data management and control risk, data sharing risk, X10, W10; data management and control risk, data authority risk, X11, W11; terminal fault risk, equipment cost, X12, W12; terminal fault risk, equipment importance degree, X13, W13; terminal environment risk, terminal environment, X14, W14;
the private network comprehensive risk assessment module 3 uses a Support Vector Machine (SVM) to carry out classification training on the risk characteristics and risk weights acquired in hive; the specific steps of substitution into the support vector machine are as follows (the equations are present on the source page only as images, referenced here by image number): the hyperplane is described by the expression in [equation image 7], where the quantity in [equation image 8] is the normal vector of the hyperplane, represents the risk weight and determines the direction of the hyperplane, the quantity in [equation image 9] is a feature of the hyperplane and represents a risk feature, and b is the displacement term and determines the distance between the hyperplane and the origin; for any feature x in the sample space, the distance to the hyperplane is written as [equation image 10]; the aim is to find the parameters satisfying the constraint condition [equation image 11] such that γ is maximized; when the sample data set can be correctly divided, no matter whether the label of the original sample is +1 or -1, the value of [equation image 12] is a positive number greater than or equal to 1; introducing Lagrange factors to convert this into a dual problem, it can be written as [equation image 13]; taking the partial derivatives of L(w, b, a) with respect to w and b and setting them to 0 gives [equation image 14] and [equation image 15]; for an equality constraint the Lagrange factor can be used directly to obtain the extremum, while for an inequality constraint the solution must satisfy the KKT conditions, which for this model are [equation image 16], [equation image 17] and [equation image 18]; substituting w into the original function gives [equation image 19]; solving it with a general quadratic programming algorithm yields the final private network feature classifier 30; the risk characteristic vectors produced by feature selection in the private network dynamic risk identification module 1 and the private network environment risk identification module 2 are input into the private network feature classifier 30 to obtain the categories into which the risks corresponding to those vectors are classified.
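The hard-margin SVM derivation that the passage above walks through, written out with the page's own symbols (w, b, x, γ, L(w, b, a)) as an added reconstruction of the standard steps the text names; it is not the patent's own equations, which appear on the page only as images. It assumes m training samples, with x_i the i-th risk feature vector, y_i ∈ {+1, -1} its class label, and f(x) = w^T x + b the decision function.

$$ w^{\top} x + b = 0 \quad\text{(the hyperplane)}, \qquad \gamma(x) = \frac{|w^{\top} x + b|}{\|w\|} \quad\text{(distance of } x \text{ to the hyperplane)} $$

$$ \max_{w,b}\ \frac{2}{\|w\|} \quad \text{s.t. } y_i \bigl(w^{\top} x_i + b\bigr) \ge 1,\ i = 1,\dots,m \qquad\Longleftrightarrow\qquad \min_{w,b}\ \tfrac12 \|w\|^2 \quad \text{s.t. } y_i \bigl(w^{\top} x_i + b\bigr) \ge 1 $$

$$ L(w, b, a) = \tfrac12 \|w\|^2 - \sum_{i=1}^{m} a_i \Bigl( y_i \bigl(w^{\top} x_i + b\bigr) - 1 \Bigr), \qquad a_i \ge 0 $$

$$ \frac{\partial L}{\partial w} = 0 \;\Rightarrow\; w = \sum_{i=1}^{m} a_i y_i x_i, \qquad \frac{\partial L}{\partial b} = 0 \;\Rightarrow\; \sum_{i=1}^{m} a_i y_i = 0 $$

$$ \text{KKT:}\qquad a_i \ge 0, \qquad y_i f(x_i) - 1 \ge 0, \qquad a_i \bigl( y_i f(x_i) - 1 \bigr) = 0, \qquad f(x) = w^{\top} x + b $$

$$ \text{Dual (after substituting } w \text{):}\qquad \max_{a}\ \sum_{i=1}^{m} a_i - \tfrac12 \sum_{i=1}^{m} \sum_{j=1}^{m} a_i a_j y_i y_j\, x_i^{\top} x_j \quad \text{s.t. } \sum_{i=1}^{m} a_i y_i = 0,\ a_i \ge 0 $$

$$ \text{Classifier:}\qquad f(x) = \operatorname{sign}\Bigl( \sum_{i=1}^{m} a_i y_i\, x_i^{\top} x + b \Bigr) $$

The dual is a quadratic program in a; only samples with a_i > 0 (the support vectors) contribute to w and to the classifier.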

Claims (1)

1. A method and apparatus for network risk assessment of a 5G private network, characterized in that they are composed of a private network dynamic risk identification module, a private network environment risk identification module and a private network comprehensive risk assessment module; the private network dynamic risk identification module consists of a private network data acquisition and analysis submodule, a private network data association submodule and a private network risk identification submodule; the private network risk identification submodule consists of a signaling security identifier, a data security identifier and a network risk identifier; the private network environment risk identification module consists of a private network vulnerability identification submodule and a private network environment risk identification submodule; the private network environment risk identification submodule consists of a data management and control risk identifier, a terminal fault risk identifier and a terminal environment identifier;
the private network data acquisition and analysis submodule is used for deploying user plane information acquisition equipment on an N3 interface and acquiring all information of the N3 interface as user plane information; deploying signaling plane information acquisition equipment on the N4 interface and the N11 interface, and acquiring all information of the N4 interface and the N11 interface as signaling plane information; the private network data acquisition and analysis submodule collects user plane information and signaling plane information by respectively deploying user plane information acquisition equipment on the side of a UPF network element and signaling plane information acquisition equipment on the side of a 5G core network;
the private network data acquisition and analysis submodule identifies a protocol type, a source data interface, a tunnel number, a source IP address and port number, a destination IP address and port number, uplink and downlink flow, a protocol type, an equipment type, a service type, equipment version information and a user plane load in user plane information;
the private network data acquisition and analysis submodule identifies, in the signaling plane information, the protocol type, source data interface, tunnel number, user permanent identifier, universal public user identifier, permanent equipment identifier, uplink and downlink protocol flow identifier, 5G cell information, slice information, base station information and signaling plane payload;
the private network data association submodule uses the tunnel number as the association key: from the signaling plane information it takes the mapping between the user permanent identifier, universal public user identifier, permanent equipment identifier, 5G cell information, slice information, base station information and the tunnel number, and from the user plane information the mapping between the tunnel number and the source IP address, destination IP address and user plane payload, and it backfills the signaling plane identifiers into the user plane information through the tunnel number; after the association backfill is completed, the private network data association submodule outputs a signaling plane log and a user plane log; the signaling plane log contains the original signaling plane information; the user plane log contains the original user plane information together with the user permanent identifier, universal public user identifier, permanent equipment identifier, 5G cell information, slice information and base station information;
the private network data association submodule stores the signaling plane log and the user plane log in a hive database;
the signaling security identifier acquires the signaling plane log from the hive database and performs signaling security risk analysis and determination on its key fields; the key fields include: source IP address, destination IP address, user permanent identifier, universal public user identifier, permanent equipment identifier and signaling payload; the key fields are combined into risk determination rules as follows: the association between the user permanent identifier, the universal public user identifier and the permanent equipment identifier is used as a machine-card relationship list; the UPF address, the base station IP address, the session management function (SMF) IP address and the access and mobility management function (AMF) IP address are defined as the IP white list; when the user permanent identifier, universal public user identifier and permanent equipment identifier in the key fields are inconsistent with the machine-card relationship list, a machine-card separation risk is determined; when the source IP address in the key fields is not in the IP white list, a white list risk is determined; when the destination IP address in the key fields is not in the IP white list, a white list risk is determined; when the number of signaling plane logs containing the same user permanent identifier analyzed within the interval time exceeds a threshold value, a terminal security access event is determined; the interval time and the threshold value are obtained by setting; the signaling security identifier outputs the identified security events as a signaling security log;
the data security identifier acquires the user plane log from the hive database and performs data security risk analysis and determination on its key fields; the key fields include: industrial internet protocol type, source IP address, destination IP address and the fields parsed from the industrial internet protocol;
the data security identifier acquires data classification and grading rules in a preset manner; the data classification covers industrial enterprise data, industrial internet platform data and industrial internet identifier resolution data; industrial enterprise data is further divided into research and development domain data, production domain data, operation and maintenance domain data, management domain data and external data; the fields parsed from the industrial internet protocol are mapped to the data classification to form a data classification table; the data grade is divided into three grades, industrial general data, industrial important data and industrial core data, and the data classification table and the data grade table are mapped together to form the complete data classification and grading rules;
when the user plane log carries fields parsed from an industrial internet protocol that hit the data classification and grading rules, the data security identifier outputs a data identification log; the data identification log includes the identification time, industrial internet protocol name, parsed fields, data classification, data group number and data number;
the data security identifier acquires the user plane log from the hive database and performs data transmission abnormal behavior analysis and determination on its key fields, which include: source IP address, destination IP address, uplink and downlink traffic, traffic start and stop time, user permanent identifier, application layer protocol, protocol parsing fields and payload; the key fields are combined into risk determination rules: when the data grade in the data identification log is industrial important data or industrial core data, sensitive data is being transmitted in plaintext in the data stream, and the data security identifier triggers the sensitive data plaintext transmission risk rule and determines a sensitive data plaintext transmission risk; when the source IP address or the destination IP address of the same user permanent identifier in the user plane log is not within the data transfer range baseline, the data flow range risk rule is triggered and a data flow range risk is determined; the data transfer range baseline is obtained through setting; when the time at which uplink and downlink traffic of the same user permanent identifier in the user plane log is generated is not within the data transfer time baseline, the data flow time risk rule is triggered and a data flow time risk is determined; the data transfer time baseline is obtained through setting; when the destination IP address of the same user permanent identifier in the user plane log is not within the in-campus IP address baseline, the data leakage risk rule is triggered and a data leakage risk is determined; the in-campus IP address baseline is obtained through setting; the data security identifier outputs the identified risks as a data risk log;
the network risk identifier acquires the user plane log from the hive database and associates and compares key fields with threat intelligence obtained by a web crawler, the key fields comprising: source IP address, destination IP address, user permanent identifier, application layer protocol, protocol parsed field and payload; the web crawler periodically acquires intelligence from the National Internet Emergency Center, the Tencent Threat Intelligence Center and the QiAnxin Threat Intelligence Center, and the acquired intelligence comprises: malicious IP addresses, payload hashes and domain names; when a key field hits the intelligence, a network risk is judged to have occurred, and the network risk is divided into a network behavior attack subclass and a malicious program attack subclass according to the matched network risk type; the network risk identifier outputs the identified risks as a network risk log;
the private network risk identification submodule stores the signaling security log, the data identification log, the data risk log and the network risk log in the big data hive for data modeling and correlation analysis, and then establishes abnormality analysis indices according to the private network dynamic risk assessment model: for risk type 5G private network risk, risk classification data security and risk subclass data transmission abnormal behavior, the risk feature is X1 and the risk weight is W1; for risk type 5G private network risk, risk classification data security and risk subclass data classification, the risk feature is X2 and the risk weight is W2; for risk type 5G private network risk, risk classification signaling risk and risk subclass signaling security event, the risk feature is X3 and the risk weight is W3; for risk type 5G private network risk, risk classification signaling risk and risk subclass terminal security event, the risk feature is X4 and the risk weight is W4; for risk type 5G private network risk, risk classification network risk and risk subclass network behavior attack, the risk feature is X5 and the risk weight is W5; for risk type 5G private network risk, risk classification network risk and risk subclass malicious program attack, the risk feature is X6 and the risk weight is W6;
the private network vulnerability identification submodule acquires the user plane log from the hive database and associates and compares key fields with vulnerability information acquired by a web crawler, the key fields comprising: device hardware information, middleware version information and development dependency version information; the web crawler periodically acquires vulnerability information published by the national information security vulnerability sharing platform and the general vulnerability disclosure platform, the vulnerability information comprising: vulnerability number, vulnerability type, vulnerability name and the product the vulnerability relates to; the private network vulnerability identification submodule analyzes the vulnerability description, scope of impact and trigger scenario together with the device hardware information, middleware version information and development dependency version information, identifies the vulnerabilities present in terminals, middleware and databases, and forms a private network terminal vulnerability library, a private network middleware vulnerability library and a private network server vulnerability library; the private network terminal vulnerability library, private network middleware vulnerability library and private network server vulnerability library are divided into high-risk, medium-risk and low-risk vulnerabilities according to the vulnerability conditions disclosed by the national information security vulnerability sharing platform and the general vulnerability disclosure platform; the private network vulnerability identification submodule outputs the identified vulnerability information as a private network vulnerability log;
the data management and control risk identifier performs data management and control risk identification for the industry application server; it acquires the user plane log from the hive database, reads key fields and obtains the industry application server log for risk analysis, the key fields comprising: source IP address, destination IP address, user permanent identifier and database execution operation type; the data management and control risk identifier compares against the risk identification table preset in the industry application server log; the risk identification table carries data levels divided into industrial general data, industrial important data and industrial core data, the operation types permitted differ by data level, and the operation types comprise: query, write, export, desensitize, batch query and batch export, each operation type having an execution count threshold;
the data management and control risk identifier looks up, in the risk identification table, the data level corresponding to the database execution operation object in the user plane log; when the operation types permitted for that data level do not include the database execution operation type in the user plane log, a data authority risk is judged to have occurred; when the permitted operation types do include the database execution operation type in the user plane log, a data sharing risk is judged to have occurred once the execution count of that operation type exceeds its threshold;
the data management and control risk identifier outputs the data authority risks and data sharing risks as data management and control risk events to form the data management and control risk log;
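The authority and sharing checks above as they would run over a sequence of database operations, added here as an illustration rather than the patent's code; the risk identification table contents, the object-to-level mapping, the thresholds and the supi-B records are constructed, and raising the sharing risk once at the first crossing is an assumption:

```python
from collections import Counter

# Constructed risk identification table: data level -> permitted operation type
# -> execution count threshold. An operation type missing from a level's entry is
# not permitted at that level at all.
RISK_IDENTIFICATION_TABLE = {
    "industrial general data": {"query": 500, "write": 200, "export": 50,
                                "desensitize": 50, "batch query": 20, "batch export": 5},
    "industrial important data": {"query": 200, "write": 50, "desensitize": 20,
                                  "batch query": 5},
    "industrial core data": {"query": 10, "desensitize": 5},
}

# Constructed mapping of database execution operation objects to data levels.
OBJECT_LEVELS = {
    "orders": "industrial general data",
    "recipes": "industrial important data",
    "plc_firmware": "industrial core data",
}

def judge_control_risks(records):
    """records: user plane log entries with supi, db_object and op_type, in log
    order. Returns data management and control risk events. The sharing risk is
    raised once, when the count first passes the threshold (an assumption; the
    patent only says the count 'exceeds' it)."""
    events, counts = [], Counter()
    for rec in records:
        level = OBJECT_LEVELS[rec["db_object"]]
        permitted = RISK_IDENTIFICATION_TABLE[level]
        op = rec["op_type"]
        base = {"supi": rec["supi"], "db_object": rec["db_object"],
                "op_type": op, "data_level": level}
        if op not in permitted:
            # The operation type is not allowed at this data level at all.
            events.append(dict(base, risk="data authority risk"))
            continue
        key = (rec["supi"], rec["db_object"], op)
        counts[key] += 1
        if counts[key] == permitted[op] + 1:
            events.append(dict(base, risk="data sharing risk",
                               count=counts[key], threshold=permitted[op]))
    return events

# Constructed sample: one export of important data (not permitted), then twelve
# queries of core data against a threshold of ten.
SAMPLE_RECORDS = [{"supi": "supi-B", "db_object": "recipes", "op_type": "export"}]
SAMPLE_RECORDS += [{"supi": "supi-B", "db_object": "plc_firmware", "op_type": "query"}
                   for _ in range(12)]
```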
the terminal fault risk identifier uses a preset equipment terminal fault risk evaluation rule table comprising the fields equipment identifier, equipment value, part replacement cost, whether offline has occurred and fault importance, with fault importance divided into low, medium and high; the terminal fault risk identifier reads the user plane log from the hive database, acquires the user permanent identifier, source IP address and destination IP address, deduplicates them and fills the equipment identifier field of the risk evaluation rule table; the equipment value depreciates each year by 10% of the original price, the part replacement cost is the cost of the part replacements actually incurred, and the equipment value and part replacement cost are summed to give the equipment cost; the equipment cost is graded low, medium or high by equal-interval division; the condition for judging that offline has occurred is: reading the signaling plane log, the terminal is judged offline when no PFCP Session Establishment message is generated within 2 hours after the terminal generates an N4 interface PFCP Session Deletion message; the fault importance is determined as follows: if the terminal is very important and must not go offline, because its going offline would directly threaten the life or property safety of users, social stability or national security, the risk weight is high; if a short offline period causes a certain degree of loss but the scope and degree of impact are controllable, the risk weight is medium; if the terminal can be offline for a long time with negligible impact, the risk weight is low;
the terminal fault risk identifier outputs the equipment value and terminal importance of each terminal with an offline fault risk as the terminal fault risk log;
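The offline determination from N4 PFCP session messages and the equipment cost grading described above, written out as an added example (not the patent's code); the rule table rows, the signaling events, the message name strings and the zero floor on the depreciated value are constructed assumptions:

```python
from datetime import datetime, timedelta

OFFLINE_WINDOW = timedelta(hours=2)   # no re-establishment within 2 h => offline

def detect_offline(signaling_events, now):
    """signaling_events: (iso_timestamp, equipment_id, n4_message) tuples from the
    signaling plane log; `now` closes the window for deletions that never saw a
    PFCP Session Establishment. Returns {equipment_id: offline_flag}."""
    pending, offline = {}, {}
    for ts, term, msg in sorted(signaling_events):
        t = datetime.fromisoformat(ts)
        offline.setdefault(term, False)
        if msg == "PFCP Session Deletion":
            pending[term] = t
        elif msg == "PFCP Session Establishment" and term in pending:
            if t - pending.pop(term) > OFFLINE_WINDOW:
                offline[term] = True  # came back, but only after the 2 h window
    for term, t in pending.items():
        if now - t > OFFLINE_WINDOW:
            offline[term] = True
    return offline

def equipment_cost(original_price, age_years, part_replacement_cost):
    """Value after 10%-of-original-price annual depreciation (floored at zero,
    an assumption) plus the part replacement cost actually incurred."""
    value = max(original_price - 0.10 * original_price * age_years, 0.0)
    return value + part_replacement_cost

def cost_grade(cost, fleet_costs):
    """Equal-interval division of the fleet's cost range into low/medium/high."""
    lo, hi = min(fleet_costs), max(fleet_costs)
    step = (hi - lo) / 3
    if step == 0 or cost <= lo + step:
        return "low"
    return "medium" if cost <= lo + 2 * step else "high"

def build_terminal_fault_log(rule_table, signaling_events, now):
    """rule_table rows: equipment_id, original_price, age_years, part_cost,
    importance. Emits one terminal fault risk log entry per offline terminal."""
    costs = {r["equipment_id"]: equipment_cost(r["original_price"], r["age_years"],
                                               r["part_cost"]) for r in rule_table}
    offline = detect_offline(signaling_events, now)
    return [
        {"equipment_id": r["equipment_id"], "equipment_cost": costs[r["equipment_id"]],
         "cost_grade": cost_grade(costs[r["equipment_id"]], list(costs.values())),
         "fault_importance": r["importance"]}
        for r in rule_table if offline.get(r["equipment_id"], False)
    ]

# Constructed rule table and N4 signaling events.
RULE_TABLE = [
    {"equipment_id": "T1", "original_price": 10000, "age_years": 2, "part_cost": 500, "importance": "medium"},
    {"equipment_id": "T2", "original_price": 50000, "age_years": 5, "part_cost": 0, "importance": "high"},
    {"equipment_id": "T3", "original_price": 2000, "age_years": 10, "part_cost": 100, "importance": "low"},
]
SIGNALING = [
    ("2022-12-02T00:00:00", "T1", "PFCP Session Deletion"),
    ("2022-12-02T00:30:00", "T1", "PFCP Session Establishment"),  # back within 2 h
    ("2022-12-02T01:00:00", "T2", "PFCP Session Deletion"),       # never re-established
]
NOW = datetime.fromisoformat("2022-12-02T05:00:00")
```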
the terminal environment identifier marks the campus location, indoor environment and outdoor environment of each 5G cell through a preset 5G cell information mapping table; it reads the user plane log from the hive database, acquires the 5G cell information and user permanent identifier, associates and compares them with the 5G cell information mapping table, and outputs a terminal environment log once the association is complete;
the private network environment risk identification submodule stores the private network vulnerability log, the data management and control risk log, the terminal fault risk log and the terminal environment log in the big data hive for data modeling and correlation analysis, and then establishes abnormality analysis indices according to the private network environment risk assessment model: for risk type private network environment risk, risk classification terminal vulnerability risk and risk subclass high risk, the risk feature is X7 and the risk weight is W7; for risk type private network environment risk, risk classification terminal vulnerability risk and risk subclass medium risk, the risk feature is X8 and the risk weight is W8; for risk type private network environment risk, risk classification terminal vulnerability risk and risk subclass low risk, the risk feature is X9 and the risk weight is W9; for risk type private network environment risk, risk classification data management and control risk and risk subclass data sharing risk, the risk feature is X10 and the risk weight is W10; for risk type private network environment risk, risk classification data management and control risk and risk subclass data authority risk, the risk feature is X11 and the risk weight is W11; for risk type private network environment risk, risk classification terminal fault risk and risk subclass equipment cost, the risk feature is X12 and the risk weight is W12; for risk type private network environment risk, risk classification terminal fault risk and risk subclass equipment importance, the risk feature is X13 and the risk weight is W13; for risk type private network environment risk, risk classification terminal environment risk and risk subclass terminal environment, the risk feature is X14 and the risk weight is W14;
a private network comprehensive risk assessment module performs classification training on the risk features and risk weights acquired from hive using a Support Vector Machine (SVM); the SVM is applied as follows: a hyperplane is described by
[equation image 1: not recovered from the source]
where
[equation image 2: not recovered from the source]
is the normal vector of the hyperplane, represents the risk weights and determines the orientation of the hyperplane;
[equation image 3: not recovered from the source]
is the feature of the hyperplane and represents a risk feature, and b is the displacement term, which determines the distance between the hyperplane and the origin; for any feature x in the sample space, the distance to the hyperplane is written as
[equation image 4: not recovered from the source]
find the parameters satisfying the constraint
[equation image 5: not recovered from the source]
such that γ is maximized; when the sample data set can be correctly partitioned, regardless of whether the label of the original sample is +1 or -1, the values of
[equation image 6: not recovered from the source]
are all positive numbers greater than or equal to 1; introducing Lagrange multipliers to convert the problem into its dual, it can be written as:
[equation image 7: not recovered from the source]
taking the partial derivatives of L(w, b, a) with respect to w and b and setting them to 0 gives
[equation image 8: not recovered from the source]
[equation image 9: not recovered from the source]
for an equality constraint the extremum can be obtained directly with a Lagrange multiplier; for an inequality constraint the solution is found when the KKT conditions are satisfied, and the KKT conditions corresponding to this model are:
[equation image 10: not recovered from the source]
[equation image 11: not recovered from the source]
[equation image 12: not recovered from the source]
substituting w into the original function gives
[equation image 13: not recovered from the source]
which is solved with a general quadratic programming algorithm to obtain the final private network feature classifier; the risk feature vectors produced by feature selection in the private network dynamic risk identification module and the private network environment risk identification module are input into the private network feature classifier to obtain the category into which the risks corresponding to those feature vectors are classified.
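The hard-margin SVM derivation the passage walks through, written out here as an added illustration using the passage's own symbols (w, b, x, γ; the passage's Lagrange factor a is written α, with y_i ∈ {+1, −1} the sample labels and m the number of samples). The patent's own equations are images that did not survive extraction, so this is the textbook form, not a reproduction of them:

$$
\begin{aligned}
&\text{hyperplane:}\quad w^{\top}x + b = 0, \qquad
\text{distance of a feature } x \text{ to it:}\quad \gamma = \frac{|w^{\top}x + b|}{\|w\|}\\[4pt]
&\text{constraint:}\quad y_i\,(w^{\top}x_i + b) \ge 1,\quad i = 1,\dots,m,
\qquad \text{margin } \gamma = \frac{2}{\|w\|}\ \text{maximised} \iff \min_{w,b}\ \tfrac12\|w\|^2\\[4pt]
&\text{Lagrangian:}\quad L(w,b,\alpha) = \tfrac12\|w\|^2 - \sum_{i=1}^{m}\alpha_i\bigl(y_i(w^{\top}x_i + b) - 1\bigr),\quad \alpha_i \ge 0\\[4pt]
&\frac{\partial L}{\partial w} = 0 \;\Rightarrow\; w = \sum_{i=1}^{m}\alpha_i y_i x_i,
\qquad \frac{\partial L}{\partial b} = 0 \;\Rightarrow\; \sum_{i=1}^{m}\alpha_i y_i = 0\\[4pt]
&\text{KKT:}\quad \alpha_i \ge 0,\qquad y_i f(x_i) - 1 \ge 0,\qquad \alpha_i\bigl(y_i f(x_i) - 1\bigr) = 0,\quad f(x) = w^{\top}x + b\\[4pt]
&\text{dual (after substituting } w\text{):}\quad
\max_{\alpha}\ \sum_{i=1}^{m}\alpha_i - \tfrac12\sum_{i=1}^{m}\sum_{j=1}^{m}\alpha_i\alpha_j y_i y_j\, x_i^{\top}x_j
\quad \text{s.t.}\ \sum_{i=1}^{m}\alpha_i y_i = 0,\ \alpha_i \ge 0\\[4pt]
&\text{classifier:}\quad f(x) = \operatorname{sign}\Bigl(\sum_{i=1}^{m}\alpha_i y_i\, x_i^{\top}x + b\Bigr)
\end{aligned}
$$

Only samples with α_i > 0 (the support vectors) contribute to w, which is why the dual is the form handed to a quadratic programming solver.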
CN202211531582.7A 2022-12-02 2022-12-02 Network risk assessment method and device for 5G private network Pending CN115767550A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211531582.7A CN115767550A (en) 2022-12-02 2022-12-02 Network risk assessment method and device for 5G private network

Publications (1)

Publication Number Publication Date
CN115767550A true CN115767550A (en) 2023-03-07

Family

ID=85342419

Country Status (1)

Country Link
CN (1) CN115767550A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116170829A (en) * 2023-04-26 2023-05-26 浙江省公众信息产业有限公司 Operation and maintenance scene identification method and device for independent private network service
CN116170829B (en) * 2023-04-26 2023-07-04 浙江省公众信息产业有限公司 Operation and maintenance scene identification method and device for independent private network service
CN116647836A (en) * 2023-07-27 2023-08-25 深圳市芯保迪电子科技有限公司 Network security intelligent monitoring system and method based on 5G communication technology
CN116647836B (en) * 2023-07-27 2023-10-03 深圳市芯保迪电子科技有限公司 Network security intelligent monitoring system and method based on 5G communication technology
CN117556050A (en) * 2024-01-12 2024-02-13 长春吉大正元信息技术股份有限公司 Data classification and classification method and device, electronic equipment and storage medium
CN117556050B (en) * 2024-01-12 2024-04-12 长春吉大正元信息技术股份有限公司 Data classification and classification method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN115767550A (en) Network risk assessment method and device for 5G private network
US20210273957A1 (en) Cyber security for software-as-a-service factoring risk
Li et al. Improving one-class SVM for anomaly detection
Wang et al. An exhaustive research on the application of intrusion detection technology in computer network security in sensor networks
Maglaras et al. Threats, protection and attribution of cyber attacks on critical infrastructures
CN112560046A (en) Method and device for evaluating service data security index
US20230418943A1 (en) Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same
Gao et al. An intrusion detection method based on machine learning and state observer for train-ground communication systems
CN115996146A (en) Numerical control system security situation sensing and analyzing system, method, equipment and terminal
Zhang et al. Unknown network attack detection based on open‐set recognition and active learning in drone network
CN117478433B (en) Network and information security dynamic early warning system
Zheng et al. Smart grid: Cyber attacks, critical defense approaches, and digital twin
Rajesh et al. Evaluation of machine learning algorithms for detection of malicious traffic in scada network
Ghanshala et al. BNID: a behavior-based network intrusion detection at network-layer in cloud environment
CN110798353A (en) Network behavior risk perception and defense method based on behavior characteristic big data analysis
Maglaras et al. Novel intrusion detection mechanism with low overhead for SCADA systems
CN114338407B (en) Operation and maintenance management method for enterprise information security
Shen et al. Prior knowledge based advanced persistent threats detection for IoT in a realistic benchmark
CN114697052B (en) Network protection method and device
Falowo et al. Exploration of various machine learning techniques for identifying and mitigating DDoS attacks
Hassan et al. Achieving model explainability for intrusion detection in VANETs with LIME
Minjie et al. Abnormal Traffic Detection Technology of Power IOT Terminal Based on PCA and OCSVM
EP4254241A1 (en) Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same
Adharsh et al. Prevention of Data Breach by Machine Learning Techniques
Sun et al. Research on the characteristics and security risks of the internet of vehicles data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination