CN115834221A - Intelligent analysis method, system, equipment and storage medium for network security - Google Patents


Info

Publication number: CN115834221A
Authority: CN (China)
Prior art keywords: alarm, alarm information, data, information, network security
Legal status: Pending
Application number: CN202211514933.3A
Other languages: Chinese (zh)
Inventors: 盛华, 袁传新, 王云霄, 张婕, 李超, 张腾, 陈剑飞, 程兴防, 赵丽娜, 黄华
Current assignee: State Grid Corp of China SGCC; Information and Telecommunication Branch of State Grid Shandong Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; Information and Telecommunication Branch of State Grid Shandong Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC and Information and Telecommunication Branch of State Grid Shandong Electric Power Co Ltd
Priority to CN202211514933.3A
Publication of CN115834221A

Landscapes

  • Alarm Systems (AREA)

Abstract

The invention discloses a network security intelligent analysis method, system, device and storage medium. The method comprises the following steps: collecting traffic data and alarm logs from security monitoring devices and normalizing the alarm logs; storing the collected full-traffic security data in a unified store and re-analyzing the traffic data in depth; screening the alarm information with a machine learning method to remove redundant alarms; clustering the alarm information by similarity; correlating the alarm information and linking it into a complete attack chain and a threat report; and extracting alarm features, iteratively optimizing the alarm model, and triaging the alarm information. The method improves the precision with which alarm events are identified, has self-learning optimization capability, and, through continuous iteration between manual judgment and machine learning, improves the efficiency and accuracy of alarm event handling.

Description

Intelligent analysis method, system, equipment and storage medium for network security
Technical Field
The invention relates to a network security intelligent analysis method, system, device and storage medium, and belongs to the technical field of network security analysis.
Background
The scale of computer networks keeps growing and applications keep multiplying, so network security problems are increasingly prominent. Daily access traffic on a single network now reaches millions of requests, and the share of malicious attacks within it is rising. Conventional practice therefore relies on a variety of security devices applying signature libraries to warn of, discriminate and handle network attacks, and security protection within the network is achieved on that basis.
Signature-based identification of malicious attacks by security devices still has limitations: the monitoring workload is large, and all attack traffic cannot be judged manually. When network security protection devices are deployed against network attacks they readily generate large volumes of redundant alarm information, and signature-library matching also readily raises false alarms on some normal traffic. This greatly increases the alarm-handling workload and sharply reduces the efficiency and accuracy of alarm handling.
Disclosure of Invention
To solve these problems, the invention provides a network security intelligent analysis method, system, device and storage medium that improve the accuracy and efficiency of alarm event handling.
The technical scheme adopted to solve the technical problems is as follows:
In a first aspect, an embodiment of the invention provides an intelligent network security analysis method comprising the following steps:
collecting traffic data and alarm logs from security monitoring devices, and normalizing the alarm logs;
storing the collected full-traffic security data in a unified store, and re-analyzing the traffic data in depth;
screening the alarm information with a machine learning method to remove redundant alarms;
clustering the alarm information by similarity;
correlating the alarm information and linking it into a complete attack chain and a threat report;
and extracting alarm features, iteratively optimizing the alarm model, and triaging the alarm information.
As a possible implementation of this embodiment, storing the collected full-traffic security data in a unified store and re-analyzing the traffic data in depth includes:
performing correlation analysis, within a set time period, on the consolidated alarm information of the detection platform, anomalies in the network security data, suspicious event information from the security devices, and other network security events;
filtering anomalies in the network data that passes through the security devices against a policy library;
and aggregating the alarm information with the security-device events on the security analysis platform, then grading the model-analyzed alarm information on the unified operations platform for unified display.
As a possible implementation of this embodiment, screening the alarm information with a machine learning method to remove redundant alarms includes:
merging the alarm information collected by all relevant network-security-device platforms within a set time period;
calculating the urgency of each alarm from the peak network traffic, the average network traffic, the weight of the security device and the risk type reported by the security device;
calculating alarm accuracy as the ratio of correct alarms to total alarms;
calculating the difference between the time at which the alarm was generated and the time at which it was processed;
screening suspected alarm information according to alarm urgency, accuracy and that time difference;
and, when a new alarm is found, traversing the alarm queue and comparing every attribute in turn; when the same alarm information already appears, the alarm with the earliest occurrence time is taken as the final result in place of the redundant alarms.
As a possible implementation of this embodiment, clustering by alarm similarity includes:
extracting alarm features, using destination IP, source IP, time and event name as the data to process;
normalizing the data, namely using the absolute value of the difference between source IP and destination IP to link all alarms involving that source IP and destination IP within a set time;
converting the data format to numeric values and reconstructing a new alarm data set;
calculating the overall similarity of the alarms, raising the expected minimum similarity for IP and time and correspondingly lowering the weight of the overall similarity;
and clustering the new alarm data set into several clusters with the unsupervised machine learning algorithm DP-Kmeans: the number of clusters is determined by an initial calculation, adjusted from the data set and from experience, and the final clusters are then computed.
As a possible implementation of this embodiment, correlating the alarm information and linking it into a complete attack chain and a threat report includes:
completing data extraction and analysis on the alarm log information that has been processed with regular expressions;
converting the data into a format suited to the network-security attack-behaviour pattern scenario;
extracting key feature data from the full feature analysis through dimensionality reduction by a machine learning method;
mining frequent attack sequence patterns from the alarm records: building a record set with a clustering algorithm and a sliding window, then mining attack sequences in depth with data mining techniques;
clustering the alarm information and dividing it into cluster root alarms and associated alarms according to the characteristics of the data;
and, since a complete attack behaviour is scattered across many alarm records in the alarm log base, characterizing the alarm information and performing correlation analysis to generate a complete attack chain and threat report.
As a possible implementation of this embodiment, the correlation analysis of the alarm information includes:
removing unsuitable features from the alarm information generated by the security devices according to prior knowledge, extracting alarm type, source and destination IP addresses and port numbers from the alarm logs as effective features, and constructing an initial sequence set;
traversing the preprocessed initial alarm sequence set with the FP-growth algorithm, counting the initial frequent itemsets, calculating the support of each set to produce the frequent itemset sequence, and iterating over the FP-tree branches to produce the final frequent itemsets;
and outputting the rules that meet the minimum confidence from the frequent itemsets, updating the rule base, and deriving the attack chain from the analysis.
As a possible implementation of this embodiment, extracting alarm features, iteratively optimizing the alarm model and triaging the alarm information includes:
encoding the alarm features into matrix data and initializing the neural network parameters;
iteratively adjusting the neural network threshold, the number of hidden layers and the number of neurons per layer, and taking the parameters with the best classification as the final model parameters for feature extraction;
extracting and preprocessing the alarm features, and generating a network-security alarm training set in which analyst judgments serve as the ground-truth labels for real alarms;
training several machine learning models on the processed network-security alarm training set;
and using the trained models as weak classifiers, integrating them with their accuracy as the weight to obtain a more robust alarm-authenticity classification model, and judging false alarms versus real alarms.
In a second aspect, an intelligent network security analysis system provided by an embodiment of the invention includes:
a normalization module for collecting traffic data and alarm logs from security monitoring devices and normalizing the alarm logs;
a data storage module for storing the collected full-traffic security data in a unified store and re-analyzing the traffic data in depth;
an alarm screening module for screening the alarm information with a machine learning method and removing redundant alarms;
a similar-alarm clustering module for clustering the alarm information by similarity;
an alarm correlation module for correlating the alarm information and linking it into a complete attack chain and a threat report;
and an alarm triage module for extracting alarm features, iteratively optimizing the alarm model and triaging the alarm information.
In a third aspect, an embodiment of the invention provides a computer apparatus including a processor, a memory and a bus, where the memory stores machine-readable instructions executable by the processor; when the computer apparatus operates, the processor and the memory communicate through the bus, and the processor executes the machine-readable instructions to perform the steps of any of the network security intelligent analysis methods above.
In a fourth aspect, an embodiment of the invention provides a readable storage medium storing a computer program which, when executed by a processor, performs the steps of any of the network security intelligent analysis methods above.
The technical scheme of the embodiments of the invention has the following beneficial effects:
The invention performs correlation analysis on alarm information to generate threat reports that triage analysts study, so that their level of network security expertise keeps improving; the analysts submit manually judged alarm information to the system to iteratively optimize the alarm analysis model. Through this continuous iteration between manual judgment and machine learning, the analysts learn from the security threat reports and raise their analysis level, and a standard alarm data set format is produced, which improves the triage accuracy of the artificial-intelligence judgment model, ultimately reducing the false alarm rate and raising the overall alarm efficiency of the system.
The invention collects global network security data, establishes a network-wide traffic pool and stores the full-traffic security data locally, which supports tracing and evidence collection and also provides an interface for third-party analysis platforms or a unified operations platform, thereby enabling deep re-analysis of the traffic data.
The invention performs correlation analysis on alarm information to generate a complete attack chain, can reason about attacks on both known and unknown vulnerability types, and analyzes the attack intent.
The method of the invention improves the precision of alarm event identification, has self-learning optimization capability, and improves the efficiency and accuracy of alarm event handling.
Drawings
FIG. 1 is a flow diagram illustrating a network security intelligence analysis method in accordance with an exemplary embodiment;
fig. 2 is a schematic diagram illustrating a network security intelligence analysis system in accordance with an exemplary embodiment.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
in order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
As shown in fig. 1, an intelligent network security analysis method provided in an embodiment of the present invention includes the following steps:
collecting traffic data and alarm logs from security monitoring devices, and normalizing the alarm logs;
storing the collected full-traffic security data in a unified store, and re-analyzing the traffic data in depth;
screening the alarm information with a machine learning method to remove redundant alarms;
clustering the alarm information by similarity;
correlating the alarm information and linking it into a complete attack chain and a threat report;
and extracting alarm features, iteratively optimizing the alarm model, and triaging the alarm information.
As a possible implementation of this embodiment, collecting traffic data and alarm logs from the security monitoring devices includes:
determining which security monitoring devices can send alarm information themselves and which cannot; on devices that cannot, installing an agent and sending the alarm information through the agent;
configuring the address of the security monitoring device and/or the agent;
establishing a communication connection between the security monitoring device and/or the agent and the server, collecting the system log of the security monitoring device, and sending the alarm information to the server;
and aggregating the security data of the whole network into a traffic pool, with the alarms of the multi-level security devices gathered uniformly.
As a possible implementation of this embodiment, each platform provides a plug-in so that early-warning information can be linked to the unified operations platform while each platform is monitoring.
As a possible implementation of this embodiment, the early warnings are collected from data to which a person has manually assigned a label (true, suspected or false alarm); the data comes from two detection schemes (for details, see the user function module for monitoring and handling). Compared with the collection format of monitoring logs, this data format has the labels (true, suspected, false alarm) added.
As a possible implementation of this embodiment, a local company in a city deploys a traffic probe that can capture, filter and analyze packets. It is deployed out-of-band (bypass mode) and has two main functions: first, generating alarm information; second, full-traffic collection. The probe can perform basic information analysis and sensitive-traffic analysis, and the alarm information it generates can be linked to the unified operations platform.
As a possible implementation of this embodiment, normalizing the alarm log includes: extracting the key fields of the alarm information with a configured regular expression adapted to the device, the corresponding regular expression being loaded by matching on the device-type field.
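As an added illustration (not part of the patent text), the following Python shows the normalization step as described: a regular expression is selected by the device-type field that prefixes each raw line, and the key fields are extracted into one common record. The two device formats, the sample lines and the output field names are constructed for this example; lines whose device type has no configured expression, or that fail to match it, are dropped rather than guessed at.

```python
import re
from datetime import datetime, timezone

# Per-device-type regular expressions, selected by the "device type" field that
# prefixes each raw line. Both device formats are constructed for this example
# and are not real vendor formats.
PATTERNS = {
    "ids": re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
        r"sig=\"(?P<event>[^\"]+)\" src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
        r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) sev=(?P<severity>\d)$"
    ),
    "waf": re.compile(
        r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \[(?P<severity>LOW|MEDIUM|HIGH)\] "
        r"(?P<src_ip>[\d.]+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<event>.+)$"
    ),
}

# Per-device timestamp formats, all mapped to one UTC epoch representation.
TS_FORMATS = {"ids": "%Y-%m-%dT%H:%M:%SZ", "waf": "%d/%m/%Y %H:%M:%S"}
SEVERITY_WORDS = {"LOW": 1, "MEDIUM": 3, "HIGH": 5}


def normalize(raw_line):
    """Return a normalized alarm dict, or None if the line cannot be parsed."""
    try:
        device_type, payload = raw_line.split("|", 1)
    except ValueError:
        return None
    pattern = PATTERNS.get(device_type)
    if pattern is None:          # unknown device type: no regex configured for it
        return None
    m = pattern.match(payload.strip())
    if m is None:                # regex configured, but the line does not match it
        return None
    f = m.groupdict()
    ts = datetime.strptime(f["ts"], TS_FORMATS[device_type]).replace(tzinfo=timezone.utc)
    sev = f["severity"]
    return {
        "device_type": device_type,
        "time": int(ts.timestamp()),
        "event": f["event"],
        "src_ip": f["src_ip"],
        "src_port": int(f["src_port"]) if f.get("src_port") else None,
        "dst_ip": f["dst_ip"],
        "dst_port": int(f["dst_port"]),
        "severity": SEVERITY_WORDS.get(sev, int(sev) if sev.isdigit() else 0),
    }


def normalize_all(lines):
    """Normalize every line; unparseable lines are dropped, not guessed at."""
    return [a for a in (normalize(line) for line in lines) if a is not None]


# Constructed raw lines: two supported device types, one unsupported type, one garbled line.
RAW_LINES = [
    'ids|2024-03-01T10:00:05Z sig="SSH brute force" src=203.0.113.7:51234 dst=10.0.0.5:22 sev=4',
    'waf|01/03/2024 10:00:09 [HIGH] 203.0.113.7 -> 10.0.0.8:443 SQL injection in query string',
    'fw|unsupported vendor line that has no regex configured',
    'ids|garbled line',
]

if __name__ == "__main__":
    for alarm in normalize_all(RAW_LINES):
        print(alarm)
```

The device-type lookup is the point of the step: adding a new device means adding one regex and one timestamp format, and a device that is not configured produces nothing rather than a half-filled record that later stages would treat as real.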
As a possible implementation of this embodiment, storing the collected full-traffic security data in a unified store and re-analyzing the traffic data in depth includes:
performing correlation analysis, within a set time period, on the consolidated alarm information of the detection platform, anomalies in the network security data, suspicious event information from the security devices, and other network security events;
filtering anomalies in the network data that passes through the security devices against a policy library;
and aggregating the alarm information with the security-device events on the security analysis platform, then grading the model-analyzed alarm information on the unified operations platform for unified display.
The full-traffic data is stored locally, which supports tracing and evidence collection and also provides an interface for third-party analysis platforms or the unified operations platform, so that the traffic data can be re-analyzed in depth and new alarm information generated.
As a possible implementation of this embodiment, screening the alarm information with a machine learning method to remove redundant alarms includes:
merging the alarm information collected by all relevant network-security-device platforms within a set time period;
calculating the urgency of each alarm from the peak network traffic, the average network traffic, the weight of the security device and the risk type reported by the security device;
calculating alarm accuracy as the ratio of correct alarms to total alarms;
calculating the difference between the time at which the alarm was generated and the time at which it was processed;
screening suspected alarm information according to alarm urgency, accuracy and that time difference;
and, when a new alarm is found, traversing the alarm queue and comparing every attribute in turn; when the same alarm information already appears, the alarm with the earliest occurrence time is taken as the final result in place of the redundant alarms.
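The screening and de-duplication steps above, as an added Python example that is not part of the patent. The patent names the inputs to the urgency score but gives no formula, so the formula, the device and risk weights, the thresholds, the analyst-feedback history and the alarm records below are all assumptions made for this illustration. The queue walk also handles the case the last step implies: a duplicate that arrives later but carries an earlier timestamp replaces the copy already queued.

```python
from dataclasses import dataclass

# Assumed weights: the patent lists these inputs but gives no numbers.
DEVICE_WEIGHT = {"ids": 0.8, "waf": 1.0, "fw": 0.5}
RISK_WEIGHT = {"brute_force": 0.6, "sql_injection": 0.9, "port_scan": 0.3}


@dataclass(frozen=True)
class Alarm:
    time: int        # epoch seconds at which the device raised the alarm
    device: str      # device type that raised it
    risk: str        # risk type reported by the device
    src_ip: str
    dst_ip: str
    dst_port: int
    max_flow: float  # peak traffic in the alarm window (constructed, Mbit/s)
    avg_flow: float  # average traffic in the alarm window (constructed, Mbit/s)

    def key(self):
        """Every attribute except the timestamp; equal keys mean a redundant alarm."""
        return (self.device, self.risk, self.src_ip, self.dst_ip, self.dst_port)


def urgency(a):
    """Assumed formula: traffic burstiness (peak/average, capped at 10x) scaled by
    the device weight and the risk-type weight, giving a score in [0, 1]."""
    burst = a.max_flow / a.avg_flow if a.avg_flow > 0 else 1.0
    burst = min(burst, 10.0) / 10.0
    return round(burst * DEVICE_WEIGHT.get(a.device, 0.5) * RISK_WEIGHT.get(a.risk, 0.5), 3)


def accuracy(history, risk):
    """Correct alarms / total alarms for this risk type, from analyst feedback."""
    correct, total = history.get(risk, (0, 0))
    return correct / total if total else 0.0


def merge_window(alarms, start, end):
    """Merge alarms from all platforms that fall inside [start, end)."""
    return [a for a in alarms if start <= a.time < end]


def screen(alarms, history, now, min_urgency=0.3, min_accuracy=0.5, max_age=3600):
    """Keep alarms that are urgent, historically reliable and not stale."""
    return [
        a for a in alarms
        if urgency(a) >= min_urgency
        and accuracy(history, a.risk) >= min_accuracy
        and now - a.time <= max_age
    ]


def dedupe(alarms):
    """Traverse the queue for each new alarm, comparing all attributes; when the
    same alarm already exists, the copy with the earliest time wins."""
    queue = []
    for new in alarms:  # arrival order, which need not be time order
        for i, old in enumerate(queue):
            if old.key() == new.key():
                if new.time < old.time:
                    queue[i] = new
                break
        else:
            queue.append(new)
    return queue


def pipeline(alarms, history, now, window):
    return dedupe(screen(merge_window(alarms, now - window, now), history, now))


# Constructed analyst feedback: risk type -> (confirmed true alarms, total alarms).
HISTORY = {"brute_force": (40, 50), "sql_injection": (9, 10), "port_scan": (2, 20)}

# Constructed alarms, listed in arrival order.
ALARMS = [
    Alarm(4900, "ids", "brute_force",   "203.0.113.7",  "10.0.0.5", 22,  80.0, 10.0),
    Alarm(4905, "ids", "brute_force",   "203.0.113.7",  "10.0.0.5", 22,  80.0, 10.0),  # duplicate, later
    Alarm(4890, "ids", "brute_force",   "203.0.113.7",  "10.0.0.5", 22,  80.0, 10.0),  # duplicate, earliest, arrives last
    Alarm(4910, "waf", "sql_injection", "203.0.113.7",  "10.0.0.8", 443, 30.0, 5.0),
    Alarm(4920, "fw",  "port_scan",     "198.51.100.2", "10.0.0.1", 0,   1.0,  1.0),   # low urgency, low accuracy
    Alarm(200,  "waf", "sql_injection", "198.51.100.9", "10.0.0.8", 443, 50.0, 5.0),   # stale
]

if __name__ == "__main__":
    for a in pipeline(ALARMS, HISTORY, now=5000, window=4800):
        print(a.time, a.device, a.risk, urgency(a))
```

The accuracy term is where analyst feedback enters: a risk type that analysts keep marking false (here port_scan at 2 of 20) is filtered before anyone looks at it, which is the feedback loop the patent describes between manual judgment and the model.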
As a possible implementation of this embodiment, clustering by alarm similarity includes:
extracting alarm features, using destination IP, source IP, time and event name as the data to process;
normalizing the data, namely using the absolute value of the difference between source IP and destination IP to link all alarms involving that source IP and destination IP within a set time;
converting the data format to numeric values and reconstructing a new alarm data set;
calculating the overall similarity of the alarms, raising the expected minimum similarity for IP and time and correspondingly lowering the weight of the overall similarity;
and clustering the new alarm data set into several clusters with the unsupervised machine learning algorithm DP-Kmeans: the number of clusters is determined by an initial calculation, adjusted from the data set and from experience, and the final clusters are then computed.
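As an added example (not the patent's own code), the following Python performs the numeric encoding and clustering described above: source and destination IP, time and event name are mapped to numbers in [0, 1], a weighted distance makes IP and time dominate the similarity, and the alarms are grouped with a plain k-means whose cluster count is set in advance. DP-Kmeans, the algorithm the patent names, is not implemented here; a deterministic farthest-first initialization is used in place of random seeding so that the result is reproducible. The feature weights, the cluster count, the window and the alarm records are assumptions.

```python
import ipaddress

# Event names are mapped to small integers before clustering (constructed codes).
EVENT_CODES = {"port_scan": 0, "brute_force": 1, "sql_injection": 2}

# Assumed per-feature weights: IP and time dominate the similarity, the event
# name contributes less. Order: src_ip, dst_ip, time, event.
WEIGHTS = (4.0, 4.0, 2.0, 1.0)

T0 = 1_709_280_000  # start of the analysis window (constructed epoch seconds)
WINDOW = 3600       # window length in seconds

# Constructed alarms: (src_ip, dst_ip, epoch_seconds, event_name).
ALARMS = [
    ("203.0.113.7",  "10.0.0.5", T0 + 0,    "brute_force"),
    ("203.0.113.7",  "10.0.0.5", T0 + 60,   "brute_force"),
    ("203.0.113.7",  "10.0.0.5", T0 + 120,  "port_scan"),
    ("198.51.100.2", "10.0.0.8", T0 + 1800, "sql_injection"),
    ("198.51.100.2", "10.0.0.8", T0 + 1860, "sql_injection"),
    ("198.51.100.2", "10.0.0.8", T0 + 1900, "sql_injection"),
]


def encode(alarms, t0=T0, window=WINDOW):
    """Map each alarm to a numeric vector with every component scaled to [0, 1]."""
    scale = max(1, len(EVENT_CODES) - 1)
    return [
        (
            int(ipaddress.ip_address(src)) / 2**32,
            int(ipaddress.ip_address(dst)) / 2**32,
            (t - t0) / window,
            EVENT_CODES[event] / scale,
        )
        for src, dst, t, event in alarms
    ]


def dist(a, b):
    """Weighted Euclidean distance; lower distance means higher similarity."""
    return sum(w * (x - y) ** 2 for w, x, y in zip(WEIGHTS, a, b)) ** 0.5


def kmeans(rows, k, max_iter=50):
    """Plain k-means with farthest-first initialization (no random seed needed)."""
    centers = [rows[0]]
    while len(centers) < k:
        centers.append(max(rows, key=lambda r: min(dist(r, c) for c in centers)))
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: dist(r, centers[j])) for r in rows]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [r for r, lab in zip(rows, labels) if lab == j]
            if members:
                centers[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return labels, centers


def cluster_alarms(alarms, k):
    """Return one cluster id per alarm, in input order."""
    labels, _ = kmeans(encode(alarms), k)
    return labels


if __name__ == "__main__":
    for alarm, label in zip(ALARMS, cluster_alarms(ALARMS, 2)):
        print(label, alarm)
```

Scaling the IP address to [0, 1] as a single number keeps addresses in the same /8 close together and addresses in different ranges far apart, which is what makes the two source hosts here fall into different clusters even though one of them mixes two event types.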
As a possible implementation of this embodiment, correlating the alarm information and linking it into a complete attack chain and a threat report includes:
completing data extraction and analysis on the alarm log information that has been processed with regular expressions;
converting the data into a format suited to the network-security attack-behaviour pattern scenario;
extracting key feature data from the full feature analysis through dimensionality reduction by a machine learning method;
mining frequent attack sequence patterns from the alarm records: building a record set with a clustering algorithm and a sliding window, then mining attack sequences in depth with data mining techniques;
clustering the alarm information and dividing it into cluster root alarms and associated alarms according to the characteristics of the data;
and, since a complete attack behaviour is scattered across many alarm records in the alarm log base, characterizing the alarm information and performing correlation analysis to generate a complete attack chain and threat report.
As a possible implementation of this embodiment, the security threat report shows information such as the time the event occurred, the personnel involved in handling it, the overall handling timeliness, and a summary of the event.
As a possible implementation of this embodiment, the correlation analysis of the alarm information includes:
removing unsuitable features from the alarm information generated by the security devices according to prior knowledge, extracting alarm type, source and destination IP addresses and port numbers from the alarm logs as effective features, and constructing an initial sequence set;
traversing the preprocessed initial alarm sequence set with the FP-growth algorithm, counting the initial frequent itemsets, calculating the support of each set to produce the frequent itemset sequence, and iterating over the FP-tree branches to produce the final frequent itemsets;
and outputting the rules that meet the minimum confidence from the frequent itemsets, updating the rule base, and deriving the attack chain from the analysis.
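The FP-growth and rule-output steps above, as an added Python example that is not part of the patent. Each transaction is the set of alarm types raised for one source IP within one sliding window (constructed here); the FP-tree is built over items sorted by descending support, each item's conditional pattern base is mined recursively, and rules that meet the minimum confidence are output from the frequent itemsets. The support and confidence thresholds and the sample transactions are assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations


class FPNode:
    __slots__ = ("item", "count", "parent", "children")

    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}


def fp_growth(weighted_tx, min_support, suffix=()):
    """Return {frozenset(itemset): support} for every itemset with support >= min_support.

    weighted_tx is a list of (items, count) pairs so that the conditional pattern
    bases produced during recursion can carry the path counts from the FP-tree."""
    support = Counter()
    for items, w in weighted_tx:
        for item in set(items):
            support[item] += w
    frequent = {i: c for i, c in support.items() if c >= min_support}
    if not frequent:
        return {}
    # Build the FP-tree: each transaction is inserted with its frequent items
    # sorted by descending support (ties broken by name for determinism).
    root, header = FPNode(None, None), defaultdict(list)
    for items, w in weighted_tx:
        node = root
        for item in sorted((i for i in set(items) if i in frequent),
                           key=lambda i: (-frequent[i], i)):
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = FPNode(item, node)
                header[item].append(child)
            child.count += w
            node = child
    # Mine from the least frequent header item upwards, recursing on each
    # item's conditional pattern base (the prefix paths above its nodes).
    found = {}
    for item in sorted(frequent, key=lambda i: (frequent[i], i)):
        pattern = suffix + (item,)
        found[frozenset(pattern)] = frequent[item]
        cond_base = []
        for node in header[item]:
            path, p = [], node.parent
            while p.item is not None:
                path.append(p.item)
                p = p.parent
            if path:
                cond_base.append((path, node.count))
        found.update(fp_growth(cond_base, min_support, pattern))
    return found


def association_rules(itemsets, min_confidence):
    """Output (antecedent, consequent, confidence) for rules meeting min_confidence."""
    rules = []
    for items, sup in itemsets.items():
        if len(items) < 2:
            continue
        for k in range(1, len(items)):
            for ante in combinations(sorted(items), k):
                ante = frozenset(ante)
                conf = sup / itemsets[ante]  # every subset of a frequent set is frequent
                if conf >= min_confidence:
                    rules.append((ante, items - ante, round(conf, 3)))
    return sorted(rules, key=lambda r: (-r[2], sorted(r[0]), sorted(r[1])))


# Constructed transactions: the set of alarm types raised for one source IP
# within one sliding window (six windows).
TRANSACTIONS = [
    {"port_scan", "brute_force", "webshell_upload"},
    {"port_scan", "brute_force"},
    {"port_scan", "brute_force", "webshell_upload", "lateral_movement"},
    {"brute_force", "webshell_upload"},
    {"port_scan", "sql_injection"},
    {"port_scan", "brute_force", "webshell_upload"},
]


def mine_attack_rules(transactions, min_support=3, min_confidence=0.7):
    itemsets = fp_growth([(t, 1) for t in transactions], min_support)
    return itemsets, association_rules(itemsets, min_confidence)


if __name__ == "__main__":
    itemsets, rules = mine_attack_rules(TRANSACTIONS)
    for ante, cons, conf in rules:
        print(f"{sorted(ante)} -> {sorted(cons)}  confidence={conf}")
```

Rules such as webshell_upload -> brute_force with confidence 1.0 are what the passage calls the updated rule base: on the constructed data, every window that contained a webshell upload also contained a brute-force alarm, so the two belong to one chain, while lateral_movement and sql_injection fall below the support threshold and produce no rule.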
As a possible implementation of this embodiment, extracting alarm features, iteratively optimizing the alarm model and triaging the alarm information includes:
encoding the alarm features into matrix data and initializing the neural network parameters;
iteratively adjusting the neural network threshold, the number of hidden layers and the number of neurons per layer, and taking the parameters with the best classification as the final model parameters for feature extraction;
extracting and preprocessing the alarm features, and generating a network-security alarm training set in which analyst judgments serve as the ground-truth labels for real alarms;
training several machine learning models on the processed network-security alarm training set;
and using the trained models as weak classifiers, integrating them with their accuracy as the weight to obtain a more robust alarm-authenticity classification model, and judging false alarms versus real alarms.
As a possible implementation of this embodiment, large volumes of alarm information are integrated, and when redundant data is removed an artificial-intelligence fusion model is used to raise the accuracy and degree of automation of automatic detection and classification.
As a possible implementation of this embodiment, low accuracy arises because effective features cannot be extracted from complex and changing network security attack data. A neural network is therefore used to extract features: its output layer is removed and the activations of the last hidden layer are taken as the alarm features.
As a possible implementation of this embodiment, the monitoring personnel study the security threat reports and keep improving their level of network security expertise; they submit the manually judged alarm information to the system, which automatically processes it into a standard alarm data set format, thereby improving the triage accuracy of the artificial-intelligence judgment model.
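The last two steps above (several models used as weak classifiers and integrated with their accuracy as the weight), as an added Python example that is not part of the patent. To stay self-contained it uses three hand-written threshold rules in place of trained models; the labelled alarm features, the rules and their thresholds are constructed assumptions. The accuracy weighting and the weighted vote are what the passage describes.

```python
# Constructed labelled alarms: a feature dict and the analyst label
# (1 = confirmed real alarm, 0 = false alarm).
TRAIN = [
    ({"urgency": 0.9, "hits": 40, "known_scanner": 1}, 1),
    ({"urgency": 0.8, "hits": 35, "known_scanner": 0}, 1),
    ({"urgency": 0.2, "hits": 2,  "known_scanner": 0}, 0),
    ({"urgency": 0.4, "hits": 50, "known_scanner": 1}, 1),
    ({"urgency": 0.7, "hits": 15, "known_scanner": 0}, 0),
    ({"urgency": 0.1, "hits": 3,  "known_scanner": 1}, 0),
    ({"urgency": 0.6, "hits": 20, "known_scanner": 0}, 1),
    ({"urgency": 0.3, "hits": 4,  "known_scanner": 0}, 0),
]


# Weak classifiers standing in for the trained models of the passage; each is a
# single assumed threshold and is deliberately imperfect.
def by_urgency(x):
    return int(x["urgency"] >= 0.5)


def by_hits(x):
    return int(x["hits"] >= 10)


def by_scanner(x):
    return int(x["known_scanner"] == 1)


WEAK = [by_urgency, by_hits, by_scanner]


def accuracy(clf, data):
    """Fraction of labelled samples the classifier gets right."""
    return sum(clf(x) == y for x, y in data) / len(data)


def fit_weights(classifiers, data):
    """Integration step: each weak classifier is weighted by its accuracy."""
    return [accuracy(c, data) for c in classifiers]


def predict(classifiers, weights, x):
    """Accuracy-weighted vote: real alarm (1) when the weight voting 'real'
    exceeds half of the total weight."""
    votes_real = sum(w for c, w in zip(classifiers, weights) if c(x) == 1)
    return int(votes_real > sum(weights) / 2)


def ensemble_accuracy(classifiers, weights, data):
    return sum(predict(classifiers, weights, x) == y for x, y in data) / len(data)


if __name__ == "__main__":
    weights = fit_weights(WEAK, TRAIN)
    print("weights:", weights)
    print("ensemble accuracy on labelled data:", ensemble_accuracy(WEAK, weights, TRAIN))
    print(predict(WEAK, weights, {"urgency": 0.6, "hits": 12, "known_scanner": 0}))
```

In practice the weights should be measured on held-out labelled alarms rather than on the training set used here, otherwise a classifier that has memorized the training data receives the largest weight; the constructed set is too small to split, so the example reuses it.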
As shown in fig. 2, an intelligent network security analysis system provided by an embodiment of the invention includes:
a normalization module for collecting traffic data and alarm logs from security monitoring devices and normalizing the alarm logs;
a data storage module for storing the collected full-traffic security data in a unified store and re-analyzing the traffic data in depth;
an alarm screening module for screening the alarm information with a machine learning method and removing redundant alarms;
a similar-alarm clustering module for clustering the alarm information by similarity;
an alarm correlation module for correlating the alarm information and linking it into a complete attack chain and a threat report;
and an alarm triage module for extracting alarm features, iteratively optimizing the alarm model and triaging the alarm information.
In a third aspect, a computer device includes a processor, a memory and a bus; the memory stores machine-readable instructions executable by the processor, the processor and the memory communicate through the bus while the computer device runs, and the processor executes the machine-readable instructions to perform the steps of any of the network security intelligent analysis methods above.
The computer device provided by the embodiment of the invention thus comprises a processor, a memory and a bus, where the memory stores machine-readable instructions executable by the processor; when the device runs, the processor and the memory communicate through the bus, and the processor executes the machine-readable instructions to carry out the steps of any of the network security intelligent analysis methods above.
Specifically, the memory and the processor may be a general-purpose memory and processor and are not specifically limited; when the processor runs a computer program stored in the memory, the network security intelligent analysis method is executed.
Those skilled in the art will appreciate that the configuration of the computer device is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, some components may be split, or a different arrangement of components.
In some embodiments, the computer device may further include a touch screen operable to display a graphical user interface (e.g., a launch interface for an application) and to receive user operations with respect to the graphical user interface (e.g., launch operations with respect to the application). A particular touch screen may include a display panel and a touch panel. The Display panel may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), and the like. The touch panel may collect contact or non-contact operations of a user on or near the touch panel and generate preset operation instructions, for example, operations of the user on or near the touch panel using any suitable object or accessory such as a finger, a stylus, etc. In addition, the touch panel may include two parts of a touch detection device and a touch controller. The touch detection device detects the touch direction and gesture of a user, detects signals brought by touch operation and transmits the signals to the touch controller; the touch controller receives touch information from the touch detection device, converts the touch information into information capable of being processed by the processor, sends the information to the processor, and receives and executes commands sent by the processor. In addition, the touch panel may be implemented by various types such as a resistive type, a capacitive type, an infrared ray, a surface acoustic wave, and the like, and may also be implemented by any technology developed in the future. 
Further, the touch panel may overlay the display panel, a user may operate on or near the touch panel overlaid on the display panel according to a graphical user interface displayed by the display panel, the touch panel detects an operation thereon or nearby and transmits the operation to the processor to determine a user input, and the processor then provides a corresponding visual output on the display panel in response to the user input. In addition, the touch panel and the display panel can be realized as two independent components or can be integrated.
Corresponding to the above network security intelligent analysis method, an embodiment of the present invention further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, it performs any of the steps of the above-mentioned network security intelligent analysis method.
The device provided by the embodiments of the present application may be specific hardware on the equipment, or software or firmware installed on it. The device provided by the embodiments of the present application has the same implementation principle and technical effect as the foregoing method embodiments, and, for brevity, reference may be made to the corresponding contents of the method embodiments for anything the device embodiments do not mention. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the method embodiments and are not repeated here.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, and for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or modules through some communication interfaces, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (10)

1. An intelligent analysis method for network security, characterized by comprising the following steps:
collecting traffic data and alarm logs from the security monitoring devices, and normalizing the alarm logs;
storing the collected full-traffic security data uniformly, and performing deep re-analysis of the traffic data;
screening the alarm information with a machine learning method to remove redundant alarms;
clustering the alarm information according to its similarity;
correlating the alarm information and linking it to generate a complete attack chain and a threat report;
and extracting the alarm information features, iteratively optimizing the alarm model, and analyzing and adjudicating the alarm information.
2. The intelligent network security analysis method according to claim 1, wherein storing the collected full-traffic security data uniformly and performing deep re-analysis of the traffic data comprises:
performing correlation analysis, within a set time period, on the comprehensive alarm information of the detection platform, the anomaly information in the network security data, the suspicious event information from the security devices, and the anomaly information from other network security events;
filtering the anomalies in the network data passing through the security devices against a policy library;
and aggregating the alarm information of the security analysis platform with the security device events, grading the alarm information after model analysis on the unified operations platform, and displaying it uniformly.
3. The intelligent network security analysis method according to claim 1, wherein screening the alarm information with a machine learning method and removing redundant alarms comprises:
merging the alarm information collected by all platforms related to the network security devices within a set time period;
calculating the urgency of the alarm information from the maximum network traffic, the average network traffic, the weight of the security device and the risk type within the security device;
calculating the ratio of correct alarms to total alarms to obtain the alarm accuracy;
calculating the difference between the time at which the alarm information was generated and the time at which it was handled;
screening suspected alarm information according to the alarm urgency, the accuracy and the time difference;
and, after a new alarm is found, traversing the alarm information in the alarm queue, comparing all attributes of the new alarm with each entry, and, when identical alarm information appears, taking the alarm with the earliest occurrence time as the final result in place of the redundant alarms.
4. The intelligent network security analysis method according to claim 1, wherein clustering the alarm information according to its similarity comprises:
extracting the alarm information features, and processing the data using the destination IP, the source IP, the time and the event name;
normalizing the data, using the absolute value of the difference between the source IP and the destination IP to link all alarms related to that source IP and destination IP within a set time;
converting the data format to numerical form, and reconstructing a new alarm data set;
calculating the overall similarity of the alarms, raising the minimum expected similarity for IP and time and correspondingly reducing the weight of the overall similarity;
and clustering the new alarm data set into several clusters with the unsupervised machine learning algorithm DP-Kmeans, determining the number of clusters by an initial calculation, adjusting it from the data set and experience, and computing the final clusters.
5. The intelligent network security analysis method according to claim 1, wherein correlating the alarm information and linking it to generate a complete attack chain and a threat report comprises:
completing the data extraction and parsing of the alarm log information processed with regular expressions;
converting the data into a format suited to the network security attack behaviour pattern scenario;
extracting the key feature data from the analysis of all features through dimensionality reduction by a machine learning method;
mining frequent attack sequence patterns from the alarm records, constructing a record set based on a clustering algorithm and a sliding window, and then mining the attack sequences in depth with data mining techniques;
clustering the alarm information, and dividing it into cluster root alarms and associated alarms according to the characteristics of the data;
and, since a complete attack behaviour is dispersed across several alarm entries of the alarm log information base, performing correlation analysis after the alarm information has been characterized, to generate a complete attack chain and a threat report.
6. The intelligent network security analysis method according to claim 5, wherein the correlation analysis of the alarm information comprises:
removing unsuitable features from the alarm information generated by the security devices according to prior knowledge, extracting the alarm type, the source and destination IP addresses and the port numbers from the alarm logs as effective features, and constructing an initial sequence set;
traversing the preprocessed initial sequence set of alarm information with the FP-growth algorithm, counting the initial frequent item sets, calculating the support of each set to generate the sequence of frequent item sets, and iterating over the FP-tree branches to generate the final frequent item sets;
and outputting the rules that satisfy the minimum confidence according to the frequent item sets, updating the rule base, and analyzing to obtain the attack chain.
7. The intelligent network security analysis method according to claim 1, wherein extracting the alarm information features, iteratively optimizing the alarm model and analyzing and adjudicating the alarm information comprises:
encoding the alarm information features to obtain matrix data, and initializing the neural network parameters;
iteratively adjusting the neural network threshold, the number of hidden layers and the number of neurons per layer, and taking the parameters with the best classification performance as the final model parameters for feature extraction;
extracting and preprocessing the alarm information features, and generating a network security alarm training set using human-adjudicated labels as the ground truth for real alarms;
training several machine learning models on the processed network security alarm training set;
and using the trained models as weak classifiers, integrating them with their accuracy as the weight to obtain a more robust alarm authenticity classification model, and distinguishing false alarms from real alarms.
8. An intelligent network security analysis system, comprising:
a normalization module for collecting traffic data and alarm logs from the security monitoring devices and normalizing the alarm logs;
a data storage module for storing the collected full-traffic security data uniformly and performing deep re-analysis of the traffic data;
an alarm information screening module for screening the alarm information with a machine learning method and removing redundant alarms;
a similar-alarm clustering module for clustering the alarm information according to its similarity;
an alarm information correlation module for correlating the alarm information and linking it to generate a complete attack chain and a threat report;
and an alarm information adjudication module for extracting the alarm information features, iteratively optimizing the alarm model, and analyzing and adjudicating the alarm information.
9. A computer device comprising a processor, a memory and a bus, wherein the memory stores machine-readable instructions executable by the processor; when the computer device is running, the processor communicates with the memory via the bus and executes the machine-readable instructions to perform the steps of the intelligent network security analysis method as claimed in any one of claims 1 to 7.
10. A readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the intelligent network security analysis method as claimed in any one of claims 1 to 7.
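Worked example for the screening and redundancy-removal steps of claim 3. This is an added illustration, not code from the patent: the weight tables, the urgency formula, the screening thresholds and the sample alarms are all assumptions, since the claim names the inputs (maximum traffic, average traffic, device weight, risk type, accuracy ratio, handling delay) but not how they are combined.

```python
"""Alarm screening and redundant-alarm removal along the lines of claim 3.

Constructed example: the weights, the urgency formula, the screening
thresholds and the sample alarms are assumptions, not values from the patent.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed per-device and per-risk-type weights (the patent names the inputs, not the numbers).
DEVICE_WEIGHT = {"ids": 0.8, "waf": 0.7, "firewall": 0.5}
RISK_WEIGHT = {"rce": 1.0, "sqli": 0.8, "scan": 0.3}
FLOW_SCALE_BPS = 1e9  # assumed scale that maps traffic figures into [0, 1]


@dataclass(frozen=True)
class Alarm:
    device: str
    risk_type: str
    src_ip: str
    dst_ip: str
    event: str
    occurred: datetime
    max_flow_bps: float
    avg_flow_bps: float
    handled: Optional[datetime] = None

    def key(self):
        """Every attribute that identifies 'the same alarm'; timestamps are excluded."""
        return (self.device, self.risk_type, self.src_ip, self.dst_ip, self.event)


def urgency(a: Alarm) -> float:
    """Assumed urgency: mean of max/avg traffic, scaled by device weight and risk type."""
    traffic = min(1.0, (0.5 * a.max_flow_bps + 0.5 * a.avg_flow_bps) / FLOW_SCALE_BPS)
    return traffic * DEVICE_WEIGHT.get(a.device, 0.5) * RISK_WEIGHT.get(a.risk_type, 0.5)


def accuracy(history: dict, event: str) -> float:
    """Correct alarms divided by total alarms, from a per-event (correct, total) history."""
    correct, total = history.get(event, (0, 0))
    return correct / total if total else 0.0


def handling_delay(a: Alarm, now: datetime) -> timedelta:
    """Difference between generation and handling time; unhandled alarms use 'now'."""
    return (a.handled or now) - a.occurred


def is_suspected(a: Alarm, history: dict, now: datetime, min_urgency: float = 0.2,
                 min_accuracy: float = 0.5, max_delay: timedelta = timedelta(hours=1)) -> bool:
    """Assumed screening rule combining urgency, historical accuracy and handling delay."""
    return (urgency(a) >= min_urgency
            and accuracy(history, a.event) >= min_accuracy
            and handling_delay(a, now) <= max_delay)


def merge_into_queue(queue: list, new_alarms) -> list:
    """Traverse the queue for each new alarm, compare all attributes, keep the earliest copy."""
    for new in new_alarms:
        for i, existing in enumerate(queue):
            if existing.key() == new.key():
                if new.occurred < existing.occurred:
                    queue[i] = new
                break
        else:
            queue.append(new)
    return queue


def screen(alarms, history: dict, now: datetime) -> list:
    """Redundancy removal followed by screening; returns the suspected alarms."""
    return [a for a in merge_into_queue([], alarms) if is_suspected(a, history, now)]


# Constructed sample data
NOW = datetime(2024, 1, 1, 12, 0, 0)
HISTORY = {"web_rce": (18, 20), "port_scan": (3, 10)}  # event -> (correct, total)
SAMPLE = [
    Alarm("ids", "rce", "203.0.113.7", "10.0.0.5", "web_rce",
          datetime(2024, 1, 1, 11, 30), 4e8, 2e8),
    Alarm("ids", "rce", "203.0.113.7", "10.0.0.5", "web_rce",   # same alarm, seen earlier
          datetime(2024, 1, 1, 11, 20), 4e8, 2e8),
    Alarm("firewall", "scan", "198.51.100.2", "10.0.0.5", "port_scan",
          datetime(2024, 1, 1, 11, 50), 1e6, 5e5),
]

if __name__ == "__main__":
    for a in screen(SAMPLE, HISTORY, NOW):
        print(a.event, a.occurred, round(urgency(a), 3))
```

The de-duplication deliberately compares every identifying attribute rather than a hash of the message text, so two devices reporting the same attack still collapse to one entry, and the earliest timestamp is kept because it is the one that matters for reconstructing the attack timeline.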
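Worked example for the similarity clustering of claim 4. This is an added illustration, not the patent's code: the per-attribute similarity definitions, the weights, the minimum-similarity floors, the time window and the sample alarms are assumptions. The patent's DP-Kmeans is replaced by density-peak initialisation followed by k-medoids iterations, because the distance used here is derived from an attribute similarity rather than a Euclidean metric; that substitution is stated in the code.

```python
"""Similarity-based alarm clustering along the lines of claim 4.

Constructed example: the feature weights, similarity floors, time window and
sample alarms are assumptions. DP-Kmeans is replaced by density-peak
initialisation followed by k-medoids, because the distance used here is
derived from an attribute similarity rather than a Euclidean metric.
"""
import ipaddress
import math
from datetime import datetime, timezone

# Constructed sample alarms: (source IP, destination IP, time, event name)
ALARMS = [
    ("10.0.0.5", "192.168.1.10", "2024-01-01T10:00:00", "port_scan"),
    ("10.0.0.5", "192.168.1.10", "2024-01-01T10:01:00", "port_scan"),
    ("10.0.0.5", "192.168.1.11", "2024-01-01T10:02:00", "port_scan"),
    ("172.16.5.9", "192.168.1.20", "2024-01-01T18:00:00", "sql_injection"),
    ("172.16.5.9", "192.168.1.20", "2024-01-01T18:03:00", "sql_injection"),
    ("172.16.5.10", "192.168.1.20", "2024-01-01T18:05:00", "sql_injection"),
]
TIME_WINDOW_S = 3600.0               # assumed "set time" for linking alarms
IP_MIN_SIM, TIME_MIN_SIM = 0.5, 0.1  # assumed minimum similarity expectations
WEIGHTS = {"src": 0.25, "dst": 0.25, "time": 0.25, "event": 0.25}


def numeralise(alarm):
    """Numerical reconstruction: IPs to integers, time to epoch seconds."""
    src, dst, ts, event = alarm
    return (int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)),
            datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp(), event)


def ip_similarity(a: int, b: int) -> float:
    """Fraction of leading IPv4 octets two addresses share (assumed metric)."""
    shared = 0
    for shift in (24, 16, 8, 0):
        if (a >> shift) & 0xFF != (b >> shift) & 0xFF:
            break
        shared += 1
    return shared / 4


def overall_similarity(x, y) -> float:
    """Weighted sum of per-attribute similarities, down-weighted below the IP/time floors."""
    src = ip_similarity(x[0], y[0])
    dst = ip_similarity(x[1], y[1])
    time = math.exp(-abs(x[2] - y[2]) / TIME_WINDOW_S)
    event = 1.0 if x[3] == y[3] else 0.0
    sim = (WEIGHTS["src"] * src + WEIGHTS["dst"] * dst
           + WEIGHTS["time"] * time + WEIGHTS["event"] * event)
    if min(src, dst) < IP_MIN_SIM or time < TIME_MIN_SIM:
        sim *= 0.5
    return sim


def distance_matrix(points):
    n = len(points)
    return [[1.0 - overall_similarity(points[i], points[j]) for j in range(n)] for i in range(n)]


def density_peak_centres(dist, k, cutoff=0.3):
    """Initial centres: high local density and far from any denser point (density peaks)."""
    n = len(dist)
    rho = [sum(math.exp(-(dist[i][j] / cutoff) ** 2) for j in range(n) if j != i) for i in range(n)]
    delta = []
    for i in range(n):
        denser = [dist[i][j] for j in range(n) if rho[j] > rho[i]]
        delta.append(min(denser) if denser else max(dist[i]))
    return sorted(range(n), key=lambda i: rho[i] * delta[i], reverse=True)[:k]


def k_medoids(dist, medoids, max_iter=50):
    """Assign each alarm to its nearest medoid, then move each medoid to its cluster's centre."""
    n = len(dist)
    labels = []
    for _ in range(max_iter):
        labels = [min(range(len(medoids)), key=lambda m: dist[i][medoids[m]]) for i in range(n)]
        updated = []
        for m, medoid in enumerate(medoids):
            members = [i for i in range(n) if labels[i] == m]
            updated.append(min(members, key=lambda c: sum(dist[c][j] for j in members))
                           if members else medoid)
        if updated == medoids:
            break
        medoids = updated
    return labels


def cluster_alarms(alarms, k):
    """Returns a cluster label per alarm, in input order."""
    dist = distance_matrix([numeralise(a) for a in alarms])
    return k_medoids(dist, density_peak_centres(dist, k))


if __name__ == "__main__":
    for alarm, label in zip(ALARMS, cluster_alarms(ALARMS, k=2)):
        print(label, *alarm)
```

The number of clusters k is the value the claim says is first computed and then adjusted from the data and from experience; here it is simply a parameter, and the density-peak scores (rho times delta) are the natural quantity to inspect when choosing it.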
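Worked example for the frequent-pattern correlation of claims 5 and 6: alarm records are grouped into transactions per source IP, frequent item sets are mined with FP-growth, rules meeting a minimum confidence are emitted, and the largest frequent set is ordered into an attack chain. This is an added illustration, not the patent's code; the alarm log, the gap-based session window (standing in for the claim's unspecified sliding window), the support and confidence thresholds and the chain-ordering rule are assumptions.

```python
"""Alarm correlation into an attack chain with FP-growth (claims 5 and 6).
Constructed example: log, session window, thresholds and chain ordering are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from itertools import combinations

# Constructed alarm log: (time, source IP, destination IP, destination port, alarm type)
LOG = [
    ("2024-01-01T10:00:00", "10.0.0.1", "192.168.1.10", 22, "port_scan"),
    ("2024-01-01T10:02:00", "10.0.0.1", "192.168.1.10", 22, "brute_force"),
    ("2024-01-01T10:05:00", "10.0.0.1", "192.168.1.10", 80, "web_shell"),
    ("2024-01-01T11:00:00", "10.0.0.2", "192.168.1.10", 22, "port_scan"),
    ("2024-01-01T11:03:00", "10.0.0.2", "192.168.1.10", 22, "brute_force"),
    ("2024-01-01T11:04:00", "10.0.0.2", "192.168.1.10", 80, "web_shell"),
    ("2024-01-01T12:00:00", "10.0.0.3", "192.168.1.11", 22, "port_scan"),
    ("2024-01-01T12:01:00", "10.0.0.3", "192.168.1.11", 22, "brute_force"),
    ("2024-01-01T12:06:00", "10.0.0.3", "192.168.1.11", 80, "web_shell"),
    ("2024-01-01T13:00:00", "10.0.0.4", "192.168.1.10", 22, "port_scan"),
    ("2024-01-01T14:00:00", "10.0.0.5", "192.168.1.12", 80, "sql_injection"),
    ("2024-01-01T14:02:00", "10.0.0.5", "192.168.1.12", 80, "web_shell"),
]

def sessionise(log, gap_seconds=600):
    """Per source IP, alarms closer than the gap form one transaction of alarm types."""
    by_src = defaultdict(list)
    for ts, src, _dst, _port, kind in log:
        by_src[src].append((datetime.fromisoformat(ts), kind))
    sessions = []
    for events in by_src.values():
        events.sort()
        current, last = set(), None
        for t, kind in events:
            if last is not None and (t - last).total_seconds() > gap_seconds:
                sessions.append(current)
                current = set()
            current.add(kind)
            last = t
        sessions.append(current)
    return sessions

class _Node:
    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}

def _build_tree(transactions, min_support):
    """FP-tree: frequent items of each transaction inserted in descending-support order."""
    counts = Counter(i for t in transactions for i in set(t))
    frequent = {i: c for i, c in counts.items() if c >= min_support}
    root, header = _Node(None, None), defaultdict(list)
    for t in transactions:
        node = root
        for item in sorted((i for i in set(t) if i in frequent), key=lambda i: (-frequent[i], i)):
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = _Node(item, node)
                header[item].append(child)
            child.count += 1
            node = child
    return header, frequent

def fp_growth(transactions, min_support, suffix=frozenset()):
    """Return {frozenset(items): support} for every item set reaching min_support."""
    header, frequent = _build_tree(transactions, min_support)
    result = {}
    for item in sorted(frequent, key=lambda i: (frequent[i], i)):
        pattern = suffix | {item}
        result[pattern] = frequent[item]
        conditional = []  # prefix paths above every node carrying this item
        for node in header[item]:
            path, p = [], node.parent
            while p.item is not None:
                path.append(p.item)
                p = p.parent
            conditional.extend([path] * node.count)
        if any(conditional):  # recurse on the conditional pattern base (FP-tree branches)
            result.update(fp_growth(conditional, min_support, pattern))
    return result

def association_rules(freq, min_confidence):
    """Rules A -> B kept when sup(A and B) / sup(A) reaches the minimum confidence."""
    rules = []
    for itemset, sup in freq.items():
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                if sup / freq[ante] >= min_confidence:
                    rules.append((ante, itemset - ante, sup / freq[ante]))
    return rules

def attack_chain(freq, log):
    """Assumed ordering rule: largest frequent set, sorted by first appearance in the log."""
    largest = max(freq, key=lambda s: (len(s), freq[s]))
    first_seen = {}
    for ts, _src, _dst, _port, kind in sorted(log):
        first_seen.setdefault(kind, ts)
    return sorted(largest, key=lambda kind: first_seen[kind])

def correlate(log, min_support=3, min_confidence=0.8):
    freq = fp_growth(sessionise(log), min_support)
    return freq, association_rules(freq, min_confidence), attack_chain(freq, log)
```

With the constructed log, the three attacker sources share the scan, brute-force and web-shell pattern, so that set reaches support 3 and yields rules such as brute_force -> web_shell at confidence 1.0, while port_scan -> brute_force falls below the 0.8 threshold because one host only scanned; the lone sql_injection never becomes frequent. The item here is the alarm type alone; claim 6 also lists destination IP and port as effective features, which could be folded into the item (for example type plus destination port) at the cost of sparser support.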
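Worked example for the accuracy-weighted ensemble of claim 7: features are encoded into a matrix, several weak classifiers are trained on human-adjudicated labels, and each classifier's training accuracy becomes its vote weight in the final real-versus-false decision. This is an added illustration, not the patent's code: the features, the labelled alarms and the choice of single-feature decision stumps as weak classifiers are assumptions, and the claim's neural-network feature extractor is not reproduced.

```python
"""Accuracy-weighted weak-classifier ensemble for alarm authenticity (claim 7).

Constructed example: the features, the human-labelled alarms and the use of
decision stumps as weak classifiers are assumptions; the patent's
neural-network feature extractor is not reproduced.
"""

# Constructed, human-adjudicated alarms: label 1 = real alarm, 0 = false alarm
TRAINING = [
    {"severity": 0.90, "src_internal": 0, "hits": 30, "label": 1},
    {"severity": 0.80, "src_internal": 0, "hits": 12, "label": 1},
    {"severity": 0.65, "src_internal": 1, "hits": 25, "label": 1},
    {"severity": 0.95, "src_internal": 0, "hits": 3, "label": 1},
    {"severity": 0.20, "src_internal": 1, "hits": 1, "label": 0},
    {"severity": 0.30, "src_internal": 1, "hits": 2, "label": 0},
    {"severity": 0.40, "src_internal": 0, "hits": 1, "label": 0},
    {"severity": 0.60, "src_internal": 1, "hits": 2, "label": 0},
    {"severity": 0.75, "src_internal": 0, "hits": 15, "label": 0},  # noisy high-severity false alarm
    {"severity": 0.85, "src_internal": 1, "hits": 8, "label": 1},
]
FEATURES = ("severity", "src_internal", "hits")


def encode(alarm):
    """Feature encoding: one numeric row per alarm; the rows together form the matrix."""
    return [float(alarm[f]) for f in FEATURES]


def stump_predict(stump, row):
    """A stump votes 'real' (1) when the feature is on the polarity's side of the threshold."""
    feature, threshold, polarity, _ = stump
    return 1 if (row[feature] >= threshold) == (polarity == 1) else 0


def fit_stump(X, y, feature):
    """Best single-feature threshold classifier as (feature, threshold, polarity, accuracy)."""
    values = sorted({row[feature] for row in X})
    best = None
    for threshold in ((values[i] + values[i + 1]) / 2 for i in range(len(values) - 1)):
        for polarity in (1, -1):  # +1: value >= threshold is 'real'; -1: the reverse
            stump = (feature, threshold, polarity, 0.0)
            acc = sum(stump_predict(stump, row) == label for row, label in zip(X, y)) / len(y)
            if best is None or acc > best[3]:
                best = (feature, threshold, polarity, acc)
    return best


def train_ensemble(alarms):
    """One weak classifier per feature; its training accuracy is its vote weight."""
    X = [encode(a) for a in alarms]
    y = [a["label"] for a in alarms]
    stumps = [fit_stump(X, y, j) for j in range(len(FEATURES))]
    return [(s, s[3]) for s in stumps if s is not None]


def predict(ensemble, alarm):
    """Weighted vote: 'real' (1) when accuracy-weighted support for real exceeds false."""
    row = encode(alarm)
    score = sum(w * (1 if stump_predict(s, row) == 1 else -1) for s, w in ensemble)
    return 1 if score > 0 else 0


if __name__ == "__main__":
    ensemble = train_ensemble(TRAINING)
    for stump, weight in ensemble:
        print(FEATURES[stump[0]], "threshold", stump[1], "weight", weight)
    print(predict(ensemble, {"severity": 0.7, "src_internal": 1, "hits": 20}))
```

Weighting by training accuracy, as the claim describes, rewards a classifier that merely memorised the training set; in practice the weight should come from a held-out or cross-validated accuracy, and the human adjudications that feed back into the next iteration are exactly the data for that validation split.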
CN202211514933.3A 2022-11-28 2022-11-28 Intelligent analysis method, system, equipment and storage medium for network security Pending CN115834221A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211514933.3A CN115834221A (en) 2022-11-28 2022-11-28 Intelligent analysis method, system, equipment and storage medium for network security

Publications (1)

Publication Number Publication Date
CN115834221A true CN115834221A (en) 2023-03-21

Family

ID=85532874

Country Status (1)

Country Link
CN (1) CN115834221A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107645493A (en) * 2017-08-20 2018-01-30 杭州安恒信息技术有限公司 A kind of IP groups similarity calculating method
WO2020134783A1 (en) * 2018-12-26 2020-07-02 中兴通讯股份有限公司 Method, device and system for dispatching alarm ticket, and computer readable storage medium
CN111369094A (en) * 2018-12-26 2020-07-03 中兴通讯股份有限公司 Alarm order dispatching method, device and system and computer readable storage medium
CN114024829A (en) * 2021-10-26 2022-02-08 广东电网有限责任公司 Fault repairing method, device, equipment and storage medium of power communication network
CN114281864A (en) * 2021-12-17 2022-04-05 东南大学 Correlation analysis method for power network alarm information
CN114679342A (en) * 2022-05-30 2022-06-28 广东电网有限责任公司佛山供电局 Network security alarm information display method, device, equipment and medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116861419A (en) * 2023-09-05 2023-10-10 国网江西省电力有限公司信息通信分公司 Active defending log alarming method on SSR
CN116861419B (en) * 2023-09-05 2023-12-08 国网江西省电力有限公司信息通信分公司 Active defending log alarming method on SSR
CN116915507A (en) * 2023-09-12 2023-10-20 奇安星城网络安全运营服务(长沙)有限公司 Computer network security analysis system based on security signal matching
CN116915507B (en) * 2023-09-12 2023-12-05 奇安星城网络安全运营服务(长沙)有限公司 Computer network security analysis system based on security signal matching
CN117236439A (en) * 2023-10-07 2023-12-15 中国科学院地理科学与资源研究所 Comprehensive analysis system and method for network space geographic map
CN117978541A (en) * 2024-03-28 2024-05-03 福州安渡神州科技有限公司 Enterprise information security monitoring alarm system and method

Similar Documents

Publication Publication Date Title
CN115834221A (en) Intelligent analysis method, system, equipment and storage medium for network security
CN112491796B (en) Intrusion detection and semantic decision tree quantitative interpretation method based on convolutional neural network
CN111475804A (en) Alarm prediction method and system
KR20160095856A (en) System and method for detecting intrusion intelligently based on automatic detection of new attack type and update of attack type
CN111428231A (en) Safety processing method, device and equipment based on user behaviors
US11586609B2 (en) Abnormal event analysis
CN111563524A (en) Multi-station fusion system operation situation abnormity monitoring and alarm combining method
CN112541022A (en) Abnormal object detection method, abnormal object detection device, storage medium and electronic equipment
CN113283909B (en) Ether house phishing account detection method based on deep learning
CN111709765A (en) User portrait scoring method and device and storage medium
CN112738014A (en) Industrial control flow abnormity detection method and system based on convolution time sequence network
CN111726351B (en) Bagging-improved GRU parallel network flow abnormity detection method
CN116384736A (en) Smart city risk perception method and system
CN114553591A (en) Training method of random forest model, abnormal flow detection method and device
CN113343123B (en) Training method and detection method for generating confrontation multiple relation graph network
CN116502171B (en) Network security information dynamic detection system based on big data analysis algorithm
CN113746780B (en) Abnormal host detection method, device, medium and equipment based on host image
CN116074092B (en) Attack scene reconstruction system based on heterogram attention network
CN111723370A (en) Method and equipment for detecting malicious behavior of container
CN110737890A (en) internal threat detection system and method based on heterogeneous time sequence event embedding learning
CN115473667A (en) APT attack sequence detection method based on subgraph matching
CN111951505B (en) Fence vibration intrusion positioning and mode identification method based on distributed optical fiber system
CN111565377B (en) Security monitoring method and device applied to Internet of things
CN107491696B (en) Software security analysis method and system based on immune model
CN116861420B (en) Malicious software detection system and method based on memory characteristics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination