CN115834221A - Intelligent analysis method, system, equipment and storage medium for network security - Google Patents
- Publication number: CN115834221A (application CN202211514933.3A)
- Authority: CN (China)
- Prior art keywords: alarm, alarm information, data, information, network security
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a network security intelligent analysis method, system, device and storage medium. The method comprises the following steps: collecting traffic data and alarm logs from the security monitoring devices, and normalizing the alarm logs; storing the collected full-traffic security data in a unified store, and performing in-depth re-analysis of the traffic data; screening the alarm information with a machine learning method, and removing redundant alarms; clustering the alarm information according to its similarity; correlating and linking the alarm information to generate a complete attack chain and a threat report; and extracting alarm information features, iteratively optimizing the alarm model, and triaging (analyst study and judgment of) the alarm information. The method of the invention not only improves the identification precision of alarm events but also has self-learning optimization capability, and improves the efficiency and accuracy of alarm event handling through continuous iteration between manual judgment and machine learning.
Description
Technical Field
The invention relates to a network security intelligent analysis method, system, device and storage medium, and belongs to the technical field of network security analysis.
Background
The scale of computer networks keeps growing and the variety of applications keeps expanding, so network security problems are becoming increasingly prominent. Access traffic in a single day now reaches millions of requests, and the share of malicious attacks within it is rising. In the traditional approach, early warning, discrimination and handling of network attacks rely on various security devices applying signature libraries, and protection inside the network is identified on that basis.
The identification of malicious attacks by security devices still has limitations: the monitoring workload is large, and manual judgment of every attack flow is not feasible. When security protection devices are deployed against network attacks, they easily generate large volumes of redundant alarm information; at the same time, signature-based judgment easily raises false alarms on some normal traffic. This seriously increases the alarm-handling workload and greatly reduces the efficiency and accuracy of alarm handling.
Disclosure of Invention
In order to solve the above problems, the invention provides a network security intelligent analysis method, system, device and storage medium that can improve the accuracy and efficiency of alarm event handling.
The technical solution adopted to solve the above problems is as follows:
In one aspect, an embodiment of the invention provides a network security intelligent analysis method comprising the following steps:
collecting traffic data and alarm logs from the security monitoring devices, and normalizing the alarm logs;
storing the collected full-traffic security data in a unified store, and performing in-depth re-analysis of the traffic data;
screening the alarm information with a machine learning method to remove redundant alarms;
clustering the alarm information according to its similarity;
correlating and linking the alarm information to generate a complete attack chain and a threat report;
and extracting alarm information features, iteratively optimizing the alarm model, and triaging the alarm information.
As a possible implementation of this embodiment, storing the collected full-traffic security data in a unified store and performing in-depth re-analysis of the traffic data includes:
performing correlation analysis, within a set time period, on the comprehensive alarm information of the detection platform, anomaly information in the network security data, suspicious event information from the security devices, and anomaly information of other network security events;
filtering anomalies in the network data passing through the security devices with a policy library;
and aggregating and computing over the alarm information and security device events of the security analysis platform, then scoring the alarm information after model analysis and displaying it uniformly on the unified operations platform.
As a possible implementation of this embodiment, screening the alarm information with a machine learning method and removing redundant alarms includes:
merging the alarm information collected by all relevant platforms of the network security devices within a set time period;
calculating the urgency of the alarm information from the maximum network traffic, the average network traffic, the weight of the security device and the risk type within the security device;
calculating the ratio of correct alarms to total alarms to obtain the alarm accuracy;
calculating the difference between the time at which the alarm information was generated and the time at which it was processed;
screening suspected alarm information according to the alarm urgency, the accuracy and the time difference;
and, when a new alarm is found, traversing the alarm information in the alarm queue and comparing all attributes one by one; when the same alarm information already exists, taking the alarm with the earliest occurrence time as the final result for the redundant alarm.
As a possible implementation of this embodiment, clustering according to the similarity of the alarm information includes:
extracting alarm information features, and processing the data using destination IP, source IP, time and event name;
data standardization, namely using the absolute value of the difference between the source IP and the destination IP to link all alarms related to that source IP and destination IP within a set time;
converting the data format to numerical values, and reconstructing a new alarm data set;
calculating the overall similarity of the alarms, raising the expected minimum similarity for IP and time, and correspondingly reducing the weight of the overall similarity;
and clustering the new alarm data set into several clusters with the unsupervised machine learning algorithm DP-Kmeans, determining the number of clusters by an initial calculation, adjusting it based on the data set and experience, and computing the final clusters.
As a possible implementation of this embodiment, correlating and linking the alarm information to generate a complete attack chain and a threat report includes:
completing data extraction and analysis on the alarm log information normalized with regular expressions;
converting the data into a format supported by the network security attack behavior pattern scenario;
extracting key feature data through dimensionality reduction with a machine learning method, based on analysis of all features;
mining frequent attack sequence patterns from the alarm records, constructing a record set based on a clustering algorithm and a sliding window, and then mining the attack sequences in depth with data mining techniques;
clustering the alarm information, and dividing it into cluster root alarms and associated alarms according to the characteristics of the data;
and, since a complete attack behavior is scattered across multiple alarm records in the alarm log repository, characterizing the alarm information and performing correlation analysis to generate a complete attack chain and a threat report.
As a possible implementation of this embodiment, the correlation analysis of the alarm information includes:
removing unsuitable features from the alarm information generated by the security devices according to prior knowledge, extracting the alarm type, source and destination IP addresses and port numbers from the alarm logs as effective features, and constructing an initial sequence set;
traversing the preprocessed initial alarm sequence set with the FP-growth algorithm, counting the initial frequent itemsets, calculating the support of each set to generate the frequent itemset sequence, and iterating over the FP-tree branches to generate the final frequent itemsets;
and outputting the rules that meet the minimum confidence according to the frequent itemsets, updating the rule base, and analyzing to obtain the attack chain.
As a possible implementation of this embodiment, extracting the alarm information features, iteratively optimizing the alarm model and triaging the alarm information includes:
encoding the alarm information features to obtain matrix data, and initializing the neural network parameters;
iteratively adjusting the neural network threshold, the number of hidden layers and the number of neurons per layer, and taking the parameters with the best classification performance as the final model parameters for feature extraction;
extracting and preprocessing the alarm information features, and generating a network security alarm training set using the human judgment labels as the ground truth for real alarms;
training several machine learning models on the processed network security alarm training set;
and using each trained model as a weak classifier and combining them with their accuracy as the weight to obtain a more robust alarm authenticity classification model, which judges false alarms and real alarms.
In another aspect, an embodiment of the invention provides a network security intelligent analysis system comprising:
a normalization module, used to collect traffic data and alarm logs from the security monitoring devices and normalize the alarm logs;
a data storage module, used to store the collected full-traffic security data in a unified store and perform in-depth re-analysis of the traffic data;
an alarm information screening module, used to screen the alarm information with a machine learning method and remove redundant alarms;
a similar alarm clustering module, used to cluster the alarm information according to its similarity;
an alarm information correlation module, used to correlate and link the alarm information to generate a complete attack chain and a threat report;
and an alarm information triage module, used to extract the alarm information features, iteratively optimize the alarm model and triage the alarm information.
In a third aspect, an embodiment of the invention provides a computer apparatus including a processor, a memory and a bus, where the memory stores machine-readable instructions executable by the processor; when the computer apparatus operates, the processor communicates with the memory through the bus, and the processor executes the machine-readable instructions to perform the steps of any one of the network security intelligent analysis methods above.
In a fourth aspect, an embodiment of the invention provides a readable storage medium storing a computer program which, when executed by a processor, performs the steps of any one of the network security intelligent analysis methods above.
The technical solution of the embodiment of the invention has the following beneficial effects:
The invention performs correlation analysis on the alarm information to generate threat reports for the triage analysts, who study them and continuously improve their network security level; the analysts submit manually judged alarm information to the system, which iteratively optimizes the alarm analysis model. Through this continuous iteration between manual judgment and machine learning, the system can produce a standard alarm data set format, improving the judgment accuracy of the artificial intelligence model, ultimately reducing the false alarm rate and improving the overall alarm-handling efficiency of the system.
The invention collects the global network security data, establishes a network-wide traffic pool and stores the full-traffic security data locally, which supports tracing and evidence collection and also provides an interface for third-party analysis platforms or the unified operations platform, thereby enabling in-depth re-analysis of the traffic data.
The invention performs correlation analysis on the alarm information to generate a complete attack chain, can infer attacks on both known and unknown types of vulnerabilities, and analyzes the attack intent.
The method of the invention improves the identification precision of alarm events, has self-learning optimization capability, and can improve the efficiency and accuracy of alarm event handling.
Drawings
FIG. 1 is a flow diagram illustrating a network security intelligence analysis method in accordance with an exemplary embodiment;
fig. 2 is a schematic diagram illustrating a network security intelligence analysis system in accordance with an exemplary embodiment.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
in order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
As shown in fig. 1, a network security intelligent analysis method provided in an embodiment of the invention comprises the following steps:
collecting traffic data and alarm logs from the security monitoring devices, and normalizing the alarm logs;
storing the collected full-traffic security data in a unified store, and performing in-depth re-analysis of the traffic data;
screening the alarm information with a machine learning method to remove redundant alarms;
clustering the alarm information according to its similarity;
correlating and linking the alarm information to generate a complete attack chain and a threat report;
and extracting alarm information features, iteratively optimizing the alarm model, and triaging the alarm information.
As a possible implementation of this embodiment, collecting the traffic data and alarm logs of the security monitoring devices includes:
determining which security monitoring devices are able to send alarm information and which are not; for the devices that cannot, installing an agent on the security monitoring device and sending the alarm information through the agent;
configuring the address of the security monitoring device and/or the agent;
establishing a communication connection between the security monitoring device and/or the agent and the server, acquiring the system log of the security monitoring device, and sending the alarm information to the server;
and aggregating the security data of the global network into a traffic pool, and uniformly collecting the alarms of the multi-level security devices.
As a possible implementation of this embodiment, each platform provides a plug-in so that early-warning information can be linked to the unified operations platform while monitoring is carried out on each platform.
As a possible implementation of this embodiment, the early-warning data is collected from data that a person has manually labeled (true, suspected or false alarm), and the data comes from two detection schemes (for details, see the user function module — monitoring and handling). Compared with the monitoring log collection format, this data format adds the labels (true, suspected and false alarm).
As a possible implementation of this embodiment, a local unit in the city deploys a traffic probe that can capture, filter and analyze packets. It is deployed out of band (bypass mode) and has two main functions: generating alarm information and collecting full traffic. The probe can perform basic information analysis and sensitive traffic analysis, and the alarm information it generates can be linked to the unified operations platform.
As a possible implementation of this embodiment, normalizing the alarm logs includes: extracting the key fields of the alarm information with configured adaptive regular expressions, loading the matching regular expression according to the device type field.
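One way to implement the regular-expression normalization above, as an added example that is not the patent's own code. The two device types, their log formats, the sample lines and the canonical field names are constructed for illustration:

```python
import ipaddress
import re
from datetime import datetime, timezone

# Per-device-type extraction templates. Device types ("fw-acme", "ids-beta"),
# log formats and field names are hypothetical, constructed for this example.
# Each regex is anchored (^...$) so a line either matches completely or is
# rejected; partial matches would silently produce half-filled alarm records.
TEMPLATES = {
    "fw-acme": {
        "pattern": re.compile(
            r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<action>ALLOW|DENY) "
            r"src=(?P<src_ip>[\d.]{7,15}):(?P<src_port>\d{1,5}) "
            r"dst=(?P<dst_ip>[\d.]{7,15}):(?P<dst_port>\d{1,5}) sig=(?P<event>[A-Z0-9_]+)$"
        ),
        "ts_format": "%Y-%m-%d %H:%M:%S",
    },
    "ids-beta": {
        "pattern": re.compile(
            r"^<(?P<pri>\d{1,3})>(?P<ts>\d{10}) ids\[\d+\]: \[(?P<event>[^\]]{1,80})\] "
            r"(?P<src_ip>[\d.]{7,15}) -> (?P<dst_ip>[\d.]{7,15}) port (?P<dst_port>\d{1,5}) "
            r"sev=(?P<severity>\d)$"
        ),
        "ts_format": "epoch",
    },
}

# Constructed sample lines, one per device type, plus one with an invalid address.
FW_LINE = "2023-11-28 10:15:02 fw01 DENY src=10.0.0.5:51234 dst=10.0.1.20:22 sig=SSH_BRUTE_FORCE"
IDS_LINE = "<134>1701166507 ids[2211]: [ET SCAN Nmap] 10.0.0.5 -> 10.0.1.21 port 445 sev=3"
BAD_IP_LINE = "2023-11-28 10:15:02 fw01 DENY src=999.0.0.5:1 dst=10.0.1.20:22 sig=X1"


def normalize(device_type, line):
    """Return a canonical alarm record, or None if the line does not fully match
    the template for its device type or carries an invalid IP address."""
    tpl = TEMPLATES.get(device_type)
    if tpl is None:
        return None
    m = tpl["pattern"].match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    try:
        src_ip = ipaddress.ip_address(g["src_ip"])   # rejects e.g. 999.0.0.5
        dst_ip = ipaddress.ip_address(g["dst_ip"])
    except ValueError:
        return None
    if tpl["ts_format"] == "epoch":
        ts = datetime.fromtimestamp(int(g["ts"]), tz=timezone.utc)
    else:
        ts = datetime.strptime(g["ts"], tpl["ts_format"]).replace(tzinfo=timezone.utc)
    return {
        "device_type": device_type,
        "time": ts.isoformat(),
        "event": g["event"].strip().lower(),
        "src_ip": str(src_ip),
        "dst_ip": str(dst_ip),
        "dst_port": int(g["dst_port"]),
        "severity": int(g["severity"]) if g.get("severity") else None,
    }


def normalize_batch(records):
    """records: iterable of (device_type, raw_line). Returns (normalized, dropped)."""
    normalized, dropped = [], 0
    for device_type, line in records:
        rec = normalize(device_type, line)
        if rec is None:
            dropped += 1
        else:
            normalized.append(rec)
    return normalized, dropped


if __name__ == "__main__":
    out, dropped = normalize_batch([("fw-acme", FW_LINE), ("ids-beta", IDS_LINE), ("fw-acme", BAD_IP_LINE)])
    for rec in out:
        print(rec)
    print("dropped:", dropped)
```

Anchoring every pattern and dropping (and counting) lines that do not match is the important part: with an unanchored or partial match, a device quirk or an attacker-controlled field that ends up in the log can produce a record whose source address or event name comes from the wrong part of the line, and the downstream correlation would then build its attack chain on it.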
As a possible implementation of this embodiment, storing the collected full-traffic security data in a unified store and performing in-depth re-analysis of the traffic data includes:
performing correlation analysis, within a set time period, on the comprehensive alarm information of the detection platform, anomaly information in the network security data, suspicious event information from the security devices, and anomaly information of other network security events;
filtering anomalies in the network data passing through the security devices with a policy library;
and aggregating and computing over the alarm information and security device events of the security analysis platform, then scoring the alarm information after model analysis and displaying it uniformly on the unified operations platform.
The full-traffic data is stored locally, which supports tracing and evidence collection and provides an interface for third-party analysis platforms or the unified operations platform, thereby enabling in-depth re-analysis of the traffic data and generation of new alarm information.
As a possible implementation of this embodiment, screening the alarm information with a machine learning method to remove redundant alarms includes:
merging the alarm information collected by all relevant platforms of the network security devices within a set time period;
calculating the urgency of the alarm information from the maximum network traffic, the average network traffic, the weight of the security device and the risk type within the security device;
calculating the ratio of correct alarms to total alarms to obtain the alarm accuracy;
calculating the difference between the time at which the alarm information was generated and the time at which it was processed;
screening suspected alarm information according to the alarm urgency, the accuracy and the time difference;
and, when a new alarm is found, traversing the alarm information in the alarm queue and comparing all attributes one by one; when the same alarm information already exists, taking the alarm with the earliest occurrence time as the final result for the redundant alarm.
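The screening and de-duplication procedure above, as an added example that is not the patent's own code. The patent gives no formula for urgency and no screening thresholds, so the urgency formula (device weight times risk-type weight times the peak/average traffic ratio), the weight tables, the feedback history, the thresholds and the sample alarms are all assumptions constructed for illustration:

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Assumed weights, not from the patent: how much each device's alarms are trusted
# and how severe each risk type is. Device and risk names are hypothetical.
DEVICE_WEIGHT = {"fw-acme": 0.6, "ids-beta": 0.9, "waf-gamma": 0.8}
RISK_WEIGHT = {"scan": 0.3, "brute_force": 0.6, "webshell": 1.0, "c2": 1.0}

# Constructed analyst feedback per (device, event): (correct alarms, total alarms).
HISTORY: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("fw-acme", "ssh_brute_force"): (7, 10),
    ("ids-beta", "port_scan"): (2, 10),
}


@dataclass
class Alarm:
    id: str
    device: str
    event: str
    src_ip: str
    dst_ip: str
    dst_port: int
    risk_type: str
    flow_max: float                   # peak traffic rate in the alarm window
    flow_avg: float                   # average traffic rate in the window
    generated_ts: int                 # epoch seconds when the device raised it
    handled_ts: Optional[int] = None  # epoch seconds when an analyst processed it
    count: int = 1                    # raw alarms folded into this record


def urgency(a: Alarm) -> float:
    """Assumed formula: device trust x risk severity x traffic burstiness."""
    burst = a.flow_max / max(a.flow_avg, 1.0)
    return DEVICE_WEIGHT.get(a.device, 0.5) * RISK_WEIGHT.get(a.risk_type, 0.5) * burst


def accuracy(history, device: str, event: str) -> float:
    """Correct alarms / total alarms for this signature; 0.5 if never judged."""
    correct, total = history.get((device, event), (0, 0))
    return correct / total if total else 0.5


def handling_delay(a: Alarm, now: int) -> int:
    """Seconds between generation and processing (or until now if unprocessed)."""
    return (a.handled_ts if a.handled_ts is not None else now) - a.generated_ts


def is_suspect(a: Alarm, history, now: int, urgency_floor=1.0,
               accuracy_floor=0.5, delay_ceiling=3600) -> bool:
    """Assumed screening policy: escalate alarms that are urgent, come from a
    signature that has historically been right, and are not already stale."""
    return (urgency(a) >= urgency_floor
            and accuracy(history, a.device, a.event) >= accuracy_floor
            and handling_delay(a, now) <= delay_ceiling)


def dedupe_key(a: Alarm):
    # The attributes that make two alarms the same event; timestamps excluded.
    return (a.device, a.event, a.src_ip, a.dst_ip, a.dst_port, a.risk_type)


def merge_redundant(queue: List[Alarm], new: Alarm) -> List[Alarm]:
    """Add an alarm to the queue. If one with identical attributes is already
    queued, keep whichever was generated earliest and fold the counts together."""
    key = dedupe_key(new)
    for i, existing in enumerate(queue):
        if dedupe_key(existing) == key:
            keep = new if new.generated_ts < existing.generated_ts else existing
            queue[i] = replace(keep, count=existing.count + new.count)
            return queue
    queue.append(new)
    return queue


# Constructed sample alarms; a2 and a3 repeat a1 (a3 carries an earlier timestamp
# but arrives later, as happens with a delayed log shipper).
SAMPLE = [
    Alarm("a1", "fw-acme", "ssh_brute_force", "10.0.0.5", "10.0.1.20", 22, "brute_force", 5000, 1000, 1000),
    Alarm("a2", "fw-acme", "ssh_brute_force", "10.0.0.5", "10.0.1.20", 22, "brute_force", 5200, 1000, 1100),
    Alarm("a3", "fw-acme", "ssh_brute_force", "10.0.0.5", "10.0.1.20", 22, "brute_force", 4800, 1000, 900),
    Alarm("a4", "ids-beta", "port_scan", "10.0.0.5", "10.0.1.21", 445, "scan", 1500, 1000, 1200),
    Alarm("a5", "waf-gamma", "webshell_upload", "203.0.113.9", "10.0.2.40", 443, "webshell", 3000, 500, 1300),
]


def screen(alarms: List[Alarm], history, now: int):
    """De-duplicate, then return (queue, ids flagged as suspect for escalation)."""
    queue: List[Alarm] = []
    for a in alarms:
        merge_redundant(queue, a)
    flagged = [a.id for a in queue if is_suspect(a, history, now)]
    return queue, flagged


if __name__ == "__main__":
    queue, flagged = screen(SAMPLE, HISTORY, now=2000)
    for a in queue:
        print(a.id, "x%d" % a.count, "urgency=%.2f" % urgency(a))
    print("suspect:", flagged)
```

Two details worth keeping when adapting this: the de-duplication key deliberately excludes timestamps, otherwise a device that re-emits the same event every second never collapses; and the urgency depends on traffic figures reported by the device itself, so a device with a misconfigured averaging window (a very small flow_avg) will inflate the urgency of everything it reports.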
As a possible implementation of this embodiment, clustering according to the similarity of the alarm information includes:
extracting alarm information features, and processing the data using destination IP, source IP, time and event name;
data standardization, namely using the absolute value of the difference between the source IP and the destination IP to link all alarms related to that source IP and destination IP within a set time;
converting the data format to numerical values, and reconstructing a new alarm data set;
calculating the overall similarity of the alarms, raising the expected minimum similarity for IP and time, and correspondingly reducing the weight of the overall similarity;
and clustering the new alarm data set into several clusters with the unsupervised machine learning algorithm DP-Kmeans, determining the number of clusters by an initial calculation, adjusting it based on the data set and experience, and computing the final clusters.
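The feature numericization, weighted scaling and DP-Kmeans clustering described above, as an added example that is not the patent's own code. The alarms are constructed; DP-Kmeans is rendered as k-means whose initial centers are chosen by the density-peaks rule (points with high local density that lie far from any denser point), which is an assumption about what the page's DP-Kmeans does, and the column weights are assumed:

```python
import ipaddress
import math

# Constructed sample alarms: three from one scanning host, three from a later
# web-attack campaign. Addresses and event names are hypothetical.
ALARMS = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "ts": 1700000000, "event": "port_scan"},
    {"src": "10.0.0.5", "dst": "10.0.1.21", "ts": 1700000030, "event": "port_scan"},
    {"src": "10.0.0.5", "dst": "10.0.1.22", "ts": 1700000060, "event": "port_scan"},
    {"src": "203.0.113.9", "dst": "10.0.2.40", "ts": 1700003600, "event": "sql_injection"},
    {"src": "203.0.113.9", "dst": "10.0.2.40", "ts": 1700003650, "event": "sql_injection"},
    {"src": "203.0.113.10", "dst": "10.0.2.40", "ts": 1700003700, "event": "xss"},
]

# Assumed column weights: IP-related and time columns count more than the event
# name, following the text's emphasis on IP and time similarity.
WEIGHTS = [2.0, 2.0, 1.0, 2.0, 1.0]   # src, dst, |src-dst|, time, event


def numericize(alarms):
    """Turn each alarm into [src, dst, |src-dst|, time, event_id] as numbers."""
    events = {e: i for i, e in enumerate(sorted({a["event"] for a in alarms}))}
    rows = []
    for a in alarms:
        src = int(ipaddress.ip_address(a["src"]))
        dst = int(ipaddress.ip_address(a["dst"]))
        rows.append([src, dst, abs(src - dst), a["ts"], events[a["event"]]])
    return rows


def scale(rows, weights):
    """Min-max scale every column to [0, 1], then multiply by its weight so raw
    32-bit address values cannot dominate the distance."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [max(c) - m if max(c) > m else 1.0 for c, m in zip(cols, lo)]
    return [[w * (v - l) / s for v, l, s, w in zip(r, lo, span, weights)] for r in rows]


def dist(p, q):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def density_peak_centers(points, k):
    """Pick k initial centers the density-peaks way: high local density (rho)
    and large distance to the nearest point of higher density (delta)."""
    n = len(points)
    d = [[dist(points[i], points[j]) for j in range(n)] for i in range(n)]
    pairs = n * (n - 1) / 2 or 1
    dc = 0.5 * sum(d[i][j] for i in range(n) for j in range(i + 1, n)) / pairs or 1e-9
    rho = [sum(math.exp(-(d[i][j] / dc) ** 2) for j in range(n) if j != i) for i in range(n)]
    order = sorted(range(n), key=lambda i: (-rho[i], i))   # densest first
    delta = [0.0] * n
    delta[order[0]] = max(d[order[0]])
    for pos in range(1, n):
        i = order[pos]
        delta[i] = min(d[i][j] for j in order[:pos])
    ranked = sorted(range(n), key=lambda i: -(rho[i] * delta[i]))
    return [list(points[i]) for i in ranked[:k]]


def kmeans(points, k, iterations=50):
    """Lloyd's k-means started from density-peak centers; returns one label per point."""
    centers = density_peak_centers(points, k)
    labels = None
    for _ in range(iterations):
        new_labels = [min(range(k), key=lambda c: dist(p, centers[c])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            if members:
                centers[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def cluster_alarms(alarms, k):
    return kmeans(scale(numericize(alarms), WEIGHTS), k)


if __name__ == "__main__":
    for a, label in zip(ALARMS, cluster_alarms(ALARMS, 2)):
        print(label, a)
```

Because the min-max scaling is computed from the batch being clustered, one far-away alarm (an address from a different range, or a timestamp days off) rescales every other column and can merge clusters that were separate a minute earlier; in a live pipeline the scale should come from a fixed reference window rather than from each batch.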
As a possible implementation of this embodiment, correlating and linking the alarm information to generate a complete attack chain and a threat report includes:
completing data extraction and analysis on the alarm log information normalized with regular expressions;
converting the data into a format supported by the network security attack behavior pattern scenario;
extracting key feature data through dimensionality reduction with a machine learning method, based on analysis of all features;
mining frequent attack sequence patterns from the alarm records, constructing a record set based on a clustering algorithm and a sliding window, and then mining the attack sequences in depth with data mining techniques;
clustering the alarm information, and dividing it into cluster root alarms and associated alarms according to the characteristics of the data;
and, since a complete attack behavior is scattered across multiple alarm records in the alarm log repository, characterizing the alarm information and performing correlation analysis to generate a complete attack chain and a threat report.
As a possible implementation of this embodiment, the security threat report shows information such as the time the event occurred, the personnel involved in handling it, the overall handling timeliness and a summary of the event.
As a possible implementation of this embodiment, the correlation analysis of the alarm information includes:
removing unsuitable features from the alarm information generated by the security devices according to prior knowledge, extracting the alarm type, source and destination IP addresses and port numbers from the alarm logs as effective features, and constructing an initial sequence set;
traversing the preprocessed initial alarm sequence set with the FP-growth algorithm, counting the initial frequent itemsets, calculating the support of each set to generate the frequent itemset sequence, and iterating over the FP-tree branches to generate the final frequent itemsets;
and outputting the rules that meet the minimum confidence according to the frequent itemsets, updating the rule base, and analyzing to obtain the attack chain.
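The FP-growth mining and rule derivation described above, as an added example that is not the patent's own code. The alarm-type names, the per-host alarm sequences (each standing in for one sliding-window record), and the support and confidence thresholds are constructed for illustration; ordering the attack chain by the average position of each alarm type within the sequences is an assumption, since the text does not say how the chain is ordered:

```python
from collections import defaultdict
from typing import Dict, FrozenSet

# Constructed alarm sequences: one per source host, ordered by time, each holding
# the alarm types seen within one sliding window. Names are hypothetical.
SEQUENCES = [
    ["port_scan", "brute_force", "webshell_upload", "c2_beacon"],
    ["port_scan", "brute_force", "webshell_upload", "c2_beacon"],
    ["port_scan", "brute_force", "c2_beacon"],
    ["port_scan", "brute_force", "webshell_upload"],
    ["dns_anomaly", "port_scan"],
    ["brute_force", "c2_beacon"],
    ["dns_anomaly"],
]


class Node:
    __slots__ = ("item", "count", "parent", "children", "link")

    def __init__(self, item, parent):
        self.item, self.count, self.parent = item, 0, parent
        self.children, self.link = {}, None   # link: next node holding the same item


def build_tree(transactions, min_support):
    """Build an FP-tree from (items, weight) pairs; returns (root, header table)."""
    counts = defaultdict(int)
    for items, weight in transactions:
        for item in set(items):
            counts[item] += weight
    frequent = {i: c for i, c in counts.items() if c >= min_support}
    if not frequent:
        return None, None
    header = {i: [c, None] for i, c in frequent.items()}   # item -> [support, first node]
    root = Node(None, None)
    for items, weight in transactions:
        ordered = sorted((i for i in set(items) if i in frequent), key=lambda i: (-frequent[i], i))
        node = root
        for item in ordered:
            child = node.children.get(item)
            if child is None:
                child = Node(item, node)
                node.children[item] = child
                child.link, header[item][1] = header[item][1], child
            child.count += weight
            node = child
    return root, header


def fp_growth(transactions, min_support, suffix=frozenset()):
    """Recursively mine every frequent itemset; returns {itemset: support}."""
    patterns: Dict[FrozenSet[str], int] = {}
    _, header = build_tree(transactions, min_support)
    if header is None:
        return patterns
    for item, (support, node) in sorted(header.items(), key=lambda kv: (kv[1][0], kv[0])):
        itemset = suffix | {item}
        patterns[itemset] = support
        # Conditional pattern base: the prefix path above every node of this item.
        base = []
        while node is not None:
            path, parent = [], node.parent
            while parent.item is not None:
                path.append(parent.item)
                parent = parent.parent
            if path:
                base.append((path, node.count))
            node = node.link
        patterns.update(fp_growth(base, min_support, itemset))
    return patterns


def mine_frequent_itemsets(sequences, min_support):
    return fp_growth([(s, 1) for s in sequences], min_support)


def association_rules(patterns, min_confidence):
    """Rules antecedent -> consequent with confidence = sup(all) / sup(antecedent)."""
    rules = []
    for itemset, support in patterns.items():
        if len(itemset) < 2:
            continue
        for consequent in itemset:
            antecedent = itemset - {consequent}
            confidence = support / patterns[antecedent]   # subsets of a frequent set are frequent
            if confidence >= min_confidence:
                rules.append((antecedent, consequent, confidence))
    return rules


def attack_chain(itemset, sequences):
    """Order a frequent itemset by the mean position of each alarm type in the sequences."""
    positions = defaultdict(list)
    for seq in sequences:
        for idx, item in enumerate(seq):
            if item in itemset:
                positions[item].append(idx)
    return sorted(itemset, key=lambda i: sum(positions[i]) / len(positions[i]))


if __name__ == "__main__":
    patterns = mine_frequent_itemsets(SEQUENCES, 3)
    for antecedent, consequent, conf in association_rules(patterns, 0.8):
        print(sorted(antecedent), "->", consequent, "conf=%.2f" % conf)
    print(attack_chain(frozenset({"port_scan", "brute_force", "c2_beacon"}), SEQUENCES))
```

Support is counted per sequence (per host and window), not per raw alarm, so a single noisy host that repeats one alarm thousands of times cannot push a spurious pair over the support threshold; that is also why the de-duplication step comes before this one.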
As a possible implementation of this embodiment, extracting the alarm information features, iteratively optimizing the alarm model and triaging the alarm information includes:
encoding the alarm information features to obtain matrix data, and initializing the neural network parameters;
iteratively adjusting the neural network threshold, the number of hidden layers and the number of neurons per layer, and taking the parameters with the best classification performance as the final model parameters for feature extraction;
extracting and preprocessing the alarm information features, and generating a network security alarm training set using the human judgment labels as the ground truth for real alarms;
training several machine learning models on the processed network security alarm training set;
and using each trained model as a weak classifier and combining them with their accuracy as the weight to obtain a more robust alarm authenticity classification model, which judges false alarms and real alarms.
As a possible implementation of this embodiment, a large amount of alarm information is integrated and, when the redundant data is removed, an artificial intelligence fusion model is used to improve the accuracy and the degree of automation of automatic detection and classification.
As a possible implementation of this embodiment, low accuracy results from the inability to extract effective features from complex and variable network security attack data. A neural network is therefore used for feature extraction: the output layer of the network is removed, and the data of the last hidden layer is taken as the alarm information features.
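The accuracy-weighted combination of weak classifiers from the last step of the procedure above, as an added example rather than the patent's own code. The page does not give its trained models, so decision stumps (one threshold on one feature) stand in for them; the training rows, feature names and analyst labels are constructed, and the neural-network feature extractor mentioned just above is not reproduced, the stumps work directly on three hand-picked features:

```python
from typing import Dict, List

# Constructed training set: per-alarm features [urgency, repeat_count, device_accuracy]
# and analyst labels (1 = real alarm, 0 = false alarm). Values are hypothetical.
TRAIN_X = [
    [0.9, 12, 0.8], [0.8, 9, 0.7], [0.7, 3, 0.9], [0.3, 6, 0.85],
    [0.2, 1, 0.2], [0.1, 2, 0.3], [0.4, 1, 0.25], [0.35, 15, 0.3],
    [0.6, 4, 0.75], [0.15, 1, 0.8],
]
TRAIN_Y = [1, 1, 1, 1, 0, 0, 0, 0, 1, 0]
FEATURE_NAMES = ["urgency", "repeat_count", "device_accuracy"]


def stump_predict(stump: Dict, row: List[float]) -> int:
    above = row[stump["feature"]] > stump["threshold"]
    return stump["polarity"] if above else 1 - stump["polarity"]


def train_stump(rows, labels, feature) -> Dict:
    """Weak classifier: one feature, one threshold and a polarity, chosen by
    training accuracy over the midpoints between consecutive observed values."""
    values = sorted({r[feature] for r in rows})
    best = None
    for lo, hi in zip(values, values[1:]):
        for polarity in (1, 0):
            cand = {"feature": feature, "threshold": (lo + hi) / 2, "polarity": polarity}
            acc = sum(stump_predict(cand, r) == y for r, y in zip(rows, labels)) / len(labels)
            if best is None or acc > best["accuracy"]:
                best = dict(cand, accuracy=acc)
    return best


def train_ensemble(rows, labels) -> List[Dict]:
    """One weak classifier per feature, each carrying its own training accuracy."""
    return [train_stump(rows, labels, f) for f in range(len(rows[0]))]


def ensemble_predict(ensemble: List[Dict], row: List[float]) -> int:
    """Accuracy-weighted vote. A tie is resolved towards 'real alarm' so that an
    undecided case is escalated to an analyst rather than silently dropped."""
    votes = {0: 0.0, 1: 0.0}
    for stump in ensemble:
        votes[stump_predict(stump, row)] += stump["accuracy"]
    return 1 if votes[1] >= votes[0] else 0


def ensemble_accuracy(ensemble, rows, labels) -> float:
    return sum(ensemble_predict(ensemble, r) == y for r, y in zip(rows, labels)) / len(labels)


if __name__ == "__main__":
    ens = train_ensemble(TRAIN_X, TRAIN_Y)
    for s in ens:
        print(FEATURE_NAMES[s["feature"]], "> %.3f" % s["threshold"], "acc=%.2f" % s["accuracy"])
    print("ensemble accuracy:", ensemble_accuracy(ens, TRAIN_X, TRAIN_Y))
    print("new alarm [0.5, 8, 0.2] ->", ensemble_predict(ens, [0.5, 8, 0.2]))
```

In the constructed set each stump misjudges exactly one different alarm, so the weighted vote recovers all ten labels while every single stump reaches only 0.9; that is the gain the page attributes to the ensemble. The weights here are training accuracies, which is what the text specifies, but they should be measured on held-out analyst judgments before being trusted, since a stump that memorizes the training rows reports an accuracy of 1.0 and would then dominate the vote.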
As a possible implementation of this embodiment, the monitoring personnel study the security threat reports and continuously improve their network security level; they submit the manually distinguished alarm information to the system, and the system generates a standard alarm data set format through automatic processing, thereby improving the judgment accuracy of the artificial intelligence discrimination model.
As shown in fig. 2, a network security intelligent analysis system provided in an embodiment of the invention comprises:
a normalization module, used to collect traffic data and alarm logs from the security monitoring devices and normalize the alarm logs;
a data storage module, used to store the collected full-traffic security data in a unified store and perform in-depth re-analysis of the traffic data;
an alarm information screening module, used to screen the alarm information with a machine learning method and remove redundant alarms;
a similar alarm clustering module, used to cluster the alarm information according to its similarity;
an alarm information correlation module, used to correlate and link the alarm information to generate a complete attack chain and a threat report;
and an alarm information triage module, used to extract the alarm information features, iteratively optimize the alarm model and triage the alarm information.
In a third aspect, a computer device includes a processor, a memory and a bus, where the memory stores machine-readable instructions executable by the processor; when the computer device runs, the processor and the memory communicate through the bus, and the processor executes the machine-readable instructions to perform the steps of any one of the network security intelligent analysis methods above.
The computer device provided by the embodiment of the invention thus comprises a processor, a memory and a bus, with the memory storing machine-readable instructions executable by the processor; when the device runs, the processor and the memory communicate through the bus, and the processor executes the machine-readable instructions to carry out the steps of any one of the network security intelligent analysis methods above.
Specifically, the memory and the processor may be a general-purpose memory and processor, which are not specifically limited; when the processor runs the computer program stored in the memory, the network security intelligent analysis method can be executed.
Those skilled in the art will appreciate that the configuration of the computer device is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, some components may be split, or a different arrangement of components.
In some embodiments, the computer device may further include a touch screen operable to display a graphical user interface (e.g., a launch interface for an application) and to receive user operations on the graphical user interface (e.g., launch operations for the application). A particular touch screen may include a display panel and a touch panel. The display panel may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), and the like. The touch panel may collect contact or non-contact operations of a user on or near the touch panel and generate preset operation instructions, for example, operations of the user on or near the touch panel using any suitable object or accessory such as a finger or a stylus. In addition, the touch panel may include two parts: a touch detection device and a touch controller. The touch detection device detects the touch direction and gesture of a user, detects the signals produced by the touch operation, and transmits the signals to the touch controller; the touch controller receives touch information from the touch detection device, converts it into information that the processor can process, sends the information to the processor, and receives and executes commands sent by the processor. In addition, the touch panel may be implemented in various types such as resistive, capacitive, infrared and surface acoustic wave, and may also be implemented by any technology developed in the future.
Further, the touch panel may overlay the display panel, a user may operate on or near the touch panel overlaid on the display panel according to a graphical user interface displayed by the display panel, the touch panel detects an operation thereon or nearby and transmits the operation to the processor to determine a user input, and the processor then provides a corresponding visual output on the display panel in response to the user input. In addition, the touch panel and the display panel can be realized as two independent components or can be integrated.
Corresponding to the method for starting the application program, an embodiment of the present invention further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, it performs the steps of any of the above-mentioned intelligent network security analysis methods.
The application-program starting device provided by the embodiment of the present application may be specific hardware on the equipment, or software or firmware installed on the equipment. The device provided by the embodiment of the present application has the same implementation principle and technical effect as the foregoing method embodiments; for brevity, where the device embodiments do not mention a point, reference may be made to the corresponding contents of the foregoing method embodiments. Those skilled in the art will clearly understand that, for convenience and simplicity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the method embodiments, and are not described again here.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, and for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or modules through some communication interfaces, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.
Claims (10)
1. An intelligent analysis method for network security, characterized by comprising the following steps:
collecting traffic data and alarm logs from the security monitoring equipment, and performing standardized processing on the alarm logs;
uniformly storing the collected full-traffic security data, and performing deep reanalysis on the traffic data;
screening alarm information by using a machine learning method to remove redundant alarms;
clustering the alarm information according to the similarity of the alarm information;
correlating the alarm information and linking it to generate a complete attack chain and a threat report;
and extracting alarm information features, iteratively optimizing an alarm model, and analyzing and judging the alarm information.
2. The intelligent network security analysis method according to claim 1, wherein uniformly storing the collected full-traffic security data and performing deep reanalysis on the traffic data comprises the following steps:
performing correlation analysis, within a set time period, on the comprehensive alarm information of the detection platform, the abnormal information of the network security data, the suspicious event information of the security equipment, and the abnormal information of other network security events;
filtering the abnormal conditions of the network data passing through the security equipment by means of a policy library;
and aggregating and scoring the alarm information and security equipment events of the security analysis platform, grading the alarm information after model analysis, and displaying it uniformly on the unified operations platform.
3. The intelligent network security analysis method of claim 1, wherein screening alarm information by using a machine learning method and removing redundant alarms comprises:
merging the alarm information collected by all relevant platforms of the network security equipment within a set time period;
calculating the urgency degree of the alarm information from the maximum network traffic, the average network traffic, the weight of the security equipment, and the risk type in the security equipment;
calculating the ratio of the number of correct alarms to the total number of alarms to obtain the alarm accuracy;
calculating the difference between the time point at which the alarm information is generated and the time point at which it is processed;
screening suspected alarm information according to the alarm urgency degree, the accuracy, and the time point difference;
and after a new alarm is found, traversing the alarm information in the alarm queue, comparing each attribute of the new alarm in turn, and, when identical alarm information appears, taking the alarm with the earliest occurrence time as the final result for the redundant alarms.
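As an added illustration of the screening and redundancy-removal steps of claim 3 (example code, not the patent's own), the following Python merges alarms inside a time window, drops duplicate copies keeping the earliest, and ranks what remains by urgency, source accuracy and handling delay. The alarm records, device and risk weights, verdict history, thresholds and the linear urgency formula are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Alarm:
    alarm_id: str
    device: str        # security device that raised the alarm
    risk_type: str
    src_ip: str
    dst_ip: str
    created_at: int    # epoch seconds when the alarm was generated
    handled_at: int    # epoch seconds when an analyst processed it
    max_flow: float    # peak traffic on the flagged connection, Mbps
    avg_flow: float    # average traffic, Mbps


# Constructed sample: a1/a2 are the same IDS alarm reported twice, a3 is a low-volume
# WAF alarm, a4 is an old endpoint alarm outside the analysis window.
ALARMS = [
    Alarm("a1", "ids-core", "command_injection", "10.1.1.20", "10.2.2.5", 1000, 1300, 800.0, 120.0),
    Alarm("a2", "ids-core", "command_injection", "10.1.1.20", "10.2.2.5", 1040, 1300, 800.0, 120.0),
    Alarm("a3", "waf-edge", "brute_force", "10.1.1.21", "10.2.2.5", 1100, 1200, 50.0, 10.0),
    Alarm("a4", "av-agent", "port_scan", "10.1.1.22", "10.2.2.8", 300, 9000, 5.0, 1.0),
]
# Constructed per-device verdict history (True = analyst confirmed a real alarm).
HISTORY = {"ids-core": [True, True, False, True], "waf-edge": [True, False], "av-agent": [False, False, True]}
# Constructed trust weights for devices and risk types, both in [0, 1].
DEVICE_WEIGHT = {"ids-core": 0.9, "waf-edge": 0.7, "av-agent": 0.5}
RISK_WEIGHT = {"command_injection": 1.0, "brute_force": 0.6, "port_scan": 0.3}


def urgency(a, flow_cap=1000.0):
    # Claim 3 names the four inputs; this particular linear combination is an assumption.
    return (0.3 * min(a.max_flow, flow_cap) / flow_cap
            + 0.2 * min(a.avg_flow, flow_cap) / flow_cap
            + 0.25 * DEVICE_WEIGHT.get(a.device, 0.1)
            + 0.25 * RISK_WEIGHT.get(a.risk_type, 0.1))


def accuracy(verdicts):
    # Correct alarms divided by total alarms; a device with no history scores 0.
    return sum(verdicts) / len(verdicts) if verdicts else 0.0


def dedupe(alarms):
    # Walk alarms oldest-first and compare every attribute except id and timestamps;
    # the first (earliest) copy of each identical alarm becomes the final result.
    kept = {}
    for a in sorted(alarms, key=lambda x: x.created_at):
        kept.setdefault((a.device, a.risk_type, a.src_ip, a.dst_ip), a)
    return list(kept.values())


def screen(alarms, history, window, min_urgency=0.4, min_accuracy=0.5):
    # 1) merge the alarms raised inside the window, 2) drop redundant copies,
    # 3) keep alarms whose urgency and source accuracy clear the thresholds,
    # ranked by urgency and then by how long they waited to be handled.
    start, end = window
    merged = [a for a in alarms if start <= a.created_at <= end]
    rows = []
    for a in dedupe(merged):
        u, acc = urgency(a), accuracy(history.get(a.device, []))
        if u >= min_urgency and acc >= min_accuracy:
            rows.append((a, u, acc, a.handled_at - a.created_at))
    rows.sort(key=lambda r: (-r[1], -r[3]))
    return rows
```

On the sample above, the duplicate IDS alarm collapses to `a1`, the stale `a4` falls outside the window, and the low-volume WAF alarm is dropped for insufficient urgency.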
4. The intelligent network security analysis method according to claim 1, wherein clustering the alarm information according to alarm information similarity comprises:
extracting alarm information features, and processing the data using the destination IP, source IP, time, and event name;
performing data standardization, namely using the absolute value of the difference between the source IP and the destination IP to link all alarms related to that source IP and destination IP within a set time;
converting the data format to numerical form, and reconstructing a new alarm data set;
calculating the overall similarity of the alarms, raising the minimum similarity expectation for IP and time, and correspondingly reducing the weight of the overall similarity;
and clustering the new alarm data set into a plurality of clusters using the unsupervised machine learning algorithm DP-Kmeans, determining the number of clusters by an initial calculation, adjusting it according to the data set and experience, and computing the final clusters.
5. The intelligent network security analysis method of claim 1, wherein correlating the alarm information and linking it to generate a complete attack chain and a threat report comprises:
completing data extraction and analysis on the alarm log information processed by regular expressions;
converting the data into a data format suited to supporting network security attack behavior pattern scenarios;
extracting key feature data from the full set of analyzed features through dimensionality reduction by a machine learning method;
mining frequent attack sequence patterns from the alarm records, constructing a record set based on a clustering algorithm and a sliding window, and then deeply mining attack sequences using data mining techniques;
clustering the alarm information, and dividing it into cluster root alarms and associated alarms according to the characteristics of the data;
and, since a complete attack behavior is dispersed across a plurality of alarm records in the alarm log information base, characterizing the alarm information and performing correlation analysis to generate the complete attack chain and threat report.
6. The intelligent analysis method for network security according to claim 5, wherein the correlation analysis of the alarm information comprises:
removing unsuitable features from the alarm information generated by the security equipment according to prior knowledge, extracting the alarm type, source and destination IP addresses, and port numbers from the alarm logs as effective features, and constructing an initial sequence set;
traversing the preprocessed initial sequence set of alarm information with the FP-growth algorithm, counting the initial frequent itemsets, calculating the support of each itemset to generate a frequent itemset sequence, and iterating over the FP-tree branches to generate the final frequent itemsets;
and outputting the rules that meet the minimum confidence according to the frequent itemsets, updating the rule base, and analyzing to obtain the attack chain.
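An added example (not code from the patent) of the frequent-pattern step shared by claims 5 and 6: alarm records are grouped per source/destination pair into an initial sequence set, a compact FP-growth mines frequent itemsets of alarm types, rules meeting a minimum confidence are output, and a frequent itemset is ordered into a chain. The alarm records, the support and confidence thresholds, and the first-seen-time ordering used for the chain are assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample alarm records: (timestamp, src_ip, dst_ip, alarm_type).
ALARMS = [
    (100, "10.0.0.1", "10.0.1.5", "port_scan"),
    (160, "10.0.0.1", "10.0.1.5", "ssh_brute_force"),
    (420, "10.0.0.1", "10.0.1.5", "webshell_upload"),
    (200, "10.0.0.2", "10.0.1.5", "port_scan"),
    (250, "10.0.0.2", "10.0.1.5", "ssh_brute_force"),
    (500, "10.0.0.2", "10.0.1.5", "webshell_upload"),
    (300, "10.0.0.3", "10.0.1.9", "port_scan"),
    (340, "10.0.0.3", "10.0.1.9", "ssh_brute_force"),
    (600, "10.0.0.4", "10.0.1.9", "port_scan"),
    (700, "10.0.0.4", "10.0.1.9", "webshell_upload"),
    (800, "10.0.0.5", "10.0.1.7", "dos_flood"),
]

def sequence_sets(alarms):
    # Initial sequence set: one transaction per (src, dst) pair holding its alarm types.
    sets = defaultdict(set)
    for _, src, dst, kind in alarms:
        sets[(src, dst)].add(kind)
    return list(sets.values())

def fp_growth(transactions, min_support):
    # Returns {frozenset(items): support} for every itemset meeting min_support.
    def mine(trans, suffix, out):
        freq = Counter()
        for items, cnt in trans:
            freq.update({i: cnt for i in items})
        freq = {i: c for i, c in freq.items() if c >= min_support}
        root, header = [0, {}, None, None], defaultdict(list)  # node: [count, kids, parent, item]
        for items, cnt in trans:  # insert each transaction in descending-frequency order
            node = root
            for it in sorted((i for i in items if i in freq), key=lambda i: (-freq[i], i)):
                if it not in node[1]:
                    node[1][it] = [0, {}, node, it]
                    header[it].append(node[1][it])
                node = node[1][it]
                node[0] += cnt
        for item in sorted(freq, key=lambda i: (freq[i], i)):
            out[frozenset(suffix | {item})] = freq[item]
            cond = []  # conditional pattern base: prefix paths above each `item` node
            for node in header[item]:
                path, p = [], node[2]
                while p[3] is not None:
                    path.append(p[3])
                    p = p[2]
                cond.append((path, node[0]))
            mine(cond, suffix | {item}, out)  # recurse on the conditional FP-tree

    out = {}
    mine([(set(t), 1) for t in transactions], frozenset(), out)
    return out

def association_rules(freq_sets, min_conf):
    # Rules (antecedent, consequent, confidence) whose confidence reaches min_conf.
    rules = []
    for items, supp in freq_sets.items():
        for k in range(1, len(items)):
            for ante in map(frozenset, combinations(sorted(items), k)):
                conf = supp / freq_sets[ante]
                if conf >= min_conf:
                    rules.append((ante, items - ante, conf))
    return rules

def attack_chain(alarms, items):
    # Order a frequent itemset by mean first-seen time over the sessions containing
    # all of its alarm types (an assumed ordering heuristic, not from the patent).
    first = defaultdict(dict)
    for t, src, dst, kind in alarms:
        first[(src, dst)][kind] = min(t, first[(src, dst)].get(kind, t))
    hits = [s for s in first.values() if items.issubset(s)]
    return sorted(items, key=lambda k: sum(s[k] for s in hits) / len(hits))
```

With min_support 3 and min_confidence 0.8 on the sample, `dos_flood` is pruned, `{port_scan, ssh_brute_force}` and `{port_scan, webshell_upload}` survive, and only the rules whose antecedent is the later-stage alarm reach the confidence bar.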
7. The intelligent network security analysis method of claim 1, wherein extracting the alarm information features, iteratively optimizing the alarm model, and analyzing and judging the alarm information comprises:
encoding the alarm information features to obtain matrix data, and initializing the neural network parameters;
iteratively adjusting the neural network threshold, the number of hidden layers, and the number of neurons per layer, and taking the best-performing classification parameters as the final model parameters for feature extraction;
extracting and preprocessing the alarm information features, and generating a network security alarm data training set using manually assigned labels as the ground truth for real alarms;
training a plurality of machine learning models on the processed network security alarm data training set;
and using each trained model as a weak classifier, integrating them with accuracy as the weight to obtain a more robust alarm authenticity classification model, and judging false alarms and real alarms.
8. An intelligent network security analysis system, comprising:
the standardized processing module, used for acquiring traffic data and alarm logs from the security monitoring equipment and performing standardized processing on the alarm logs;
the data storage module, used for uniformly storing the acquired full-traffic security data and performing deep reanalysis on the traffic data;
the alarm information screening module, used for screening alarm information with a machine learning method and removing redundant alarms;
the similar alarm clustering module, used for clustering the alarm information according to alarm information similarity;
the alarm information correlation module, used for correlating the alarm information and linking it to generate a complete attack chain and a threat report;
and the alarm information analysis and judgment module, used for extracting alarm information features, iteratively optimizing the alarm model, and analyzing and judging the alarm information.
9. A computer device comprising a processor, a memory and a bus, wherein the memory stores machine-readable instructions executable by the processor; when the computer device is running, the processor communicates with the memory via the bus, and the processor executes the machine-readable instructions to perform the steps of the intelligent network security analysis method as claimed in any one of claims 1-7.
10. A readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the intelligent network security analysis method as claimed in any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211514933.3A CN115834221A (en) | 2022-11-28 | 2022-11-28 | Intelligent analysis method, system, equipment and storage medium for network security |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115834221A true CN115834221A (en) | 2023-03-21 |
Family
ID=85532874
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115834221A (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107645493A (en) * | 2017-08-20 | 2018-01-30 | 杭州安恒信息技术有限公司 | A kind of IP groups similarity calculating method |
WO2020134783A1 (en) * | 2018-12-26 | 2020-07-02 | 中兴通讯股份有限公司 | Method, device and system for dispatching alarm ticket, and computer readable storage medium |
CN111369094A (en) * | 2018-12-26 | 2020-07-03 | 中兴通讯股份有限公司 | Alarm order dispatching method, device and system and computer readable storage medium |
CN114024829A (en) * | 2021-10-26 | 2022-02-08 | 广东电网有限责任公司 | Fault repairing method, device, equipment and storage medium of power communication network |
CN114281864A (en) * | 2021-12-17 | 2022-04-05 | 东南大学 | Correlation analysis method for power network alarm information |
CN114679342A (en) * | 2022-05-30 | 2022-06-28 | 广东电网有限责任公司佛山供电局 | Network security alarm information display method, device, equipment and medium |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116861419A (en) * | 2023-09-05 | 2023-10-10 | 国网江西省电力有限公司信息通信分公司 | Active defending log alarming method on SSR |
CN116861419B (en) * | 2023-09-05 | 2023-12-08 | 国网江西省电力有限公司信息通信分公司 | Active defending log alarming method on SSR |
CN116915507A (en) * | 2023-09-12 | 2023-10-20 | 奇安星城网络安全运营服务(长沙)有限公司 | Computer network security analysis system based on security signal matching |
CN116915507B (en) * | 2023-09-12 | 2023-12-05 | 奇安星城网络安全运营服务(长沙)有限公司 | Computer network security analysis system based on security signal matching |
CN117236439A (en) * | 2023-10-07 | 2023-12-15 | 中国科学院地理科学与资源研究所 | Comprehensive analysis system and method for network space geographic map |
CN117978541A (en) * | 2024-03-28 | 2024-05-03 | 福州安渡神州科技有限公司 | Enterprise information security monitoring alarm system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||