CN116015894B - Information security management method and system - Google Patents


Publication number
CN116015894B
Authority
CN
China
Prior art keywords
information
intrusion
preset
index
behaviors
Legal status
Active
Application number
CN202211694040.1A
Other languages
Chinese (zh)
Other versions
CN116015894A (en)
Inventor
李安
许噹噹
许东申
Current Assignee
Shenzhen Shenfei Zhiyuan Technology Co ltd
Original Assignee
Shenzhen Shenfei Zhiyuan Technology Co ltd
Events
Application filed by Shenzhen Shenfei Zhiyuan Technology Co ltd
Priority to CN202211694040.1A
Publication of CN116015894A
Application granted
Publication of CN116015894B
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to information security technology and discloses an information security management method comprising the following steps: acquiring an information network environment and performing behavior detection on illegal behaviors in that environment to obtain intrusion behaviors; extracting the intrusion characteristics of the intrusion behaviors, intercepting the intrusion behaviors to obtain intrusion information, and inputting the intrusion information into an information threat model to obtain an information threat index; filtering the intrusion information to obtain the normal information behaviors in the information network environment; extracting the normal information content corresponding to the normal information behaviors, encrypting that content to obtain encrypted information, and calculating an information security index of the encrypted information; and managing information security according to the information threat index and the information security index. The invention also provides an information security management system. The invention can improve the security of information security management.

Description

Information security management method and system
Technical Field
The present invention relates to the field of information security technologies, and in particular, to an information security management method and system.
Background
With the rapid development of science and technology, use of the internet has penetrated every field, and data is transmitted and exchanged over it. The internet, however, brings hidden information security dangers and risks along with its convenience, so improving information security requires managing it from both inside and outside the network.
Existing information security management mostly places an identity authentication window on the information platform to control user entry, which authenticates the user but little else. In practice, information security management spans many aspects; considering only a single aspect of it, and only the fixed access rights of designated users, can lead to database system breakdowns and information leakage, so the security of such management is low.
Disclosure of Invention
The invention provides an information security management method and system, and mainly aims to solve the problem of low security in information security management.
In order to achieve the above object, the present invention provides an information security management method, including:
S1, acquiring a preset information network environment, and performing behavior detection on illegal behaviors in the information network environment through preset log audit to obtain intrusion behaviors;
S2, extracting the intrusion characteristics of the intrusion behavior, intercepting the intrusion behavior by using a preset intrusion interception algorithm and the intrusion characteristics to obtain intrusion information, and inputting the intrusion information into a pre-constructed information threat model to obtain an information threat index;
S3, filtering the intrusion information through a preset filtering algorithm to obtain normal information behaviors in the information network environment, wherein the filtering of the intrusion information through the preset filtering algorithm to obtain the normal information behaviors in the information network environment comprises the following steps:
S31, calculating the measurement value of the intrusion information by using the following measurement value formula:
where $\gamma$ is the measurement value, $\exp$ is the exponential function, $G$ is the associated feature quantity of the intrusion information, $\delta$ is the fusion coefficient of the intrusion information, $a_k$ is the fusion weight corresponding to the $k$-th intrusion information, $\bar{a}$ is the average value of the fusion weights of all intrusion information, $v_k T$ is the intrusion time of the intrusion information, and $n$ is the quantity of intrusion information;
S32, when the measurement value is greater than or equal to a preset measurement threshold value, filtering the intrusion information corresponding to that measurement value into an intrusion information set by using the filtering algorithm;
S33, filtering out the intrusion information in the intrusion information set to obtain the normal information behaviors in the information network environment;
S4, extracting the normal information content corresponding to the normal information behavior, encrypting the normal information content by using a preset data encryption algorithm to obtain encrypted information, and calculating an information security index of the encrypted information by using a preset security index analysis method;
S5, managing information security according to the information threat index and the information security index by using a preset dissimilation weighting algorithm.
Optionally, the performing behavior detection on the illegal network behavior in the information network environment through a preset log audit to obtain an intrusion behavior includes:
extracting log behavior data in the log audit;
matching the log behavior data with audit behavior data in a preset audit database one by one according to a preset dynamic matching rule to obtain a matching grade state;
and when the matching grade state is red grade or yellow grade, taking illegal network behaviors corresponding to the log behavior data in the information network environment as the intrusion behaviors.
Optionally, intercepting the intrusion behavior by using a preset intrusion interception algorithm and the intrusion feature to obtain intrusion information, including:
acquiring an intrusion data packet corresponding to the intrusion characteristic, and establishing an association relation for the intrusion data packet;
generating an intrusion tree by utilizing the association relation and the intrusion characteristics;
and intercepting the intrusion tree by using the intrusion interception algorithm to obtain intrusion information.
Optionally, the generating an intrusion tree by using the association relationship and the intrusion feature includes:
randomly selecting one intrusion feature as a root node, and splitting nodes on the root node according to the association relation;
and distributing the intrusion features corresponding to the association relations to the nodes to obtain the intrusion tree.
Optionally, before the intrusion information is input into the pre-constructed information threat model to obtain the information threat index, the method further includes:
constructing a training feature set according to the intrusion features in a preset intrusion feature library, and inputting the training feature set into a preset support vector machine to obtain a classification feature set;
calculating a loss value of the support vector machine according to the classification feature set and a preset loss function;
and when the loss value is smaller than a preset loss threshold value, outputting a current support vector machine as the information threat model.
Optionally, the constructing a training feature set according to the intrusion features in the preset intrusion feature library includes:
acquiring a multivariate time sequence of the intrusion features in a real-time network state;
calculating the embedding dimension of the preset phase space by using the following embedding dimension function and the multivariate time series:
where $C$ is the embedding dimension, $N$ is the number of points in the multivariate time series, $T_i$ is the $i$-th time point in the multivariate time series, $\bar{T}$ is the average value of all time points in the multivariate time series, $\tau$ is the delay time, and $T_{i+\tau}$ is the $i$-th time point in the multivariate time series delayed by $\tau$;
reconstructing the phase space according to the embedding dimension to obtain a reconstructed phase space;
calculating the distance value between each phase point in the phase space and each phase point in the reconstructed phase space by using the following distance value algorithm:
where $D(Y_i, X_i)$ is the distance value between the $i$-th phase point in the reconstructed phase space and the $i$-th phase point in the phase space, $C$ is the embedding dimension, $Y_{i-(j-1)\tau}$ is the $(i-(j-1)\tau)$-th phase point in the reconstructed phase space, and $X_{i-(j-1)\tau}$ is the $(i-(j-1)\tau)$-th phase point in the phase space;
sorting the phase points corresponding to the distance values according to the order from small to large to obtain sorted phase points;
and taking the ordered phase points as the training feature set.
Optionally, the inputting the intrusion information into a pre-constructed information threat model to obtain an information threat index includes:
extracting intrusion characteristics corresponding to the intrusion information;
Acquiring an intrusion time sequence corresponding to the intrusion characteristics;
and inputting the intrusion time sequence into the information threat model to obtain an information threat index.
Optionally, the encrypting the normal information content by using a preset data encryption algorithm to obtain encrypted information includes:
coding the normal information content to obtain plaintext coding data;
acquiring a preset encryption key by using a preset key management system;
and carrying out information encryption on the normal information content by utilizing the data encryption algorithm according to the plaintext coding data and the encryption key to obtain encryption information:
$P = M^{e} \bmod U$
where $P$ is the encryption information, $M$ is the plaintext encoded data, $e$ is the encryption key, $\bmod$ is the remainder function, and $U$ is the key length of the encryption key. This is the textbook RSA encryption step, and two caveats apply: for the operation to be reversible, $U$ must be the RSA modulus (the product of the two secret primes) rather than the bit length of the key, with the integer $M$ smaller than $U$; and exponentiation without padding is deterministic and multiplicatively malleable, so a padding scheme such as RSA-OAEP is required in any real deployment.
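The encryption step above, worked through as an added example that is not code from the patent. It encodes the plaintext to an integer, computes $P = M^e \bmod n$, and decrypts with the private exponent; the page's $U$ is taken to be the RSA modulus $n = p \cdot q$. The two primes, the key exponent and the sample message are constructed assumptions (far too small for real use), and the final check demonstrates the malleability of unpadded exponentiation that the caveat describes.

```python
"""Textbook RSA encryption P = M^e mod n, with the properties a practitioner must know.

Added example (not code from the patent): the plaintext is encoded to an
integer, encrypted by modular exponentiation with the public exponent, and
decrypted with the private exponent. The page's symbol U is taken to be the
RSA modulus n = p*q (the product of two secret primes), not the key length.
The two primes below are constructed assumptions, far too small for real
use, chosen only so the arithmetic is visible; the malleability check shows
why unpadded exponentiation must not be used as-is.
"""
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]   # (e, n)
PrivateKey = Tuple[int, int]  # (d, n)


def keygen(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Derive (e, n) and (d, n) from two primes; d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encode(text: str) -> int:
    """Plaintext coding step: the message bytes as a big-endian integer."""
    return int.from_bytes(text.encode("utf-8"), "big")


def decode(m: int) -> str:
    """Inverse of encode()."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")


def encrypt(m: int, pub: PublicKey) -> int:
    """P = M^e mod n; the integer message must be smaller than the modulus."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, priv: PrivateKey) -> int:
    """M = P^d mod n."""
    d, n = priv
    return pow(c, d, n)


def is_malleable(pub: PublicKey, priv: PrivateKey, m1: int, m2: int) -> bool:
    """Unpadded RSA is multiplicatively homomorphic: E(m1)*E(m2) decrypts to m1*m2.

    An attacker holding two ciphertexts can forge a third valid ciphertext
    without the private key; a padding scheme (OAEP) removes this property.
    """
    _, n = pub
    forged = (encrypt(m1, pub) * encrypt(m2, pub)) % n
    return decrypt(forged, priv) == (m1 * m2) % n


def run_sample() -> Tuple[str, bool, bool]:
    """Round-trip a message and report determinism and malleability."""
    pub, priv = keygen(1000000007, 998244353)  # constructed small primes, not for real use
    c = encrypt(encode("Hello"), pub)
    deterministic = c == encrypt(encode("Hello"), pub)  # same plaintext, same ciphertext
    return decode(decrypt(c, priv)), deterministic, is_malleable(pub, priv, 12345, 67890)


if __name__ == "__main__":
    print(run_sample())  # ('Hello', True, True)
```

The two `True` values are the point: the same message always yields the same ciphertext, and a product of ciphertexts is a valid ciphertext of the product of messages. Both are removed by a randomised padding scheme, which is why the preset data encryption algorithm in S4 must not be bare modular exponentiation.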
Optionally, the calculating the information security index of the encrypted information by using a preset security index analysis method includes:
extracting an encryption characteristic index of the encryption information;
calculating the index weight of the encryption characteristic index by using the security index analysis method:
where $Q$ is the index weight, $f$ is the index entropy value, $r$ is the number of index weights, $S_y$ is the specific gravity of the $y$-th encryption characteristic index, and $\log$ is the logarithm of the $y$-th encryption characteristic index;
and determining the information security index of the encrypted information according to the index weight.
In order to solve the above problems, the present invention also provides an information security management system, which includes an intrusion behavior detection module, an information threat index determination module, an intrusion information filtering module, an information security index calculation module, and an information security management module, wherein,
the intrusion behavior detection module is used for acquiring a preset information network environment, and performing behavior detection on illegal behaviors in the information network environment through preset log audit to acquire intrusion behaviors;
the information threat index determining module is used for extracting the invasion characteristics of the invasion behaviors, intercepting the invasion behaviors by using a preset invasion interception algorithm and the invasion characteristics to obtain invasion information, and inputting the invasion information into a pre-constructed information threat model to obtain an information threat index;
the intrusion information filtering module is used for filtering the intrusion information through a preset filtering algorithm to obtain normal information behaviors in the information network environment;
The information security index calculation module is used for extracting normal information content corresponding to the normal information behavior, carrying out information encryption on the normal information content by using a preset data encryption algorithm to obtain encrypted information, and calculating the information security index of the encrypted information by using a preset security index analysis method;
the information security management module is used for managing information security according to the information threat index and the information security index by utilizing a preset dissimilation weighting algorithm.
According to the embodiment of the invention, behavior in the information network environment is detected through log audit to obtain the intrusion behavior, the intrusion characteristics of the intrusion behavior are extracted, the intrusion behavior is intercepted according to those characteristics to obtain the intrusion information, and the information threat index under the intrusion behavior is determined from the intrusion information, which helps the network information security respond to the intrusion behavior in time and thereby improves the security of the network information. Filtering the intrusion information yields the normal information in the network information; that normal information is encrypted and the information security index of the encrypted information is determined, so the security of information transmission and use is improved through the encrypted information and the security of the network information is improved further. Managing information security according to the information threat index and the information security index allows it to be monitored in real time and management measures to be taken in real time, improving information security. The information security management method and system can therefore solve the problem of low security in information security management.
Drawings
FIG. 1 is a flow chart of an information security management method according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating the intrusion detection according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating an embodiment of the present invention for filtering intrusion information;
FIG. 4 is a functional block diagram of an information security management system according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The embodiment of the application provides an information security management method. The execution subject of the information security management method includes, but is not limited to, at least one of a server, a terminal, and the like, which can be configured to execute the method provided by the embodiments of the present application. In other words, the information security management method may be performed by software or hardware installed in a terminal device or a server device, and the software may be a blockchain platform. The service end includes but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. The server may be an independent server, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms.
Referring to fig. 1, a flow chart of an information security management method according to an embodiment of the invention is shown. In this embodiment, the information security management method includes:
s1, acquiring a preset information network environment, and performing behavior detection on illegal network behaviors in the information network environment through preset log audit to obtain intrusion behaviors;
in the embodiment of the invention, the information network environment refers to the state of the current network environment, whether the current network environment is in a safe state or an unsafe state. If dangerous invasion exists in the unsafe state, when invasion behaviors occur, abnormal events and illegal behaviors in the network environment can be tracked and monitored by utilizing log audit.
In detail, the information network environment can be probed through gateway devices, test equipment and a packet capture tool. Verifying whether router and firewall parameters are configured correctly, whether network bandwidth and traffic are normal, whether the channel by which network clients reach the server is normal, and whether there are hardware or software faults allows the security of the information network environment to be assessed comprehensively.
In the embodiment of the invention, the log audit records every event needed to detect known attack patterns and abnormal attack patterns, and records information about the continuous and reliable operation of the system. For example, an audited event should include the date and time at which it occurred, the user (address) that originated it, its source and destination location, the event type, and whether it succeeded or failed. Log audit can therefore be used to detect illegal actions in the network environment.
In the embodiment of the present invention, referring to fig. 2, the performing behavior detection on the illegal network behavior in the information network environment through the preset log audit to obtain the intrusion behavior includes:
s21, extracting log behavior data in the log audit;
s22, matching the log behavior data with audit behavior data in a preset audit database one by one according to a preset dynamic matching rule to obtain a matching grade state;
and S23, when the matching grade state is red grade or yellow grade, taking illegal network behaviors corresponding to the log behavior data in the information network environment as the intrusion behaviors.
In detail, the log behavior data records the source IP address, destination IP address, time slice and protocol identifier of the behavior. The audit behavior data in the audit database comprises normal behavior data and abnormal behavior data; abnormal behavior is detected by matching the IP protocol and time slice of the log behavior data against the rule protocol, time threshold and similar fields of the audit behavior data.
Specifically, during behavior detection the log behavior data must be matched against the audit behavior data in the audit database one entry at a time, which takes up most of the matching time and lowers matching efficiency. The rule matching order in the audit database is therefore updated dynamically according to the dynamic matching rule, which compares a rule's match count with the weight the rule has learned: when the match count exceeds the weight, the rule is moved to the front of the audit database, ordered by how far it exceeds the weight; when the match count is below the weight, the rule is moved towards the back, ordered by the weight. Updating the rule order from the weight and the match count in this way reduces useless matching. The dynamic matching rules include the rule protocol, rule name, time threshold and threshold value.
Further, the matching grade state is one of red, yellow and green. A red grade state means the log contains dangerous information; a yellow grade state means the log contains suspicious information; a green grade state means the log is a safe log with no dangerous information. After the log behavior data has been matched against the audit behavior data, a red or yellow grade state indicates that dangerous information, namely intrusion behavior, exists in the log.
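The detection step S21 to S23, together with the dynamic rule reordering just described, as an added example that is not code from the patent. Each audit rule carries a protocol, an optional source-address prefix and an optional time threshold, plus a learned weight and a running match count; after every match the rule list is re-sorted as the page describes, and events graded red or yellow are reported as intrusion behaviors. The rule names, weights, sample rules and sample log events are all constructed for illustration.

```python
"""Log-audit behaviour detection with dynamically reordered audit rules.

Added example (not code from the patent): audit rules carry a protocol, an
optional source-address prefix and an optional time threshold; each rule
has a learned weight and a running match count, and the rule order is
re-sorted after every match as the patent describes. Rule names, the
sample rules and the sample log events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LogEvent:
    src_ip: str
    dst_ip: str
    protocol: str
    timestamp: int  # seconds since midnight (constructed sample data)


@dataclass
class AuditRule:
    name: str
    protocol: str
    grade: str  # "red", "yellow" or "green"
    src_prefix: Optional[str] = None
    window: Optional[Tuple[int, int]] = None  # inclusive time threshold
    weight: float = 1.0  # learned weight the match count is compared with
    matches: int = 0  # match count driving the dynamic reordering

    def matches_event(self, ev: LogEvent) -> bool:
        if ev.protocol != self.protocol:
            return False
        if self.src_prefix is not None and not ev.src_ip.startswith(self.src_prefix):
            return False
        if self.window is not None and not (self.window[0] <= ev.timestamp <= self.window[1]):
            return False
        return True


class AuditDatabase:
    def __init__(self, rules: List[AuditRule]):
        self.rules = list(rules)

    def reorder(self) -> None:
        # Dynamic matching rule: rules whose match count exceeds their weight
        # go to the front, ordered by how far they exceed it; the others go
        # behind, ordered by weight. Sorting is stable, so ties keep their order.
        hot = [r for r in self.rules if r.matches > r.weight]
        cold = [r for r in self.rules if r.matches <= r.weight]
        hot.sort(key=lambda r: r.matches - r.weight, reverse=True)
        cold.sort(key=lambda r: r.weight, reverse=True)
        self.rules = hot + cold

    def grade(self, ev: LogEvent) -> str:
        # The first rule that matches decides the grade state; an event that
        # matches no rule is treated as green (no dangerous information).
        for rule in self.rules:
            if rule.matches_event(ev):
                rule.matches += 1
                self.reorder()
                return rule.grade
        return "green"


def detect_intrusions(db: AuditDatabase, events: List[LogEvent]) -> List[Tuple[LogEvent, str]]:
    """Return the (event, grade) pairs graded red or yellow: the intrusion behaviours."""
    flagged = []
    for ev in events:
        grade = db.grade(ev)
        if grade in ("red", "yellow"):
            flagged.append((ev, grade))
    return flagged


def run_sample() -> Tuple[AuditDatabase, List[Tuple[LogEvent, str]]]:
    """Constructed rules and log events exercising all three grade states."""
    db = AuditDatabase([
        AuditRule("ssh-off-hours", "ssh", "red", window=(0, 6 * 3600)),
        AuditRule("telnet", "telnet", "yellow"),
        AuditRule("http", "http", "green"),
    ])
    events = [
        LogEvent("10.0.0.5", "10.0.0.80", "http", 36000),
        LogEvent("203.0.113.7", "10.0.0.9", "telnet", 40000),
        LogEvent("203.0.113.7", "10.0.0.9", "ssh", 3600),
        LogEvent("10.0.0.5", "10.0.0.9", "ssh", 50000),  # outside the time threshold
        LogEvent("198.51.100.2", "10.0.0.9", "telnet", 41000),
    ]
    return db, detect_intrusions(db, events)


if __name__ == "__main__":
    db, flagged = run_sample()
    for ev, grade in flagged:
        print(grade, ev)
    print("rule order:", [r.name for r in db.rules])
```

After the five sample events the telnet rule has matched twice, exceeding its weight of 1.0, so it is now tried first; the rules that matched at most once keep their relative order behind it. Note that the first matching rule decides, so a green catch-all rule placed early would mask later red rules; keep specific rules ahead of broad ones or let the weights encode that priority.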
S2, extracting the intrusion characteristics of the intrusion behavior, intercepting the intrusion behavior by using a preset intrusion interception algorithm and the intrusion characteristics to obtain intrusion information, and inputting the intrusion information into a pre-constructed information threat model to obtain an information threat index;
in the embodiment of the invention, when the intrusion behavior is detected to exist in the information network environment, measures are immediately taken to intercept the intrusion behavior, so that the information network environment is in a safe state.
In detail, the intrusion characteristics of the intrusion behavior can be obtained through log data in log audit. The intrusion characteristics refer to the index points of the intrusion, and include characteristic parameters such as intrusion time, intrusion tools, intrusion positions, network information of the intrusion and the like.
In the embodiment of the invention, the intrusion behavior is intercepted based on the P2DR model according to the intrusion interception algorithm, so that the network information reaches a safe state. The P2DR model is to comprehensively utilize various protection tools under the guidance of an overall safety strategy, and meanwhile, the detection tool is utilized to know the safety state of the system, and the system is adjusted to the state with the safest and lowest risk through proper reaction.
In the embodiment of the present invention, the intercepting the intrusion behavior by using a preset intrusion interception algorithm and the intrusion feature to obtain intrusion information includes:
acquiring an intrusion data packet corresponding to the intrusion characteristic, and establishing an association relation for the intrusion data packet;
generating an intrusion tree by utilizing the association relation and the intrusion characteristics;
and intercepting the intrusion tree by using the intrusion interception algorithm to obtain intrusion information.
In detail, when the intrusion tree faces a massive data source, useful information is extracted from the many data items and processed to form the intrusion tree. An intrusion tree is a data structure that treats each network packet and each operating system audit record as its minimum unit.
In particular, forming a complete intrusion tree from such fine-grained data requires an association relation between data packets, that is, the correlation between different information items must reach a certain degree. For example, an IP packet has attributes such as source address, destination address, receiving time and the value of each flag bit; a series of packets with the same source address and destination address are very likely to be associated with each other, as in a wide-ranging port scan, and a large number of packets with different source addresses but the same destination address and very close receiving times are also likely to be associated. An event recorder establishes the association relation for the intrusion data packets, selectively analyses and processes all the collected raw information, and records it in a fixed format.
Further, intercepting the intrusion tree with the interception algorithm means configuring the system or the firewall, on the basis of the analysis of the intrusion tree and on the premise that the network system remains usable, so as to prevent the intrusion. The intrusion information is recorded and used to update the intrusion database, so that the next time the same intrusion is encountered it can be responded to and intercepted in time.
In the embodiment of the present invention, the generating an intrusion tree by using the association relationship and the intrusion feature includes:
randomly selecting one intrusion feature as a root node, and splitting nodes on the root node according to the association relation;
and distributing the intrusion features corresponding to the association relations to the nodes to obtain the intrusion tree.
In detail, the intrusion tree is a tree-shaped data structure describing network intrusion behavior: its root represents the beginning of the intrusion, its intermediate nodes represent intermediate states of the intrusion, and its leaf nodes represent the end states of the intrusion. The intrusion tree can thus be regarded as a state transition diagram in which the intruder tries to move from the initial state to a final state.
Illustratively, some basic information about the intrusion target can be learned from the association relation between intrusion features. If a scan reveals that IIS, a telnet service and a NetBIOS service are running on the target host, three branches split off from the node where the port scan sits: telnet password guessing, an IIS vulnerability attack and NetBIOS password guessing. Continuing to correlate and analyse the information obtained gradually traces the intruder's path, so that the intrusion behavior can be responded to and intercepted.
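The association relation and the intrusion tree described above, as an added example that is not code from the patent. Packets are associated into port scans (same source and destination, many distinct destination ports) and bursts (many distinct sources hitting one destination within a short window); a port-scan association is then turned into an intrusion tree whose root is the scan, whose intermediate nodes are the services found open, and whose leaves are the follow-up attacks named on this page. The thresholds, the set of open ports and the sample packets are constructed assumptions.

```python
"""Packet association and intrusion-tree construction.

Added example (not code from the patent): packets are associated into port
scans (same source and destination, many distinct destination ports) and
bursts (many distinct sources hitting one destination within a short window),
then a port-scan association is turned into an intrusion tree whose root is
the scan, whose intermediate nodes are the services found open, and whose
leaves are the follow-up attacks named on this page. The thresholds, the set
of open ports and the sample packets are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    t: float  # receive time in seconds


@dataclass
class Node:
    label: str
    children: List["Node"] = field(default_factory=list)


# Follow-up attacks the page attaches to each discovered service.
FOLLOW_UP = {23: "telnet password guess", 80: "IIS vulnerability attack", 139: "NetBIOS password guess"}


def associate(packets: List[Packet], scan_ports: int = 10, burst_sources: int = 5,
              window: float = 1.0) -> Tuple[Dict[Tuple[str, str], List[int]], Dict[str, int]]:
    """Build the two association relations described on the page."""
    by_pair: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    by_dst: Dict[str, List[Packet]] = defaultdict(list)
    for p in packets:
        by_pair[(p.src, p.dst)].add(p.dport)
        by_dst[p.dst].append(p)

    # Same source and destination, many distinct ports: a port scan.
    scans = {pair: sorted(ports) for pair, ports in by_pair.items() if len(ports) >= scan_ports}

    # Different sources, same destination, very close in time: a burst.
    bursts: Dict[str, int] = {}
    for dst, ps in by_dst.items():
        ps.sort(key=lambda p: p.t)
        i = 0
        for j in range(len(ps)):
            while ps[j].t - ps[i].t > window:  # slide the window start forward
                i += 1
            sources = {p.src for p in ps[i:j + 1]}
            if len(sources) >= burst_sources:
                bursts[dst] = max(bursts.get(dst, 0), len(sources))
    return scans, bursts


def build_intrusion_tree(pair: Tuple[str, str], scanned_ports: List[int], open_ports: Set[int]) -> Node:
    """Root = the port scan; one branch per open service; leaf = the follow-up attack."""
    root = Node(f"port scan {pair[0]} -> {pair[1]}")
    for port in scanned_ports:
        if port in open_ports:
            service = Node(f"port {port} open")
            service.children.append(Node(FOLLOW_UP.get(port, f"attack on port {port}")))
            root.children.append(service)
    return root


def run_sample():
    """Constructed packets: one scanner probing 12 ports, and 6 sources hitting a web server at once."""
    packets = [Packet("203.0.113.7", "10.0.0.9", port, 10.0 + 0.05 * k)
               for k, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389])]
    packets += [Packet(f"198.51.100.{k}", "10.0.0.80", 80, 100.0 + 0.1 * k) for k in range(6)]
    scans, bursts = associate(packets)
    pair = ("203.0.113.7", "10.0.0.9")
    # Which scanned ports answered is assumed here; a real recorder takes it from the responses.
    tree = build_intrusion_tree(pair, scans[pair], open_ports={23, 80, 139})
    return scans, bursts, tree


if __name__ == "__main__":
    scans, bursts, tree = run_sample()
    print("scans:", scans)
    print("bursts:", bursts)
    print(tree.label, "->", [c.label + " / " + c.children[0].label for c in tree.children])
```

The burst detector is a sliding window over packets sorted by time, so it stays linear in the number of packets per destination; the scan detector counts distinct ports per (source, destination) pair. Both thresholds need tuning against the environment's normal traffic, since a busy load balancer or a monitoring host will otherwise look like a burst or a scan.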
In the embodiment of the present invention, before the intrusion information is input into the pre-constructed information threat model to obtain the information threat index, the method further includes:
constructing a training feature set according to the intrusion features in a preset intrusion feature library, and inputting the training feature set into a preset support vector machine to obtain a classification feature set;
calculating a loss value of the support vector machine according to the classification feature set and a preset loss function;
and when the loss value is smaller than a preset loss threshold value, outputting a current support vector machine as the information threat model.
In detail, the loss function includes, but is not limited to, the softmax loss; the information threat model predicts the threat index the network information suffers when the intrusion information is present, from which the network information security index can be judged.
Specifically, the support vector machine is used for processing the data classification problem, namely searching an optimal classification hyperplane meeting the classification requirement, and classifying the data by using the optimal classification hyperplane. Wherein the support vector machine derives a classification function similar in form to a neural network whose input is a linear combination of intermediate layer nodes, each intermediate layer node corresponding to the inner product of the input sample and a support vector.
In the embodiment of the present invention, the constructing a training feature set according to the intrusion features in the preset intrusion feature library includes:
acquiring a multivariate time sequence of the intrusion features in a real-time network state;
calculating the embedding dimension of the preset phase space by using the following embedding dimension function and the multivariate time series:
where $C$ is the embedding dimension, $N$ is the number of points in the multivariate time series, $T_i$ is the $i$-th time point in the multivariate time series, $\bar{T}$ is the average value of all time points in the multivariate time series, $\tau$ is the delay time, and $T_{i+\tau}$ is the $i$-th time point in the multivariate time series delayed by $\tau$;
reconstructing the phase space according to the embedding dimension to obtain a reconstructed phase space;
calculating the distance value between each phase point in the phase space and each phase point in the reconstructed phase space by using the following distance value algorithm:
where $D(Y_i, X_i)$ is the distance value between the $i$-th phase point in the reconstructed phase space and the $i$-th phase point in the phase space, $C$ is the embedding dimension, $Y_{i-(j-1)\tau}$ is the $(i-(j-1)\tau)$-th phase point in the reconstructed phase space, and $X_{i-(j-1)\tau}$ is the $(i-(j-1)\tau)$-th phase point in the phase space;
sorting the phase points corresponding to the distance values in ascending order to obtain sorted phase points;
and taking the sorted phase points as the training feature set.
In detail, the intrusion behavior is generated within a certain period of time, and a time-series-based intrusion behavior sequence is obtained within the same time interval based on the start time and the end time of the intrusion behavior. On a time scale, threat indexes have some degree of similarity to time distribution over a period of time. Compared with a univariate time sequence, the multivariate time sequence can provide more complete dynamic information, and is more beneficial to the prediction of time sequence.
Specifically, τ in the embedding dimension function is the delay time. Under ideal conditions any delay time could be chosen without degrading the reconstruction, but in real data the sequence length is limited and noise is unavoidable, so the delay cannot be chosen arbitrarily: if the delay is too small, the coordinates are too strongly correlated; if it is too large, the delay vectors become completely uncorrelated. The delay time can therefore be obtained by the average mutual information method, so that the correlation between the coordinates is moderate and the accuracy of the embedding parameters is improved.
Further, the phase space dimension at the time of data acquisition is generally high, even infinite, yet a chaotic motion does not spread over the whole phase space: it generally occupies only a smooth sub-manifold of the phase space, and its data are typically one-dimensional. Therefore the phase space must be reconstructed with the embedding dimension calculated in advance; the reconstructed phase space is more amenable to computation and the influence of noise is reduced.
Furthermore, once the phase points sorted by ascending distance are obtained, the first K phase points can be selected as the nearest neighbors of the preset phase point, and these nearest neighbors are used as training data to construct the training feature set.
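The delay-embedding procedure above (choose τ by average mutual information, reconstruct the phase space, rank phase points by distance, keep the K nearest as the training feature set), as an added Python example that is not part of the patent. The embedding-dimension and distance formulas are not reproduced on the page, so the embedding dimension C is passed in as a parameter and Euclidean distance over the C delay coordinates is assumed; the sample series is constructed.

```python
"""Delay-coordinate phase-space reconstruction and K nearest neighbours.

Added example; not code from the patent. Assumptions: the embedding dimension
is given, the distance is Euclidean over the delay coordinates, and the delay
tau is chosen by the average mutual information (AMI) method named in the text.
"""
import math
from collections import Counter

# Constructed sample series: one component of the multivariate intrusion-feature
# sequence (e.g. failed-login count per time slot), deterministic for the demo.
SAMPLE_SERIES = [round(10 + 5 * math.sin(0.5 * i) + (i % 3), 3) for i in range(60)]


def average_mutual_information(series, tau, bins=8):
    """AMI between x_t and x_{t+tau}, estimated with equal-width histogram bins."""
    lo, hi = min(series), max(series)
    width = (hi - lo) / bins or 1.0

    def bucket(v):
        return min(int((v - lo) / width), bins - 1)

    pairs = [(bucket(series[i]), bucket(series[i + tau]))
             for i in range(len(series) - tau)]
    n = len(pairs)
    joint = Counter(pairs)
    px = Counter(a for a, _ in pairs)
    py = Counter(b for _, b in pairs)
    return sum((c / n) * math.log((c / n) / ((px[a] / n) * (py[b] / n)))
               for (a, b), c in joint.items())


def choose_delay(series, max_tau=20):
    """Delay time = first local minimum of AMI(tau): too small a tau gives strongly
    correlated coordinates, too large a tau gives uncorrelated ones (see text).
    Falls back to the tau with the smallest AMI if there is no interior minimum."""
    ami = [average_mutual_information(series, t) for t in range(1, max_tau + 1)]
    for k in range(1, len(ami) - 1):
        if ami[k] < ami[k - 1] and ami[k] <= ami[k + 1]:
            return k + 1
    return ami.index(min(ami)) + 1


def reconstruct_phase_space(series, dim, tau):
    """Phase point i = (x_i, x_{i-tau}, ..., x_{i-(dim-1)tau}), following the
    X_{i-(j-1)tau} indexing used in the text, for j = 1..dim."""
    start = (dim - 1) * tau
    return [tuple(series[i - (j - 1) * tau] for j in range(1, dim + 1))
            for i in range(start, len(series))]


def euclidean(p, q):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def nearest_neighbours(phase_points, query, k):
    """Distance from the query phase point to every reconstructed phase point,
    sorted in ascending order; the first K points form the training feature set."""
    ranked = sorted(((euclidean(query, p), p) for p in phase_points), key=lambda t: t[0])
    return [p for _, p in ranked[:k]]


def build_training_set(series, dim, k, query_index=-1):
    """End-to-end: choose tau, reconstruct, and take the K nearest neighbours of the
    phase point at query_index (default: the most recent phase point)."""
    tau = choose_delay(series)
    points = reconstruct_phase_space(series, dim, tau)
    neighbours = nearest_neighbours(points, points[query_index], k)
    return {"tau": tau, "phase_points": len(points), "training_set": neighbours}


if __name__ == "__main__":
    print(build_training_set(SAMPLE_SERIES, dim=3, k=5))
```

The histogram-based AMI estimate is deliberately simple; with short, noisy sequences the first minimum can be shallow, which is exactly the situation the text describes, so a practitioner should inspect the AMI curve rather than trust the first dip blindly.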
In the embodiment of the present invention, the step of inputting the intrusion information into a pre-constructed information threat model to obtain an information threat index includes:
extracting intrusion characteristics corresponding to the intrusion information;
acquiring an intrusion time sequence corresponding to the intrusion characteristics;
and inputting the intrusion time sequence into the information threat model to obtain an information threat index.
In detail, the intrusion feature is the feature of the intrusion behavior; information threat detection is based on a support vector machine, and the time sequence corresponding to the intrusion behavior is selected as its input vector.
Specifically, the intrusion time sequence corresponding to the intrusion feature can be obtained from the timestamps of the intrusion records in the log audit. The intrusion time sequence refers to the time elapsed while the intrusion behavior is carried out. By analysing historical intrusion behaviors, a curve of historical information threat indexes over time is obtained; from the currently obtained intrusion features, the threat index to network information security when the intrusion behavior occurs can then be obtained, so that the network information security index is determined.
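How an intrusion time sequence can feed a support vector machine whose training stops when the loss value falls below a preset loss threshold (claims 5 and 7), as an added Python example; it is not the patent's model. The training sequences, the three derived features, the hinge loss with subgradient descent, and the 0-100 scaling of the decision value are all assumptions made for illustration.

```python
"""Toy linear SVM that turns an intrusion time sequence into a threat index.

Added example; not the patent's model. The training data, the features and
the 0-100 scaling of the decision value are assumptions for illustration.
"""
import math

# Constructed training samples: each is an intrusion time sequence (seconds elapsed
# between successive intrusion-related log records), labelled +1 (threat) / -1 (benign).
TRAIN = [
    ([0.5, 0.4, 0.6, 0.5], 1),        # rapid, regular: automated probing
    ([0.8, 0.7, 0.9, 0.6], 1),
    ([1.0, 0.9, 1.1, 0.8], 1),
    ([30.0, 45.0, 60.0, 50.0], -1),   # slow, irregular: human-paced activity
    ([25.0, 40.0, 35.0, 55.0], -1),
    ([50.0, 70.0, 65.0, 40.0], -1),
]


def features(time_sequence):
    """Input vector built from the time sequence: log mean gap, log spread, event rate."""
    n = len(time_sequence)
    mean = sum(time_sequence) / n
    spread = math.sqrt(sum((t - mean) ** 2 for t in time_sequence) / n)
    return [math.log1p(mean), math.log1p(spread), 1.0 / mean]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def hinge_loss(w, b, data, lam):
    """Loss value: lam/2 * ||w||^2 + mean hinge loss over the classification set."""
    reg = 0.5 * lam * dot(w, w)
    hinge = sum(max(0.0, 1.0 - y * (dot(w, x) + b)) for x, y in data) / len(data)
    return reg + hinge


def train_svm(data, loss_threshold=0.05, lam=0.01, lr=0.05, max_epochs=3000):
    """Subgradient descent on the hinge loss; training stops as soon as the loss value
    drops below the preset loss threshold (the page's stopping rule) and the current
    SVM is returned as the threat model."""
    dim = len(data[0][0])
    w, b = [0.0] * dim, 0.0
    loss = hinge_loss(w, b, data, lam)
    for _ in range(max_epochs):
        for x, y in data:
            if y * (dot(w, x) + b) < 1.0:          # margin violation: move towards y*x
                w = [wi - lr * (lam * wi - y * xi) for wi, xi in zip(w, x)]
                b += lr * y
            else:                                  # only the regulariser acts
                w = [wi * (1.0 - lr * lam) for wi in w]
        loss = hinge_loss(w, b, data, lam)
        if loss < loss_threshold:
            break
    return w, b, loss


def threat_index(model, time_sequence):
    """Information threat index on a 0-100 scale from the SVM decision value."""
    w, b, _ = model
    score = dot(w, features(time_sequence)) + b
    return 100.0 / (1.0 + math.exp(-score))


def train_threat_model():
    return train_svm([(features(seq), y) for seq, y in TRAIN])


if __name__ == "__main__":
    model = train_threat_model()
    print("final loss:", round(model[2], 4))
    print("rapid probing ->", round(threat_index(model, [0.6, 0.5, 0.7, 0.4]), 1))
    print("slow activity ->", round(threat_index(model, [40.0, 55.0, 35.0, 60.0]), 1))
```

The stopping rule matters for detection quality: a loss threshold that is too loose returns an under-trained classifier whose threat index hovers near 50 for everything, so the threshold should be validated against held-out intrusion records rather than fixed once.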
Furthermore, in network information security, once the intrusion information has been completely filtered out, all normal information data can be obtained from the network information, so that information security is ensured.
S3, filtering the intrusion information through a preset filtering algorithm to obtain normal information behaviors in the information network environment;
In the embodiment of the invention, normal information behavior is information behavior in which information is generated, transmitted, used and stored by legitimate means. Therefore, the intrusion information in the network information is filtered out by a filtering algorithm so that only normal information behaviors remain, ensuring the safety of the information data corresponding to those behaviors.
In the embodiment of the present invention, referring to fig. 3, the filtering the intrusion information by a preset filtering algorithm to obtain a normal information behavior in the information network environment includes:
s31, calculating the measurement value of the intrusion information by using the following measurement value formula:
wherein γ is the measurement value, exp is an exponential function, G is the associated feature quantity of the intrusion information, δ is the fusion coefficient of the intrusion information, a_k is the fusion weight corresponding to the k-th intrusion information, ā is the average value of the fusion weights of all intrusion information, v_k is the quantized feature value corresponding to the k-th intrusion information, T is the intrusion time of the intrusion information, and n is the quantity of intrusion information;
s32, when the measurement value is greater than or equal to a preset measurement threshold value, the intrusion information corresponding to the measurement value is filtered into an intrusion information set by utilizing the filtering algorithm;
s33, filtering the corresponding intrusion information in the intrusion information set to obtain normal information behaviors in the information network environment.
In detail, the associated feature quantity in the measurement value formula is the quantity of information associated with each piece of intrusion information; fusing the intrusion information improves the accuracy of the measurement value calculation. The measurement value reflects the degree of threat the intrusion information poses to information security. If it is greater than or equal to the preset measurement threshold, the threat to information security is serious and the intrusion information must be filtered out of the network information; otherwise the intrusion information corresponding to the abnormal behavior would be transmitted to other network environments during information transmission and cause unnecessary loss. If the measurement value is smaller than the preset measurement threshold, the intrusion information does not threaten information security; it can either be cleared or be stored.
Specifically, the filtering algorithm is implemented on the basis of a clustering algorithm: when the measurement value is greater than or equal to the preset measurement threshold, the intrusion information is clustered together into the intrusion information set, and the corresponding intrusion information in that set is filtered out, ensuring information security.
Illustratively, when the data information base suffers an abnormal intrusion, the information corresponding to the abnormal information and behavior data, i.e. the intrusion information, is obtained. The measurement value of the intrusion information is determined by the measurement value formula, and when it is larger than the preset measurement threshold, the intrusion information corresponding to the intrusion behavior is filtered out, ensuring the safety of the information.
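Steps S31 to S33 as a pipeline over intrusion records (score, gather records at or above the threshold into the intrusion information set, keep the rest as normal behaviors), as an added Python example that is not the patent's code. The page does not reproduce the measurement value formula, so the `measurement_value` function is a stand-in that only reuses the page's ingredients (exp, fusion weights a_k and their mean, quantized values v_k, fusion coefficient δ, associated feature quantity G, intrusion time T, count n); its exact form, the threshold and the records are all constructed.

```python
"""Threshold filter separating intrusion information from normal behaviours.

Added example; not the patent's code. `measurement_value` is a constructed
stand-in for the page's metric formula, which is not reproduced there.
"""
import math
import statistics

# Constructed intrusion records: associated feature quantity G, intrusion time T
# (seconds), per-record fusion weights a_k with quantized feature values v_k, and
# the behaviour each record was derived from.
RECORDS = [
    {"id": "r1", "behaviour": "bulk-export", "G": 4, "T": 120,
     "weights": [0.9, 0.8, 0.7], "values": [1.0, 0.8, 0.9]},
    {"id": "r2", "behaviour": "login", "G": 1, "T": 5,
     "weights": [0.2, 0.1, 0.1], "values": [0.1, 0.0, 0.2]},
    {"id": "r3", "behaviour": "privilege-change", "G": 3, "T": 60,
     "weights": [0.7, 0.6, 0.8], "values": [0.9, 0.7, 0.6]},
    {"id": "r4", "behaviour": "file-read", "G": 1, "T": 2,
     "weights": [0.1, 0.2, 0.1], "values": [0.2, 0.1, 0.1]},
]


def measurement_value(record, delta=0.5):
    """Stand-in metric gamma (assumption): exp of the fusion-weighted mean of the
    quantized features (weights normalised by their mean a-bar), scaled by delta,
    by the associated feature quantity G and by a saturating term in the time T."""
    weights, values = record["weights"], record["values"]
    a_mean = statistics.fmean(weights)
    n = len(weights)
    fused = sum((a / a_mean) * v for a, v in zip(weights, values)) / n
    return math.exp(delta * record["G"] * fused * (1 - math.exp(-record["T"] / 30)))


def filter_intrusions(records, threshold, delta=0.5):
    """S31-S33: score each record, cluster those at or above the preset threshold
    into the intrusion information set, and return the remaining normal behaviours."""
    intrusion_set, normal = [], []
    for rec in records:
        gamma = measurement_value(rec, delta)
        target = intrusion_set if gamma >= threshold else normal
        target.append({**rec, "gamma": round(gamma, 3)})
    return intrusion_set, normal


if __name__ == "__main__":
    flagged, kept = filter_intrusions(RECORDS, threshold=2.0)
    print("intrusion information set:", [(r["id"], r["gamma"]) for r in flagged])
    print("normal behaviours:", [(r["id"], r["behaviour"]) for r in kept])
```

Records below the threshold are returned rather than discarded, matching the text's remark that low-scoring intrusion information may be cleared or stored; retaining them supports later retrospective analysis.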
Furthermore, after the intrusion information has been completely filtered out, only normal information data remains; to prevent the normal information from being attacked during data transmission and use, the normal information data must be encrypted to further ensure information security.
S4, extracting normal information content corresponding to the normal information behavior, carrying out information encryption on the normal information content by using a preset data encryption algorithm to obtain encrypted information, and calculating an information security index of the encrypted information by using a preset security index analysis method;
Specifically, from the normal information behavior, the data operations performed under that behavior can be obtained, and thereby the normal information content corresponding to the normal information behavior.
In detail, in order to prevent normal information from being attacked in the processes of data transmission, use and storage, it is necessary to encrypt normal information data to further secure information.
In the embodiment of the present invention, the encrypting the normal information content by using a preset data encryption algorithm to obtain encrypted information includes:
coding the normal information content to obtain plaintext coding data;
acquiring a preset encryption key by using a preset key management system;
and carrying out information encryption on the normal information content by utilizing the data encryption algorithm according to the plaintext coding data and the encryption key to obtain encryption information:
P = M^e mod U
wherein P is the encrypted information, M is the plaintext encoded data, e is the encryption key, mod is the remainder function, and U is the key length of the encryption key.
In detail, the first user attribute and the association relation can be encoded using UTF-8 as the encoding function; UTF-8 is a Unicode encoding scheme in which any character is converted into a unique matching binary string.
Specifically, the encryption key is public and anyone can obtain it, so it is called the public key; the decryption key cannot be made public and may only be used by its owner, so it is called the private key. The encryption key can be obtained from the Key Management System (KMS). In data encryption, the plaintext and the secret key are kept secret; the plaintext is encrypted according to the secret key and the encryption algorithm and converted into a ciphertext. The key length U of the encryption key is obtained by multiplying two randomly generated prime numbers p and q; the resulting product is the key length of the encryption key.
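The encryption step P = M^e mod U applied to UTF-8 encoded content, with key generation from two primes p and q and decryption with the private key, as an added Python example and not the patent's implementation. The toy primes, the public exponent e and the dictionary standing in for the key management system are constructed; the note after the block states the caveats.

```python
"""Textbook RSA-style encryption P = M^e mod U of UTF-8 encoded content.

Added example; not the patent's implementation. The primes, the public
exponent and the key-store lookup are constructed stand-ins.
"""
import math

# Stand-in for the key management system (assumption): toy primes p, q chosen so
# that U = p*q exceeds 65535, letting every 2-byte plaintext block satisfy M < U.
TOY_KMS = {"p": 1009, "q": 1013, "e": 65537}


def generate_keys(kms=TOY_KMS):
    """Public key (e, U) and private key (d, U); U is the product p*q that the
    text calls the key length of the encryption key."""
    p, q, e = kms["p"], kms["q"], kms["e"]
    U = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (e, U), (d, U)


def encode_plaintext(text):
    """UTF-8 encode, pad to an even length, and split into 2-byte integers M."""
    data = text.encode("utf-8")
    padded = data + (b"\x00" if len(data) % 2 else b"")
    blocks = [int.from_bytes(padded[i:i + 2], "big") for i in range(0, len(padded), 2)]
    return blocks, len(data)


def encrypt(text, public_key):
    """P = M^e mod U for every plaintext block; returns the blocks and byte length."""
    e, U = public_key
    blocks, length = encode_plaintext(text)
    return [pow(M, e, U) for M in blocks], length


def decrypt(cipher_blocks, length, private_key):
    """M = P^d mod U, then reassemble the bytes and trim the padding byte."""
    d, U = private_key
    raw = b"".join(pow(P, d, U).to_bytes(2, "big") for P in cipher_blocks)
    return raw[:length].decode("utf-8")


def roundtrip(text):
    """Encrypt with the public key and decrypt with the private key."""
    public_key, private_key = generate_keys()
    cipher, length = encrypt(text, public_key)
    return decrypt(cipher, length, private_key), cipher


if __name__ == "__main__":
    recovered, cipher = roundtrip("normal information: 正常信息")
    print("first cipher blocks:", cipher[:4])
    print("recovered:", recovered)
```

Two caveats a practitioner should take from this: the primes here are far too small to be secure, and raw exponentiation is deterministic, so identical plaintext blocks yield identical ciphertext blocks. A deployment obtains keys from an actual KMS and uses a padded scheme such as RSA-OAEP, and normally encrypts a symmetric content key rather than the content itself. The block also shows why U matters: each plaintext block M must be smaller than U, which is why the text is split into 2-byte blocks for this toy modulus.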
Further, once the information has been encrypted, the information security index is predicted, that is, the information security index is predicted by a pre-constructed information security model.
According to the embodiment of the invention, the information security index can be further determined by calculating the weight of the encrypted information: the higher the weight, the higher the information security index.
In the embodiment of the present invention, the calculating the information security index of the encrypted information by using a preset security index analysis method includes:
extracting an encryption characteristic index of the encryption information;
calculating the index weight of the encryption characteristic index by using the security index analysis method:
wherein Q is the index weight, f is the index entropy value, r is the number of index weights, S_y is the specific gravity (proportion) of the y-th encryption characteristic index, and log is the logarithmic function;
and determining the information security index of the encrypted information according to the index weight.
In detail, the security index analysis method is based on the entropy value method, which uses the property that entropy is a measure of uncertainty to judge the effectiveness and value of the existing indexes. The encryption characteristic indexes of the encrypted information include the encryption coding type, the encryption key, the encryption plaintext type and the like; a weight coefficient is calculated for each encryption characteristic to determine the weight of the encrypted information.
Specifically, the index entropy value reflects the utility value of the encrypted information in depth and has high credibility. The index weights of all encryption characteristic indexes of the encrypted information are added to obtain the total weight of the encrypted information, and the information security coefficient of the encrypted information is determined from that weight. The higher the weight of the encrypted information, the higher the information security index; the lower the weight, the lower the information security index.
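The entropy value method used to weight the encryption characteristic indexes and derive an information security index, as an added Python example; it is not the patent's code. The page does not reproduce the weight formula, so the standard entropy-weight formula is used (for index y: S_y is each item's share of the column total, f_y = -(1/ln m) Σ S_y ln S_y is the index entropy, Q_y = (1 - f_y) / Σ_z (1 - f_z) is the index weight), and the scores in SAMPLE, including one constant column to show a zero weight, are constructed.

```python
"""Entropy weight method for the encryption characteristic indexes.

Added example; not the patent's code. Uses the standard entropy-weight
formula (assumption) over constructed scores.
"""
import math

INDEXES = ["coding_type", "key_strength", "plaintext_type"]
# Constructed scores (higher = more secure) for four encrypted items; the
# plaintext_type column is constant on purpose, so it should receive weight 0.
SAMPLE = [
    [0.9, 0.95, 0.5],
    [0.6, 0.40, 0.5],
    [0.8, 0.70, 0.5],
    [0.3, 0.20, 0.5],
]


def proportions(matrix):
    """S_y for each item and index: the item's score as a share of the column total."""
    cols = list(zip(*matrix))
    totals = [sum(c) for c in cols]
    return [[v / t if t else 0.0 for v, t in zip(row, totals)] for row in matrix]


def index_entropy(matrix):
    """f for each index; a constant column has maximal entropy 1 (no information)."""
    m = len(matrix)
    shares = proportions(matrix)
    k = 1.0 / math.log(m) if m > 1 else 0.0
    return [-k * sum(s * math.log(s) for s in col if s > 0) for col in zip(*shares)]


def index_weights(matrix):
    """Q for each index: (1 - f) normalised to sum 1."""
    f = index_entropy(matrix)
    diff = [1.0 - fy for fy in f]
    total = sum(diff)
    return [d / total for d in diff] if total else [1.0 / len(f)] * len(f)


def security_index(scores, weights):
    """Information security index (0-100) of one encrypted item as the weighted score."""
    return 100.0 * sum(q * s for q, s in zip(weights, scores))


if __name__ == "__main__":
    w = index_weights(SAMPLE)
    for name, q in zip(INDEXES, w):
        print(f"{name:15s} weight {q:.3f}")
    for row in SAMPLE:
        print(row, "->", round(security_index(row, w), 1))
```

The zero weight on the constant column is the practical lesson of the entropy method: an index that takes the same value for every item cannot discriminate and should not inflate the security index, so index selection needs enough variation across the data being scored.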
Further, the information can be managed according to the information security index and the information threat index of the encrypted information, so that the information security is ensured.
S5, managing information safety according to the information threat index and the information safety index by using a preset dissimilation weighting algorithm.
In the embodiment of the invention, information security means that information is not leaked or destroyed while being generated, transmitted, used and stored, and that its confidentiality, integrity, availability and non-repudiation are ensured. Information security mainly comprises physical security, security control and security services.
In the embodiment of the present invention, the managing information security according to the information threat index and the information security index by using a preset dissimilation weighting algorithm includes:
determining a first weight coefficient of the information threat index by using a preset analytic hierarchy process, and determining a second weight coefficient of the information security index by using the analytic hierarchy process;
calculating a safety management index of information safety according to the first weight coefficient, the second weight coefficient, the information threat index and the information safety index by using the dissimilation weighting algorithm:
A=α(100-B)+βD
wherein A is the security management index, α is the first weight coefficient, β is the second weight coefficient, B is the information threat index, and D is the information security index;
And managing information security according to the security management index.
In detail, the analytic hierarchy process (AHP) is a decision method that decomposes the elements involved in a decision into levels such as target, criteria and scheme, and performs qualitative and quantitative analysis on that basis; it is a hierarchical weight decision analysis method.
Specifically, when the total of the information security indexes is 100, the information threat index can be determined and subtracted from it to obtain the information security index. The weight coefficients represent the importance of the information; from the information security index after threats are intercepted and the information security index after the information is encrypted while a threat exists, the overall security index of information security, i.e. the security management index after the information has been managed by threat interception and information encryption, can finally be determined.
Further, a higher information security index indicates that the network information security management system is more complete; a lower information security index indicates that the management system needs to be improved, in which case information security can be managed by taking measures in three aspects: physical security, security mechanisms and security services.
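AHP weighting of the two indexes followed by the dissimilation weighting formula A = α(100 - B) + βD from step S5, as an added Python example, not the patent's implementation. The pairwise judgement matrix (threat index judged 3 times as important as the security index), the sample B and D values, and the Saaty consistency-ratio check are constructed for illustration.

```python
"""AHP weights for the two indexes and the security management index A.

Added example; not the patent's implementation. The judgement matrix and
sample index values are constructed.
"""

# Saaty's random consistency index by matrix order (index 0 unused).
RANDOM_INDEX = [0.0, 0.0, 0.0, 0.58, 0.90, 1.12, 1.24, 1.32, 1.41, 1.45]


def ahp_weights(judgement, iterations=200, tol=1e-12):
    """Principal eigenvector (normalised to sum 1) and lambda_max of a pairwise
    comparison matrix, by power iteration."""
    n = len(judgement)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(judgement[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        new_w = [v / total for v in aw]
        converged = max(abs(a - b) for a, b in zip(new_w, w)) < tol
        w = new_w
        if converged:
            break
    aw = [sum(judgement[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lambda_max


def consistency_ratio(judgement, lambda_max):
    """CR = CI / RI; judgements with CR > 0.1 are usually sent back for revision."""
    n = len(judgement)
    if n <= 2:
        return 0.0
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def security_management_index(alpha, beta, B, D):
    """A = alpha * (100 - B) + beta * D, the page's dissimilation weighting formula."""
    return alpha * (100 - B) + beta * D


def manage(judgement, B, D, cr_limit=0.1):
    """Derive alpha, beta by AHP, check consistency, and compute A."""
    w, lam = ahp_weights(judgement)
    cr = consistency_ratio(judgement, lam)
    if cr > cr_limit:
        raise ValueError(f"inconsistent judgements (CR={cr:.3f})")
    alpha, beta = w[0], w[1]
    return {"alpha": alpha, "beta": beta, "CR": cr,
            "A": security_management_index(alpha, beta, B, D)}


# Constructed judgement: threat index (row 0) vs security index (row 1).
JUDGEMENT = [[1.0, 3.0], [1.0 / 3.0, 1.0]]

if __name__ == "__main__":
    print(manage(JUDGEMENT, B=40.0, D=80.0))
```

With a two-by-two judgement matrix the weights are simply a/(1+a) and 1/(1+a), and the consistency ratio is always zero; the power iteration and the CR check earn their keep when more criteria (for instance the three aspects physical security, security mechanisms and security services named in the text) are added to the hierarchy.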
According to the embodiment of the invention, behavior in the information network environment is detected by log audit to obtain intrusion behaviors, the intrusion features of those behaviors are extracted, the intrusion behaviors are intercepted according to the intrusion features to obtain intrusion information, and the information threat index under the intrusion behaviors is determined from the intrusion information, which facilitates a timely response of network information security to intrusion behaviors and further improves the security of network information. By filtering the intrusion information, the normal information in the network information can be obtained; the normal information is encrypted, the information security index of the encrypted information is determined, and the safety of information transmission and use is improved through the encrypted information, further improving the security of network information. Information security is managed according to the information threat index and the information security index, so that information security management can be monitored in real time and management measures can be taken in real time, improving information security. Therefore, the information security management method and system can solve the problem of low security in information security management.
Fig. 4 is a functional block diagram of an information security management system according to an embodiment of the present invention.
The information security management system 100 of the present invention may be installed in an electronic device. Depending on the functions implemented, the information security management system 100 may include an intrusion behavior detection module 101, an information threat index determination module 102, an intrusion information filtering module 103, an information security index calculation module 104, and an information security management module 105. A module of the invention, which may also be referred to as a unit, is a series of computer program segments stored in the memory of the electronic device that can be executed by the processor of the electronic device and perform a fixed function.
In the present embodiment, the functions concerning the respective modules/units are as follows:
the intrusion behavior detection module 101 is configured to obtain a preset information network environment, perform behavior detection on illegal behaviors in the information network environment through preset log audit, and obtain intrusion behaviors;
the information threat index determining module 102 is configured to extract an intrusion characteristic of the intrusion behavior, intercept the intrusion behavior by using a preset intrusion interception algorithm and the intrusion characteristic to obtain intrusion information, and input the intrusion information into a pre-constructed information threat model to obtain an information threat index;
the intrusion information filtering module 103 is configured to filter the intrusion information by using a preset filtering algorithm, so as to obtain a normal information behavior in the information network environment;
the information security index calculation module 104 is configured to extract normal information content corresponding to the normal information behavior, encrypt the normal information content by using a preset data encryption algorithm to obtain encrypted information, and calculate an information security index of the encrypted information by using a preset security index analysis method;
the information security management module 105 is configured to manage information security according to the information threat index and the information security index by using a preset dissimilation weighting algorithm.
In detail, each module in the information security management system 100 in the embodiment of the present invention adopts the same technical means as the information security management method described in fig. 1 to 3, and can produce the same technical effects, which are not described herein.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative, e.g., the division of the modules is merely a logical function division, and other manners of division may be implemented in practice.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical units, may be located in one place, or may be distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units can be realized in a form of hardware or a form of hardware and a form of software functional modules.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof.
The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. Multiple units or systems as set forth in the system claims may also be implemented by means of one unit or system in software or hardware. The terms first, second, etc. are used to denote a name, but not any particular order.
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (10)

1. An information security management method, the method comprising:
s1, acquiring a preset information network environment, and performing behavior detection on illegal behaviors in the information network environment through preset log audit to obtain intrusion behaviors;
s2, extracting the intrusion characteristics of the intrusion behavior, intercepting the intrusion behavior by using a preset intrusion interception algorithm and the intrusion characteristics to obtain intrusion information, and inputting the intrusion information into a pre-constructed information threat model to obtain an information threat index;
S3, filtering the intrusion information through a preset filtering algorithm to obtain normal information behaviors in the information network environment, wherein the filtering the intrusion information through the preset filtering algorithm to obtain the normal information behaviors in the information network environment comprises the following steps:
s31, calculating the measurement value of the intrusion information by using the following measurement value formula:
wherein γ is the metric value, exp is an exponential function, G is the associated feature quantity of the intrusion information, δ is the fusion coefficient of the intrusion information, a_k is the fusion weight corresponding to the k-th intrusion information, ā is the mean value of the fusion weights of all intrusion information, v_k is the quantized feature value corresponding to the k-th intrusion information, T is the intrusion time of the intrusion information, and n is the amount of intrusion information;
s32, when the measurement value is greater than or equal to a preset measurement threshold value, the intrusion information corresponding to the measurement value is filtered into an intrusion information set by utilizing the filtering algorithm;
s33, filtering the corresponding intrusion information in the intrusion information set to obtain normal information behaviors in the information network environment;
s4, extracting normal information content corresponding to the normal information behavior, carrying out information encryption on the normal information content by using a preset data encryption algorithm to obtain encrypted information, and calculating an information security index of the encrypted information by using a preset security index analysis method;
S5, managing information safety according to the information threat index and the information safety index by using a preset dissimilation weighting algorithm.
2. The information security management method according to claim 1, wherein the performing behavior detection on illegal network behaviors in the information network environment through a preset log audit to obtain intrusion behaviors includes:
extracting log behavior data in the log audit;
matching the log behavior data with audit behavior data in a preset audit database one by one according to a preset dynamic matching rule to obtain a matching grade state;
and when the matching grade state is red grade or yellow grade, taking illegal network behaviors corresponding to the log behavior data in the information network environment as the intrusion behaviors.
3. The information security management method of claim 1, wherein intercepting the intrusion by using a preset intrusion interception algorithm and the intrusion feature to obtain intrusion information comprises:
acquiring an intrusion data packet corresponding to the intrusion characteristic, and establishing an association relation for the intrusion data packet;
generating an intrusion tree by utilizing the association relation and the intrusion characteristics;
and intercepting the intrusion tree by using the intrusion interception algorithm to obtain intrusion information.
4. The information security management method according to claim 3, wherein the generating an intrusion tree using the association relationship and the intrusion feature comprises:
randomly selecting one intrusion feature as a root node, and splitting nodes on the root node according to the association relation;
and distributing the intrusion features corresponding to the association relations to the nodes to obtain the intrusion tree.
5. The information security management method according to claim 1, wherein before the intrusion information is input into a pre-constructed information threat model to obtain an information threat index, the method further comprises:
constructing a training feature set according to the intrusion features in a preset intrusion feature library, and inputting the training feature set into a preset support vector machine to obtain a classification feature set;
calculating a loss value of the support vector machine according to the classification feature set and a preset loss function;
and when the loss value is smaller than a preset loss threshold value, outputting a current support vector machine as the information threat model.
6. The information security management method as claimed in claim 5, wherein the constructing a training feature set according to the intrusion features in the preset intrusion feature library includes:
acquiring a multivariate time sequence of the intrusion features in a real-time network state;
calculating the embedding dimension of the preset phase space by using the following embedding dimension function and the multivariate time sequence:
wherein C is the embedding dimension, N is the number of time points in the multivariate time series, T_i is the i-th time point in the multivariate time series, T̄ is the mean of all time points in the multivariate time series, τ is the delay time, and T_{i+τ} is the time point τ after the i-th time point in the multivariate time series;
reconstructing the phase space according to the embedding dimension to obtain a reconstructed phase space;
calculating the distance value between each phase point in the phase space and each phase point in the reconstruction phase space by using the following distance value algorithm:
wherein D(Y_i, X_i) is the distance value between the i-th phase point Y_i in the reconstructed phase space and the i-th phase point X_i in the phase space, C is the embedding dimension, Y_{i-(j-1)τ} is the (i-(j-1)τ)-th phase point in the reconstructed phase space, and X_{i-(j-1)τ} is the (i-(j-1)τ)-th phase point in the phase space;
sorting the phase points corresponding to the distance values according to the order from small to large to obtain sorted phase points;
and taking the ordered phase points as the training feature set.
7. The information security management method of claim 1, wherein the inputting the intrusion information into a pre-constructed information threat model to obtain an information threat index comprises:
extracting intrusion characteristics corresponding to the intrusion information;
acquiring an intrusion time sequence corresponding to the intrusion characteristics;
and inputting the intrusion time sequence into the information threat model to obtain an information threat index.
8. The information security management method according to claim 1, wherein the encrypting the normal information content using a predetermined data encryption algorithm to obtain the encrypted information comprises:
coding the normal information content to obtain plaintext coding data;
acquiring a preset encryption key by using a preset key management system;
and carrying out information encryption on the normal information content by utilizing the data encryption algorithm according to the plaintext coding data and the encryption key to obtain encryption information:
P = M^e mod U, wherein P is the encryption information, M is the plaintext encoded data, e is the encryption key, mod is the remainder function, and U is the key length of the encryption key.
9. The information security management method according to claim 1, wherein the calculating the information security index of the encrypted information using a preset security index analysis method comprises:
extracting an encryption characteristic index of the encryption information;
calculating the index weight of the encryption characteristic index by using the security index analysis method:
wherein Q is the index weight, f is the index entropy value, r is the number of index weights, S_y is the specific gravity of the y-th encryption characteristic index, and log is the logarithmic function;
and determining the information security index of the encrypted information according to the index weight.
10. An information security management system is characterized by comprising an intrusion behavior detection module, an information threat index determination module, an intrusion information filtering module, an information security index calculation module and an information security management module, wherein,
the intrusion behavior detection module is used for acquiring a preset information network environment, and performing behavior detection on illegal behaviors in the information network environment through preset log audit to acquire intrusion behaviors;
the information threat index determining module is used for extracting the intrusion characteristics of the intrusion behaviors, intercepting the intrusion behaviors by using a preset intrusion interception algorithm and the intrusion characteristics to obtain intrusion information, and inputting the intrusion information into a pre-constructed information threat model to obtain an information threat index;
the intrusion information filtering module is used for filtering the intrusion information through a preset filtering algorithm to obtain normal information behaviors in the information network environment;
the information security index calculation module is used for extracting normal information content corresponding to the normal information behavior, carrying out information encryption on the normal information content by using a preset data encryption algorithm to obtain encrypted information, and calculating the information security index of the encrypted information by using a preset security index analysis method;
the information security management module is used for managing information security according to the information threat index and the information security index by utilizing a preset dissimilation weighting algorithm.
CN202211694040.1A 2022-12-28 2022-12-28 Information security management method and system Active CN116015894B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211694040.1A CN116015894B (en) 2022-12-28 2022-12-28 Information security management method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211694040.1A CN116015894B (en) 2022-12-28 2022-12-28 Information security management method and system

Publications (2)

Publication Number Publication Date
CN116015894A CN116015894A (en) 2023-04-25
CN116015894B true CN116015894B (en) 2023-07-21

Family

ID=86029293

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211694040.1A Active CN116015894B (en) 2022-12-28 2022-12-28 Information security management method and system

Country Status (1)

Country Link
CN (1) CN116015894B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116708708B (en) * 2023-08-01 2024-04-02 广州市艾索技术有限公司 Method and system for constructing paperless conference based on distribution
CN117614724A (en) * 2023-12-06 2024-02-27 北京东方通科技股份有限公司 Industrial Internet access control method based on system fine granularity processing

Citations (1)

Publication number Priority date Publication date Assignee Title
CN115085385A (en) * 2022-08-03 2022-09-20 国网安徽省电力有限公司宿州供电公司 Power network safety monitoring and analyzing method

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
US10438207B2 (en) * 2015-04-13 2019-10-08 Ciena Corporation Systems and methods for tracking, predicting, and mitigating advanced persistent threats in networks
US10412111B2 (en) * 2016-12-30 2019-09-10 eSentire, Inc. System and method for determining network security threats
JP2022153081A (en) * 2021-03-29 2022-10-12 株式会社デンソー Attack analysis device, attack analysis method, and attack analysis program
CN113095322A (en) * 2021-04-22 2021-07-09 河南鑫安利安全科技股份有限公司 Enterprise safety index analysis method and system based on big data and artificial intelligence
CN113542298A (en) * 2021-07-28 2021-10-22 东莞市镁客教育科技有限公司 Strategy configuration method based on big data information security and artificial intelligence protection system
CN114499957A (en) * 2021-12-24 2022-05-13 广州电力设计院有限公司 Network information security dynamic evaluation system and method thereof
CN114943273A (en) * 2022-04-12 2022-08-26 阿里巴巴(中国)有限公司 Data processing method, storage medium, and computer terminal

Patent Citations (1)

Publication number Priority date Publication date Assignee Title
CN115085385A (en) * 2022-08-03 2022-09-20 国网安徽省电力有限公司宿州供电公司 Power network safety monitoring and analyzing method

Also Published As

Publication number Publication date
CN116015894A (en) 2023-04-25

Similar Documents

Publication Publication Date Title
CN116015894B (en) Information security management method and system
CN112398779B (en) Network traffic data analysis method and system
García et al. Survey on network‐based botnet detection methods
CN111277570A (en) Data security monitoring method and device, electronic equipment and readable medium
Hassan Network intrusion detection system using genetic algorithm and fuzzy logic
Boukhamla et al. CICIDS2017 dataset: performance improvements and validation as a robust intrusion detection system testbed
Liu et al. Detecting DNS tunnel through binary-classification based on behavior features
Burbeck et al. Adwice–anomaly detection with real-time incremental clustering
Lappas et al. Data mining techniques for (network) intrusion detection systems
Wan et al. Feature-selection-based ransomware detection with machine learning of data analysis
Corona et al. Information fusion for computer security: State of the art and open issues
US20230012220A1 (en) Method for determining likely malicious behavior based on abnormal behavior pattern comparison
Letteri et al. Feature selection strategies for http botnet traffic detection
He et al. Detection of tor traffic hiding under obfs4 protocol based on two-level filtering
Mangrulkar et al. Network attacks and their detection mechanisms: A review
Sree et al. HADM: detection of HTTP GET flooding attacks by using Analytical hierarchical process and Dempster–Shafer theory with MapReduce
CN113364745A (en) Log collecting and analyzing processing method
Luxemburk et al. Detection of https brute-force attacks with packet-level feature set
Fortunati et al. An improvement of the state-of-the-art covariance-based methods for statistical anomaly detection algorithms
Karaçay et al. Intrusion detection over encrypted network data
Sharma et al. An overview of flow-based anomaly detection
Ogawa et al. Malware originated http traffic detection utilizing cluster appearance ratio
Tian et al. A transductive scheme based inference techniques for network forensic analysis
Naidu et al. An effective approach to network intrusion detection system using genetic algorithm
Siboni et al. Botnet identification via universal anomaly detection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant