CN116170203A - Prediction method and system for security risk event - Google Patents


Info

Publication number
CN116170203A
Authority
CN
China
Prior art keywords
data
safety
detection
data set
value
Prior art date
Legal status
Pending
Application number
CN202310135078.3A
Other languages
Chinese (zh)
Inventor
朱博迪
杨东
刘迪
毕玉冰
燕前
王文庆
崔逸群
邓楠轶
刘超飞
刘骁
肖力炀
刘鹏飞
Current Assignee
Xian Thermal Power Research Institute Co Ltd
Huaneng Power International Inc
Original Assignee
Xian Thermal Power Research Institute Co Ltd
Huaneng Power International Inc
Application filed by Xian Thermal Power Research Institute Co Ltd and Huaneng Power International Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a method and a system for predicting a security risk event. The method comprises the following steps: acquiring the original message data corresponding to a security risk event, writing the original message data into a log according to a preset format, and generating message log data; performing preliminary security detection on the message log data; and, when the preliminary security detection result is "safe", inputting the message log data into a pre-constructed security prediction model to carry out security prediction, obtaining a predicted security value, and deciding from the predicted security value whether the current security risk event is safe. The security prediction model is constructed from historical data, and the security risk event is detected in a two-level (secondary) detection scheme, which improves the accuracy of security detection.

Description

Prediction method and system for security risk event
Technical Field
The invention relates to the technical field of security detection, and in particular to a method and a system for predicting a security risk event.
Background
With the increasing degree of informatization, enterprises deploy more and more network devices and security devices. Their log records are correspondingly scattered and ever larger in volume: operation and maintenance staff cannot accurately and promptly find the useful information in massive log records, emergency alarms are not handled in time, information scattered across locations cannot be analysed and used as a whole, and the overall security posture of the enterprise cannot be grasped, so security policies are not adjusted in time and the system faces higher security risk.
An industrial information security log platform can collect and aggregate the alarm status and network security status of each security subsystem to form comprehensive supervision of the whole security system. It overcomes the situation in which each subsystem looks only after its own data (literally, "each sweeps the snow in front of its own door"): the security data of every supervised unit are aggregated and analysed into a network security situation, emergency plans are established in combination with an internal security baseline database, a regional intelligent security precaution, early-warning and emergency-response system is set up, and the overall information security protection capability of the enterprise is improved. There is therefore a need for more accurate security detection of security risk events in network devices.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to overcome the shortcomings of security detection of security risk events in the prior art, by providing a method and a system for predicting a security risk event that construct a security prediction model from historical data, detect the security risk event in a two-level security detection scheme and improve the detection accuracy.
The technical scheme adopted by the invention to solve this problem is as follows:
in a first aspect, the present invention provides a method for predicting a security risk event, including the steps of:
acquiring original message data corresponding to a security risk event, writing the original message data into a log according to a preset format, and generating message log data;
performing preliminary security detection on the message log data;
when the preliminary security detection result is safe, inputting the message log data into a pre-constructed security prediction model for security prediction, and deciding from the prediction result whether the current security risk event is safe.
According to this prediction method, the original message data corresponding to the security risk event are acquired and written into a log to generate message log data; preliminary security detection is performed on the message log data; and, once that result is safe, the message log data are input into the pre-built security prediction model for security prediction, and whether the current security risk event is safe is decided from the prediction result. The security prediction model is constructed from historical data, and the security risk event is detected in a two-level security detection scheme, so the accuracy of security detection is improved.
Optionally, the message log data includes: node, device type, device name, IP address, time, event level, alarm type, source IP address, destination IP address, event protocol, alarm information, and details.
By acquiring the original message data corresponding to the security risk event and writing them into the log according to the preset format, message log data with rich content are generated, and these detailed data improve the accuracy of security detection.
Optionally, the preliminary security detection performed on the message log data includes at least one of: TCP/IP network connection anomaly detection, netstat command network connection anomaly detection, industrial control instruction anomaly detection, network storm detection and network session anomaly detection.
The invention performs preliminary security detection on the header information in the message log data to confirm whether the packet header was transmitted safely, and thereby makes a preliminary judgement of whether the transmitted data are safe. Because the preliminary detection covers at least one of TCP/IP network connection anomaly detection, netstat command network connection anomaly detection, industrial control instruction anomaly detection, network storm detection and network session anomaly detection, it reduces, to a certain extent, the workload of the next level of security detection while still ensuring the security of the data transmission.
Optionally, the process of constructing the security prediction model includes: acquiring the log messages in historical transmission data and generating the corresponding training data sets by examining the end flag of each log message; constructing an initial neural network model, loading each training data set for iterative training, and obtaining the corresponding security detection vector and the loss value against the labelled data; and modifying the model parameters of the initial neural network model by back-propagation based on the security detection vector and the loss value, until the loss value is less than or equal to a preset threshold or the number of iterations reaches a preset maximum, to generate the trained security prediction model.
The log messages in the historical transmission data are acquired, different events are distinguished by examining the end (FIN) flag of each log message, and the data of the same event are placed in the same training data set, so that related data can be judged together and the security of a security risk event can be detected more accurately by combining the associated information. Next, a neural network model is constructed, the data with this association are used to train it, and the trained security prediction model is generated. The security prediction model includes a neural network and a storage structure, and the neural network includes a plurality of neuron structures. The input of the security prediction model is the message log data, and the input of each level of neuron structure is the data in the storage structure together with the output of the previous neuron structure. By using the learning capability of the neural network, the characteristics of the security risk event are learned automatically during the detection of uncertain security risk events, so the model adapts automatically to the change of event characteristics over time, achieves the best prediction of the security risk event, and improves the accuracy of security detection.
Optionally, the process of acquiring the security detection vector includes: dividing the training data set into a first-class data set and a second-class data set, where the categories of the first-class data set include the port number, acknowledgement number, data offset field, reserved field and flag bit field, and the categories of the second-class data set include the sequence number field and the acknowledgement number field; judging the first-class data set to obtain a training simple vector; constructing an initial neural network model and loading the second-class data set into it to obtain a training complex security value; and constructing the security detection vector from the training complex security value and the training simple vector.
The invention distinguishes the data types because the same data need two kinds of security detection. The first-class data set is obtained by distinguishing according to the data form and includes the port number, acknowledgement number, data offset field, reserved field and flag bit field; the second-class data set is obtained by distinguishing according to the sequential (front-to-back) characteristic of the data and includes the sequence number field and the acknowledgement number field. The two types of data are judged separately, so that the various unsafe conditions caused by the data can be detected and the security of the data can be judged accurately.
Optionally, the process of judging the first-class data set and obtaining the training simple vector includes: performing an AND operation on the data corresponding to each category in each first-class data set to obtain an equality judgement value; and constructing the training simple vector from the equality judgement values, where the training simple vector represents whether the data in the first-class data set are equal.
By judging the data of the data-form type, the invention can confirm whether the data content is wrong. Because the transport port, acknowledgement number, data offset field, reserved field and flag bit field of the same data are fixed values, an AND operation over the values of each category in the first-class data set shows whether the data are erroneous, and hence whether the data were safe during transmission.
Optionally, the process of obtaining the training complex security value includes: generating the corresponding second sub-data set by extracting, in front-to-back order, the data at corresponding positions in each second-class data set; taking the number of data items in each second sub-data set as the length value of that second sub-data set; inputting the data of the second sub-data set, under control of the length value, into the neuron structures of the initial neural network model one after another to obtain the corresponding detection value, and storing the detection value into the corresponding storage structure until the length value is zero; and inputting each detection value into a hidden layer of the initial neural network to obtain the corresponding training complex security value.
By judging the data whose type is the sequential characteristic, the invention can judge the security of the data more accurately. The sequence number field and the acknowledgement number field in the second-class data set are extracted according to their front-to-back correspondence to generate a second sub-data set. The length value of the sub-data set controls the sequential input of its data into the corresponding neuron structures, and the detection value output by each neuron structure is stored into the corresponding storage structure. Each time a data item is input into a neuron structure the length value is decreased by 1, and the next data item is acquired and input into the next neuron structure, until the length value is 0; the detection value output at that point is the detection value of the sub-data set. If the length value is not 0, the detection value is stored into the storage structure of the corresponding neuron structure; if the length value is 0, the data in the storage structure are reset to zero. In this way, data with a sequential relation are judged in combination with the preceding data, and the detection value obtained according to the length value of the data set takes all the sequential relations into account, so the data security is judged more accurately. Each sub-data set yields one detection value; inputting the detection values into the hidden layer of the neural network extracts the characteristics between data of different meanings and judges them together, so that whether the data are safe can be judged accurately.
In a second aspect, embodiments of the present invention provide a system for predicting a security risk event, the system comprising:
the data acquisition module is used for acquiring original message data corresponding to the security risk event, writing the original message data into a log according to a preset format and generating message log data;
the safety detection module is used for carrying out preliminary safety detection on the message log data;
and the security prediction module, configured to, when the preliminary security detection result is safe, input the message log data into the pre-constructed security prediction model to perform security prediction and obtain a predicted security value, and to decide from the predicted security value whether the current security risk event is safe.
According to this prediction system, the original message data corresponding to the security risk event are acquired and written into a log to generate message log data; preliminary security detection is performed on the message log data; and, once that result is safe, the message log data are input into the pre-constructed security prediction model for security prediction, and whether the current security risk event is safe is decided from the prediction result. The security prediction model is constructed from historical data, and the security risk event is detected in a two-level security detection scheme, so the accuracy of security detection is improved.
In a third aspect, an embodiment of the present invention provides a computer device comprising a memory and a processor in communication with each other, where the memory stores computer instructions and the processor executes those instructions to perform the method of the first aspect or any optional implementation of the first aspect.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium storing computer instructions for causing a computer to perform the method of the first aspect, or any one of the alternative embodiments of the first aspect.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flow chart of a method for predicting a security risk event according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a prediction system for a security risk event according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described below clearly and completely with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the present invention; all other embodiments that a person skilled in the art can obtain from them without inventive effort fall within the scope of the invention.
In addition, the technical features of the different embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
The embodiment of the invention provides a method for predicting a security risk event, as shown in fig. 1, which specifically comprises the following steps:
step S1: and acquiring original message data corresponding to the security risk event, writing the original message data into a log according to a preset format, and generating message log data.
Specifically, in the embodiment of the invention, if a security risk event occurs during the data transmission of a network device or security device, the event needs to be detected to determine its security. The original message data corresponding to the security risk event are therefore acquired first. The header information from the transport-layer data transmission is written into a log to generate the message log data, which can then be used to judge the data security at the application layer. The message log content generated by the embodiment of the invention includes: node, device type, device name, IP address, time, event level, alarm type, source IP address, destination IP address, event protocol, alarm information and details, but is not limited thereto.
Step S2: and carrying out preliminary safety detection on the message log data.
Specifically, in the embodiment of the invention, preliminary security detection is performed on the generated message log data. A preliminary detection security value represents the detection result: 1 means the event is preliminarily judged safe, and 0 means it is preliminarily judged unsafe. The preliminary security detection includes at least one of TCP/IP network connection anomaly detection, netstat command network connection anomaly detection, industrial control instruction anomaly detection, network storm detection and network session anomaly detection, but is not limited to these. For example, TCP/IP network connection anomaly detection yields a protocol anomaly detection value, where 1 indicates that the network connection is normal and 0 indicates that it is abnormal.
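Steps S1 and S2 above, together with the gate into the second-level model that step S3 describes, as an added example written for this page and not code from the patent. The raw-capture keys, the time unit, the flag-combination rule used as the "TCP/IP network connection anomaly detection" instance and the per-source rate rule used as the "network storm detection" instance are all assumptions; the sample records are constructed.

```python
"""Stage 1 (log record in the preset format) and stage 2 (preliminary detection
gate) of the two-level scheme. Added example; not the patent's own code."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# TCP flag bits as laid out in the header flag field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class MessageLog:
    """One log record with the fields the patent names for the preset format."""
    node: str
    device_type: str
    device_name: str
    ip_address: str
    time: int                 # assumption: Unix epoch seconds
    event_level: str
    alarm_type: str
    src_ip: str
    dst_ip: str
    protocol: str
    alarm_info: str
    details: Dict[str, int] = field(default_factory=dict)   # raw header fields


def build_log(raw: dict) -> MessageLog:
    """Step S1: write the original message (header) data into the preset log format.
    The raw-capture key names are assumed."""
    return MessageLog(
        node=raw["node"], device_type=raw["dev_type"], device_name=raw["dev_name"],
        ip_address=raw["dev_ip"], time=raw["ts"], event_level=raw["level"],
        alarm_type=raw["alarm_type"], src_ip=raw["src"], dst_ip=raw["dst"],
        protocol=raw["proto"], alarm_info=raw["msg"],
        details={"flags": raw["flags"], "src_port": raw["sport"], "dst_port": raw["dport"]},
    )


def tcp_connection_normal(flags: int) -> int:
    """Assumed instance of 'TCP/IP network connection anomaly detection': flag
    combinations no legitimate stack emits. Returns 1 = normal, 0 = abnormal."""
    if flags == 0:                                       # null segment
        return 0
    if flags & SYN and (flags & FIN or flags & RST):     # SYN+FIN / SYN+RST
        return 0
    if flags & FIN and not flags & ACK:                  # bare FIN probe
        return 0
    return 1


def network_storm_normal(logs: List[MessageLog], window: int, limit: int) -> Dict[str, int]:
    """Assumed instance of 'network storm detection': more than `limit` records from
    one source IP within `window` seconds marks that source abnormal (0)."""
    by_src = defaultdict(list)
    for rec in logs:
        by_src[rec.src_ip].append(rec.time)
    verdict = {}
    for src, times in by_src.items():
        times.sort()
        storm = any(times[i + limit] - times[i] <= window
                    for i in range(len(times) - limit))
        verdict[src] = 0 if storm else 1
    return verdict


def preliminary_detection(rec: MessageLog, storm_values: Dict[str, int]) -> int:
    """Step S2: the preliminary detection security value is 1 only if every check
    reports normal."""
    return min(tcp_connection_normal(rec.details["flags"]), storm_values.get(rec.src_ip, 1))


def two_level_detect(rec: MessageLog, storm_values: Dict[str, int],
                     model: Callable[[MessageLog], int]) -> int:
    """Gate of step S3: the second-level model only runs when the first level says safe."""
    if preliminary_detection(rec, storm_values) == 0:
        return 0
    return model(rec)


def sample_logs() -> List[MessageLog]:
    """Constructed records: one clean session, one SYN+FIN segment, then a burst of
    250 SYNs from a single source within ten seconds."""
    base = dict(node="node-1", dev_type="firewall", dev_name="fw-a", dev_ip="10.0.0.2",
                level="info", alarm_type="conn", proto="TCP", msg="session", dport=502)
    raw = [
        dict(base, ts=100, src="10.0.1.5", dst="10.0.2.9", sport=40001, flags=SYN),
        dict(base, ts=101, src="10.0.1.5", dst="10.0.2.9", sport=40001, flags=ACK | PSH),
        dict(base, ts=102, src="10.0.1.5", dst="10.0.2.9", sport=40001, flags=FIN | ACK),
        dict(base, ts=103, src="10.0.1.7", dst="10.0.2.9", sport=40002, flags=SYN | FIN),
    ] + [dict(base, ts=200 + i // 5, src="10.0.1.9", dst="10.0.2.9", sport=50000 + i, flags=SYN)
         for i in range(50)]
    return [build_log(r) for r in raw]


def run_preliminary(window: int = 10, limit: int = 20) -> List[int]:
    """Preliminary detection security value for every constructed record."""
    logs = sample_logs()
    storms = network_storm_normal(logs, window, limit)
    return [preliminary_detection(rec, storms) for rec in logs]
```

The gate keeps the model out of the path for traffic the cheap checks already reject, which is the workload reduction the patent claims for the first level; a practitioner would log the rejected records with the failing check name rather than only the 0.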
Step S3: when the preliminary security detection result is safe, input the message log data into the pre-constructed security prediction model to carry out security prediction, obtain a predicted security value, and decide from the predicted security value whether the current security risk event is safe.
Specifically, in the embodiment of the invention, the security prediction model is constructed in advance. It is a recurrent neural network (RNN) model comprising an RNN and a storage structure. The RNN comprises a plurality of RNN neuron structures whose input is the message log data; the input of each RNN neuron structure is the data in the storage structure together with the output of the previous RNN neuron structure. After the message log data are input into the trained security prediction model, a predicted security value is obtained, where 1 means the security risk event is safe and 0 means it is unsafe. If the conclusion of this second-level detection is that the security risk event is indeed unsafe, corresponding alarm data are sent. The construction process of the security prediction model is as follows:
1. Acquire the log messages in the historical transmission data, and generate the corresponding training data sets by examining the end flag of each log message. The acquired log messages may correspond to message data of several events, so they are separated by examining the end (FIN) flag of each log entry. A TCP connection closes when both ends have exchanged segments carrying the FIN flag and each end has acknowledged the other's FIN. The FIN bit literally means that the sender has no more data to send; data that still need retransmission, however, are retransmitted until the receiving end has acknowledged everything. Therefore, if the FIN flag of a data item is 0, the item continues to be placed into the current data set; if the FIN flag is 1, data collection for the current data set ends and collection of the next data set begins. The training data thus consist of a plurality of data sets, each corresponding to a different historical security risk event.
2. Construct an initial neural network model according to the RNN format, initialise its parameters, load each training data set for iterative training, and obtain the corresponding security detection vector and the loss value against the labelled data. The process of acquiring the security detection vector is as follows:
(1) Distinguish the training data set according to the data form to obtain the first-class data set, which includes the port number, acknowledgement number, data offset field, reserved field and flag bit field. Because these are fixed values, an AND operation over the data in the first-class data set yields an equality judgement value, which shows whether the data are erroneous and hence whether they were safe during transmission. For example, the port numbers in the first-class data set are extracted and compared to obtain a port security value: 1 indicates that the port numbers are the same, 0 that they differ. If all port numbers are the same, the equality judgement value is 1, indicating safe; if at least one port number differs, it is 0, indicating unsafe. The training simple vector is then constructed from the equality judgement values and represents whether the data in the first-class data set are equal.
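Step 1 (splitting the historical log messages into one data set per event on the FIN flag) and step 2(1) (the equality check that produces the training simple vector), as an added example rather than the patent's code. The "AND operation" is implemented as a test that every value in a category is identical, which is what the text says the equality judgement value represents. The patent lists the acknowledgement number and the flag bit field among the fixed values, but both change over a normal connection (SYN, then ACK/PSH, then FIN; the acknowledgement number advances), so this example restricts the check to source port, destination port, data offset and reserved bits; that restriction, the field names and the sample records are the editor's assumptions.

```python
"""FIN-based event segmentation of historical header records and the first-class
equality check. Added example; not the patent's own code."""
from typing import Dict, List, Tuple

FIN = 0x01

# Constructed header records for two historical connections. Field names are assumed.
# Connection 2 carries two defects: reserved bits set mid-stream and a source-port change.
HISTORY: List[Dict[str, int]] = [
    {"src_port": 40001, "dst_port": 502, "data_offset": 5, "reserved": 0, "flags": 0x02, "seq": 1000, "ack": 0},
    {"src_port": 40001, "dst_port": 502, "data_offset": 5, "reserved": 0, "flags": 0x18, "seq": 1001, "ack": 5001},
    {"src_port": 40001, "dst_port": 502, "data_offset": 5, "reserved": 0, "flags": 0x11, "seq": 1013, "ack": 5001},
    {"src_port": 40002, "dst_port": 502, "data_offset": 5, "reserved": 0, "flags": 0x02, "seq": 2000, "ack": 0},
    {"src_port": 40002, "dst_port": 502, "data_offset": 5, "reserved": 4, "flags": 0x18, "seq": 2001, "ack": 6001},
    {"src_port": 40009, "dst_port": 502, "data_offset": 5, "reserved": 0, "flags": 0x11, "seq": 2013, "ack": 6001},
]

# Categories treated as fixed for one connection (editor's choice, see lead-in).
FIXED_FIELDS: Tuple[str, ...] = ("src_port", "dst_port", "data_offset", "reserved")


def split_by_fin(records: List[Dict[str, int]]) -> List[List[Dict[str, int]]]:
    """Step 1: a record with FIN = 0 joins the current data set; FIN = 1 closes it and
    the next record starts a new one. A trailing set without FIN is kept open rather
    than dropped, so an unfinished connection is still visible to the next stage."""
    data_sets: List[List[Dict[str, int]]] = []
    current: List[Dict[str, int]] = []
    for rec in records:
        current.append(rec)
        if rec["flags"] & FIN:
            data_sets.append(current)
            current = []
    if current:
        data_sets.append(current)
    return data_sets


def equality_value(values: List[int]) -> int:
    """Equality judgement value for one category: 1 when every value is identical."""
    return int(len(set(values)) == 1)


def simple_vector(data_set: List[Dict[str, int]],
                  fields: Tuple[str, ...] = FIXED_FIELDS) -> Tuple[int, ...]:
    """Step 2(1): training simple vector, one equality judgement value per category."""
    return tuple(equality_value([rec[f] for rec in data_set]) for f in fields)


def training_simple_vectors(records: List[Dict[str, int]] = HISTORY) -> List[Tuple[int, ...]]:
    """Simple vector for every event data set in the history."""
    return [simple_vector(ds) for ds in split_by_fin(records)]
```

The zero entries of the second vector point at the category that broke (source port and reserved bits), which is more useful to an operator than the single collapsed security value and is worth keeping alongside it.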
(2) Distinguish the training data set according to the sequential characteristic of the data to obtain the second-class data set, which includes the sequence number field and the acknowledgement number field. Generate the corresponding second sub-data set by extracting the corresponding data of each second-class data set in front-to-back order, and take the number of items in each second sub-data set as its length value. For example, the second-class data set of this embodiment includes a sequence number field data set [2,4,3] and an acknowledgement number field data set [7,8,9], but is not limited thereto. Extracting the corresponding data of the two sets in order gives the second sub-data set [2,7], [4,8], [3,9], whose length value is 3. The length value controls the sequential input of the sub-data set's items into the corresponding neuron structures, and the detection value output by each neuron structure is stored into the corresponding storage structure. Each time an item is input into a neuron structure, the length value is decreased by 1, and the next item is acquired and input into the next neuron structure, until the length value is 0; the detection value output at that point is the detection value of the sub-data set. If the length value is not 0, the detection value is stored into the storage structure of the corresponding neuron structure; if the length value is 0, the data in the storage structure are reset to zero.
Each sub-data set yields one detection value. Inputting the detection values into the hidden layer of the neural network extracts the characteristics between data of different meanings and judges them together, which gives an accurate judgement of whether the data are safe: 0 means unsafe and 1 means safe, and this is the training complex security value.
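The second sub-data set, the length-value and storage-structure bookkeeping of step 2(2), and the hidden-layer combination that yields the training complex security value, as an added example rather than the patent's code. The neuron is a single tanh unit with fixed placeholder weights, the hidden layer is one sigmoid unit, and the two sub-data sets (the patent's [2,4,3]/[7,8,9] and a second constructed one) are treated as two connections from one training data set; all of that is assumed, so the 0/1 output traces the data flow and is not a trained judgement.

```python
"""Second sub-data set construction, length-controlled recurrent processing with a
storage structure, and hidden-layer combination. Added example; weights are
placeholder constants, not trained parameters."""
import math
from typing import Dict, List, Sequence, Tuple

Pair = Tuple[int, int]


def second_sub_data_set(seq_numbers: Sequence[int], ack_numbers: Sequence[int]) -> List[Pair]:
    """Pair the i-th sequence number with the i-th acknowledgement number, in order:
    [2,4,3] and [7,8,9] give [(2,7),(4,8),(3,9)], whose length value is 3."""
    if len(seq_numbers) != len(ack_numbers):
        raise ValueError("sequence and acknowledgement fields must align")
    return list(zip(seq_numbers, ack_numbers))


class NeuronStructure:
    """One recurrent neuron: h = tanh(w_seq*seq + w_ack*ack + w_h*h_prev + b).
    Assumed constants, chosen small so the values can be followed by hand."""

    def __init__(self, w_seq: float = 0.01, w_ack: float = -0.01,
                 w_h: float = 0.5, b: float = 0.0):
        self.w_seq, self.w_ack, self.w_h, self.b = w_seq, w_ack, w_h, b

    def step(self, x: Pair, h_prev: float) -> float:
        seq, ack = x
        return math.tanh(self.w_seq * seq + self.w_ack * ack + self.w_h * h_prev + self.b)


def run_sub_data_set(pairs: List[Pair], cell: NeuronStructure, storage: Dict[str, float]) -> float:
    """Feed the items one by one under control of the length value. While the length
    value is non-zero the neuron output is kept in the storage structure and becomes
    the next neuron's recurrent input; when it reaches zero the output is the
    sub-data set's detection value and the storage structure is reset to zero."""
    length = len(pairs)
    detection = 0.0
    for x in pairs:
        h = cell.step(x, storage["state"])
        length -= 1
        if length > 0:
            storage["state"] = h
        else:
            detection = h
            storage["state"] = 0.0
    return detection


def hidden_layer(detections: List[float], weights: Sequence[float], bias: float) -> int:
    """Combine the per-sub-data-set detection values; the training complex security
    value is 1 (safe) if the sigmoid output exceeds 0.5, otherwise 0 (unsafe)."""
    z = sum(w * d for w, d in zip(weights, detections)) + bias
    return int(1.0 / (1.0 + math.exp(-z)) > 0.5)


def sample_sub_data_sets() -> List[List[Pair]]:
    """Constructed: the patent's example pairs plus a second connection's pairs."""
    return [second_sub_data_set([2, 4, 3], [7, 8, 9]),
            second_sub_data_set([10, 11, 12], [5, 5, 6])]


def complex_security_value(sub_data_sets: List[List[Pair]] = None,
                           weights: Sequence[float] = (1.0, 1.0),
                           bias: float = 0.1) -> Tuple[int, List[float]]:
    """Run every sub-data set through the same neuron/storage pair, then combine."""
    if sub_data_sets is None:
        sub_data_sets = sample_sub_data_sets()
    cell = NeuronStructure()
    storage = {"state": 0.0}
    detections = [run_sub_data_set(p, cell, storage) for p in sub_data_sets]
    return hidden_layer(detections, weights, bias), detections
```

The reset when the length value reaches zero is what keeps one connection's hidden state from leaking into the next; without it the detection value of the second sub-data set would depend on the order in which connections were loaded.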
(3) Construct the security detection vector from the training complex security value and the training simple vector.
3. Modify the model parameters of the initial neural network model by back-propagation based on the security detection vector and the loss value, until the loss value is less than or equal to the preset threshold or the number of iterations reaches the preset maximum, and output the trained security prediction model. For example, the maximum number of iterations chosen in this embodiment is 1200, but it is not limited thereto.
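The stopping rule of step 3 (loss at or below the threshold, or 1200 iterations), as an added example that is not the patent's code. To stay short it trains one logistic output unit over security detection vectors by gradient descent on the binary cross-entropy loss instead of back-propagating through the recurrent network; the vectors, labels, learning rate and threshold are constructed assumptions.

```python
"""Gradient-descent training loop with the two stopping conditions of step 3.
Added example; the data and hyper-parameters are constructed."""
import math
from typing import List, Sequence, Tuple

Vector = Tuple[int, ...]

# Constructed training pairs: (security detection vector, label). The vector is the
# training simple vector (source port, destination port, data offset, reserved bits
# equal?) followed by the training complex security value; label 1 = event was safe.
TRAINING: List[Tuple[Vector, int]] = [
    ((1, 1, 1, 1, 1), 1),
    ((1, 1, 1, 1, 0), 0),
    ((0, 1, 1, 1, 1), 0),
    ((1, 0, 1, 1, 1), 0),
    ((1, 1, 0, 1, 1), 0),
    ((1, 1, 1, 0, 1), 0),
    ((1, 1, 1, 1, 1), 1),
]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def predict_prob(weights: Sequence[float], bias: float, x: Vector) -> float:
    return sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias)


def loss_value(weights: Sequence[float], bias: float,
               data: List[Tuple[Vector, int]]) -> float:
    """Mean binary cross-entropy of the predictions against the labels."""
    total = 0.0
    for x, y in data:
        p = min(max(predict_prob(weights, bias, x), 1e-12), 1 - 1e-12)
        total -= y * math.log(p) + (1 - y) * math.log(1 - p)
    return total / len(data)


def train(data: List[Tuple[Vector, int]] = TRAINING, lr: float = 0.5,
          threshold: float = 0.05, max_iter: int = 1200):
    """Gradient descent on the output unit. Stops as soon as the loss is at or below
    `threshold`, or when the iteration count reaches `max_iter` (the patent's 1200)."""
    n = len(data[0][0])
    weights, bias = [0.0] * n, 0.0
    history: List[float] = [loss_value(weights, bias, data)]
    iterations = 0
    for iterations in range(1, max_iter + 1):
        grad_w, grad_b = [0.0] * n, 0.0
        for x, y in data:
            err = (predict_prob(weights, bias, x) - y) / len(data)
            grad_b += err
            for j, xj in enumerate(x):
                grad_w[j] += err * xj
        weights = [w - lr * g for w, g in zip(weights, grad_w)]
        bias -= lr * grad_b
        history.append(loss_value(weights, bias, data))
        if history[-1] <= threshold:
            break
    return weights, bias, iterations, history


def predict(weights: Sequence[float], bias: float, x: Vector) -> int:
    """Predicted security value: 1 safe, 0 unsafe."""
    return int(predict_prob(weights, bias, x) > 0.5)
```

Because the labels here are "safe only when every component is 1", the unit has to learn an AND over the vector; recording the loss history is what lets you tell, when the loop stops at the iteration cap, whether the model converged or merely ran out of budget.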
The embodiment of the invention provides a prediction system for a security risk event, as shown in fig. 2, the system comprises:
the data acquisition module 1, configured to acquire the original message data corresponding to the security risk event, write them into a log according to the preset format, and generate the message log data. Details are given in the description of step S1 in the method embodiment above and are not repeated here.
the security detection module 2, configured to perform preliminary security detection on the message log data. Details are given in the description of step S2 in the method embodiment above and are not repeated here.
and the security prediction module 3, configured to, when the preliminary security detection result is safe, input the message log data into the pre-constructed security prediction model to perform security prediction and obtain a predicted security value, and to decide from the predicted security value whether the current security risk event is safe. Details are given in the description of step S3 in the method embodiment above and are not repeated here.
Fig. 3 shows a schematic structural diagram of a computer device according to an embodiment of the present invention, including: a processor 901 and a memory 902, wherein the processor 901 and the memory 902 may be connected by a bus or otherwise, for example in fig. 3.
The processor 901 may be a central processing unit (Central Processing Unit, CPU). The processor 901 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or a combination thereof.
The memory 902 is a non-transitory computer readable storage medium used for storing non-transitory server programs, non-transitory computer executable programs, and modules, such as the program instructions/modules corresponding to the methods in the above method embodiments. By running the non-transitory server programs, instructions, and modules stored in the memory 902, the processor 901 executes the functional applications and data processing of the device, i.e., implements the methods of the method embodiments described above.
The memory 902 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, at least one application program required for a function; the storage data area may store data created by the processor 901, and the like. In addition, the memory 902 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 902 optionally includes memory remotely located relative to processor 901, which may be connected to processor 901 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
One or more modules are stored in the memory 902 that, when executed by the processor 901, perform the methods of the method embodiments described above.
The specific details of the computer device may be correspondingly understood by referring to the corresponding related descriptions and effects in the above method embodiments, which are not repeated herein.
Those skilled in the art will appreciate that all or part of the methods in the above embodiments may be implemented by a computer program that instructs the relevant hardware. The program may be stored in a computer readable storage medium and, when executed, may perform the steps of the method embodiments described above. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk (HDD), or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations are within the scope of the invention as defined by the appended claims.

Claims (10)

1. A method for predicting a security risk event, comprising the steps of:
acquiring original message data corresponding to a security risk event, writing the original message data into a log according to a preset format, and generating message log data;
performing preliminary security detection on the message log data;
when the preliminary safety detection result is safe, the message log data are input into a pre-constructed safety prediction model to carry out safety prediction, a predicted safety value is obtained, and whether the current safety risk event is safe or not is judged according to the predicted safety value.
2. The method for predicting a security risk event according to claim 1, wherein the message log data includes: node, device type, device name, IP address, time, event level, alarm type, source IP address, destination IP address, event protocol, alarm information, and details.
3. The method for predicting a security risk event according to claim 1, wherein the content of preliminary security detection on the message log data includes: at least one of TCP/IP network connection anomaly detection, netstat command network connection anomaly detection, industrial control instruction anomaly detection, network storm detection and network session anomaly detection.
4. The method for predicting a security risk event according to claim 1, wherein the process of constructing the security prediction model includes:
acquiring log messages in historical transmission data, and generating a corresponding training data set by judging end marks of the log messages;
constructing an initial neural network model, loading each training data set for iterative training, and obtaining a corresponding safety detection vector and a corresponding loss value of the labeling data;
and modifying model parameters of the initial neural network model through backward propagation based on the safety detection vector and the loss value until the loss value is smaller than or equal to a preset threshold value or the iteration number reaches a preset maximum iteration number, and generating a trained safety prediction model.
5. The method of claim 4, wherein the step of obtaining a security detection vector comprises:
dividing the training data set into a first class data set and a second class data set, wherein the class of the first class data set comprises: port number, acknowledgement number, data offset field, reserved field and flag bit field, the categories of the second category data set include: a sequence number field and an acknowledgement number field;
judging the first class data set and obtaining a training simple vector;
constructing an initial neural network model, and loading the second class data set into the initial neural network model to obtain a training complex safety value;
and constructing a safety detection vector according to the training complex safety value and the training simple vector.
6. The method of claim 5, wherein the determining the first class data set and obtaining a training simple vector comprises:
performing AND operation on data corresponding to each category in each first category data set to obtain an equal judgment value;
and constructing a training simple vector according to each equality judgment value, wherein the training simple vector is used for representing whether the data in the first class data set are equal or not.
7. The method of claim 5, wherein the process of obtaining training complex security values comprises:
generating a corresponding second sub-data set by sequentially extracting data of corresponding positions in each second data set in a front-to-back order;
acquiring the number of data sets in each second sub-data set as a length value of the corresponding second sub-data set;
inputting the data of each data set in the second sub-data set into each neuron structure of the initial neural network model in turn based on the length value to obtain a corresponding detection value, and storing the detection value into a corresponding storage structure until the length value is zero;
and inputting each detection value into a hidden layer of the initial neural network to obtain a corresponding training complex safety value.
8. A system for predicting a security risk event, comprising:
the data acquisition module is used for acquiring original message data corresponding to the security risk event, writing the original message data into a log according to a preset format and generating message log data;
the safety detection module is used for carrying out preliminary safety detection on the message log data;
and the safety prediction module is used for inputting the message log data into a pre-constructed safety prediction model to perform safety prediction and obtain a predicted safety value when the preliminary safety detection result is safe, and judging whether the current safety risk event is safe or not according to the predicted safety value.
9. An electronic device, comprising:
a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the method of predicting a security risk event of any one of claims 1-7.
10. A computer-readable storage medium having stored thereon computer instructions for causing the computer to perform the method of predicting a security risk event according to any one of claims 1-7.
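The two-stage pipeline of claims 1 and 8 (and of the three system modules described above), run on constructed log records as an added example. This is not the patent's own code: the '|'-separated log format, the two preliminary checks with their thresholds, and the event-level stand-in for the trained prediction model are all assumptions.

```python
"""Two-stage screening of security risk events following the patent's pipeline:
raw message -> log record -> preliminary detection -> (only if safe) prediction
model -> predicted safety value vs threshold. Added example, not the patent's code."""
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Tuple

# The claim-2 fields, assumed written as one '|'-separated line per event.
FIELDS = ["node", "device_type", "device_name", "ip", "time", "level", "alarm_type",
          "src_ip", "dst_ip", "protocol", "alarm_info", "details"]

def parse_log_line(line: str) -> Dict[str, str]:
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def preliminary_detection(records: List[Dict[str, str]], storm_limit: int = 3,
                          session_limit: int = 2) -> List[List[str]]:
    """Stage 1: per record, the names of triggered checks ([] == safe). Assumed rules:
    network_storm = more than storm_limit messages from one source IP in the batch;
    session_anomaly = one source opening sessions to more than session_limit destinations."""
    per_src = Counter(r["src_ip"] for r in records)
    dsts = defaultdict(set)
    for r in records:
        dsts[r["src_ip"]].add(r["dst_ip"])
    return [(["network_storm"] if per_src[r["src_ip"]] > storm_limit else [])
            + (["session_anomaly"] if len(dsts[r["src_ip"]]) > session_limit else [])
            for r in records]

def baseline_predictor(r: Dict[str, str]) -> float:
    """Stand-in for the trained model: event level (assumed 1..5) -> safety value in [0, 1]."""
    return 1.0 - (int(r["level"]) - 1) / 4.0

def screen(lines: List[str], predictor: Callable[[Dict[str, str]], float] = baseline_predictor,
           threshold: float = 0.5) -> List[Tuple[str, str]]:
    """Stage 2 runs only for records that stage 1 judged safe; returns (src_ip, verdict)."""
    records = [parse_log_line(l) for l in lines]
    return [(r["src_ip"], "unsafe:" + ",".join(reasons)) if reasons else
            (r["src_ip"], "safe" if predictor(r) >= threshold else "unsafe:model")
            for r, reasons in zip(records, preliminary_detection(records))]

# Constructed sample batch (not captured traffic): one PLC with a benign read and a
# high-level write alarm, and one HMI opening sessions to three different hosts.
SAMPLE = [
    "n1|plc|plc-01|10.0.0.5|2023-02-10T08:00:00|1|info|10.0.0.5|10.0.0.9|Modbus|read coils|fc=1",
    "n1|plc|plc-01|10.0.0.5|2023-02-10T08:00:01|4|alarm|10.0.0.5|10.0.0.9|Modbus|write regs|fc=16",
    "n1|hmi|hmi-02|10.0.0.7|2023-02-10T08:00:02|1|info|10.0.0.7|10.0.0.9|TCP|syn|flags=S",
    "n1|hmi|hmi-02|10.0.0.7|2023-02-10T08:00:02|1|info|10.0.0.7|10.0.0.10|TCP|syn|flags=S",
    "n1|hmi|hmi-02|10.0.0.7|2023-02-10T08:00:02|1|info|10.0.0.7|10.0.0.11|TCP|syn|flags=S",
]
```

Calling `screen(SAMPLE)` yields one verdict per record; only the two records that pass stage 1 ever reach the predictor, which is the gating the claims describe.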
CN202310135078.3A 2023-02-10 2023-02-10 Prediction method and system for security risk event Pending CN116170203A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310135078.3A CN116170203A (en) 2023-02-10 2023-02-10 Prediction method and system for security risk event

Publications (1)

Publication Number Publication Date
CN116170203A true CN116170203A (en) 2023-05-26

Family

ID=86412912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310135078.3A Pending CN116170203A (en) 2023-02-10 2023-02-10 Prediction method and system for security risk event

Country Status (1)

Country Link
CN (1) CN116170203A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116488947A (en) * 2023-06-21 2023-07-25 北京锐服信科技有限公司 Security element treatment method
CN116488947B (en) * 2023-06-21 2023-09-26 北京锐服信科技有限公司 Security element treatment method
CN118473829A (en) * 2024-07-10 2024-08-09 长春工业大学 IPv6 network safety protection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination