CN116232774A - Network path analysis system and method for network security anomaly detection - Google Patents


Info

Publication number: CN116232774A
Authority: CN (China)
Prior art keywords: network, attack, spl, flow, anomaly
Legal status: Granted
Application number: CN202310512022.5A
Other languages: Chinese (zh)
Other versions: CN116232774B (en)
Inventors: 王珩, 陆宇翔, 闫俊, 王杨
Current assignee: Beijing Zhangba Network Security Technology Co ltd; Tianjin Zhangba Network Security Technology Co ltd
Original assignee: Beijing Zhangba Network Security Technology Co ltd; Tianjin Zhangba Network Security Technology Co ltd

Events: application filed by Beijing Zhangba Network Security Technology Co ltd and Tianjin Zhangba Network Security Technology Co ltd; priority to CN202310512022.5A; publication of CN116232774A; application granted; publication of CN116232774B; legal status: active.

Classifications

    • H: ELECTRICITY; H04: ELECTRIC COMMUNICATION TECHNIQUE; H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS; Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE; Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention discloses a network path analysis system and method for network security anomaly detection. The method comprises the following steps: performing flow dyeing (traffic marking) and filtering on a target network and carrying out network flow anomaly analysis; setting up a test model and detecting network attacks on the target network to obtain detection data; attacking the test model with each attack type in turn to obtain attack data, and carrying out network path anomaly analysis; and calculating a comprehensive score for the target network so as to comprehensively evaluate the vulnerability of its network topology structure. Compared with the prior art, the method and system can objectively, comprehensively and accurately evaluate the vulnerability of the network topology structure of the target network, improve the accuracy of network anomaly detection, and improve the reliability of network security analysis.

Description

Network path analysis system and method for network security anomaly detection
Technical Field
The present invention relates to the field of network anomaly detection technologies, and in particular to a network path analysis system and method for network security anomaly detection; it falls under IPC class H04L.
Background
With the rapid development of the Internet and network services, the degree of informatization in China is ever higher. While the network brings great convenience at this high degree of networking, the accompanying security problems are unavoidable.
In network security services, network traffic path analysis and network attack path analysis are of great value in specific service scenarios such as attack-tactics research and attack-chain tracing. In a real service system, network security technicians and infrastructure maintenance personnel find it difficult to obtain the complete attack flow from a global perspective, so this work suffers from high development difficulty and poor analysis results.
In a simulation environment, the simulation infrastructure can provide complete network topology information and network traffic from a global perspective, but the conventional network path analysis technology based on the layer-2/layer-3/application-layer five-tuple cannot effectively process and analyze the information that the simulation infrastructure provides. Thus, as the information acquisition capability of the infrastructure is upgraded, the network path analysis technology also needs to be improved.
Disclosure of Invention
The invention aims to provide a network path analysis system and a network path analysis method for network security anomaly detection, which can objectively, comprehensively and accurately evaluate the vulnerability of the network topology structure of a target network, realize intelligent analysis and processing of data, and improve the accuracy of network anomaly detection.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
a network path analysis method for network security anomaly detection, comprising the steps of: s10, acquiring a network topology structure of a target network, wherein a controller performs dyeing treatment on an interface and a link, which are close to a terminal, in the target network, and performs filtering treatment on access traffic according to traffic dyeing values at a switch, which is close to a platform side, so as to obtain a normal network flow and a filtered abnormal network flow;
s20, carrying out network flow anomaly analysis on the normal network flow and the abnormal network flow to obtain a network flow anomaly score;
s30, setting a test model, detecting network attack on the target network, capturing a network flow sequence at a time interval ΔT, and after time periods T_1 and T_2 have elapsed (T_2 > T_1), obtaining detection data g_1 = (V_1, E_1) and g_2 = (V_2, E_2) respectively, where V_1 and V_2 are the test network flow node sets and E_1 and E_2 are the interaction relation sets of the test network flows;
s40, using different attack types to attack the test model in turn, capturing a network flow sequence at a time interval ΔT, and after time periods T_1 and T_2 have elapsed, obtaining attack data g_1k' = (V_1k', E_1k') and g_2k' = (V_2k', E_2k') respectively, where V_1k' and V_2k' are the attack network flow node sets corresponding to the different attack types, E_1k' and E_2k' are the interaction relation sets of the attack network flows corresponding to the different attack types, and k is the total number of attack types; and calculating the network attack shortest path threshold values using the attack data;
s50, carrying out network path anomaly analysis on the detection data by utilizing the network attack shortest path threshold value to obtain a network path anomaly score;
s60, calculating a comprehensive score of a target network through the network flow anomaly score and the network path anomaly score, and comprehensively evaluating the vulnerability of a network topology structure of the target network;
and S70, outputting a network topology vulnerability analysis result of the target network and corresponding suggestions.
Preferably, S20 further comprises the steps of:
s21, extracting the normal data packets m_1 carried by the normal network flow and the abnormal data packets m_2 carried by the abnormal network flow;
S22, calculating the abnormal traffic ratio Q = m_2 / (m_1 + m_2);
S23, when Q < Q_min, the network traffic anomaly score P_Q is 8; when Q_min ≤ Q ≤ Q_max, P_Q is 6; when Q > Q_max, P_Q is 4, where Q_min and Q_max are both traffic anomaly determination thresholds.
Preferably, S40 further comprises the steps of:
s41, setting an attack type label, identifying the attack type according to the obtained log information, and marking the attack type label on the corresponding attack behavior;
s42, calculating, for the target network under each attack type, the first network attack shortest path SPL_1k after time period T_1 and the second network attack shortest path SPL_2k after time period T_2; SPL_1k and SPL_2k are calculated by the following formula:
[Formula image SMS_1 (SPL_1k and SPL_2k), not reproduced on the page]
where d(v_i, v_j) is the shortest distance between any one node pair in the network flow node set, n is the number of node pairs, n = |V|(|V| - 1)/2, and |V| is the number of network flow nodes corresponding to the given time period;
s43, calculating the maximum threshold SPL_max and the minimum threshold SPL_min of the network attack shortest path:
SPL_max = λ_1 SPL_11 + λ_2 SPL_12 + … + λ_k SPL_1k
SPL_min = λ_1 SPL_21 + λ_2 SPL_22 + … + λ_k SPL_2k
where λ_k is the attack factor of each attack type.
Preferably, S50 further comprises the steps of:
s51, calculating the first network shortest path SPL_1 and the second network shortest path SPL_2 of the detection data according to the formula of S42; when calculating SPL_1 the corresponding number of node pairs is n = |V_1|(|V_1| - 1)/2, and when calculating SPL_2 it is n = |V_2|(|V_2| - 1)/2;
S52, when SPL_1 > SPL_max after T_1 and SPL_2 < SPL_min after T_2, judging that the target network is under malicious attack and setting the network path anomaly score P_L = 3; otherwise, judging that the target network is not under malicious attack and setting the network path anomaly score P_L = 9.
Preferably, S60 further comprises the steps of:
s61, calculating the target network comprehensive score P = αP_Q + βP_L, where α is the influence factor of network flow anomaly, β is the influence factor of network path anomaly, α > 0, β > 0, and α + β = 1;
s62, when P < 4, the vulnerability grade of the network topology structure of the target network is dangerous; when 4 ≤ P ≤ 7, it is medium; when 7 < P ≤ 8.5, it is good; when P > 8.5, it is excellent.
In particular, in step S40, after each attack, the test model parameters need to be reset, and after the test model state before the attack is restored, the next attack is performed.
In particular, the attack type tags include industrial worm attacks, logical bomb attacks, levovirus attacks, replay attacks, DDoS attacks, and IO hijacking attacks.
Preferably, the step S30 specifically includes the following steps:
s31, constructing a training center containing samples in a network, and configuring test models with the same network topology structure on network attack detection equipment and the training center;
s32, collecting network connection data in a target network by the network attack detection equipment, providing a training sample for a training center, then learning the training sample by the training center, realizing training of test model parameters, and transmitting the trained test model parameters to the network attack detection equipment;
s33, the network attack detection equipment utilizes the model parameters to carry out parameter configuration on the test model, thereby realizing network attack detection on the target network.
Preferably, d(v_i, v_j) is calculated using the Floyd algorithm:
(1) Initializing: initialize the distances between all nodes to infinity, and initialize the distance of the source node v_i to itself to 0.
(2) Updating: starting from the source node v_i, update the shortest paths from v_i to the other nodes at each step.
(3) Iteration: repeat the above steps until all nodes have been updated, obtaining the shortest distance d(v_i, v_j) between any 2 nodes.
The invention also provides a network path analysis system for network security anomaly detection, which is used for realizing the method, and comprises a dyeing module, a network flow anomaly analysis module, a test simulation module, an attack simulation module, a network path anomaly analysis module, a comprehensive evaluation module and an output module;
the dyeing module is used for dyeing an interface and a link close to a terminal in a target network, and filtering the access flow at a switch close to a platform side according to the flow dyeing value to obtain a normal network flow and a filtered abnormal network flow;
the network flow anomaly analysis module is connected with the dyeing module and is used for carrying out network flow anomaly analysis on the normal network flow and the abnormal network flow to obtain a network flow anomaly score;
the test simulation module is used for setting a test model, detecting network attack on a target network and obtaining detection data;
the attack simulation module is connected with the test simulation module and is used for attacking the test model and obtaining attack data, and calculating a network attack shortest path threshold;
the network path anomaly analysis module is connected with the attack simulation module and is used for carrying out network path anomaly analysis on the detection data to obtain a network path anomaly score;
the comprehensive evaluation module is connected with the network flow anomaly analysis module and the network path anomaly analysis module and is used for calculating the comprehensive score of the target network and comprehensively evaluating the vulnerability of the network topology structure of the target network;
the output module is connected with the comprehensive evaluation module and is used for outputting the network topology vulnerability analysis result and corresponding advice of the target network.
Compared with the prior art, the invention has the beneficial technical effects that:
the invention can analyze network anomaly from two aspects of flow dyeing and network path, objectively and comprehensively and accurately evaluate the vulnerability of the network topology structure of the target network, realize intelligent analysis and processing of data, improve the accuracy of network anomaly detection and improve the reliability of network safety analysis.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a network path analysis method for network security anomaly detection of the present invention;
FIG. 2 is a block diagram illustrating a network path analysis system for network security anomaly detection according to the present invention.
Reference numerals: 1. a dyeing module; 2. a network flow anomaly analysis module; 3. a test simulation module; 4. an attack simulation module; 5. a network path anomaly analysis module; 6. a comprehensive evaluation module; 7. and an output module.
Detailed Description
The following description of the embodiments of the present invention will be made apparent and fully in view of the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, it should be noted that the directions or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.
The technical terms to which the present invention relates are explained first below:
network flow: in packet-switched networks, a network flow (or traffic flow, packet flow) refers to a sequence of packets from a source host to a destination host, where the destination host may be a device, a multi-broadcast group, or a broadcast domain. A network flow defines a transport connection that contains all of the packets on the flow.
Node: a computer or other device connected to a network, having an independent address and the function of transmitting or receiving data; each workstation, server, terminal device and network device, i.e. every device with its own unique network address, is a network node.
Network shortest path (Shortest Path Length, SPL): in the present invention, the average shortest path of a complex network.
Referring to fig. 1, a network path analysis method for network security anomaly detection disclosed in the present invention includes the following steps:
s10, acquiring a network topology structure of a target network, wherein a controller performs dyeing treatment on an interface and a link, which are close to a terminal, in the target network, and at the moment, data packets carried by network flows are provided with dyeing marks, and the controller performs filtering treatment on access flow according to flow dyeing values at a switch (a plurality of switches) which are close to a platform side, so that normal network flows and filtered abnormal network flows are obtained.
S20, carrying out network flow anomaly analysis on the normal network flow and the abnormal network flow to obtain a network flow anomaly score.
S21, extracting the normal data packets m_1 carried by the normal network flow and the abnormal data packets m_2 carried by the abnormal network flow;
S22, calculating the abnormal traffic ratio Q = m_2 / (m_1 + m_2);
S23, when Q < Q_min, the network traffic anomaly score P_Q is 8; when Q_min ≤ Q ≤ Q_max, P_Q is 6; when Q > Q_max, P_Q is 4, where Q_min and Q_max are both traffic anomaly determination thresholds. The lower the proportion of abnormal network traffic, the higher the network traffic anomaly score, which means the topology of the target network is more stable.
It is noted that Q_min and Q_max may be adjusted manually based on historical network traffic data. Specifically, step S10 is repeated to obtain historical network traffic data composed of multiple rounds of normal network flows and filtered abnormal network flows, multiple abnormal traffic ratios Q_i are calculated according to steps S21 and S22, and the average abnormal traffic ratio Q' is calculated: Q' = (1/i)(Q_1 + … + Q_i), Q_min = 0.6Q', Q_max = 1.1Q'.
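The following Python is an added worked example of steps S10 and S21 to S23 together with the Q_min/Q_max calibration just described; it is not code from the patent or its assignee. It assumes that the dyeing mark is a small integer field on each packet and that the platform-side switch treats any packet whose dye value is not in the controller's valid set as abnormal; both the `Packet` record and the `VALID_DYES` set are constructed for the example.

```python
"""Flow-dyeing filter and network traffic anomaly score (S10, S21-S23, Q_min/Q_max
calibration). Added example; the dye field and its valid values are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as seen at the platform-side switch. `dye` is the mark the
    controller stamped on the terminal-side interface/link (hypothetical field)."""
    src: str
    dst: str
    dye: int  # 0 means "no dye mark present"


# Constructed: dye values the controller assigned to legitimate terminal links.
VALID_DYES = frozenset({0x11, 0x12, 0x13})


def split_by_dye(packets: Iterable[Packet], valid_dyes=VALID_DYES) -> Tuple[int, int]:
    """S10 filter: packets with a valid dye value form the normal flow (m_1); packets
    with no or an unknown dye value form the filtered abnormal flow (m_2)."""
    m1 = m2 = 0
    for p in packets:
        if p.dye in valid_dyes:
            m1 += 1
        else:
            m2 += 1
    return m1, m2


def abnormal_ratio(m1: int, m2: int) -> float:
    """S22: Q = m_2 / (m_1 + m_2). An empty capture is treated as Q = 0."""
    total = m1 + m2
    return 0.0 if total == 0 else m2 / total


def calibrate_thresholds(historical_q: Sequence[float]) -> Tuple[float, float]:
    """Q' = (1/i)(Q_1 + ... + Q_i); Q_min = 0.6 Q', Q_max = 1.1 Q'."""
    if not historical_q:
        raise ValueError("need at least one historical round to calibrate")
    q_mean = sum(historical_q) / len(historical_q)
    return 0.6 * q_mean, 1.1 * q_mean


def flow_anomaly_score(q: float, q_min: float, q_max: float) -> int:
    """S23: P_Q = 8 when Q < Q_min, 6 when Q_min <= Q <= Q_max, 4 when Q > Q_max."""
    if q_min > q_max:
        raise ValueError("Q_min must not exceed Q_max")
    if q < q_min:
        return 8
    if q <= q_max:
        return 6
    return 4


# Constructed historical rounds (three repetitions of S10/S21/S22).
HISTORY: List[float] = [0.05, 0.10, 0.15]

# Constructed current capture: 16 correctly dyed packets, 3 undyed, 1 unknown dye.
CURRENT: List[Packet] = (
    [Packet("10.0.1.%d" % i, "10.0.9.1", 0x11) for i in range(8)]
    + [Packet("10.0.2.%d" % i, "10.0.9.1", 0x12) for i in range(8)]
    + [Packet("192.0.2.%d" % i, "10.0.9.1", 0) for i in range(3)]
    + [Packet("192.0.2.9", "10.0.9.1", 0x99)]
)


def score_current_round(packets=CURRENT, history=HISTORY) -> Tuple[float, int]:
    """Run filter -> ratio -> calibrated thresholds -> P_Q for one capture."""
    m1, m2 = split_by_dye(packets)
    q = abnormal_ratio(m1, m2)
    q_min, q_max = calibrate_thresholds(history)
    return q, flow_anomaly_score(q, q_min, q_max)


if __name__ == "__main__":
    print(score_current_round())
```

With the constructed capture, Q = 4/20 = 0.2 lies above Q_max = 0.11, so the round scores P_Q = 4; the same capture against a history with a higher baseline ratio would score 6 or 8, which is why the thresholds are calibrated per network rather than fixed.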
S30, setting a test model, detecting network attack on the target network, capturing a network flow time sequence at a time interval ΔT, and after time periods T_1 and T_2 have elapsed, obtaining the detection data g_1 = (V_1, E_1) and g_2 = (V_2, E_2), where T_1 and T_2 are integer multiples of ΔT, T_2 > T_1, V_1 and V_2 are the test network flow node sets, and E_1 and E_2 are the interaction relation sets of the test network flows.
Any network flow is represented as f = [sa, da], where sa is the source port and da is the destination port. The m network flows acquired over several time intervals can then be represented as a network flow time series set F = [f_1, f_2, …, f_m]. For two network flows f_i and f_j occurring at times t_i and t_j (t_i < t_j), if t_j ∈ [t_i, t_i + Δt] then f_i is said to have an interaction relationship with f_j, i.e. a directed connection is established from network flow f_i to f_j; otherwise no relationship exists. The network flow time series F is thus converted into a complex network g = (V, E), where v ∈ V represents a network flow node, e ∈ E represents the interaction relationship between two network flows, and the direction of a network edge e = (v_i, v_j) indicates that flow v_i triggers flow v_j, or equivalently that flow v_j depends on flow v_i.
S30 specifically comprises the following steps:
s31, constructing a training center containing samples in a network, and configuring test models with the same network topology structure on network attack detection equipment and the training center;
s32, collecting network connection data in a target network by the network attack detection equipment, providing a training sample for a training center, then learning the training sample by the training center, realizing training of test model parameters, and transmitting the trained test model parameters to the network attack detection equipment;
s33, the network attack detection equipment utilizes the model parameters to carry out parameter configuration on the test model, thereby realizing network attack detection on the target network.
S40, using different attack types to attack the test model in turn, capturing a network flow sequence at a time interval ΔT, and after time periods T_1 and T_2 have elapsed, obtaining attack data g_1k' = (V_1k', E_1k') and g_2k' = (V_2k', E_2k') respectively, where V_1k' and V_2k' are the attack network flow node sets corresponding to the different attack types, E_1k' and E_2k' are the interaction relation sets of the attack network flows corresponding to the different attack types, and k is the total number of attack types; the network attack shortest path threshold values are then calculated using the attack data. It should be noted that after each attack the parameters of the test model need to be reset and the state of the test model before the attack restored before the next attack is performed.
S41, setting attack type labels, identifying the attack type from the obtained log information, and marking the corresponding attack behaviour with its attack type label; the attack type labels comprise industrial control worm attack, logic bomb attack, Levovirus attack, replay attack, DDoS attack and IO hijacking attack, and since different attack type labels correspond to the different attack types, k takes the values 1 to 6.
S42, calculating, for the target network under each attack type, the first network attack shortest path SPL_1k after time period T_1 and the second network attack shortest path SPL_2k after time period T_2 (T_2 > T_1); SPL_1k and SPL_2k are calculated by the following formula. In the present embodiment T_1 may be taken as 10ΔT and T_2 as 12ΔT.
[Formula image SMS_2 (SPL_1k and SPL_2k), not reproduced on the page]
where d(v_i, v_j) is the shortest distance between any one node pair in the network flow node set, n is the number of node pairs, n = |V|(|V| - 1)/2, and |V| is the number of network flow nodes corresponding to the given time period.
The shortest distance d(v_i, v_j) between 2 nodes (1 node pair) can be solved using the Floyd-Warshall algorithm; the Floyd algorithm comprises the following specific steps:
(1) Initializing: initialize the distances between all nodes to infinity, and initialize the distance of the source node v_i to itself to 0.
(2) Updating: starting from the source node v_i, update the shortest paths from v_i to the other nodes at each step.
(3) Iteration: repeat the above steps until all nodes have been updated, obtaining the shortest distance d(v_i, v_j) between any 2 nodes.
Calculating the shortest distance between any two nodes with the Floyd algorithm is prior art; the algorithm can be implemented in C, C++, Matlab and the like, and is not repeated here.
When calculating SPL_1k, d(v_i, v_j) is solved with the Floyd algorithm on the corresponding attack data g_1k', and the corresponding number of node pairs is n = |V_1k'|(|V_1k'| - 1)/2. Similarly, when calculating SPL_2k, d(v_i, v_j) is solved with the Floyd algorithm on the corresponding attack data g_2k', and the corresponding number of node pairs is n = |V_2k'|(|V_2k'| - 1)/2.
Specifically, for example, attack type one (industrial control worm attack) is used to attack the test model constructed from the target network; after time period T_1, g_11' = (V_11', E_11') is obtained, and after time period T_2, g_21' = (V_21', E_21') is obtained. The first network shortest path SPL_11 is calculated as:
[Formula image SMS_3 (SPL_11), not reproduced on the page]
where d(v_i, v_j) is solved with the Floyd algorithm on the corresponding attack data g_11', and n = |V_11'|(|V_11'| - 1)/2.
The second network shortest path SPL_21 is calculated as:
[Formula image SMS_4 (SPL_21), not reproduced on the page]
where d(v_i, v_j) is solved with the Floyd algorithm on the corresponding attack data g_21', and n = |V_21'|(|V_21'| - 1)/2.
The same is done to obtain SPL_12 to SPL_1k and SPL_22 to SPL_2k.
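The following Python is an added worked example, not the patent's own code, of the pipeline from step S30 through S42: it turns a captured flow time series into the directed interaction graph (edge f_i → f_j when t_i < t_j ≤ t_i + Δt), runs the standard triple-loop Floyd-Warshall all-pairs computation, and averages d(v_i, v_j) over the n = |V|(|V| - 1)/2 unordered node pairs, as the glossary's "average shortest path" states. Two details the page leaves open are filled in as labelled assumptions: the distance of an unordered pair is the shorter of its two directions, and a pair unreachable in both directions is charged |V| hops (longer than any real path) so that a fragmented graph, which the text says an attack can produce, yields a large rather than undefined SPL. The flow timestamps are constructed.

```python
"""Flow time series -> interaction graph -> Floyd-Warshall -> average shortest path
length (SPL). Added example; the unreachable-pair policy is an assumption."""
from typing import List, Optional, Sequence, Tuple

INF = float("inf")


def build_flow_graph(times: Sequence[float], delta_t: float) -> List[Tuple[int, int]]:
    """S30: directed edge i -> j when t_i < t_j and t_j lies in [t_i, t_i + delta_t].
    times[i] is the timestamp at which flow f_i was observed."""
    edges = []
    for i, ti in enumerate(times):
        for j, tj in enumerate(times):
            if ti < tj <= ti + delta_t:
                edges.append((i, j))
    return edges


def floyd_warshall(n: int, edges: Sequence[Tuple[int, int]]) -> List[List[float]]:
    """All-pairs shortest hop count on a directed, unit-weight graph of n nodes.
    Distances start at infinity, each node is 0 from itself, then every
    intermediate node k is tried for every (i, j) pair."""
    d = [[INF] * n for _ in range(n)]
    for v in range(n):
        d[v][v] = 0.0
    for i, j in edges:
        d[i][j] = 1.0
    for k in range(n):
        dk = d[k]
        for i in range(n):
            dik = d[i][k]
            if dik == INF:
                continue
            di = d[i]
            for j in range(n):
                if dik + dk[j] < di[j]:
                    di[j] = dik + dk[j]
    return d


def average_shortest_path(n: int, dist: List[List[float]],
                          unreachable_cost: Optional[float] = None) -> Tuple[float, int]:
    """SPL = (1/n_pairs) * sum of d(v_i, v_j) over the n_pairs = n(n-1)/2 unordered pairs.
    Assumption: d for an unordered pair is the shorter direction; a pair unreachable in
    both directions costs `unreachable_cost` (default n). Returns (SPL, unreachable pairs)."""
    if n < 2:
        raise ValueError("SPL needs at least two flow nodes")
    cap = float(n) if unreachable_cost is None else float(unreachable_cost)
    total, unreachable = 0.0, 0
    for i in range(n):
        for j in range(i + 1, n):
            dij = min(dist[i][j], dist[j][i])
            if dij == INF:
                dij = cap
                unreachable += 1
            total += dij
    return total / (n * (n - 1) // 2), unreachable


def spl_from_times(times: Sequence[float], delta_t: float,
                   unreachable_cost: Optional[float] = None) -> Tuple[float, int]:
    """Convenience wrapper: capture timestamps -> (SPL, number of unreachable pairs)."""
    edges = build_flow_graph(times, delta_t)
    dist = floyd_warshall(len(times), edges)
    return average_shortest_path(len(times), dist, unreachable_cost)


# Constructed capture: five flows; the last one is isolated (no flow within delta_t).
FLOW_TIMES = [0.0, 0.5, 1.2, 2.0, 5.0]
DELTA_T = 1.0

if __name__ == "__main__":
    print(build_flow_graph(FLOW_TIMES, DELTA_T))   # [(0, 1), (1, 2), (2, 3)]
    print(spl_from_times(FLOW_TIMES, DELTA_T))     # (3.0, 4)
```

On the constructed capture the four flows f_1..f_4 form a chain with pair distances summing to 10, and the isolated fifth flow leaves four unreachable pairs; with the default cap of |V| = 5 per unreachable pair the SPL is (10 + 20)/10 = 3.0, while the same chain without the isolated flow gives 10/6 ≈ 1.67. Whatever policy is chosen for unreachable pairs, it must be applied identically when computing SPL_1k/SPL_2k from attack data and SPL_1/SPL_2 from detection data, or the threshold comparison in S52 is meaningless.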
A malicious attack targets specific central nodes in a network and causes related nodes and links to fail, so even a very small degree of malicious attack can change the network topology structure greatly: the original traffic transmission paths or communication paths change, and the relevant optimal transmission paths grow longer or even become unreachable. Thus, in general, under a malicious attack the shortest path and the network diameter of a complex network will first increase and then decrease rapidly. Accordingly, a decision threshold for network shortest path anomalies can be set.
S43, calculating the maximum threshold SPL_max and the minimum threshold SPL_min of the network attack shortest path:
SPL_max = λ_1 SPL_11 + λ_2 SPL_12 + … + λ_k SPL_1k
SPL_min = λ_1 SPL_21 + λ_2 SPL_22 + … + λ_k SPL_2k
where λ_k is the attack factor of each attack type; for example, λ_1 is the industrial control worm attack factor, λ_2 the logic bomb attack factor, λ_3 the Levovirus attack factor, λ_4 the replay attack factor, λ_5 the DDoS attack factor, and λ_6 the IO hijacking attack factor.
S50, carrying out network path anomaly analysis on the detection data by utilizing a network attack shortest path threshold value to obtain a network path anomaly score.
S51, calculating the first network shortest path SPL_1 and the second network shortest path SPL_2 of the detection data using the formula of S42; likewise, when calculating SPL_1, d(v_i, v_j) is solved with the Floyd algorithm on the corresponding detection data g_1 and the corresponding number of node pairs is n = |V_1|(|V_1| - 1)/2; when calculating SPL_2, d(v_i, v_j) is solved with the Floyd algorithm on the corresponding detection data g_2 and the corresponding number of node pairs is n = |V_2|(|V_2| - 1)/2.
S52, when SPL_1 > SPL_max after T_1 and SPL_2 < SPL_min after T_2, judging that the target network is under malicious attack and setting the network path anomaly score P_L = 3; otherwise, judging that the target network is not under malicious attack and setting the network path anomaly score P_L = 9.
And S60, calculating a comprehensive score of the target network through the network flow anomaly score and the network path anomaly score, and comprehensively evaluating the vulnerability of the network topology structure of the target network.
S61, calculating the target network comprehensive score $P = \alpha P_Q + \beta P_L$, wherein $\alpha$ is the influence factor of network flow anomaly, $\beta$ is the influence factor of network path anomaly, $\alpha > 0$, $\beta > 0$, and $\alpha + \beta = 1$;
S62, when $P < 4$, the vulnerability grade of the network structure of the target network is dangerous, meaning that the network topology structure is seriously affected, a large number of serious attack behaviours are found, and serious security vulnerabilities exist; when $4 \le P \le 7$, the vulnerability grade is medium, meaning that the network topology structure is affected to a certain extent, attack behaviours exist, and certain security vulnerabilities exist; when $7 < P \le 8.5$, the vulnerability grade is good, meaning that the network topology structure is slightly affected, a small number of attack behaviours exist, and a small number of security vulnerabilities exist; when $P > 8.5$, the vulnerability grade is excellent, meaning that the network operates normally, there is no obvious attack, and almost no security vulnerability exists.
S70, outputting a vulnerability analysis result of the network topology structure of the target network and corresponding suggestions.
The vulnerability analysis results are shown in the following table (figure SMS_5; the table image is not reproduced on this page):
When the vulnerability grade of the network topology of the target network is dangerous, it is recommended to optimize the current network topology, for example by changing a ring topology to a star topology, or by creating a combined topology.
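The following is an added worked example of the scoring steps described above (S42/S43 and S51/S52 for the path anomaly score, S22/S23 for the flow anomaly score, S61/S62 for the composite grade); it is not code from the patent or its applicant. It assumes an undirected, unit-weight flow graph, that an unreachable node pair counts as $|V|$ hops (the patent does not say how unreachable pairs enter the shortest path average), and all sample graphs, attack factors $\lambda_k$, the thresholds $Q_{\min}$/$Q_{\max}$ and the weights $\alpha$/$\beta$ are constructed values, not values given by the patent.

```python
from itertools import combinations
from typing import Dict, Iterable, Mapping, Tuple

INF = float("inf")
FlowGraph = Tuple[frozenset, frozenset]  # (V, E): node set, undirected edge set

def graph(nodes: str, *edges: str) -> FlowGraph:
    """Build (V, E) from a node list such as "a b c" and edges such as "a-b" (sample helper)."""
    pairs = frozenset(tuple(e.split("-")) for e in edges)
    return frozenset(nodes.split()), pairs

def floyd_warshall(nodes: frozenset, edges: Iterable[Tuple[str, str]]) -> Dict[Tuple[str, str], float]:
    """All-pairs shortest distances d(v_i, v_j) with the Floyd algorithm (claim 9).
    Assumption: each observed flow interaction is one undirected unit-weight hop."""
    dist = {(a, b): 0.0 if a == b else INF for a in nodes for b in nodes}
    for a, b in edges:
        dist[(a, b)] = dist[(b, a)] = 1.0
    for k in nodes:  # relax every (i, j) through intermediate node k
        for i in nodes:
            d_ik = dist[(i, k)]
            if d_ik == INF:
                continue
            for j in nodes:
                if d_ik + dist[(k, j)] < dist[(i, j)]:
                    dist[(i, j)] = d_ik + dist[(k, j)]
    return dist

def average_spl(g: FlowGraph) -> float:
    """SPL: mean of d(v_i, v_j) over the n = |V|(|V|-1)/2 node pairs (S42).
    Assumption: an unreachable pair counts as |V| hops, one more than any real
    path, so a severed link raises SPL instead of making it infinite."""
    nodes, edges = g
    dist = floyd_warshall(nodes, edges)
    n = len(nodes) * (len(nodes) - 1) // 2
    total = sum(len(nodes) if dist[(a, b)] == INF else dist[(a, b)]
                for a, b in combinations(sorted(nodes), 2))
    return total / n

def spl_threshold(spl_by_type: Mapping[str, float], factors: Mapping[str, float]) -> float:
    """S43: SPL_max (or SPL_min) = sum over attack types k of lambda_k * SPL_k."""
    return sum(factors[k] * spl for k, spl in spl_by_type.items())

def path_anomaly_score(spl_1: float, spl_2: float, spl_max: float, spl_min: float) -> int:
    """S52: P_L = 3 when SPL_1 > SPL_max after T_1 and SPL_2 < SPL_min after T_2, else 9."""
    return 3 if spl_1 > spl_max and spl_2 < spl_min else 9

def flow_anomaly_score(m_1: int, m_2: int, q_min: float, q_max: float) -> int:
    """S22/S23: Q = m_2 / (m_1 + m_2); P_Q = 8 below Q_min, 6 up to Q_max, 4 above."""
    q = m_2 / (m_1 + m_2)
    if q < q_min:
        return 8
    return 6 if q <= q_max else 4

def composite_score(p_q: int, p_l: int, alpha: float, beta: float) -> float:
    """S61: P = alpha * P_Q + beta * P_L with alpha, beta > 0 and alpha + beta = 1."""
    if not (alpha > 0 and beta > 0 and abs(alpha + beta - 1.0) < 1e-9):
        raise ValueError("alpha and beta must be positive and sum to 1")
    return alpha * p_q + beta * p_l

def vulnerability_grade(p: float) -> str:
    """S62 bands: P < 4 dangerous, 4 <= P <= 7 medium, 7 < P <= 8.5 good, P > 8.5 excellent."""
    if p < 4:
        return "dangerous"
    if p <= 7:
        return "medium"
    return "good" if p <= 8.5 else "excellent"

# Constructed sample data. ATTACK_DATA[k] = (g'_1k, g'_2k): the test model's flow
# graph captured after T_1 and T_2 while under attack type k (S40). The attack
# factors lambda_k are illustrative weights, not values given by the patent.
RING6 = graph("a b c d e f", "a-b", "b-c", "c-d", "d-e", "e-f", "f-a")  # SPL 1.8
STAR6 = graph("h a b c d e", "h-a", "h-b", "h-c", "h-d", "h-e")         # SPL 5/3
STAR4 = graph("a b c d", "a-b", "a-c", "a-d")                           # SPL 1.5
K4 = graph("a b c d", "a-b", "a-c", "a-d", "b-c", "b-d", "c-d")         # SPL 1.0
ATTACK_DATA = {"ddos": (RING6, STAR4), "replay": (STAR6, K4)}
ATTACK_FACTORS = {"ddos": 0.6, "replay": 0.4}
# Detection data (g_1, g_2) for two target networks: one where node f is cut
# off after T_1 and the graph then collapses, one that keeps its shape.
DETECTION_UNDER_ATTACK = (graph("a b c d e f", "a-b", "b-c", "c-d", "d-e"), K4)
DETECTION_HEALTHY = (STAR6, RING6)

def evaluate(detection: Tuple[FlowGraph, FlowGraph], m_1: int, m_2: int,
             alpha: float = 0.3, beta: float = 0.7) -> Dict[str, object]:
    """Run S43, S51/S52, S22/S23 and S61/S62 for one target network and return
    every intermediate value. Q_min/Q_max and alpha/beta are constructed."""
    spl_max = spl_threshold({k: average_spl(g1) for k, (g1, _) in ATTACK_DATA.items()}, ATTACK_FACTORS)
    spl_min = spl_threshold({k: average_spl(g2) for k, (_, g2) in ATTACK_DATA.items()}, ATTACK_FACTORS)
    spl_1, spl_2 = (average_spl(g) for g in detection)
    p_l = path_anomaly_score(spl_1, spl_2, spl_max, spl_min)
    p_q = flow_anomaly_score(m_1, m_2, q_min=0.02, q_max=0.10)
    p = composite_score(p_q, p_l, alpha, beta)
    return {"SPL_max": spl_max, "SPL_min": spl_min, "SPL_1": spl_1, "SPL_2": spl_2,
            "P_L": p_l, "P_Q": p_q, "P": p, "grade": vulnerability_grade(p)}

if __name__ == "__main__":
    print("under attack:", evaluate(DETECTION_UNDER_ATTACK, m_1=9500, m_2=500))
    print("healthy:     ", evaluate(DETECTION_HEALTHY, m_1=9900, m_2=100))
```

For the constructed attacked network the thresholds come out as $SPL_{\max} \approx 1.747$ and $SPL_{\min} = 1.3$; the severed node drives $SPL_1$ to $10/3$ and the later collapse to a 4-node clique gives $SPL_2 = 1.0$, so both conditions of S52 hold, $P_L = 3$, and with $P_Q = 6$ the composite score $P = 3.9$ falls in the dangerous band. The healthy network satisfies neither condition and is graded excellent. The unreachable-pair rule is the point to check against one's own data: if unreachable pairs were simply dropped from the average, a partition would lower SPL and could mask exactly the "unreachable path" case the description warns about.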
Referring to fig. 2, another aspect of the present invention provides a network path analysis system for network security anomaly detection, for implementing the method according to the above embodiment, where the system includes a dyeing module 1, a network flow anomaly analysis module 2, a test simulation module 3, an attack simulation module 4, a network path anomaly analysis module 5, a comprehensive evaluation module 6, and an output module 7, where
The dyeing module 1 is used for dyeing an interface and a link close to a terminal in a target network, and filtering the access flow at a switch close to a platform side according to the flow dyeing value to obtain a normal network flow and a filtered abnormal network flow;
the network flow anomaly analysis module 2 is connected with the dyeing module 1 and is used for carrying out network flow anomaly analysis on the normal network flow and the abnormal network flow to obtain network flow anomaly scores;
the test simulation module 3 is used for setting a test model, detecting network attack on a target network and obtaining detection data;
the attack simulation module 4 is connected with the test simulation module 3 and is used for attacking the test model and obtaining attack data, and calculating a network attack shortest path threshold;
the network path anomaly analysis module 5 is connected with the attack simulation module 4 and is used for carrying out network path anomaly analysis on the detection data to obtain a network path anomaly score;
the comprehensive evaluation module 6 is connected with the network flow anomaly analysis module 2 and the network path anomaly analysis module 5 and is used for calculating the comprehensive score of the target network and comprehensively evaluating the vulnerability of the network topology structure of the target network;
the output module 7 is connected with the comprehensive evaluation module 6 and is used for outputting the network topology vulnerability analysis result and corresponding advice of the target network.
For the working principle and working process of the system, refer to the method embodiment; they are not repeated here.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (10)

1. A network path analysis method for network security anomaly detection, comprising the steps of:
s10, acquiring a network topology structure of a target network, wherein a controller performs dyeing treatment on an interface and a link, which are close to a terminal, in the target network, and performs filtering treatment on access traffic according to traffic dyeing values at a switch, which is close to a platform side, so as to obtain a normal network flow and a filtered abnormal network flow;
s20, carrying out network flow anomaly analysis on the normal network flow and the abnormal network flow to obtain a network flow anomaly score;
s30, setting a test model, detecting network attack on the target network, capturing a network flow sequence at a time interval $\Delta T$, and after time periods $T_1$ and $T_2$ obtaining the detection data $g_1 = (V_1, E_1)$ and $g_2 = (V_2, E_2)$, wherein $T_2 > T_1$, $V_1$ and $V_2$ are the test network flow node sets, and $E_1$ and $E_2$ are the interaction relation sets of the test network flows;
s40, attacking the test model in turn with different attack types, capturing a network flow sequence at a time interval $\Delta T$, and after time periods $T_1$ and $T_2$ respectively obtaining the attack data $g'_{1k} = (V'_{1k}, E'_{1k})$ and $g'_{2k} = (V'_{2k}, E'_{2k})$, wherein $V'_{1k}$ and $V'_{2k}$ are the attack network flow node sets corresponding to the different attack types, $E'_{1k}$ and $E'_{2k}$ are the interaction relation sets of the attack network flows, and $k$ is the total number of attack types; and calculating the network attack shortest path threshold using the attack data;
s50, carrying out network path anomaly analysis on the detection data by utilizing the network attack shortest path threshold value to obtain a network path anomaly score;
s60, calculating a comprehensive score of a target network through the network flow anomaly score and the network path anomaly score, and comprehensively evaluating the vulnerability of a network topology structure of the target network;
and S70, outputting a network topology vulnerability analysis result of the target network and corresponding suggestions.
2. The network path analysis method for network security anomaly detection according to claim 1, wherein S20 further comprises the steps of:
s21, extracting the normal data packets $m_1$ carried by the normal network flow and the abnormal data packets $m_2$ carried by the abnormal network flow;
S22, calculating the abnormal flow ratio $Q = m_2 / (m_1 + m_2)$;
S23, when $Q < Q_{\min}$, the network traffic anomaly score $P_Q$ is 8; when $Q_{\min} \le Q \le Q_{\max}$, $P_Q$ is 6; when $Q > Q_{\max}$, $P_Q$ is 4, where $Q_{\min}$ and $Q_{\max}$ are both flow anomaly determination thresholds.
3. The network path analysis method for network security anomaly detection according to claim 2, wherein S40 further comprises the steps of:
s41, setting an attack type label, identifying the attack type according to the obtained log information, and marking the attack type label on the corresponding attack behavior;
s42, calculating, for the target network under the different attack types, the first network attack shortest path $SPL_{1k}$ after time period $T_1$ and the second network attack shortest path $SPL_{2k}$ after time period $T_2$, $SPL_{1k}$ and $SPL_{2k}$ being calculated by the following formula:
(formula image QLYQS_1, not reproduced on this page)
wherein $d(v_i, v_j)$ represents the shortest distance between any one node pair in the network flow node set, $n$ is the number of node pairs, $n = |V|(|V|-1)/2$, and $|V|$ is the number of network flow nodes corresponding to a certain time period; when calculating $SPL_{1k}$, the corresponding number of node pairs is $n = |V'_{1k}|(|V'_{1k}|-1)/2$; when calculating $SPL_{2k}$, the corresponding number of node pairs is $n = |V'_{2k}|(|V'_{2k}|-1)/2$;
S43, calculating the maximum threshold $SPL_{\max}$ and the minimum threshold $SPL_{\min}$ of the network attack shortest path:
$$SPL_{\max} = \lambda_1 SPL_{11} + \lambda_2 SPL_{12} + \dots + \lambda_k SPL_{1k}$$
$$SPL_{\min} = \lambda_1 SPL_{21} + \lambda_2 SPL_{22} + \dots + \lambda_k SPL_{2k}$$
wherein $\lambda_k$ is the attack factor of the different attack types.
4. The network path analysis method for network security anomaly detection according to claim 3, wherein S50 further comprises the steps of:
s51, calculating a first network shortest path $SPL_1$ and a second network shortest path $SPL_2$ of the detection data according to the formula of S42; when calculating $SPL_1$, the corresponding number of node pairs is $n = |V_1|(|V_1|-1)/2$, and when calculating $SPL_2$, the corresponding number of node pairs is $n = |V_2|(|V_2|-1)/2$;
S52, when $SPL_1 > SPL_{\max}$ after $T_1$ and $SPL_2 < SPL_{\min}$ after $T_2$, judging that the target network is under malicious attack and setting the network path anomaly score $P_L = 3$; otherwise, judging that the target network is not under malicious attack and setting the network path anomaly score $P_L = 9$.
5. The network path analysis method for network security anomaly detection of claim 4, wherein S60 further comprises the steps of:
s61, calculating the target network comprehensive score $P = \alpha P_Q + \beta P_L$, wherein $\alpha$ is the influence factor of network flow anomaly, $\beta$ is the influence factor of network path anomaly, $\alpha > 0$, $\beta > 0$, and $\alpha + \beta = 1$;
s62, when P is less than 4, the vulnerability grade of the network topology structure of the target network is dangerous; when P is more than or equal to 4 and less than or equal to 7, the vulnerability grade of the network topology structure of the target network is medium; when P is more than 7 and less than or equal to 8.5, the vulnerability grade of the network topology structure of the target network is good; when P is more than 8.5, the vulnerability level of the network structure of the target network is excellent.
6. The network path analysis method for network security anomaly detection according to claim 1, wherein in step S40, the test model parameters are required to be reset after each attack, and the next attack is performed after the test model state before the attack is restored.
7. The network path analysis method for network security anomaly detection according to claim 3, wherein the attack type tags include industrial control worm attacks, logic bomb attacks, ransomware attacks, replay attacks, DDoS attacks and IO hijacking attacks.
8. The network path analysis method for network security anomaly detection according to claim 1, wherein the step S30 specifically comprises the steps of:
s31, constructing a training center containing samples in a network, and configuring test models with the same network topology structure on network attack detection equipment and the training center;
s32, collecting network connection data in a target network by the network attack detection equipment, providing a training sample for a training center, then learning the training sample by the training center, realizing training of test model parameters, and transmitting the trained test model parameters to the network attack detection equipment;
s33, the network attack detection equipment utilizes the model parameters to carry out parameter configuration on the test model, thereby realizing network attack detection on the target network.
9. The network path analysis method for network security anomaly detection according to claim 3, wherein $d(v_i, v_j)$ is calculated using the Floyd algorithm:
(1) Initializing: initializing the distances between all nodes to infinity, and initializing the distance of the source node $v_i$ to itself to 0;
(2) Updating: starting from the source node $v_i$, updating the shortest paths from the source node $v_i$ to the other nodes at each update;
(3) Iterating: repeating the above steps until all nodes have been updated, obtaining the shortest distance $d(v_i, v_j)$ between any 2 nodes.
10. A network path analysis system for network security anomaly detection, for implementing the method according to any one of the preceding claims 1-9, characterized by comprising a dyeing module (1), a network flow anomaly analysis module (2), a test simulation module (3), an attack simulation module (4), a network path anomaly analysis module (5), a comprehensive evaluation module (6) and an output module (7);
the dyeing module (1) is used for dyeing an interface and a link close to a terminal in a target network, and filtering the access flow at a switch close to a platform side according to the flow dyeing value to obtain a normal network flow and a filtered abnormal network flow;
the network flow anomaly analysis module (2) is connected with the dyeing module (1) and is used for carrying out network flow anomaly analysis on the normal network flow and the abnormal network flow to obtain a network flow anomaly score;
the test simulation module (3) is used for setting a test model, detecting network attack on a target network and obtaining detection data;
the attack simulation module (4) is connected with the test simulation module (3) and is used for attacking the test model and obtaining attack data, and calculating a network attack shortest path threshold;
the network path anomaly analysis module (5) is connected with the attack simulation module (4) and is used for carrying out network path anomaly analysis on the detection data to obtain a network path anomaly score;
the comprehensive evaluation module (6) is connected with the network flow anomaly analysis module (2) and the network path anomaly analysis module (5) and is used for calculating the comprehensive score of the target network and comprehensively evaluating the vulnerability of the network topology structure of the target network;
the output module (7) is connected with the comprehensive evaluation module (6) and is used for outputting the network topology vulnerability analysis result and corresponding advice of the target network.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310512022.5A CN116232774B (en) 2023-05-09 2023-05-09 Network path analysis system and method for network security anomaly detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310512022.5A CN116232774B (en) 2023-05-09 2023-05-09 Network path analysis system and method for network security anomaly detection

Publications (2)

Publication Number Publication Date
CN116232774A true CN116232774A (en) 2023-06-06
CN116232774B CN116232774B (en) 2023-07-07

Family

ID=86584726

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310512022.5A Active CN116232774B (en) 2023-05-09 2023-05-09 Network path analysis system and method for network security anomaly detection

Country Status (1)

Country Link
CN (1) CN116232774B (en)


Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140156826A1 (en) * 2012-11-30 2014-06-05 International Business Machines Corporation Parallel Top-K Simple Shortest Paths Discovery
CN105991521A (en) * 2015-01-30 2016-10-05 阿里巴巴集团控股有限公司 Network risk assessment method and network risk assessment device
CN107135159A (en) * 2017-03-31 2017-09-05 武汉绿色网络信息服务有限责任公司 The method and system that optimal path is determined in a kind of SDN
US20190034254A1 (en) * 2017-07-31 2019-01-31 Cisco Technology, Inc. Application-based network anomaly management
CN107566369A (en) * 2017-09-05 2018-01-09 中国南方电网有限责任公司超高压输电公司 A kind of industry control information system information security isolation and defence efficiency evaluation method
CN113408609A (en) * 2021-06-17 2021-09-17 武汉卓尔信息科技有限公司 Network attack detection method and system
CN114553475A (en) * 2022-01-10 2022-05-27 国网浙江省电力有限公司杭州供电公司 Network attack detection method based on network flow attribute directed topology
CN114978584A (en) * 2022-04-12 2022-08-30 深圳市蔚壹科技有限公司 Network security protection safety method and system based on unit cell
CN115719186A (en) * 2022-12-08 2023-02-28 山东大学 Regional traffic network toughness assessment method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陶丽颖 (Tao Liying): "Design and Development of a Network Path Anomaly Detection Tool", Information Science and Technology Series (《信息科技辑》) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116938683A (en) * 2023-09-15 2023-10-24 金盾检测技术股份有限公司 Network path analysis system and method based on network security anomaly detection
CN116938683B (en) * 2023-09-15 2023-12-01 金盾检测技术股份有限公司 Network path analysis system and method based on network security anomaly detection
CN117118849A (en) * 2023-09-29 2023-11-24 江苏首捷智能设备有限公司 Gateway system of Internet of things and implementation method
CN117118849B (en) * 2023-09-29 2024-02-20 江苏首捷智能设备有限公司 Gateway system of Internet of things and implementation method
CN117119460A (en) * 2023-10-23 2023-11-24 西安航空学院 Industrial Internet network security detection system and method based on cloud computing
CN117119460B (en) * 2023-10-23 2024-02-02 西安航空学院 Industrial Internet network security detection system and method based on cloud computing
CN117459328A (en) * 2023-12-26 2024-01-26 广州森弘信息科技有限公司 Network path analysis system and method based on network security anomaly detection
CN117459328B (en) * 2023-12-26 2024-03-22 广州森弘信息科技有限公司 Network path analysis system and method based on network security anomaly detection

Also Published As

Publication number Publication date
CN116232774B (en) 2023-07-07

Similar Documents

Publication Publication Date Title
CN116232774B (en) Network path analysis system and method for network security anomaly detection
CN110225008B (en) SDN network state consistency verification method in cloud environment
Braga et al. Lightweight DDoS flooding attack detection using NOX/OpenFlow
CN108632269B (en) Distributed denial of service attack detection method based on C4.5 decision tree algorithm
CN107040517B (en) Cognitive intrusion detection method oriented to cloud computing environment
Lee et al. Detection of DDoS attacks using optimized traffic matrix
KR101323074B1 (en) Intelligence network anomaly detection using a type ⅱ fuzzy neural network
CN109167798B (en) Household Internet of things device DDoS detection method based on machine learning
Le et al. Data analytics on network traffic flows for botnet behaviour detection
CN106612289A (en) Network collaborative abnormality detection method based on SDN
CN107819633B (en) Method for rapidly discovering and processing network fault
CN109274673A A network traffic anomaly detection and defense method
Khashab et al. DDoS attack detection and mitigation in SDN using machine learning
CN111181971B (en) System for automatically detecting industrial network attack
Wu et al. Network anomaly detection using time series analysis
CN112422556B (en) Internet of things terminal trust model construction method and system
KR102083028B1 (en) System for detecting network intrusion
CN111294342A (en) Method and system for detecting DDos attack in software defined network
Zhao Network intrusion detection system model based on data mining
Wang et al. Botnet detection using social graph analysis
KR100950079B1 (en) Network abnormal state detection device using HMM (Hidden Markov Model) and method thereof
Tan et al. DDoS detection method based on Gini impurity and random forest in SDN environment
CN112291226B (en) Method and device for detecting abnormity of network flow
Das et al. Flood control: Tcp-syn flood detection for software-defined networks using openflow port statistics
Erdenebaatar et al. Analyzing traffic characteristics of instant messaging applications on android smartphones

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant