CN116366277A - Network security situation assessment method for information fusion - Google Patents

Info

Publication number: CN116366277A
Application number: CN202211565221.4A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending
Prior art keywords: data, network, information, security, module
Inventors: 鲁学仲, 王庆鹏, 杨雪慧, 靳扬, 包坚
Assignee (original and current): State Grid Xinjiang Electric Power Corporation Information & Telecommunication Co., Ltd.

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/065 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis involving logical or physical relationship, e.g. grouping and hierarchies
    • Y04S10/00 Systems supporting electrical power generation, transmission or distribution
    • Y04S10/50 Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications

Abstract

The invention discloses a network security situation assessment method based on information fusion, which can correlate, synthesize and perform situation analysis on the collected security data, thereby obtaining the parameters of problem data and the data related to the problem data. The steps of the method are: first, establish a network security situation assessment model; second, collect network security event information; third, preprocess the security data; fourth, the information fusion analysis module performs fusion analysis on the collected security data; fifth, the network security situation analysis module fuses the problem data with the security information and obtains the current network security assessment data by quantification; finally, when the network threat index falls below a set threshold, alarm mode is started and the address of the fault data is located and displayed.

Description

A network security situation assessment method based on information fusion

Technical field

The invention relates to the field of network information security, and more specifically to a network security situation assessment method based on information fusion.

Background

With the development of science and technology, networks have been rooted in people's lives for many years. Networks have changed the way people live and made some tasks simpler; like a net, they connect the world. But a network has more than one endpoint, and the flow of information through it is hard to conceal. Although encryption methods give transmissions a certain degree of privacy, some attackers still maliciously intercept information, or even maliciously access websites and bring them down. Being able to assess how secure a network operating environment is therefore an urgent problem. Within network security situation assessment technology, threat assessment by information fusion is a key technique in the field of network information security.

Network security situation assessment techniques have also emerged one after another in recent years. Patent CN201811291094.7 describes collecting indicator information from the nodes and links of a network, computing the node and link situation from the node data loss rate and the link transmission delay, congestion rate and loss rate, and from these measuring the network security situation. However, the node situation is often too coarse, and pinpointing the specific threatened location and cause still takes additional time. How to assess the network security situation with high quality is the problem this invention addresses.

Summary of the invention

In view of the above problems, the invention discloses a network security situation assessment method based on information fusion, which can correlate, synthesize and perform situation analysis on the collected security data, obtaining the parameters of problem data and the data related to it.

To achieve the above technical effect, the invention adopts the following technical scheme:

A network security situation assessment method based on information fusion, with the following assessment steps:

S1: establish a network security situation assessment model; the model is used to analyze the working state of servers, trace the source of problem information, and raise alarms on problem information;

S2: the server information extraction module collects network security event information; collection is continuous, constantly gathering new network security data and server security data;

S3: preprocess the collected security data to integrate, transform and reduce the multi-source security data;

S4: the information fusion analysis module performs fusion analysis on the collected security data: a temporal logic model searches the security data for the causes of security problems; the association analysis module, based on the causes found, describes and analyzes the causal relationships of the security problems with a causal association algorithm; the data correlation module performs multi-level distributed mining on the security data to determine the state of, and the identity relationships between, the security data; the estimation synthesis module uses a likelihood-fuzzy algorithm to estimate the problem features of the network security information and the data associated with the problems;

S5: the network security situation analysis module fuses the problem data with the security information and obtains the current network security assessment data by quantification;

S6: when the network threat index is below a set threshold, the problem pre-alarm module enters alarm mode and locates and displays the address of the problem data.

As a further aspect of the invention, the security assessment data presents the network threat index, the problem data, and the data associated with the problem data.

As a further aspect of the invention, security data preprocessing calibrates and normalizes the data through algorithms at different levels, and performs preliminary fusion on the standardized data.

As a further aspect of the invention, situation analysis processes and computes the base-level data among server, network and user with a fusion-assessment algorithm to assess the upper-level network security situation.

As a further aspect of the invention, the network security situation assessment model comprises a server information extraction module, a data preprocessing module, an information fusion analysis module, a network security situation analysis module and a problem pre-alarm module; the server information extraction module is connected to the data preprocessing module, the data preprocessing module to the information fusion analysis module, the information fusion analysis module to the network security situation analysis module, and the network security situation analysis module to the problem pre-alarm module.

As a further aspect of the invention, the problem alarm module comprises a red marking unit, a data location tracking unit, a data comparison unit and a priority control unit, and is implemented in network system code.

As a further aspect of the invention, a clustering PageRank algorithm is used to assess the security situation in the network; its assessment steps are as follows:

S71: establish the sample mean set of the network information

Randomly sample network information data as a sample set, defined as X = {x_1, x_2, x_3 ... x_n}; define the center data set of each class of data in the random sample set as V = (v_1, v_2, v_3 ... v_k); define u_c as the probability that sample data x_n belongs to center data v_k. The objective function for fuzzy clustering of the network information data is:

[Figure BDA0003985897820000031: formula (1), given only as an image in the original]

In formula (1), m is the fuzzy partition parameter; [Figure BDA0003985897820000032] denotes the probability, under fuzzy partition parameter m, that data x_i of the same class of network information sample data belongs to center data v_k; d_ik denotes the Euclidean distance from same-class sample data x_i to center data v_k; n is the number of samples; k is the number of center data; i is the i-th subset of the sample set, with i ∈ [1, n]; y is the y-th subset of the center data set, with y ∈ [1, k]; G(u, v) denotes the objective function, which takes the probability values and the center data as its base;

S72: update the Euclidean distance between the center data and the sample data of each class

The relationship between the Euclidean distance and the probability value for each class of data is given by formula (2):

[Figure BDA0003985897820000033: formula (2), given only as an image in the original]

In formula (2), u_ik denotes the probability that data x_i belongs to center data v_k; [Figure BDA0003985897820000034] denotes the Euclidean distance from sample data x_i to center data v_k at the center value of the fuzzy partition parameter. Continually updating the Euclidean distance (probability value) between the center data and the sample data of each class lets the objective function keep narrowing the search range over the network information, so that each class of network information is optimally partitioned;

S73: measure the information security of each optimized class of network information

The clustering PageRank algorithm measures and evaluates the security of the network information with the formula:

[Figure BDA0003985897820000035: formula (3), given only as an image in the original]

In formula (3), a denotes the security parameter and b the threat parameter; N_a is the set of all network information having security parameter a, and K_b is the set of all network information having threat parameter b; P(a) denotes the network security index and P(b) the network threat index. The larger the network security index, the better the information security situation of the corresponding class; otherwise the corresponding class of network information is increasingly at risk and must be handled promptly.

The beneficial effects of the invention are:

Unlike conventional techniques, the invention analyzes the network security threat situation through information fusion and computes a quantified assessment of it. In the information fusion analysis module, the causal association algorithm and the likelihood-fuzzy algorithm analyze the problem data within the security data and mine the other data related to it; the network security situation analysis module, by computing on and analyzing the problem data, presents the network threat index, the problem data, and the data associated with the problem data. The invention assesses the network security threat situation with high quality and directly displays the address of the problem data.

Description of the drawings

To describe the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort. In the drawings:

Fig. 1 shows the step diagram of the information-fusion network security situation assessment method of the invention;

Fig. 2 shows the network security situation analysis diagram of the invention;

Fig. 3 shows the frequency values of the input network signal of the invention;

Fig. 4 shows the characteristics of the problem signal detected by the traditional network situation assessment method;

Fig. 5 shows the characteristics of the problem signal detected by the information-fusion network situation assessment method of the invention.

Detailed description

Preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the embodiments described here serve only to illustrate and explain the invention and do not limit it;

In a specific embodiment, as shown in Figs. 1 to 5, a network security situation assessment method based on information fusion uses the following steps:

S1: establish a network security situation assessment model; the model is used to analyze the working state of servers, trace the source of problem information, and raise alarms on problem information;

S2: the server information extraction module collects network security event information; collection is continuous, constantly gathering new network security data and server security data;

S3: preprocess the collected security data to integrate, transform and reduce the multi-source security data;

S4: the information fusion analysis module performs fusion analysis on the collected security data: a temporal logic model searches the security data for the causes of security problems; the association analysis module, based on the causes found, describes and analyzes the causal relationships of the security problems with a causal association algorithm; the data correlation module performs multi-level distributed mining on the security data to determine the state of, and the identity relationships between, the security data; the estimation synthesis module uses a likelihood-fuzzy algorithm to estimate the problem features of the network security information and the data associated with the problems;

S5: the network security situation analysis module fuses the problem data with the security information and obtains the current network security assessment data by quantification. In the invention, the analysis of network threat data is divided into two steps: first, the problem data are classified according to their problem features, and the threat index of each class of problem is computed from the problem data; second, the threat indices of the classes are aggregated to obtain the overall network threat index.

S6: when the network threat index is below a set threshold, the problem pre-alarm module enters alarm mode and locates and displays the address of the problem data. In the invention, to manage and control network threat events, the computed network threat index is graded. According to the computed network threat index, network threats are divided into five levels, "excellent, good, medium, poor, critical"; when the network threat index is greater than or equal to 6, the alarm module starts.

In a specific embodiment, the security assessment data presents the network threat index, the problem data, and the data associated with the problem data.

In a specific embodiment, security data preprocessing calibrates and normalizes the data through algorithms at different levels, and performs preliminary fusion on the standardized data.

In a specific embodiment, situation analysis processes and computes the base-level data among server, network and user with a fusion-assessment algorithm to assess the upper-level network security situation.

In a specific embodiment, the network security situation assessment model comprises a server information extraction module, a data preprocessing module, an information fusion analysis module, a network security situation analysis module and a problem pre-alarm module; the server information extraction module is connected to the data preprocessing module, the data preprocessing module to the information fusion analysis module, the information fusion analysis module to the network security situation analysis module, and the network security situation analysis module to the problem pre-alarm module.

In a specific embodiment, as a further aspect of the invention, the problem alarm module comprises a red marking unit, a data location tracking unit, a data comparison unit and a priority control unit, and is implemented in network system code. In the invention, the red marking unit displays and marks the problem data, alerting staff that a problem has occurred and network security is threatened; the data location tracking unit tracks the specific location of the problem data in the network, and also the network location of the data related to it; the data comparison unit looks up the network security situation table to check whether the network security situation assessment data are at a safe level; the priority control unit locks the threatened region of the network, at which point handling the warning has the highest priority in the network and no other information can be processed.

In a specific embodiment, the information-fusion network situation assessment technique of the method of the invention is analyzed and verified.

In a specific embodiment, a clustering PageRank algorithm is used to assess the security situation in the network; its assessment steps are as follows:

S71: establish the sample mean set of the network information

Randomly sample network information data as a sample set, defined as X = {x_1, x_2, x_3 ... x_n}; define the center data set of each class of data in the random sample set as V = (v_1, v_2, v_3 ... v_k); define u_c as the probability that sample data x_n belongs to center data v_k. The objective function for fuzzy clustering of the network information data is:

[Figure BDA0003985897820000061: formula (1), given only as an image in the original]

In formula (1), m is the fuzzy partition parameter; [Figure BDA0003985897820000062] denotes the probability, under fuzzy partition parameter m, that data x_i of the same class of network information sample data belongs to center data v_k; d_ik denotes the Euclidean distance from same-class sample data x_i to center data v_k; n is the number of samples; k is the number of center data; i is the i-th subset of the sample set, with i ∈ [1, n]; y is the y-th subset of the center data set, with y ∈ [1, k]; G(u, v) denotes the objective function, which takes the probability values and the center data as its base. In the invention, the objective function for fuzzy clustering of the network information data is the objective function of each class of network information data; by optimizing each class of network information data, the optimization result for each class of network information is obtained.

S72: update the Euclidean distance between the center data and the sample data of each class

The relationship between the Euclidean distance and the probability value for each class of data is given by formula (2):

[Figure BDA0003985897820000071: formula (2), given only as an image in the original]

In formula (2), u_ik denotes the probability that data x_i belongs to center data v_k; [Figure BDA0003985897820000072] denotes the Euclidean distance from sample data x_i to center data v_k at the center value of the fuzzy partition parameter. Continually updating the Euclidean distance (probability value) between the center data and the sample data of each class lets the objective function keep narrowing the search range over the network information, so that each class of network information is optimally partitioned;

S73: measure the information security of each optimized class of network information

The clustering PageRank algorithm measures and evaluates the security of the network information with the formula:

[Figure BDA0003985897820000073: formula (3), given only as an image in the original]

In formula (3), a denotes the security parameter and b the threat parameter; N_a is the set of all network information having security parameter a, and K_b is the set of all network information having threat parameter b; P(a) denotes the network security index and P(b) the network threat index. The larger the network security index, the better the information security situation of the corresponding class; otherwise the corresponding class of network information is increasingly at risk and must be handled promptly. The invention computes the security index of the optimized network information with the clustering PageRank algorithm, where P(a) ∈ [1, 10]; only when the security index P(a) is greater than or equal to 8 is the network information concerned considered secure and safe to rely on.
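Steps S71 and S72 above (in both the summary and this embodiment) describe fuzzy clustering of the sampled network information: an objective function G(u, v) with fuzzy partition parameter m, memberships u_ik and Euclidean distances d_ik, updated until each class is optimally partitioned. The following added example is not the patent's code; because formulas (1) and (2) appear on this page only as images, it assumes the standard fuzzy c-means forms for them, and the link records it clusters are constructed.

```python
import math

# Constructed sample input (not from the patent): one record per monitored
# link, as (packet loss rate in %, transmission delay in ms).
SAMPLE_RECORDS = [
    (0.2, 18.0), (0.5, 22.0), (0.4, 25.0), (0.3, 20.0),          # healthy links
    (14.0, 310.0), (16.5, 290.0), (15.2, 330.0), (13.8, 305.0),  # degraded links
]


def normalise(records):
    """Step S3-style min-max scaling so that loss rate and delay
    contribute on the same scale to the Euclidean distance d_ik."""
    dim = len(records[0])
    lo = [min(r[j] for r in records) for j in range(dim)]
    hi = [max(r[j] for r in records) for j in range(dim)]
    return [tuple((r[j] - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.0
                  for j in range(dim)) for r in records]


def euclid(a, b):
    """Euclidean distance d_ik between a sample and a centre."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def objective(X, V, U, m):
    """G(u, v) = sum_i sum_k u_ik^m * d_ik^2: the fuzzy partition cost of
    step S71 (assumed standard fuzzy c-means form of formula (1))."""
    return sum(U[i][k] ** m * euclid(X[i], V[k]) ** 2
               for i in range(len(X)) for k in range(len(V)))


def update_memberships(X, V, m):
    """Step S72: recompute u_ik from the distances d_ik (assumed standard
    FCM update for formula (2)).  A sample sitting exactly on a centre
    gets membership 1 there, which avoids a division by zero."""
    U = []
    for x in X:
        d = [euclid(x, v) for v in V]
        if 0.0 in d:
            U.append([1.0 if dk == 0.0 else 0.0 for dk in d])
            continue
        expo = 2.0 / (m - 1.0)
        U.append([1.0 / sum((d[k] / d[j]) ** expo for j in range(len(V)))
                  for k in range(len(V))])
    return U


def update_centres(X, U, m):
    """Move each centre v_k to the u_ik^m-weighted mean of the samples."""
    dim, n, c = len(X[0]), len(X), len(U[0])
    V = []
    for k in range(c):
        w = [U[i][k] ** m for i in range(n)]
        tot = sum(w)
        V.append(tuple(sum(w[i] * X[i][j] for i in range(n)) / tot
                       for j in range(dim)))
    return V


def fuzzy_c_means(X, c, m=2.0, max_iter=100, tol=1e-8):
    """Alternate membership and centre updates until G(u, v) stops
    decreasing.  Initial centres: sample 0, then the sample farthest from
    the centres already chosen (deterministic, no random seed)."""
    V = [X[0]]
    while len(V) < c:
        V.append(max(X, key=lambda x: min(euclid(x, v) for v in V)))
    U = update_memberships(X, V, m)
    G = objective(X, V, U, m)
    for _ in range(max_iter):
        V = update_centres(X, U, m)
        U = update_memberships(X, V, m)
        new_G = objective(X, V, U, m)
        converged = abs(G - new_G) < tol
        G = new_G
        if converged:
            break
    return V, U, G


def cluster_records(records, c=2, m=2.0):
    """Partition raw security records into c classes.  Returns the hard
    label (largest membership) per record, the membership matrix U and
    the final objective value G."""
    V, U, G = fuzzy_c_means(normalise(records), c, m)
    labels = [max(range(c), key=lambda k: row[k]) for row in U]
    return labels, U, G


if __name__ == "__main__":
    labels, U, G = cluster_records(SAMPLE_RECORDS)
    for rec, lab, row in zip(SAMPLE_RECORDS, labels, U):
        print(rec, "-> class", lab, "memberships", [round(u, 3) for u in row])
    print("objective G(u, v) =", round(G, 5))
```

The class whose members have the higher loss and delay is the one step S73 would then score with the security index P(a); that scoring is not reproduced here because formula (3) is not legible on the page.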

The experimental environment is: the TensorFlow artificial intelligence framework, the Jupyter Notebook programming environment, and Simulink simulation software.

To precisely reflect the accuracy that information fusion brings to network situation assessment, the traditional network situation assessment method is used as a comparison in this experiment. Both methods assess the network situation of the collected network signals; the spectrum of the input network signal is shown in Fig. 3.

The situation assessment of the input network signal by the traditional network situation assessment method is shown in Fig. 4, and that by the information-fusion network situation assessment method of the invention in Fig. 5.

Figs. 4 and 5 show the time-frequency characteristics of the problem data that the two methods detect in the network signal over a given time period. The information-fusion network situation assessment method clearly detects the characteristics of the problem signal. The traditional network situation assessment method uses envelope amplitude detection of the problem signal, which is prone to boundary errors and therefore disperses the detected time-frequency characteristics of the problem signal. The information-fusion network situation assessment method of the invention analyzes and processes the features of the problem information; the causal association algorithm and the likelihood-fuzzy algorithm it uses have a certain information specificity and do not introduce excessive error, and the resulting description of the problem data is clearer and easier to study and understand.

虽然以上描述了本发明的具体实施方式,但是本领域的技术人员应当理解,这些具体实施方式仅是举例说明,本领域的技术人员在不脱离本发明的原理和实质的情况下,可以对上述方法和系统的细节进行各种省略、替换和改变;例如,合并上述方法步骤,从而按照实质相同的方法执行实质相同的功能以实现实质相同的结果则属于本发明的范围;因此,本发明的范围仅由所附权利要求书限定。Although the specific embodiments of the present invention have been described above, those skilled in the art should understand that these specific embodiments are only examples, and those skilled in the art can make the above-mentioned Various omissions, substitutions and changes are made to the details of the methods and systems; for example, combining the above method steps so as to perform substantially the same functions in substantially the same way to achieve substantially the same results is within the scope of the present invention; therefore, the present invention The scope is limited only by the appended claims.

Claims (7)

1. A network security situation assessment method for information fusion is characterized in that:
s1: establishing a network security situation assessment model, wherein the model is used for analyzing the working state of a server, analyzing the source of problem information and carrying out alarm processing on the problem information;
s2: the server information extraction module collects network security state information, wherein the information collection is continuous collection, and new network security data and server security data are continuously collected;
s3: preprocessing the collected safety data to realize integration, transformation and reduction of multi-source safety data;
s4: the information fusion analysis module performs fusion analysis on the acquired safety data information, the time sequence logic model performs safety problem cause searching on the safety data information, and the association analysis module performs description analysis on the causal relationship of the safety problem through a causal association algorithm according to the searched problem cause; the data correlation module performs multi-level distributed mining processing on the safety data information, and determines the state and identity relationship between the safety data information; the evaluation comprehensive module predicts the problem characteristics of the network safety information and the data information of the related problems through a likelihood-fuzzy algorithm;
s5: the network security situation analysis module fuses the problem data and the security information, and network security evaluation data at the moment is obtained through quantification;
s6: if the network threat index is lower than a certain threshold value, the problem pre-alarm module starts an alarm mode and displays the problem data address in a positioning way.
2. The network security posture assessment method for information fusion according to claim 1, wherein: the security assessment data exhibits a network threat index, issue data information, and data information associated with the issue data.
3. The network security posture assessment method for information fusion according to claim 1, wherein: the safety data preprocessing realizes the calibration and normalization of data through different layers of algorithms and is used for carrying out primary fusion processing on the standardized data.
4. The network security posture assessment method for information fusion according to claim 1, wherein: the situation analysis processes and computes basic-layer data among the server, the network and the users through a fusion-evaluation algorithm, so that the evaluation of the security situation of the upper network is realized.
5. The network security posture assessment method for information fusion according to claim 1, wherein: the network security situation assessment model comprises a server information extraction module, a data preprocessing module, an information fusion analysis module, a network security situation analysis module and a problem pre-alarm module; the server information extraction module is connected with the data preprocessing module, the data preprocessing module is connected with the information fusion analysis module, the information fusion analysis module is connected with the network security situation analysis module, and the network security situation analysis module is connected with the problem pre-alarm module.
6. The network security posture assessment method for information fusion according to claim 1, wherein: the problem alarm module comprises a red marking unit, a data position tracking unit, a data comparison unit and a priority control unit, and is written by adopting a network system code.
7. The network security posture assessment method for information fusion according to claim 1, wherein: the security situation assessment in the network is realized by adopting a clustering PageRank algorithm, and the steps of evaluating the security situation of the network by the clustering PageRank algorithm are as follows:
s71: establishing a network information sample mean value set
Randomly extracting network information data as a sample set, defining the sample set as $X = \{x_1, x_2, x_3, \dots, x_n\}$, defining the central data set of each class of data in the random sample set as $V = (v_1, v_2, v_3, \dots, v_k)$, and defining $u_c$ as the probability value that sample data $x_n$ belongs to central data $v_k$; the fuzzy clustering of the network information data is as follows:
[Formula (1): image not reproduced on this page]
In formula (1), $m$ represents the fuzzy dividing parameter, [symbol image not reproduced] represents the probability value that network information sample data $x_i$ of the same class belongs to central data $v_k$ under fuzzy dividing parameter $m$, $d_{ik}$ represents the distance from sample data $x_i$ of the same class to central data $v_k$, $n$ represents the number of samples, $k$ represents the number of central data, $i$ represents the $i$-th subset of the sample set, where $i \in [1, n]$, $y$ represents the $y$-th subset of the central data set, where $y \in [1, k]$, and $G(u, v)$ represents the objective function with the probability values and central data as cardinalities;
s72: updating the Euclidean distance between the central data and the sample data for each class of data
The relation between the Euclidean distance and the probability value of each class of data is shown in formula (2):
[Formula (2): image not reproduced on this page]
In formula (2), $u_{ik}$ represents the probability value that data $x_i$ belongs to central data $v_k$, and [symbol image not reproduced] represents the Euclidean distance of the probability value from sample data $x_i$ to central data $v_k$ when the parameter central value is fuzzified; the Euclidean-distance probability value between the central data and the sample data of each class is updated continuously, so that the objective function continuously narrows the search range of the network information and each class of network information is optimally divided;
s73: carrying out information security measurement on each class of optimally divided network information
The clustering PageRank algorithm measures and evaluates the security of the network information, and the calculation formula is as follows:
[Formula (3): image not reproduced on this page]
In formula (3), $a$ represents the security parameter, $b$ represents the threat parameter, $N_a$ represents all network information sets with security parameter $a$, $K_b$ represents all network information sets with threat parameter $b$, $P(a)$ represents the network security index, and $P(b)$ represents the network threat index; the larger the network security index, the higher the network information security situation of the corresponding class; otherwise, the risk degree of the corresponding class of network information deepens and must be handled in time.
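The clustering of claim 7 (steps s71 to s73), as an added Python example that is not part of the patent: because formulas (1) to (3) are not reproduced on this page, it assumes the standard fuzzy c-means update rules for the membership u_ik, the centres v_k and the objective G(u, v), an assumed farthest-first initialisation, and an assumed per-cluster index N_a/(N_a+K_b) in place of formula (3), all run over a constructed sample set.

```python
import math
# Added illustration of claim 7 (s71-s73); not the patent's code. Formulas (1)-(3)
# are not on the page: fuzzy c-means updates and the N_a/(N_a+K_b) index are assumed.

def _dist(a, b):
    """Euclidean distance d_ik between sample x_i and centre v_k."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def fuzzy_cluster(samples, k, m=2.0, tol=1e-6, max_iter=100):
    """Return (u, v, G): memberships u[i][j], centres v[j], objective G(u, v)."""
    n, dim = len(samples), len(samples[0])
    v = [samples[0]]                              # assumed farthest-first start
    while len(v) < k:
        v.append(max(samples, key=lambda x: min(_dist(x, c) for c in v)))
    prev_g = math.inf
    for _ in range(max_iter):
        u = []
        for x in samples:                         # s71: membership of x_i in each v_k
            d = [_dist(x, c) for c in v]
            if 0.0 in d:                          # sample on a centre: hard membership
                u.append([1.0 if dk == 0.0 else 0.0 for dk in d])
            else:
                u.append([1.0 / sum((d[j] / d[y]) ** (2 / (m - 1)) for y in range(k))
                          for j in range(k)])
        g = sum(u[i][j] ** m * _dist(samples[i], v[j]) ** 2
                for i in range(n) for j in range(k))
        v = []                                    # s72: move centres, shrinking G
        for j in range(k):
            w = [u[i][j] ** m for i in range(n)]
            v.append(tuple(sum(w[i] * samples[i][c] for i in range(n)) / sum(w)
                           for c in range(dim)))
        if abs(prev_g - g) < tol:
            break
        prev_g = g
    return u, v, g

def cluster_security_index(u, labels):
    """s73 (assumed form): N_a / (N_a + K_b) per cluster, N_a counting samples with
    security parameter "a" and K_b those with threat parameter "b"."""
    k = len(u[0])
    n_a, k_b = [0] * k, [0] * k
    for row, label in zip(u, labels):
        j = max(range(k), key=row.__getitem__)    # hard assignment by largest u_ij
        n_a[j] += label == "a"
        k_b[j] += label == "b"
    return [n_a[j] / (n_a[j] + k_b[j]) if n_a[j] + k_b[j] else 0.0 for j in range(k)]

# Constructed sample set X: (connections/s, failed logins/min) per host, each
# labelled with security parameter "a" or threat parameter "b".
SAMPLES = [(10, 0), (12, 1), (9, 0), (11, 1), (200, 40), (210, 45), (190, 38), (205, 42)]
LABELS = ["a"] * 4 + ["b"] * 4
```

Calling `fuzzy_cluster(SAMPLES, 2)` separates the two host groups, and `cluster_security_index` then gives the low-traffic cluster an index of 1.0 and the high-traffic cluster 0.0.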
CN202211565221.4A 2022-12-07 2022-12-07 Network security situation assessment method for information fusion Pending CN116366277A (en)


Publications (1)

Publication Number Publication Date
CN116366277A true CN116366277A (en) 2023-06-30

Family

ID=86939473


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116756225A (en) * 2023-08-14 2023-09-15 南京展研信息技术有限公司 Situation data information processing method based on computer network security
CN116756225B (en) * 2023-08-14 2023-11-07 南京展研信息技术有限公司 Situation data information processing method based on computer network security


Legal Events

Date Code Title Description
PB01 Publication