CN116366324A - Analysis method and device for behaviors of drilling personnel in network target range - Google Patents
Analysis method and device for behaviors of drilling personnel in network target range Download PDFInfo
- Publication number
- CN116366324A CN116366324A CN202310298554.3A CN202310298554A CN116366324A CN 116366324 A CN116366324 A CN 116366324A CN 202310298554 A CN202310298554 A CN 202310298554A CN 116366324 A CN116366324 A CN 116366324A
- Authority
- CN
- China
- Prior art keywords
- exercise
- drilling
- graph
- node
- nodes
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000005553 drilling Methods 0.000 title claims abstract description 124
- 230000006399 behavior Effects 0.000 title claims abstract description 106
- 238000004458 analytical method Methods 0.000 title claims abstract description 28
- 238000000034 method Methods 0.000 claims abstract description 54
- 230000008569 process Effects 0.000 claims abstract description 37
- 238000012360 testing method Methods 0.000 claims abstract description 36
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 18
- 238000007621 cluster analysis Methods 0.000 claims abstract description 17
- 238000007689 inspection Methods 0.000 claims abstract description 14
- 239000013598 vector Substances 0.000 claims description 21
- 238000010586 diagram Methods 0.000 claims description 14
- 238000004364 calculation method Methods 0.000 claims description 6
- 230000001419 dependent effect Effects 0.000 claims description 4
- 238000012545 processing Methods 0.000 abstract description 7
- 238000012549 training Methods 0.000 description 8
- 238000005259 measurement Methods 0.000 description 5
- 235000014435 Mentha Nutrition 0.000 description 3
- 241001072983 Mentha Species 0.000 description 3
- 238000004590 computer program Methods 0.000 description 3
- 235000014569 mints Nutrition 0.000 description 3
- 230000007123 defense Effects 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 238000010276 construction Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012502 risk assessment Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
- G06F18/232—Non-hierarchical techniques
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Artificial Intelligence (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Signal Processing (AREA)
- Evolutionary Biology (AREA)
- Evolutionary Computation (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses an analysis method and device for behaviors of drilling personnel in a network target range, and relates to the technical field of network security, wherein the analysis method comprises the following steps: modeling the drilling process into a directed graph model as a drilling reference graph according to a target and an operation sequence expected to be achieved by the drilling process; performing network security exercise, recording an operation behavior log of an exercise person, and storing the recorded operation behavior log into a database; matching and modeling the behaviors of the testers with the exercise reference graph in real time based on the operation behavior log by adopting a matching algorithm so as to obtain a behavior path of the exercise staff as an exercise test graph; after the drilling is finished, storing drilling inspection graphs corresponding to all drilling personnel, and carrying out cluster analysis on the drilling personnel according to defined graph distances. The interactivity in the network security exercise process is improved, and the data processing time is shortened.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an analysis method and an analysis device for behaviors of drilling personnel in a network target range.
Background
With the improvement of the security importance of network information, all organizations at home and abroad are actively put into the construction of a network target range. Currently, network targets have become an important infrastructure for supporting network space security technology verification, network weapon testing, attack and defense exercise and network risk assessment.
The implementation of network security training and the development of attack and defense drilling are important functions of a network target range platform, the whole process comprises scene design and overall planning in the early period of drilling, and the target range network environment in drilling implementation is monitored, managed and recorded, and the finishing analysis and feedback of a large amount of data after drilling are more complex processes. In the network security drilling process, a target range platform usually displays the target achieved by drilling personnel in an integral mode, and after drilling is finished, final scores are given according to the completion degree of the participators, but the mode lacks of describing the actual process that the drilling personnel reach the target and also lacks of analyzing finer granularity of personnel operation behaviors. Meanwhile, a large amount of historical data can be generated in the process of multiple exercises and participation of multiple persons, and the problems of time consumption and difficulty in processing are solved by the fact that the data are more and complicated to analyze and derive after the exercises. Therefore, the method for analyzing the behaviors of the personnel in the network shooting range can establish the behavior model of the personnel in real time, and provides a feasible solution for the automatic processing of the behavior data of the drilling personnel.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide an analysis method and an analysis device for the behaviors of the drilling personnel in a network shooting range. According to the analysis method and the analysis device for the behaviors of the drilling personnel in the network target range, through paying attention to the behavior sequence of the personnel in the network security training, the interactivity in the network security drilling process is improved, the problems of the personnel in different groups in the drilling exploration process can be better analyzed, and therefore a more targeted training plan is developed for the different groups, and the data processing time is shortened.
In order to achieve the above purpose, the invention adopts the following technical scheme:
modeling the drilling process into a directed graph model as a drilling reference graph according to a target and an operation sequence expected to be achieved by the drilling process;
performing network security exercise, recording an operation behavior log of an exercise person, and storing the recorded operation behavior log into a database;
matching and modeling the behaviors of the testers with the exercise reference graph in real time based on the operation behavior log by adopting a matching algorithm so as to obtain a behavior path of the exercise staff as an exercise test graph;
after the drilling is finished, storing drilling inspection graphs corresponding to all drilling personnel, and carrying out cluster analysis on the drilling personnel according to defined graph distances.
On the basis of the technical scheme, the directed graph model is used for expressing the front-back relation of the operation of the drill staff by utilizing the partial sequence relation of the directed graph model, and the data structure of the nodes is used for representing the detailed content of each operation.
On the basis of the technical scheme, the attributes of the nodes comprise node names, operating tools, operating parameters and a dependent front node list.
On the basis of the technical scheme, the content of the operation behavior log comprises a time stamp, an operation tool and operation parameter information.
On the basis of the technical scheme, the matching algorithm is adopted to match and model the personnel behavior with the exercise reference graph in real time based on the operation behavior log so as to obtain the behavior path of the exercise personnel, and the specific steps are as follows:
initializing an empty node set Q, creating a directed graph according to the drilling reference graph, and repeating the steps:
adding nodes without front nodes in the directed graph into a node set Q;
taking out an operation behavior log according to time sequence, matching the log content with nodes in the node set Q, and according to a matching result:
if the matching is successful, the node obtained by the matching is moved out of the node set Q, the node is deleted from a front node list on which the next node pointed by the node depends, a node with the same content as the node is copied, and the copied node is added into the exercise check graph;
-if the matching is unsuccessful, creating a node with the operation behavior log content as attribute, as an error attempt node, and adding the created node to the exercise inspection graph.
On the basis of the technical scheme, the successful matching is that the operation tool in the current operation behavior log content is the same as the operation parameters of the nodes in the node set Q; the unsuccessful match is that the operating tool in the current piece of operation behavior log content is not the same as the operating parameters of the nodes in the node set Q.
On the basis of the technical scheme, the graph distance is obtained by a distance vector, and the distance vector is expressed as:
DV pq =(f 1 ,f 2 ,f 3 ,...f n )
wherein DV pq As a distance vector, f n And n is the number of nodes in the exercise reference graph and is the nth distance factor.
On the basis of the technical scheme, the calculating step of the distance factor comprises the following steps:
the nodes of the exercise reference graph are numbered according to a certain sequence, and correspond to the subscript of each distance factor in the distance, and the nth distance factor f n The definition is as follows:
wherein U is p For one of the two testers to reach the node set wrongly tried before numbering n nodes in the reference diagram, U q For the other of the two testers to arrive at the set of nodes that were erroneously tried before numbering n nodes in the reference graph,
for the Jaccard distance of the two sets, w is a configurable constant, phi (n) is the matching condition of the exercise test graphs of the two testers and the exercise reference graph at the node n, if the exercise test graphs of the two testers are matched or are not matched with the exercise reference graph at the node n, the value of phi (n) is 0, otherwise, the value of phi (n) is 1.
On the basis of the technical scheme, the clustering analysis is carried out on the drilling personnel according to the defined graph distance, and the specific steps comprise:
calculating the L2 norm of the distance vector by using a formula to obtain the distance between the drilling staff depicted by the test pattern, wherein the calculation formula is as follows:
wherein dist is the distance between the drill staff, f i Is the i-th distance factor;
and carrying out cluster analysis on the exercise personnel behaviors by adopting an OPTICS clustering method according to the defined graph distance.
The invention also provides an analysis device for the behaviors of the drill staff in the network target range, which comprises:
the acquisition module is used for acquiring a target and an operation sequence which are expected to be achieved in the drilling process;
the execution module is used for modeling the drilling process into a directed graph model as a drilling reference graph according to the obtained target and operation sequence obtained by the obtaining module; performing network security exercise, recording an operation behavior log of an exercise person, and storing the log into a database; matching and modeling the behaviors of the drilling personnel with the drilling reference graph in real time based on the operation behavior log by adopting a matching algorithm so as to obtain a behavior path of the drilling personnel as a drilling test graph; after the drilling is finished, storing drilling inspection graphs corresponding to all drilling personnel;
and the analysis module is used for carrying out cluster analysis on the drill staff according to the defined graph distance.
Compared with the prior art, the invention has the advantages that: according to the analysis method and the analysis device for the behaviors of the drilling personnel in the network target range, the interactivity of the network security drilling process is improved by paying attention to the behavior sequence of the personnel in the network security training; the distance measurement of the personnel behaviors is provided, and the clustering algorithm is combined, so that the problems of the personnel in different groups in the drilling exploration process can be better analyzed by clustering the personnel with similarity characteristics, namely similar behavior paths, and therefore, more targeted training plans are developed for the different groups, the data are easy to process, and the data processing time is shortened; the method has good practical significance in automatic analysis and treatment of a large amount of personnel data generated after exercise.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of an analysis method of the behaviors of an exercise person in a network target range according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a drilling reference diagram of an analysis method of the behaviors of drilling personnel in a network target range according to an embodiment of the present invention;
FIG. 3 is a pictorial view of an exercise test generated by one of two exercises in accordance with an embodiment of the present invention;
fig. 4 is a schematic view of an exercise test generated by the other of the two exercises in an embodiment of the invention.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments.
Referring to fig. 1, an embodiment of the present invention provides a method for analyzing behaviors of an exercise person in a network target range, including the following steps:
s1: modeling the drilling process into a directed graph model as a drilling reference graph according to a target and an operation sequence expected to be achieved by the drilling process;
s2: performing network security exercise, recording an operation behavior log of an exercise person, and storing the recorded operation behavior log into a database;
s3: matching and modeling the behaviors of the testers with the exercise reference graph in real time based on the operation behavior log by adopting a matching algorithm so as to obtain a behavior path of the exercise staff as an exercise test graph;
s4: after the drilling is finished, storing drilling inspection graphs corresponding to all drilling personnel, and carrying out cluster analysis on the drilling personnel according to defined graph distances.
Modeling the process of the network security exercise into a directed graph model according to the target and the operation sequence expected to be achieved by the network security exercise, and taking the directed graph model obtained by modeling as an exercise reference graph, wherein the directed graph model represents the operation sequence which needs to be achieved by one exercise process as shown in fig. 2, and the operation which needs to be carried out in a plurality of steps before executing one step exists, for example, the node op6 depends on two operations of the node op4 and the node op5, and the dependency relationship is better expressed in a graph mode; then, carrying out network security exercise, recording operation behavior logs of the exercise personnel, storing the operation behavior logs obtained by recording into a database, recording the operation behaviors of the exercise personnel in a shooting range environment as log data, and storing the log data into the database; matching and modeling the behaviors of the drilling personnel with the drilling reference graph in real time based on the operation behavior log by adopting a matching algorithm to obtain a personnel behavior path and generate a drilling inspection graph; after the exercise is finished, saving exercise test charts correspondingly generated by all exercise personnel, obtaining exercise test charts of two exercise personnel through the steps according to exercise reference charts, wherein the broken line nodes represent error trial nodes as shown in fig. 3 and 4 respectively, and the two exercise personnel are respectively defined as personnel A and personnel B for the convenience of distinguishing, wherein the exercise test charts in fig. 3 represent that the personnel A executes some error trial after starting and op3 and are recorded by a system, and the exercise test charts in fig. 4 represent that the personnel B takes some error trial actions after starting and op1 and op3 operations; and then carrying out cluster analysis on the drill staff according to the defined graph distance.
The modeling of the drilling process into the directed graph model is based on the principle that the drilling target is usually to attack the target plane or defend the attack behavior, and the whole process includes a series of operation actions and intermediate states of the system, so that the target system finally enters an unsafe state or returns to a safe state. Modeling expected operation behaviors in the exercise process as nodes in a graph model, and modeling relationships among expected operations by using partial order relationships represented by edges in a directed graph, wherein the directed node operations depend on the operations of the front nodes so as to achieve the final operation of an exercise target as a termination node.
Through the steps, the behaviors of the drilling personnel are depicted by using the directed graph model, and in order to effectively analyze and process a large amount of data generated after drilling, users with similar behavior paths are grouped, namely clustered, better training plans and feedback are formulated for different crowds, and meanwhile, the automatic mode can reduce the labor force during the analysis after drilling and has better practical significance.
In the invention, the directed graph model is used for expressing the front-back relation of the operation of the drill staff by utilizing the partial order relation of the directed graph model, and the data structure of the nodes is used for representing the detail of each operation.
That is, the graph model obtained by modeling expresses the front-to-back relationship of the operation of the drill person by using the partial order relationship of the model itself, and the data structure of the nodes is used for representing the detail of each operation.
In the invention, the attributes of the nodes comprise node names, operating tools, operating parameters and a dependent front node list.
I.e. the properties of the node include node name, node type, tools for the desired operation, operating parameters and list of dependent pre-nodes, the start and end nodes are used for identification only and not as actual structures.
In the invention, the content of the operation behavior log comprises a time stamp, an operation tool and operation parameter information.
I.e. the content of the operation behavior log comprises information of the tool used, tool parameters, time stamps, etc., in particular the log is a type of data that grows over time.
In the invention, a matching algorithm is adopted to match and model the personnel behavior with the exercise reference graph in real time based on an operation behavior log so as to obtain the behavior path of the exercise personnel as an exercise test graph, and the specific steps are as follows:
initializing an empty node set Q, creating a directed graph according to the drilling reference graph, and repeating the steps:
adding nodes without front nodes in the directed graph into a node set Q;
taking out an operation behavior log according to time sequence, matching the log content with nodes in the node set Q, and according to a matching result:
if the matching is successful, the node obtained by the matching is moved out of the node set Q, the node is deleted from a front node list on which the next node pointed by the node depends, a node with the same content as the node is copied, and the copied node is added into the exercise check graph;
-if the matching is unsuccessful, creating a node with the operation behavior log content as attribute, as an error attempt node, and adding the created node to the exercise inspection graph.
The related matching method models the operation behaviors of the drilling personnel in real time to generate a drilling test chart, the attributes of nodes of the test chart comprise a time stamp, an operation tool, an operation parameter, a post matching node list and a post error trial node list, the flow of the drilling test chart algorithm is that an empty node set Q is initialized firstly, a directed chart is created according to a drilling reference chart, and the following steps are repeatedly executed until drilling is finished and log traversal is completed: adding a node without a front node in the drilling reference graph into the set Q; and (3) taking out an operation log according to time sequence, matching the content of the operation log with nodes in the node set Q, moving the node out of the node set Q if the log is successfully matched with the node set Q, deleting the node from the dependency front node list of the next pointed node, and creating a node taking the log content as an attribute as an error try node and adding the error try node into the exercise check graph if the log is not successfully matched with the node set Q.
The step is to generate a check chart of the current drilling personnel in real time according to the log stream, if the last matching time is too long in the drilling process, the current step is represented by personnel suffering dilemma, the content in the current Q set is the expected next operation, and the platform can add real-time auxiliary information or prompt help personnel to make improvement if the platform needs to promote the personnel to obtain further results. After the whole exercise process is finished, generating test charts of all the people participating in the exercise, and storing the test charts.
In the invention, the successful matching is that the operation tool in the current operation behavior log content is the same as the operation parameters of the nodes in the node set Q;
the unsuccessful match is that the operating tool in the current piece of operation behavior log content is not the same as the operating parameters of the nodes in the node set Q.
That is, successful matching of the operation log content with the nodes in the node set Q is that the operation tool in the operation log is the same as the operation parameters in the node set Q, and unsuccessful matching of the operation log content with the nodes in the node set Q is that the operation tool in the operation log is not the same as the operation parameters in the node set Q.
In the invention, the graph distance is obtained by a distance vector, and the distance vector is expressed as:
DV pq =(f 1 ,f 2 ,f 3 ,...f n )
wherein DV pq As a distance vector, f n And n is the number of nodes in the exercise reference graph and is the nth distance factor.
I.e. the graph distance is defined between the generated drill test graphs after different drill staff completes the same drill. The variability between test charts of different drill staff depends not only on their completion, but also on drill reference charts, using a distance vector representation, formalized as:
DV pq =(f 1 ,f 2 ,f 3 ,...f n )
wherein DV pq As a distance vector, f n And n is the number of nodes in the exercise reference graph and is the nth distance factor.
In the invention, the calculating step of the distance factor comprises the following steps:
the nodes of the exercise reference graph are numbered according to a certain sequence, and correspond to the subscript of each distance factor in the distance, and the nth distance factor f n The definition is as follows:
wherein U is p For one of the two testers to reach the node set wrongly tried before numbering n nodes in the reference diagram, U q For the other of the two testers to arrive at the set of nodes that were erroneously tried before numbering n nodes in the reference graph,
for the Jaccard distance of the two sets, w is a configurable constant, phi (n) is the matching condition of the exercise test graphs of the two testers and the exercise reference graph at the node n, if the exercise test graphs of the two testers are matched or are not matched with the exercise reference graph at the node n, the value of phi (n) is 0, otherwise, the value of phi (n) is 1.
I.e. each distance factor f n The definition is as follows:
wherein U is p For one of the two testers to reach the node set wrongly tried before numbering n nodes in the reference diagram, U q For the other of the two testers to arrive at the set of nodes that were erroneously tried before numbering n nodes in the reference graph,
for the Jaccard distance of two sets, in order to simplify the calculation and improve the matching degree of similar behaviors, the node in the sets takes the attribute of an operating tool as a mark, and ignores the attributes such as operating parameters, time stamps and the like; w isAnd a constant can be configured, wherein phi (n) is the matching condition of the exercise test graphs of the two testers and the exercise reference graph at the node n, if the exercise test graphs of the two testers are matched or are not matched with the exercise reference graph at the node n, the value of phi (n) is 0, and otherwise, the value of phi (n) is 1.
In the invention, the training personnel are subjected to cluster analysis according to the defined graph distance, and the specific steps comprise:
calculating the L2 norm of the distance vector by using a formula to obtain the distance between the drilling staff depicted by the test pattern, wherein the calculation formula is as follows:
wherein dist is the distance between the drill staff, f i Is the i-th distance factor;
and carrying out cluster analysis on the exercise personnel behaviors by adopting an OPTICS clustering method according to the defined graph distance.
Namely, calculating the L2 norm of the distance vector by using a formula to obtain the distance between people marked by the inspection graph, wherein the calculation formula is as follows:
wherein dist is distance between the drill staff, i.e. distance measurement, f i Is the i-th distance factor;
and carrying out cluster analysis on the behaviors of the drilling personnel by adopting an OPTICS clustering method, wherein the clustering algorithm is based on the density of sample points, the input parameter is mints, the number of core points is represented, and the personnel are subjected to cluster analysis by combining distance measurement, so that the personnel clustering result can be finally obtained.
The complete steps of cluster analysis on the drill staff according to the defined graph distance are as follows:
the graph distance is defined first, and the graph distance is obtained by a distance vector, wherein the distance vector is expressed as:
DV pq =(f 1 ,f 2 ,f 3 ,...f n )
and n is the number of nodes in the exercise reference graph, the nodes of the exercise reference graph are numbered according to a certain sequence, and each subscript position in the distance vector is corresponding to the node. The embodiment will use the node reference numerals in fig. 2, where the value of n is 6, and each element represents a difference value at the node of the corresponding number, and the value is defined as:
for convenience of distinction, two drilling staff are respectively defined as drilling staff A and drilling staff B, U is shown in the above formula p Representing the node set of wrong attempts before the drill staff A reaches the number n nodes in the reference diagram, U q The drill person b achieves a set of nodes that were erroneously tried before numbering n nodes in the reference graph,
for Jaccard distance of two sets, in order to simplify calculation and improve matching degree of similar behaviors, a node in the set uses an attribute of an operating tool as an identifier, and ignores attributes such as an operating parameter, a time stamp and the like, w is a configurable constant, phi (n) represents matching situations of an exercise test diagram of an exercise person A and an exercise person B at the node n and an exercise reference diagram, if phi (n) is matched or not matched, the value of phi (n) is 0, and otherwise, the value of phi (n) is 1.
As shown in fig. 3 and 4, the distance vector DV is assumed to be the number after opX _err, which represents the tool used pq For (0.5, 1,0,0.33+w, w, 0), w is taken as 1, distance vector DV pq For (0.5,1,0,1.33,1,0), the distance between the persons depicted in the inspection map is obtained by calculating the L2 norm of the vector using the formula:
according to the embodiment, the distance vector can be calculated to obtain a distance measurement dist of 2.005, the distance measurement is established, an OPTICS algorithm is adopted, the clustering algorithm is based on the density of sample points, input parameters are mints, namely core points, the output result of the algorithm is affected by adjusting the mints parameters, the commonly suggested value is lnk, k is the total number of people participating in clustering, the clustering result of people can be finally obtained, the problems of different groups of people in the drilling exploration process can be better analyzed by clustering people with similarity features, namely similar behavior paths, and the problem of people in different groups of people in the drilling exploration process is better analyzed by combining with a checking diagram of the people, so that more targeted training plans are developed for different groups of people.
The embodiment of the invention also provides an analysis device for the behaviors of the drilling personnel in the network target range, which comprises the following steps:
the acquisition module is used for acquiring a target and an operation sequence which are expected to be achieved in the drilling process;
the execution module is used for modeling the drilling process into a directed graph model as a drilling reference graph according to the obtained target and operation sequence obtained by the obtaining module; performing network security exercise, recording an operation behavior log of an exercise person, and storing the log into a database; matching and modeling the behaviors of the drilling personnel with the drilling reference graph in real time based on the operation behavior log by adopting a matching algorithm so as to obtain a behavior path of the drilling personnel as a drilling test graph; after the drilling is finished, storing drilling inspection graphs corresponding to all drilling personnel;
and the analysis module is used for carrying out cluster analysis on the drill staff according to the defined graph distance.
The embodiment of the invention also comprises an analysis device for the behaviors of the drilling personnel in the network target range, which comprises an acquisition module, an execution module and an analysis module; the acquisition module is used for acquiring a target and an operation sequence which are expected to be achieved in the drilling process, and the execution module is used for modeling the drilling process into a directed graph model as a drilling reference graph according to the acquired target and operation sequence acquired by the acquisition module; performing network security exercise, recording an operation behavior log of an exercise person, and storing the log into a database; matching and modeling the behaviors of the drilling personnel with the drilling reference graph in real time based on the operation behavior log by adopting a matching algorithm so as to obtain a behavior path of the drilling personnel as a drilling test graph; after the drilling is finished, the drilling inspection graphs corresponding to all drilling personnel are stored, and the analysis module is used for carrying out cluster analysis on the drilling personnel according to the defined graph distance.
The foregoing is merely a specific embodiment of the application to enable one skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Claims (10)
1. The analysis method of the action of the drill staff in the network target range is characterized by comprising the following steps of:
modeling the drilling process into a directed graph model as a drilling reference graph according to a target and an operation sequence expected to be achieved by the drilling process;
performing network security exercise, recording an operation behavior log of an exercise person, and storing the recorded operation behavior log into a database;
matching and modeling the behaviors of the testers with the exercise reference graph in real time based on the operation behavior log by adopting a matching algorithm so as to obtain a behavior path of the exercise staff as an exercise test graph;
after the drilling is finished, storing drilling inspection graphs corresponding to all drilling personnel, and carrying out cluster analysis on the drilling personnel according to defined graph distances.
2. A method of analyzing the performance of an exercise person in a networked range as claimed in claim 1, wherein:
the directed graph model is used for expressing the front-to-back relation of the operation of the drill staff by utilizing the partial order relation of the directed graph model, and the data structure of the nodes is used for representing the detailed content of each operation.
3. A method of analyzing the performance of an exercise person in a networked range as claimed in claim 2, wherein:
the attributes of the nodes include node names, tools for operations, operating parameters, and a list of dependent pre-nodes.
4. A method of analysing the behaviour of an exercise person in a networked range as claimed in claim 3, wherein the content of said operation behaviour log comprises a time stamp, an operation tool and operation parameter information.
5. The method for analyzing the behaviors of an exercise person in a network shooting range according to claim 4, wherein the matching algorithm is adopted to match and model the behaviors of the person with an exercise reference map in real time based on an operation behavior log so as to obtain a behavior path of the exercise person as an exercise test map, and the specific steps are as follows:
initializing an empty node set Q, creating a directed graph according to the drilling reference graph, and repeating the steps:
adding nodes without front nodes in the directed graph into a node set Q;
taking out an operation behavior log according to time sequence, matching the log content with nodes in the node set Q, and according to a matching result:
if the matching is successful, the node obtained by the matching is moved out of the node set Q, the node is deleted from a front node list on which the next node pointed by the node depends, a node with the same content as the node is copied, and the copied node is added into the exercise check graph;
-if the matching is unsuccessful, creating a node with the operation behavior log content as attribute, as an error attempt node, and adding the created node to the exercise inspection graph.
6. A method of analyzing the performance of an exercise person in a networked range as claimed in claim 5, wherein:
the successful matching is that the operation tool in the current operation behavior log content is the same as the operation parameters of the nodes in the node set Q;
the unsuccessful match is that the operating tool in the current piece of operation behavior log content is not the same as the operating parameters of the nodes in the node set Q.
7. A method of analysing the behaviour of an exercise person in a networked range as claimed in claim 1, wherein the graph distances are derived from distance vectors expressed as:
DV pq =(f 1 ,f 2 ,f 3 ,...f n )
wherein DV pq As a distance vector, f n And n is the number of nodes in the exercise reference graph and is the nth distance factor.
8. The method of analyzing the behavior of an exercise person in a networked range as recited in claim 7, wherein the step of calculating the distance factor comprises:
the nodes of the exercise reference graph are numbered according to a certain sequence, and correspond to the subscript of each distance factor in the distance, and the nth distance factor f n The definition is as follows:
wherein U is p For one of the two testers to reach the node set wrongly tried before numbering n nodes in the reference diagram, U q For the other of the two testers to arrive at the set of nodes that were erroneously tried before numbering n nodes in the reference graph,
for the Jaccard distance of the two sets, w is a configurable constant, phi (n) is the matching condition of the exercise test graphs of the two testers and the exercise reference graph at the node n, if the exercise test graphs of the two testers are matched or are not matched with the exercise reference graph at the node n, the value of phi (n) is 0, otherwise, the value of phi (n) is 1.
9. The method for analyzing the behaviors of the drilling staff in the network shooting range as claimed in claim 8, wherein the step of performing cluster analysis on the drilling staff according to the defined graph distance comprises the following specific steps:
calculating the L2 norm of the distance vector by using a formula to obtain the distance between the drilling staff depicted by the test pattern, wherein the calculation formula is as follows:
wherein dist is the distance between the drill staff, f i Is the i-th distance factor;
and carrying out cluster analysis on the exercise personnel behaviors by adopting an OPTICS clustering method according to the defined graph distance.
10. An analysis device for the behavior of an exercise person in a network target range, comprising:
the acquisition module is used for acquiring a target and an operation sequence which are expected to be achieved in the drilling process;
the execution module is used for modeling the drilling process into a directed graph model as a drilling reference graph according to the obtained target and operation sequence obtained by the obtaining module; performing network security exercise, recording an operation behavior log of an exercise person, and storing the log into a database; matching and modeling the behaviors of the drilling personnel with the drilling reference graph in real time based on the operation behavior log by adopting a matching algorithm so as to obtain a behavior path of the drilling personnel as a drilling test graph; after the drilling is finished, storing drilling inspection graphs corresponding to all drilling personnel;
and the analysis module is used for carrying out cluster analysis on the drill staff according to the defined graph distance.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310298554.3A CN116366324A (en) | 2023-03-24 | 2023-03-24 | Analysis method and device for behaviors of drilling personnel in network target range |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310298554.3A CN116366324A (en) | 2023-03-24 | 2023-03-24 | Analysis method and device for behaviors of drilling personnel in network target range |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116366324A true CN116366324A (en) | 2023-06-30 |
Family
ID=86935779
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310298554.3A Pending CN116366324A (en) | 2023-03-24 | 2023-03-24 | Analysis method and device for behaviors of drilling personnel in network target range |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116366324A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117709077A (en) * | 2023-11-30 | 2024-03-15 | 永信至诚科技集团股份有限公司 | Simulation deduction method and system based on network target range, electronic equipment and medium |
-
2023
- 2023-03-24 CN CN202310298554.3A patent/CN116366324A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117709077A (en) * | 2023-11-30 | 2024-03-15 | 永信至诚科技集团股份有限公司 | Simulation deduction method and system based on network target range, electronic equipment and medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105955889B (en) | A kind of graphical interfaces automated testing method | |
| CN109446927B (en) | Double-person interaction behavior identification method based on priori knowledge | |
| CN109271374A (en) | A kind of database health scoring method and scoring system based on machine learning | |
| CN109829692A (en) | Contract trial method, apparatus, equipment and storage medium based on artificial intelligence | |
| CN108549658A (en) | A kind of deep learning video answering method and system based on the upper attention mechanism of syntactic analysis tree | |
| Verwer et al. | Flexfringe: a passive automaton learning package | |
| CN116366324A (en) | Analysis method and device for behaviors of drilling personnel in network target range | |
| CN105786898B (en) | A kind of construction method and device of domain body | |
| CN113127933B (en) | Intelligent contract Pompe fraudster detection method and system based on graph matching network | |
| Bansal et al. | Holist: An environment for machine learning of higher-order theorem proving (extended version) | |
| CN111709244A (en) | Deep learning method for identifying causal relationship of contradictory dispute events | |
| Huang et al. | CPDScorer: Modeling and Evaluating Developer Programming Ability across Software Communities. | |
| CN107402859A (en) | Software function verification system and verification method thereof | |
| CN105892304A (en) | Curve data automation interpretation method | |
| CN113420887B (en) | Prediction model construction method, prediction model construction device, computer equipment and readable storage medium | |
| CN113642835B (en) | Work ticket generation method based on data similarity and terminal | |
| CN110956142A (en) | Intelligent interactive training system | |
| CN112257332B (en) | Simulation model evaluation method and device | |
| CN108363738B (en) | Recommendation method for industrial equipment data analysis algorithm | |
| CN107679478B (en) | Method and system for extracting space load state of power transmission line | |
| CN114971425A (en) | Database information monitoring method, device, equipment and storage medium | |
| Murtaza et al. | Structured Language Requirement Elicitation Using Case Base Reasoning | |
| Rogers et al. | ACCE: automatic coding composition evaluator | |
| Zhang et al. | Research on Defect Location Method of C Language Code Based on Deep Learning | |
| Li et al. | Evaluation method of GA-BP neural network programming ability based on entropy weight-deviation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |